# The system has detected a problem with one or more installed IDE/SATA hard disks



## sweetbutterfly73

I know I have a virus. I just dont know how to get rid of it. Right now I have to use another comuter to post this because I cant even use my laptop which has become infected. 

I need help please!

I just started an online business as a stay at home mom and I need access to the internet and my computer for my business!

I will warn you. I dont know much about computer stuff so if someone can help me I will need baby steps through the process  And since I cant even use the computer that is infected, I will need to know how to go about getting rid of the virus even if it wont access the internet. 

Thank you SOOOOOO much! I need this for my business!!!


----------



## johnb35

Please download Malwarebytes' Anti-Malware from *here* or *here* and save it to your desktop.

Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
*Update Malwarebytes' Anti-Malware*
and *Launch Malwarebytes' Anti-Malware*
 
then click *Finish*.
If an update is found, it will download and install the latest version.  *Please keep updating until it says you have the latest version.*
Once the program has loaded, select *Perform quick scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
A log will be saved automatically which you can access by clicking on the *Logs* tab within Malwarebytes' Anti-Malware

If for some reason Malwarebytes will not install or run please download and run Rkill.scr,  Rkill.exe, or Rkill.com  but *DO NOT *reboot the system and then try installing or running Malwarebytes.  If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it.  Once a log appears on the screen, you can try running malwarebytes or downloading other programs.



Download the HijackThis installer from *here*.  
Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log


----------



## browneypearl

*need more help*

hi i was hit by the problem and followed the solution and it removed the virus. but still my desktop icons are not showing up and right click on the desktop does not work. please help


----------



## JHM

bye


----------



## johnb35

browneypearl said:


> hi i was hit by the problem and followed the solution and it removed the virus. but still my desktop icons are not showing up and right click on the desktop does not work. please help



What procedures did you use to clean the infection?  Without posting logs, we can't be sure your system is clean.


----------



## jellypie

johnb35 said:


> Please download Malwarebytes' Anti-Malware from *here* or *here* and save it to your desktop.
> 
> Double-click *mbam-setup.exe* and follow the prompts to install the program.
> At the end, be sure a checkmark is placed next to
> *Update Malwarebytes' Anti-Malware*
> and *Launch Malwarebytes' Anti-Malware*
> 
> then click *Finish*.
> If an update is found, it will download and install the latest version.  *Please keep updating until it says you have the latest version.*
> Once the program has loaded, select *Perform quick scan*, then click *Scan*.
> When the scan is complete, click *OK*, then *Show Results* to view the results.
> Be sure that everything is checked, and click *Remove Selected*.
> A log will be saved automatically which you can access by clicking on the *Logs* tab within Malwarebytes' Anti-Malware
> 
> If for some reason Malwarebytes will not install or run please download and run Rkill.scr,  Rkill.exe, or Rkill.com  but *DO NOT *reboot the system and then try installing or running Malwarebytes.  If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it.  Once a log appears on the screen, you can try running malwarebytes or downloading other programs.
> 
> 
> 
> Download the HijackThis installer from *here*.
> Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.
> 
> Click *Do a system scan and save a logfile*
> 
> _Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._
> 
> Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log




Hi johnb35, thanks for the help.

I don't have 'windows 7 recovery' pop up anymore and no more critical errors. I think Malwarebytes did the job.

All files are still hidden but i solved that problem to.

anyway, thanks for the clear instructions you gave. I hope I don't have to come visit this topic anymore.

thanks, jellypie
greetings from Belgium


----------



## poommop

Hi i had the same problem and managed to remove windows 7 recovery also. Was wondering how you went solving the hidden files problem. Thank You.


----------



## whalene

If the files are still hidden, then right-click on your profile folder and go to the properties. There should be a check box for Hidden. Be sure to uncheck the box if it is checked. If it is currently unchecked, I would check the box, apply the settings, and then uncheck it. It should apply that change to all subfolders, thus unhiding your profile.


----------



## johnb35

poommop said:


> Hi i had the same problem and managed to remove windows 7 recovery also. Was wondering how you went solving the hidden files problem. Thank You.



Download and run Unhide.exe.  This should restore your missing file/folder/etc..


----------



## mluna0904

*help with taking this virus off*

heres the log for malwarebyte results

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6776

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/5/2011 11:45:45 AM
mbam-log-2011-06-05 (11-45-45).txt

Scan type: Quick scan
Objects scanned: 161969
Time elapsed: 15 minute(s), 34 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\programdata\sqoxnmcuxyw.exe (Trojan.FakeMS) -> 1532 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqoXnmCuXYw (Trojan.FakeMS) -> Value: sqoXnmCuXYw -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{4D5210CC-7969-5697-B081-96156DE0DCF1} (Trojan.ZbotR.Gen) -> Value: {4D5210CC-7969-5697-B081-96156DE0DCF1} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\sqoxnmcuxyw.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Users\Mariella\AppData\Local\Temp\1363E8.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\Mariella\AppData\Local\Temp\tmpF82.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.


----------



## voyagerfan99

Wow....there's like 5 people posting in here, each with only one post count.


----------



## johnb35

mluna0904,

Are you having any more issues?  Please post a hijackthis log.

Download the HijackThis installer from *here*.  
Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

Post the logfile that HijackThis produces


----------



## robbi

I had a black desktop screen with with a grey box saying "The system has detected a problem with one or more installed IDE/SATA hard disks" I also had a windows 7 recovery box too as if it was checking my hardrive for problems. Another box came up, which if I clicked on, shut down my PC.

When I click start nothing was there....

Everthing was also missing from "My documents" which has boxing photos and about 30 boxing video fights in it" and even my favorites is blank too. 

I ran AVG, no success......I ran malware bytes, which took away the boxes that were popping up on the screen which I told you about in my first paragraph. Malware bytes has solved everything apart from a blank desktop and missing files...My photos, documents, etc, blank. However, desktop is now blue still no desktop icons for programs or files which were on it.

I can't get that thing to run which is meant to restore hidden files.


----------



## robbi

I got this from another forum. 

"Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file)"

The results are below after I said on the above.....still files missing.


exeHelper by Raktor
Build 20100414
Run at 22:08:06 on 06/06/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20100414
Run at 22:36:19 on 06/06/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


----------



## johnb35

You mean the program unhide.exe?

What happens when you try and run it?  It may take a few minutes to actually complete.


----------



## mmoje

*here are the logs you requested*

Unfortunately the computer was rebooted automatically before running malware bytes or rkill. After the reboot, I executed rkill, unhide, malware bytes and HiJack This. (unhide made the start menu and desktop icons appear again

rkill.log
This log file is located at C:\rkill.log. 
Please post this only if requested to by the person helping you. 
Otherwise you can close this log when you wish. 

Rkill was run on 06/07/2011 at 10:55:15. 
Operating System: Microsoft Windows XP 


Processes terminated by Rkill or while it was running: 

C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe


Rkill completed on 06/07/2011 at 10:55:20. 


HiJack This log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:26:46 AM, on 6/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WebEx\Productivity Tools\PTIM.exe
C:\Program Files\WebEx\Productivity Tools\ptSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\unhide.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\attrib.exe
C:\WINDOWS\regedit.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\mojem\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\BrowserPlusCore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Hijckthis\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://i4.tsacorp.com/homepage.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\work\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
O3 - Toolbar: WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [support] "c:\Program Files\Common Files\support\s.bat"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PTIM.exe] C:\Program Files\WebEx\Productivity Tools\PTIM.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - S-1-5-18 Startup: Lotus Quickr Monitor.lnk = C:\Program Files\IBM\Lotus Quickr connectors\DIMon.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Lotus Quickr Monitor.lnk = C:\Program Files\IBM\Lotus Quickr connectors\DIMon.exe (User 'Default user')
O4 - Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe
O4 - Startup: Shortcut to Wlipper.lnk = C:\mojem\kits\Wlipper.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\work\jre6\jre\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\work\jre6\jre\bin\jp2iexp.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (Lotus Quickr Class) - http://quickr.tsacorp.com/qp2.cab
O16 - DPF: {5E3E59C4-7847-11D0-9081-0080C76A0985} (IPTDImageControl.SImage) - https://i4.tsacorp.com/Common/activex/iptdimagecontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1214935205578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1285052103780
O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - 
O16 - DPF: {CAFECAFE-0013-0001-0030-ABCDEFABCDEF} (JInitiator 1.3.1.30) - 
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - 
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://i4.tsacorp.com/common/activex/ikcntrls.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eu.tsacorp.com
O17 - HKLM\Software\..\Telephony: DomainName = eu.tsacorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eu.tsacorp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eu.tsacorp.com
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASMAgent - Dell|ASAP Software - C:\Program Files\Asset Services Management\ASMAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\work\jre6\bin\jqs.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10018 bytes

Malware Bytes log:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6794

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/7/2011 11:40:30 AM
mbam-log-2011-06-07 (11-40-19).txt

Scan type: Quick scan
Objects scanned: 192639
Time elapsed: 35 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\17358628.exe (Trojan.FakeMS) -> No action taken.
c:\documents and settings\all users\application data\wyfyddipxfrmt.exe (Trojan.FakeMS) -> No action taken.



Could you please help?

Thanks


----------



## johnb35

mmoje,

Did you click on remove selected button in malwarebytes so it would remove those infections?  With these new infections out, it seems that running combofix is a necessity so lets go ahead and run it.

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

http://www.bleepingcomputer.com/download/anti-virus/combofix

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more that 20 minutes including the reboot if malware is detected.


In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## mmoje

*new logs*

combofix log:
ComboFix 11-06-06.06 - mojem 06/07/2011  16:30:46.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.666 [GMT 3:00]
Running from: C:\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Thumbs.db
.
----- BITS: Possible infected sites -----
.
hxxp://ROT2SMS03:80
.
(((((((((((((((((((((((((   Files Created from 2011-05-07 to 2011-06-07  )))))))))))))))))))))))))))))))
.
.
2011-06-07 09:42 . 2011-06-07 09:42	--------	d-----w-	c:\documents and settings\mojem\Application Data\smkits
2011-06-07 09:12 . 2011-06-07 09:12	--------	d-----w-	c:\documents and settings\mojem\Local Settings\Application Data\LogMeIn
2011-06-07 08:25 . 2011-06-07 08:25	388096	----a-r-	c:\documents and settings\mojem\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-07 08:25 . 2011-06-07 08:25	--------	d-----w-	c:\program files\Hijckthis
2011-06-07 07:58 . 2011-06-07 07:58	--------	d-----w-	c:\documents and settings\mojem\Application Data\Malwarebytes
2011-06-07 07:58 . 2011-05-29 06:11	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-07 07:58 . 2011-06-07 07:58	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-07 07:58 . 2011-06-07 07:58	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-06-07 07:58 . 2011-05-29 06:11	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-06 07:21 . 2007-04-03 11:59	23176	----a-r-	c:\windows\system32\drivers\s616nd5.sys
2011-06-06 07:21 . 2007-04-03 11:59	99080	----a-r-	c:\windows\system32\drivers\s616unic.sys
2011-06-06 07:21 . 2007-04-03 11:59	11016	----a-r-	c:\windows\system32\drivers\s616cr.sys
2011-06-06 07:21 . 2007-04-03 11:59	100360	----a-r-	c:\windows\system32\drivers\s616mgmt.sys
2011-06-06 07:21 . 2007-04-03 11:59	98568	----a-r-	c:\windows\system32\drivers\s616obex.sys
2011-06-06 07:21 . 2007-04-03 11:59	108680	----a-r-	c:\windows\system32\drivers\s616mdm.sys
2011-06-06 07:21 . 2007-04-03 11:59	15112	----a-r-	c:\windows\system32\drivers\s616mdfl.sys
2011-06-06 07:21 . 2007-04-03 11:59	12424	----a-r-	c:\windows\system32\drivers\s616cmnt.sys
2011-06-06 07:21 . 2007-04-03 11:59	12424	----a-r-	c:\windows\system32\drivers\s616cm.sys
2011-06-06 07:21 . 2007-04-03 11:59	12424	----a-r-	c:\windows\system32\drivers\s616whnt.sys
2011-06-06 07:21 . 2007-04-03 11:59	12424	----a-r-	c:\windows\system32\drivers\s616wh.sys
2011-06-06 07:21 . 2007-04-03 11:59	83208	----a-r-	c:\windows\system32\drivers\s616bus.sys
2011-05-18 06:38 . 2011-05-18 06:38	--------	d-----w-	c:\documents and settings\All Users\Application Data\LogMeIn
2011-05-10 06:37 . 2011-04-14 16:26	142296	----a-w-	c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-10 06:37 . 2011-04-14 16:25	781272	----a-w-	c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-10 06:37 . 2011-04-14 16:25	1874904	----a-w-	c:\program files\Mozilla Firefox\mozjs.dll
2011-05-10 06:37 . 2011-04-14 16:25	15832	----a-w-	c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-10 06:37 . 2011-04-14 16:25	465880	----a-w-	c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-10 06:37 . 2011-04-14 16:25	89048	----a-w-	c:\program files\Mozilla Firefox\libEGL.dll
2011-05-10 06:37 . 2010-01-01 08:00	1974616	----a-w-	c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-10 06:37 . 2010-01-01 08:00	1892184	----a-w-	c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-10 06:30 . 2011-05-10 06:34	12521992	----a-w-	C:\Firefox Setup 4.0.1.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-24 12:48 . 2011-05-24 12:46	8234862	----a-w-	C:\copii.zip
2011-03-15 06:53 . 2011-03-15 06:53	112832	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\10.0\1033\ResourceCache.dll
2011-02-23 05:26 . 2011-02-23 05:26	288568	----a-w-	c:\program files\mozilla firefox\plugins\ieatgpc.dll
2011-04-14 16:26 . 2011-05-10 06:37	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PTIM.exe"="c:\program files\WebEx\Productivity Tools\PTIM.exe" [2011-03-30 336184]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-22 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]
"support"="c:\program files\Common Files\support\s.bat" [2010-11-22 0]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Lotus Quickr Monitor.lnk - c:\program files\IBM\Lotus Quickr connectors\DIMon.exe [2009-1-27 470152]
.
c:\documents and settings\mojem\Start Menu\Programs\Startup\
DeskPins.lnk - c:\program files\DeskPins\DeskPins.exe [2004-5-2 62464]
Shortcut to Wlipper.lnk - c:\mojem\kits\Wlipper.exe [2010-10-29 79360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CheckPoint\\Session Authentication Agent\\5.0\\fwsession.exe"=
"c:\\Lotus\\Notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.j2se.win32.x86_1.6.0.20081029a-200812291355\\jre\\bin\\notes2w.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/7/2011 10:58 AM 366640]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/8/2007 5:48 AM 116664]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/12/2011 6:48 PM 105592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/7/2011 10:58 AM 22712]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [11/27/2007 7:22 PM 10880]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 Manager;Manager;c:\program files\Manager.exe [10/20/2010 9:04 AM 31184]
S3 DMService;Whale Component Manager;c:\windows\DOWNLO~1\DMService.exe [9/21/2010 7:45 AM 423576]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys --> c:\windows\system32\drivers\massfilter.sys [?]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 3:37 PM 26624]
S3 TestController;Test Controller;c:\program files\testController.exe [10/20/2010 9:04 AM 157144]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Checkpoint]
2004-11-11 07:42	132707	----a-w-	c:\program files\CheckPoint\Session Authentication Agent\5.0\checkpoint_executable.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Quicktime]
2008-05-18 23:57	95744	----a-w-	c:\windows\system32\msiexec.exe
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://i4.tsacorp.com/homepage.asp
uInternet Settings,ProxyOverride = *.local
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
LSP: c:\progra~1\WHALEC~1\CLIENT~1\31265D~1.0\WhlLSP.dll
TCP: DhcpNameServer = 172.22.14.18 172.23.66.71
DPF: {5E3E59C4-7847-11D0-9081-0080C76A0985} - hxxps://i4.tsacorp.com/Common/activex/iptdimagecontrol.cab
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF}
DPF: {CAFECAFE-0013-0001-0030-ABCDEFABCDEF}
FF - ProfilePath - c:\documents and settings\mojem\Application Data\Mozilla\Firefox\Profiles\pd14r8hd.default\
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 1080
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-wxPython2.8-ansi-py27_is1 - c:\work\Python27\Lib\site-packages\wx-2.8-msw-ansi\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-07 16:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'lsass.exe'(748)
c:\progra~1\WHALEC~1\CLIENT~1\31265D~1.0\WhlNSP.dll
.
Completion time: 2011-06-07  16:40:39
ComboFix-quarantined-files.txt  2011-06-07 13:40
.
Pre-Run: 21,860,237,312 bytes free
Post-Run: 22,084,165,632 bytes free
.
- - End Of File - - 287542A23710A2EF9A704641CA7EF171

hijack log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:44:43 PM, on 6/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DeskPins\DeskPins.exe
C:\mojem\kits\Wlipper.exe
C:\mojem\kits\net\putty.exe
C:\totalcmd\TOTALCMD.EXE
C:\mojem\fx\mt4\terminal.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.1.2.200808010926\win32\x86\eclipse.exe
C:\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.j2se.win32.x86_1.6.0.20081029a-200812291355\jre\bin\notes2w.exe
C:\Program Files\WebEx\Productivity Tools\ptSrv.exe
C:\Lotus\Notes\ntaskldr.EXE
C:\Program Files\Hijckthis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://i4.tsacorp.com/homepage.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll
O3 - Toolbar: WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [support] "c:\Program Files\Common Files\support\s.bat"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [PTIM.exe] C:\Program Files\WebEx\Productivity Tools\PTIM.exe
O4 - S-1-5-18 Startup: Lotus Quickr Monitor.lnk = C:\Program Files\IBM\Lotus Quickr connectors\DIMon.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Lotus Quickr Monitor.lnk = C:\Program Files\IBM\Lotus Quickr connectors\DIMon.exe (User 'Default user')
O4 - Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe
O4 - Startup: Shortcut to Wlipper.lnk = C:\mojem\kits\Wlipper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\work\jre6\jre\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\work\jre6\jre\bin\jp2iexp.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (Lotus Quickr Class) - http://quickr.tsacorp.com/qp2.cab
O16 - DPF: {5E3E59C4-7847-11D0-9081-0080C76A0985} (IPTDImageControl.SImage) - https://i4.tsacorp.com/Common/activex/iptdimagecontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1214935205578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1285052103780
O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - 
O16 - DPF: {CAFECAFE-0013-0001-0030-ABCDEFABCDEF} (JInitiator 1.3.1.30) - 
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - 
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://i4.tsacorp.com/common/activex/ikcntrls.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eu.tsacorp.com
O17 - HKLM\Software\..\Telephony: DomainName = eu.tsacorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eu.tsacorp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eu.tsacorp.com
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASMAgent - Dell|ASAP Software - C:\Program Files\Asset Services Management\ASMAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\work\jre6\bin\jqs.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8719 bytes



The computer works fine


----------



## johnb35

Rerun hijackthis and place checks next to the following entries.

O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - 
O16 - DPF: {CAFECAFE-0013-0001-0030-ABCDEFABCDEF} (JInitiator 1.3.1.30) - 
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - 

Then click on fix checked.  

do you know what these entries are?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eu.tsacorp.com
O17 - HKLM\Software\..\Telephony: DomainName = eu.tsacorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eu.tsacorp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eu.tsacorp.com

Are you affiliated with eu.Tsacorp.com?  If not, you should have  hijackthis fix those entries as well.


----------



## mmoje

I did that and I know those entries, they are good.
I think I'm clean now, thanks for your help


----------



## johnb35

Your welcome.


----------



## mmoje

One more question, I think unhide tool is great, but I still have a problem Control Panel->Administrative Tools is still empty. Do you know what to do to fix this?


----------



## johnb35

Try following the instructions on this page.

http://windowsxp.mvps.org/admintools.htm


----------



## rosycheeks

I had to create an account simply to thank you, johnb35!  I used Malwarebytes and the unhide program that you suggested and my computer seems to be running just fine now. Thank goodness! I was ready to cry.  haha. So thank you! <3


----------



## johnb35

rosycheeks said:


> I had to create an account simply to thank you, johnb35!  I used Malwarebytes and the unhide program that you suggested and my computer seems to be running just fine now. Thank goodness! I was ready to cry.  haha. So thank you! <3



Well thank you.  Glad it all worked out for you.  Just a warning though, its still posible that you may have remnants of infections still on your machine without posting the logs requested.  Most of the time combofix is needed to fully remove the infections.


----------



## Kyledoubleyou

Hello, thanks for the advice so far. I installed and ran Rkill.scr and MalwareBytes, scanned my computer with a quick scan and came up with virus warnings. Cleaned the checked problems and restarted my computer to complete the process. However when it started up again my screen is still black, my Interface is still white and not Windows Vista like it should be, but if I scan again in MalwareBytes it says everything is fixed. 

I'm confused, I'll post the logs for Malware and Hijack This now...
[MalwareBytes scan]
*Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6816

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

6/8/2011 11:18:43 PM
mbam-log-2011-06-08 (23-18-43).txt

Scan type: Quick scan
Objects scanned: 172555
Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)*


----------



## Kyledoubleyou

[Hijack This Log]
*
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:11:55 PM, on 6/8/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows jZip Toolbar\Datamngr\datamngrUI.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: jZip Toolbar - {1e48c56f-08cd-43aa-a6ef-c1ec891551ab} - C:\PROGRA~1\WI83E4~1\ToolBar\jzipdtx.dll
O2 - BHO: UrlHelper Class - {41C4AA37-1DDD-4345-B8DC-734E4B38414D} - C:\PROGRA~1\WI83E4~1\Datamngr\IEBHO.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: jZip Toolbar - {1e48c56f-08cd-43aa-a6ef-c1ec891551ab} - C:\PROGRA~1\WI83E4~1\ToolBar\jzipdtx.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\WI83E4~1\Datamngr\DATAMN~1.EXE
O4 - HKLM\..\Run: [LifeChat] "C:\Program Files\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3402300340-2907761543-3658775700-1006\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O20 - AppInit_DLLs: C:\PROGRA~1\WI83E4~1\Datamngr\datamngr.dll C:\PROGRA~1\WI83E4~1\Datamngr\IEBHO.dll
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

--
End of file - 5889 bytes
*


----------



## djbulgogi

Hello Johnb35, boy I am glad I came across this thread, you are a saint and explain everything so clearly!

In any case I downloaded malwarebytes and ran it. While it was running the first time the computer suddenly shut down and rebooted before it could finish the scan and remove selected problems. I ran Rkill and waited until I got a log which is below.

*Rkill Log:*

Rkill was run on 06/09/2011 at  1:07:47.
Operating System: Windows 7 Home Premium


Processes terminated by Rkill or while it was running:

C:\ProgramData\hsRITIwubRlhk.exe
C:\windows\SysWOW64\attrib.exe
C:\windows\SysWOW64\attrib.exe
C:\windows\SysWOW64\attrib.exe


Rkill completed on 06/09/2011 at  1:07:54. 
________________________________________________________________

After this I ran malwarebytes again and this time it finished and I was able to remove the viruses. *Here is the log from malwarebytes:*

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6816

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/9/2011 1:21:45 AM
mbam-log-2011-06-09 (01-21-45).txt

Scan type: Quick scan
Objects scanned: 170748
Time elapsed: 6 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsRITIwubRlhk (Trojan.FakeMS) -> Value: hsRITIwubRlhk -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\hsritiwubrlhk.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\programdata\41410296.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Users\matei\AppData\Local\Temp\-213E8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\matei\AppData\Local\Temp\1363E8.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\matei\AppData\Local\Temp\D456.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\matei\AppData\Local\Temp\tmpD189.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.
________________________________________________________________


After this I installed HijackThis and ran "scan and save log." However I can't seem to save my log file it will only scan when I press this. When it begins scanning this message appears: "For some reason system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this. If that happens you need to edit the file yourself. To do this, run: notepad C:\windows\system32\etc\hosts and find the line(s) HijackThis reports and delete them. Save the file as 'hosts' and reboot.
________________________________________________________________
Here is what I found in the hosts file when opened with notepad: 


# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost


This does not seems to have much and is a generic message right? So how can I get the log saved from HijackThis. My computer is running fine now and the virus seems to be gone, I just want to double check with you that I'm in the clear.

Very much appreciated, again you are a saint mate!


----------



## rschwarz

*Can't load malware bytes to deal with "system has detected . . .IDE/SATA" virus*

Hi,

I have the same problems as the other users who got the error message "system has detected . . . IDE/SATA hard disks, except that my computer won't let me install Malware Bytes.

I am able to download Malware Bytes and save the exe file to my desktop, but when i try to install the file, after the install program starts to run and extract files, i get what looks like a fake error message saying that the setup has failed. When i X out of that dialog box the Malware bytes install program rolls back and doesn't finish installation.

I'm pretty sure that either my daughter or i rebooted the computer after getting the virus.

Is there anything i can do to fix this?

Thanks in advance for your help.


----------



## djbulgogi

Rschwarz - This is a nasty little virus we got I'd recommend reading every post in this thread because it's going to help us all out a lot. Here is the answer to your question which Johnb35 answers in the first page of this thread.



> If for some reason Malwarebytes will not install or run please download and run Rkill.scr, Rkill.exe, or Rkill.com but DO NOT reboot the system and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it. Once a log appears on the screen, you can try running malwarebytes or downloading other programs.


----------



## johnb35

rschwarz,

Please do the following.


If for some reason Malwarebytes will not install or run please download and run Rkill.scr,  Rkill.exe, or Rkill.com  but *DO NOT *reboot the system and then try installing or running Malwarebytes.  If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it.  Once a log appears on the screen, you can try running malwarebytes or downloading other programs.


Let me know if it still won't work and I'll have you run another program.


----------



## johnb35

djbulgogi,

Please right click on hijackthis and click on run as admin,  If the run as admin option doesn't appear then press and hold the shift key while right clicking on hijackthis and the option will apear.

Also go ahead and do the following.  Please disable any active virus software before running combofix.  If you AVG antivirus, it must be uninstalled before running combofix.

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

http://www.bleepingcomputer.com/download/anti-virus/combofix

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more that 20 minutes including the reboot if malware is detected.


In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## johnb35

Kyledoubleyou,

Please download and run unhide.exe.  This should restore your missing desktop and files/folders, etc...

Also please do the following.

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

http://www.bleepingcomputer.com/download/anti-virus/combofix

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more that 20 minutes including the reboot if malware is detected.


In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## rschwarz

johnb35,

I followed your instructions, but i couldn't get MalWare Bytes to install.

I ran rKill and got a notepad message saying that rKill was run and completed, but it didn't list any processes terminated by rKill.

When i tried to run MalWare Bytes after getting the rKill notepad, i got the same fake error messages i got before and it rolled back the Malware file installation.

What do you suggest?  thanks so much for your willingness to help!


----------



## djbulgogi

Yes, shift + right click and running it as the admin did the trick.

*HijackThis Log*
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:43:42 PM, on 6/9/2011
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16766)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
C:\Program Files (x86)\msi\msi LED Manager\SLM.exe
C:\Program Files (x86)\msi\NVIDIA Overclock Tool\NVIDIAOCAP.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Motorola\Bluetooth\btplayerctrl.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msi.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msi.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [NortonOnlineBackup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [msi LED Manager] C:\Program Files (x86)\msi\msi LED Manager\SLM.exe
O4 - HKLM\..\Run: [NVIDIAOCAP] C:\Program Files (x86)\MSI\NVIDIA Overclock Tool\NVIDIAOCAP.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1575950506-223816923-3895840053-1000\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-1575950506-223816923-3895840053-1000\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Device Manager - Motorola, Inc. - C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe
O23 - Service: Bluetooth Media Service - Motorola, Inc. - C:\Program Files\Motorola\Bluetooth\audiosrv.exe
O23 - Service: Bluetooth OBEX Service - Motorola, Inc. - C:\Program Files\Motorola\Bluetooth\obexsrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Micro Star SCM - Micro-Star International Co., Ltd. - C:\Program Files (x86)\System Control Manager\MSIService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
O23 - Service: Norton Online Backup (NOBU) - Symantec Corporation - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 12418 bytes
________________________________________________________________________________


I ran combofix but had some troubles with Norton Internet Security. I shutdown combofix before it could start running until I dealt with NIS. I downloaded a Norton Remover Tool because I couldn't delete it from add/remove program in the control panel for some reason. This cleared Norton Internet Security. _What internet security would you suggest I download after I have cleared my computer of an malware?_

So I rebooted, ran combofix and all worked well.

*Combofix Log*
ComboFix 11-06-09.04 - matei 06/09/2011  15:22:30.1.8 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.6126.4589 [GMT -5:00]
Running from: c:\users\matei\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\ICON.ico
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-09 to 2011-06-09  )))))))))))))))))))))))))))))))
.
.
2011-06-09 20:29 . 2011-06-09 20:29	--------	d-----w-	c:\users\UpdatusUser\AppData\Local\temp
2011-06-09 20:29 . 2011-06-09 20:29	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-06-09 20:20 . 2011-06-09 20:20	--------	d-----w-	C:\32788R22FWJFW
2011-06-09 20:11 . 2011-06-09 20:11	--------	d-----w-	c:\programdata\Symantec
2011-06-09 06:28 . 2011-06-09 06:28	388096	----a-r-	c:\users\matei\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-09 06:28 . 2011-06-09 06:28	--------	d-----w-	c:\program files (x86)\Trend Micro
2011-06-09 05:51 . 2011-06-09 05:51	--------	d-----w-	c:\users\matei\AppData\Roaming\Malwarebytes
2011-06-09 05:51 . 2011-05-29 14:11	39984	----a-w-	c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-09 05:51 . 2011-06-09 05:51	--------	d-----w-	c:\programdata\Malwarebytes
2011-06-09 05:51 . 2011-06-09 06:14	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2011-06-09 05:51 . 2011-05-29 14:11	25912	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-09 05:33 . 2011-05-09 22:00	8718160	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{36D02244-265C-4479-9452-D104B569FC15}\mpengine.dll
2011-05-29 03:48 . 2011-06-09 05:06	--------	d-----w-	c:\users\matei\AppData\Roaming\go
2011-05-29 03:48 . 2011-06-09 05:16	--------	d-----w-	c:\programdata\Easybits GO
2011-05-25 16:46 . 2011-04-22 20:18	27008	----a-w-	c:\windows\system32\drivers\Diskdump.sys
2011-05-19 22:15 . 2011-05-19 22:15	--------	d-----w-	c:\program files (x86)\MSECache
2011-05-16 22:06 . 2011-05-16 22:06	1090952	----a-w-	c:\program files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2011-05-16 03:25 . 2011-06-09 05:06	--------	d-----w-	c:\programdata\Skype Extras
2011-05-14 01:06 . 2011-04-09 06:58	142336	----a-w-	c:\windows\system32\poqexec.exe
2011-05-14 01:06 . 2011-04-09 05:56	123904	----a-w-	c:\windows\SysWow64\poqexec.exe
2011-05-13 10:19 . 2011-05-13 10:19	--------	d-----w-	c:\program files (x86)\Catan GmbH
2011-05-13 10:19 . 2011-05-13 10:19	--------	d-----w-	c:\program files (x86)\Common Files\Java
2011-05-13 10:19 . 2011-05-13 10:19	472808	----a-w-	c:\windows\SysWow64\deployJava1.dll
2011-05-13 10:19 . 2011-05-13 10:19	--------	d-----w-	c:\program files (x86)\Java
2011-05-11 06:46 . 2011-05-11 06:48	--------	d-----w-	c:\users\matei\AppData\Roaming\Ventrilo
2011-05-11 06:45 . 2011-05-11 06:45	--------	d-----w-	c:\program files (x86)\Ventrilo
2011-05-11 06:44 . 2011-05-11 06:44	--------	d-----w-	c:\program files (x86)\Common Files\Wise Installation Wizard
2011-05-10 23:31 . 2011-04-09 06:45	5509504	----a-w-	c:\windows\system32\ntoskrnl.exe
2011-05-10 23:31 . 2011-04-09 06:13	3957632	----a-w-	c:\windows\SysWow64\ntkrnlpa.exe
2011-05-10 23:31 . 2011-04-09 06:13	3901824	----a-w-	c:\windows\SysWow64\ntoskrnl.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-25 00:14 . 2011-03-25 21:25	270720	------w-	c:\windows\system32\MpSigStub.exe
2011-03-25 02:58 . 2011-03-25 02:58	6	----a-w-	c:\windows\silentOnce.tmp
2011-03-25 02:38 . 2011-03-25 02:28	2829	----a-w-	c:\windows\War3Unin.pif
2011-03-25 02:38 . 2011-03-25 02:28	139264	----a-w-	c:\windows\War3Unin.exe
2011-03-12 12:03 . 2011-04-26 20:04	662528	----a-w-	c:\windows\system32\XpsPrint.dll
2011-03-12 11:31 . 2011-04-26 20:04	442880	----a-w-	c:\windows\SysWow64\XpsPrint.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-01-22 106496]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"NortonOnlineBackup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-03-05 1112920]
"MGSysCtrl"="c:\program files (x86)\System Control Manager\MGSysCtrl.exe" [2010-03-19 2408448]
"msi LED Manager"="c:\program files (x86)\msi\msi LED Manager\SLM.exe" [2010-06-22 2793984]
"NVIDIAOCAP"="c:\program files (x86)\MSI\NVIDIA Overclock Tool\NVIDIAOCAP.exe" [2010-06-11 81408]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-28 136176]
R3 BTMCOM;Bluetooth Serial Port;c:\windows\System32\Drivers\btmcom.sys [x]
R3 BTMHID;BTMHID;c:\windows\system32\DRIVERS\btmhid.sys [x]
R3 BTMUSB;Motorola Bluetooth Radio Service;c:\windows\system32\Drivers\btmusb.sys [x]
R3 EUCR;EUCR;c:\windows\system32\DRIVERS\EUCR6SK.SYS [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files (x86)\Garena\safedrv.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-28 136176]
R3 MGHwCtrl;MGHwCtrl;c:\program files\msi\msi Software Install\MGHwCtrl.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2010-03-05 340240]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files\Motorola\Bluetooth\obexsrv.exe [2010-04-22 677128]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 Micro Star SCM;Micro Star SCM;c:\program files (x86)\System Control Manager\MSIService.exe [2009-07-09 160768]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe service [x]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2010-03-10 1927784]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [x]
S3 Bluetooth Device Manager;Bluetooth Device Manager;c:\program files\Motorola\Bluetooth\devmgrsrv.exe [2010-04-15 4170504]
S3 Bluetooth Media Service;Bluetooth Media Service;c:\program files\Motorola\Bluetooth\audiosrv.exe [2010-04-15 1096456]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-07-17 1028096]
S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-28 03:52]
.
2011-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-28 03:52]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-10 17410152]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-05-10 10804256]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-03-05 1928976]
"BTMTrayAgent"="c:\program files\Motorola\Bluetooth\btmshell.dll" [2010-04-22 19645704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://msi.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\matei\AppData\Roaming\Mozilla\Firefox\Profiles\tu1jgxci.default\
FF - prefs.js: browser.startup.homepage - nytimes.com
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-06-09  15:32:27
ComboFix-quarantined-files.txt  2011-06-09 20:32
.
Pre-Run: 535,689,859,072 bytes free
Post-Run: 535,399,694,336 bytes free
.
- - End Of File - - D0F7FFF33EC13C6CB36E436BE87CDBBB
_________________________________________________________________________________________________________________

*Update on Computer Status*

Seems to running fine overall, definitely not bogged down anymore. I'm getting some minor spikes in online games I didn't have before but I think that has more to do with an internet connection to a server rather than my laptop.

*Much appreciated!!!*


----------



## johnb35

rschwarz said:


> johnb35,
> 
> I followed your instructions, but i couldn't get MalWare Bytes to install.
> 
> I ran rKill and got a notepad message saying that rKill was run and completed, but it didn't list any processes terminated by rKill.
> 
> When i tried to run MalWare Bytes after getting the rKill notepad, i got the same fake error messages i got before and it rolled back the Malware file installation.
> 
> What do you suggest?  thanks so much for your willingness to help!



*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

http://www.bleepingcomputer.com/download/anti-virus/combofix

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more that 20 minutes including the reboot if malware is detected.


In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## johnb35

djbulgogi,

You didn't have to uninstall norton, you just had to disble its realtime scanning.  You can either reinstall it or download and install a free program such as Microsoft Security Essentials or Avast.

MSE - http://www.microsoft.com/en-us/security_essentials/default.aspx

Avast - http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html


----------



## djbulgogi

Johnb35,

Ah okay I was just having some troubles closing the program. It kept denying me access from closing the program so I just scrapped it 

Downloading Avast right now, thanks for the suggestion.

All the logs looked okay?


----------



## johnb35

djbulgogi said:


> Johnb35,
> 
> Ah okay I was just having some troubles closing the program. It kept denying me access from closing the program so I just scrapped it
> 
> Downloading Avast right now, thanks for the suggestion.
> 
> All the logs looked okay?



Your logs look good.  Let me know if you have any more issues.


----------



## rschwarz

my computer seems to be virus free but, I can't get the files unhidden.

I ran combofix, hijackthis, and malwarebytes (no problems found with malware). I tried to paste the logs for combofix and hijackthis, but everytime i do, it freezes up the message box.

I ran unhide.exe with Avira enabled and disabled, but neither worked. i also tried to get to the profile folder to uncheck hidden files, but i don't know how to get to the profile folder/file. Can you help?


----------



## johnb35

Can you try emailing me the combofix and malwarebytes logs?  [email protected]


----------



## djbulgogi

johnb35 said:


> Your logs look good.  Let me know if you have any more issues.



Everythings going pretty smoothly, thanks for your time and patience


----------



## GameOver

I had the same Virus and I downloaded both Malwarebytes and ComboFix here is the log file from hijackthis could you look over it for me and thanks for all the help with your previous posts.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:42:36 PM, on 6/10/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\EloSrvce.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\EloDkMon.exe
C:\WINDOWS\system32\EloTTray.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng9.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://symantec.webex.com/client/T27L10NSP11EP14/support/ieatgpc.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: EloSystemService - Elo Touchsystems - C:\WINDOWS\system32\EloSrvce.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe

--
End of file - 4870 bytes


----------



## johnb35

GameOver,

I would need to see the combofix log as well.  Please post it when you have the opportunity.  The log will be at c:\combofix.txt.  Just open it up and copy and paste the contents of it back here.


----------



## topcatin

Hi Johnb35, 

I got the "The system has detected a problem with one or emore..." error. I loaded the Malwarebytes and ran it. The pop-ups stopped but my icons are not visible. I tried the "unhide.exe" too. 
The following is the log from hijackthis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:51:21 PM, on 6/10/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Owner\Application Data\U3\0000155C29603393\LaunchPad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CIEDownload Object - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe 
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\DLCGtime.dll,[email protected]
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [hsRITIwubRlhk] C:\Documents and Settings\All Users\Application Data\hsRITIwubRlhk.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137432375828
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_02) - https://kronosweb.cps.k12.il.us/WFC/plugins/j2re-1_3_1_02-win.exe
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,37
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: dlcg_device -   - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O24 - Desktop Component 0: (no name) - http://mail.google.com/mail/?view=att&disp=emb&attid=0.1&th=10bf32c0aa33d507

--
End of file - 8738 bytes


Please advise and what I should do. Thanks!


----------



## johnb35

topcatin,

Please post the combofix log for me to analyze, there still may be malware that needs to be removed.  The combofix log is located at C:\combofix.txt.


----------



## kez

Hi John,
After trying some suggestions in a couple of other forums that proved fruitless, I found this discussion and followed your instructions.

I ran malwarebytes, HijackThis, unhide and ComboFix. The problem appeared to be removed by Malwarebytes, however ComboFix took a really long time to run so I don't know if that means I still have problems! I've posted all the logs below.

Also, unhide made my files and folders reappear, however only half my desktop icons are visible, and there is nothing showing up in the start bar. Also, the "show desktop" icon isn't on the taskbar. 

Many thanks!!!

-------------------------------------------------
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6832

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19048

11/06/2011 11:57:30 AM
mbam-log-2011-06-11 (11-57-30).txt

Scan type: Quick scan
Objects scanned: 155032
Time elapsed: 19 minute(s), 44 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
c:\programdata\xvwrsqswuxyvn.exe (Trojan.FakeAlert) -> 4200 -> Unloaded process successfully.
c:\programdata\35184376.exe (Trojan.FakeAlert) -> 5240 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xVWrsqSWuxYVn (Trojan.FakeAlert) -> Value: xVWrsqSWuxYVn -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\xvwrsqswuxyvn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\programdata\35184376.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Kerryn\AppData\Local\Temp\7D81.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Kerryn\AppData\Local\Temp\7DA3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Kerryn\AppData\Local\Temp\83D9.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Kerryn\AppData\Local\Temp\tmp7CA7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.



------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:40:50 PM, on 11/06/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.19048)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\ooVoo\ooVoo.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Program Files\Ovi Files\Ovi Files_agent.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.jp.msn.com/USCON/19
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: DigitalPersona Fingerprint Software Extension - {395610AE-C624-4f58-B89E-23733EA00F9A} - C:\Program Files\DigitalPersona\Bin\DpOtsPluginIe8.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ooVoo Toolbar - {A1FB2F9A-D35E-11DD-8935-E46A56D89593} - C:\Program Files\oovootb\oovoodx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: ooVoo Toolbar - {A1FB2F9A-D35E-11DD-8935-E46A56D89593} - C:\Program Files\oovootb\oovoodx.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [OA001Cfg.exe] OA001Cfg.exe
O4 - HKLM\..\Run: [Ovi Files Update] "C:\Program Files\Ovi Files\updater.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Kerryn\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ooVoo.exe] C:\program files\oovoo\oovoo.exe /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = C:\Users\Kerryn\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: EvernoteClipper.lnk = C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
O4 - Startup: Shrink Pic.lnk = C:\Program Files\Shrink Pic\shrink_pic.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ovi Files Connector.lnk = ?
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Add to Evernote 4.0 - res://C:\Program Files\Evernote\Evernote\EvernoteIE.dll/204
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Program Files\Fingerprint Sensor\AtService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: dldn_device -   - C:\Windows\system32\dldncoms.exe
O23 - Service: @C:\Program Files\DigitalPersona\Bin\DpHostW.exe,-128 (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 13785 bytes


-------------------------------------


.
(((((((((((((((((((((((((   Files Created from 2011-05-11 to 2011-06-11  )))))))))))))))))))))))))))))))
.
.
2011-06-11 03:31 . 2011-06-11 03:31	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-06-11 02:32 . 2011-06-11 02:32	388096	----a-r-	c:\users\Kerryn\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-11 02:32 . 2011-06-11 02:32	--------	d-----w-	c:\program files\Trend Micro
2011-06-11 01:36 . 2011-06-11 01:36	--------	d-----w-	c:\users\Kerryn\AppData\Roaming\Malwarebytes
2011-06-11 01:35 . 2011-05-28 23:11	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-11 01:35 . 2011-06-11 01:35	--------	d-----w-	c:\programdata\Malwarebytes
2011-06-11 01:35 . 2011-06-11 01:35	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-06-11 01:35 . 2011-05-28 23:11	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-07 23:30 . 2011-06-07 23:30	--------	d-----w-	c:\program files\CCleaner
2011-06-05 08:46 . 2011-05-09 20:46	6962000	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{6208882C-220A-46B5-9A20-D7FFD169F332}\mpengine.dll
2011-05-29 02:01 . 2011-05-29 02:01	--------	d-----w-	c:\program files\Encrypt Files
2011-05-28 04:57 . 2011-04-07 12:01	2409784	----a-w-	c:\program files\Windows Mail\OESpamFilter.dat
2011-05-28 04:12 . 2011-05-28 04:12	--------	d-----w-	c:\program files\iPod
2011-05-28 04:06 . 2011-05-28 04:06	--------	d-----w-	c:\program files\Bonjour
2011-05-26 01:17 . 2011-05-26 01:17	--------	d-----w-	c:\program files\Safari
2011-05-25 11:12 . 2011-05-25 11:12	--------	d-----w-	c:\users\Kerryn\AppData\Local\Evernote
2011-05-25 11:10 . 2011-05-25 11:11	--------	d-----w-	c:\program files\Evernote
2011-05-18 09:30 . 2011-05-18 09:30	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-15 07:50 . 2011-05-15 07:54	--------	d-----w-	c:\users\Kerryn\AppData\Roaming\PC Suite
2011-05-15 07:50 . 2011-05-15 07:53	--------	d-----w-	c:\programdata\PC Suite
2011-05-15 07:49 . 2011-05-15 08:18	--------	d-----w-	c:\users\Kerryn\AppData\Roaming\Nokia
2011-05-15 07:48 . 2011-05-15 07:48	--------	d-----w-	c:\program files\Common Files\PCSuite
2011-05-15 07:48 . 2011-05-15 07:48	--------	d-----w-	c:\program files\Common Files\Nokia
2011-05-15 07:47 . 2007-09-17 05:53	21632	----a-w-	c:\windows\system32\drivers\pccsmcfd.sys
2011-05-15 07:45 . 2011-05-15 07:45	--------	d-----w-	c:\program files\PC Connectivity Solution
2011-05-15 07:40 . 2007-11-29 00:32	48128	----a-w-	c:\windows\system32\nmwcdcls.dll
2011-05-15 07:40 . 2011-05-15 07:48	--------	d-----w-	c:\program files\Nokia
2011-05-15 07:37 . 2011-05-15 07:37	--------	d-----w-	c:\programdata\Installations
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 06:20 . 2011-04-06 06:20	91424	----a-w-	c:\windows\system32\dnssd.dll
2011-04-06 06:20 . 2011-04-06 06:20	75040	----a-w-	c:\windows\system32\jdns_sd.dll
2011-04-06 06:20 . 2011-04-06 06:20	197920	----a-w-	c:\windows\system32\dnssdX.dll
2011-04-06 06:20 . 2011-04-06 06:20	107808	----a-w-	c:\windows\system32\dns-sd.exe
2011-05-08 00:57 . 2011-05-08 00:57	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-01-02 01:06	365960	----a-w-	c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1FB2F9A-D35E-11DD-8935-E46A56D89593}]
2009-05-08 19:00	86016	----a-w-	c:\program files\oovootb\oovoodx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-01-02 365960]
"{A1FB2F9A-D35E-11DD-8935-E46A56D89593}"= "c:\program files\oovootb\oovoodx.dll" [2009-05-08 86016]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CLASSES_ROOT\clsid\{a1fb2f9a-d35e-11dd-8935-e46a56d89593}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-01-02 365960]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36	94208	----a-w-	c:\users\Kerryn\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36	94208	----a-w-	c:\users\Kerryn\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36	94208	----a-w-	c:\users\Kerryn\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-11 2424192]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 1232896]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 1079808]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ooVoo.exe"="c:\program files\oovoo\oovoo.exe" [2011-05-17 22631608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-25 200704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-12-22 483420]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-21 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-21 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-21 154136]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-28 1218008]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-07-04 132392]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"OA001Cfg.exe"="OA001Cfg.exe" [2009-01-19 32768]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2009-05-12 842816]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-26 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-28 1047656]
.
c:\users\Kerryn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Kerryn\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-26 24176560]
EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2011-4-27 973824]
Shrink Pic.lnk - c:\program files\Shrink Pic\shrink_pic.exe [2009-3-19 2515456]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-5 752168]
Corel Desktop Application Director 8.LNK - c:\corel\Suite8\Programs\DAD8.EXE [2009-4-18 200192]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-4-2 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2007-6-3 83360]
Ovi Files Connector.lnk - c:\program files\Ovi Files\Ovi Files_agent.exe [2010-2-22 1160560]
PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [2009-1-29 10950144]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-7-31 1616976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 22:00	548352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-04-02 00:31	10536	----a-w-	c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-28 39984]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-19 12872]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-19 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-07-20 67656]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\aestsrv.exe [2008-12-22 81920]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-10-16 1668344]
S2 dldn_device;dldn_device;c:\windows\system32\dldncoms.exe [2008-03-04 595184]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-10-16 482176]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-06-16 29736]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-11-21 112128]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2008-08-25 54784]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-08-25 203264]
S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-07-04 3663360]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2009-03-05 133632]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2009-03-08 280096]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	REG_MULTI_SZ   	BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2600607289-1744401803-3834185915-1000Core.job
- c:\users\Kerryn\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-26 02:40]
.
2011-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2600607289-1744401803-3834185915-1000UA.job
- c:\users\Kerryn\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-26 02:40]
.
2010-05-14 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 01:22]
.
2009-04-02 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 01:22]
.
2011-06-10 c:\windows\Tasks\User_Feed_Synchronization-{FB6FEBCF-F48B-4E51-95DA-59DD4B298EAB}.job
- c:\windows\system32\msfeedssync.exe [2011-04-13 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://gmail.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204
TCP: DhcpNameServer = 10.1.1.1
FF - ProfilePath - c:\users\Kerryn\AppData\Roaming\Mozilla\Firefox\Profiles\q67fm0o4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Ovi Files Update - c:\program files\Ovi Files\updater.exe
.
.
.
**************************************************************************
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2172)
c:\users\Kerryn\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 6\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\STacSV.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
.
**************************************************************************
.
Completion time: 2011-06-11  13:50:15 - machine was rebooted
ComboFix-quarantined-files.txt  2011-06-11 03:49
.
Pre-Run: 207,474,601,984 bytes free
Post-Run: 207,395,270,656 bytes free
.
- - End Of File - - 9752B975B72B4C3F2B1C348E769A327D


----------



## johnb35

You omitted the first part of the combofix log.  Please repost.


----------



## kez

Sorry...

ComboFix 11-06-10.09 - Kerryn 11/06/2011  12:52:58.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.61.1033.18.2006.815 [GMT 10:00]
Running from: c:\users\Kerryn\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
AV: McAfee VirusScan *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee VirusScan *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: McAfee VirusScan *Disabled/Outdated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\windows\winhelp.ini
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-11 to 2011-06-11  )))))))))))))))))))))))))))))))
.
.
2011-06-11 03:31 . 2011-06-11 03:31	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-06-11 02:32 . 2011-06-11 02:32	388096	----a-r-	c:\users\Kerryn\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-11 02:32 . 2011-06-11 02:32	--------	d-----w-	c:\program files\Trend Micro
2011-06-11 01:36 . 2011-06-11 01:36	--------	d-----w-	c:\users\Kerryn\AppData\Roaming\Malwarebytes
2011-06-11 01:35 . 2011-05-28 23:11	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-11 01:35 . 2011-06-11 01:35	--------	d-----w-	c:\programdata\Malwarebytes
2011-06-11 01:35 . 2011-06-11 01:35	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-06-11 01:35 . 2011-05-28 23:11	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-07 23:30 . 2011-06-07 23:30	--------	d-----w-	c:\program files\CCleaner
2011-06-05 08:46 . 2011-05-09 20:46	6962000	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{6208882C-220A-46B5-9A20-D7FFD169F332}\mpengine.dll
2011-05-29 02:01 . 2011-05-29 02:01	--------	d-----w-	c:\program files\Encrypt Files
2011-05-28 04:57 . 2011-04-07 12:01	2409784	----a-w-	c:\program files\Windows Mail\OESpamFilter.dat
2011-05-28 04:12 . 2011-05-28 04:12	--------	d-----w-	c:\program files\iPod
2011-05-28 04:06 . 2011-05-28 04:06	--------	d-----w-	c:\program files\Bonjour
2011-05-26 01:17 . 2011-05-26 01:17	--------	d-----w-	c:\program files\Safari
2011-05-25 11:12 . 2011-05-25 11:12	--------	d-----w-	c:\users\Kerryn\AppData\Local\Evernote
2011-05-25 11:10 . 2011-05-25 11:11	--------	d-----w-	c:\program files\Evernote
2011-05-18 09:30 . 2011-05-18 09:30	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-15 07:50 . 2011-05-15 07:54	--------	d-----w-	c:\users\Kerryn\AppData\Roaming\PC Suite
2011-05-15 07:50 . 2011-05-15 07:53	--------	d-----w-	c:\programdata\PC Suite
2011-05-15 07:49 . 2011-05-15 08:18	--------	d-----w-	c:\users\Kerryn\AppData\Roaming\Nokia
2011-05-15 07:48 . 2011-05-15 07:48	--------	d-----w-	c:\program files\Common Files\PCSuite
2011-05-15 07:48 . 2011-05-15 07:48	--------	d-----w-	c:\program files\Common Files\Nokia
2011-05-15 07:47 . 2007-09-17 05:53	21632	----a-w-	c:\windows\system32\drivers\pccsmcfd.sys
2011-05-15 07:45 . 2011-05-15 07:45	--------	d-----w-	c:\program files\PC Connectivity Solution
2011-05-15 07:40 . 2007-11-29 00:32	48128	----a-w-	c:\windows\system32\nmwcdcls.dll
2011-05-15 07:40 . 2011-05-15 07:48	--------	d-----w-	c:\program files\Nokia
2011-05-15 07:37 . 2011-05-15 07:37	--------	d-----w-	c:\programdata\Installations
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 06:20 . 2011-04-06 06:20	91424	----a-w-	c:\windows\system32\dnssd.dll
2011-04-06 06:20 . 2011-04-06 06:20	75040	----a-w-	c:\windows\system32\jdns_sd.dll
2011-04-06 06:20 . 2011-04-06 06:20	197920	----a-w-	c:\windows\system32\dnssdX.dll
2011-04-06 06:20 . 2011-04-06 06:20	107808	----a-w-	c:\windows\system32\dns-sd.exe
2011-05-08 00:57 . 2011-05-08 00:57	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-01-02 01:06	365960	----a-w-	c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1FB2F9A-D35E-11DD-8935-E46A56D89593}]
2009-05-08 19:00	86016	----a-w-	c:\program files\oovootb\oovoodx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-01-02 365960]
"{A1FB2F9A-D35E-11DD-8935-E46A56D89593}"= "c:\program files\oovootb\oovoodx.dll" [2009-05-08 86016]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CLASSES_ROOT\clsid\{a1fb2f9a-d35e-11dd-8935-e46a56d89593}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-01-02 365960]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36	94208	----a-w-	c:\users\Kerryn\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36	94208	----a-w-	c:\users\Kerryn\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36	94208	----a-w-	c:\users\Kerryn\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-11 2424192]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 1232896]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 1079808]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ooVoo.exe"="c:\program files\oovoo\oovoo.exe" [2011-05-17 22631608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-25 200704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-12-22 483420]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-21 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-21 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-21 154136]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-28 1218008]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-07-04 132392]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"OA001Cfg.exe"="OA001Cfg.exe" [2009-01-19 32768]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2009-05-12 842816]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-26 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-28 1047656]
.
c:\users\Kerryn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Kerryn\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-26 24176560]
EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2011-4-27 973824]
Shrink Pic.lnk - c:\program files\Shrink Pic\shrink_pic.exe [2009-3-19 2515456]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-5 752168]
Corel Desktop Application Director 8.LNK - c:\corel\Suite8\Programs\DAD8.EXE [2009-4-18 200192]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-4-2 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2007-6-3 83360]
Ovi Files Connector.lnk - c:\program files\Ovi Files\Ovi Files_agent.exe [2010-2-22 1160560]
PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [2009-1-29 10950144]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-7-31 1616976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 22:00	548352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-04-02 00:31	10536	----a-w-	c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-28 39984]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-19 12872]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-19 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-07-20 67656]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\aestsrv.exe [2008-12-22 81920]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-10-16 1668344]
S2 dldn_device;dldn_device;c:\windows\system32\dldncoms.exe [2008-03-04 595184]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-10-16 482176]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-06-16 29736]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-11-21 112128]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2008-08-25 54784]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-08-25 203264]
S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-07-04 3663360]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2009-03-05 133632]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2009-03-08 280096]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	REG_MULTI_SZ   	BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2600607289-1744401803-3834185915-1000Core.job
- c:\users\Kerryn\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-26 02:40]
.
2011-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2600607289-1744401803-3834185915-1000UA.job
- c:\users\Kerryn\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-26 02:40]
.
2010-05-14 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 01:22]
.
2009-04-02 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 01:22]
.
2011-06-10 c:\windows\Tasks\User_Feed_Synchronization-{FB6FEBCF-F48B-4E51-95DA-59DD4B298EAB}.job
- c:\windows\system32\msfeedssync.exe [2011-04-13 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://gmail.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204
TCP: DhcpNameServer = 10.1.1.1
FF - ProfilePath - c:\users\Kerryn\AppData\Roaming\Mozilla\Firefox\Profiles\q67fm0o4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Ovi Files Update - c:\program files\Ovi Files\updater.exe
.
.
.
**************************************************************************
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2172)
c:\users\Kerryn\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 6\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\STacSV.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
.
**************************************************************************
.
Completion time: 2011-06-11  13:50:15 - machine was rebooted
ComboFix-quarantined-files.txt  2011-06-11 03:49
.
Pre-Run: 207,474,601,984 bytes free
Post-Run: 207,395,270,656 bytes free
.
- - End Of File - - 9752B975B72B4C3F2B1C348E769A327D


----------



## johnb35

I don't see anything else that needs to be removed, however, you do need to run a small combofix script.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box



		Code:
	

Reglock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]




3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!








ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.



Try rerunning the unhide file again to see if it restores anything more.  If not, I would suggest doing a system restore back to a few days prior to being infected and then rescan your system with malwarebytes and hijackthis and post the logs for me.


----------



## kez

Thanks John. New Combofix log below.

I tried to run Unhide again but it won't run - says 'The directory name is invalid'. I tried downloading it again but same result.

I went to do a system restore but the only option for a restore point it gave me was the one created by ComboFix today.


ComboFix 11-06-10.09 - Kerryn 11/06/2011  14:36:08.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.61.1033.18.2006.959 [GMT 10:00]
Running from: c:\users\Kerryn\Desktop\ComboFix.exe
Command switches used :: c:\users\Kerryn\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
AV: McAfee VirusScan *Enabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee VirusScan *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: McAfee VirusScan *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-11 to 2011-06-11  )))))))))))))))))))))))))))))))
.
.
2011-06-11 04:44 . 2011-06-11 04:44	--------	d-----w-	c:\users\Kerryn\AppData\Local\temp
2011-06-11 04:44 . 2011-06-11 04:44	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-06-11 02:32 . 2011-06-11 02:32	388096	----a-r-	c:\users\Kerryn\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-11 02:32 . 2011-06-11 02:32	--------	d-----w-	c:\program files\Trend Micro
2011-06-11 01:36 . 2011-06-11 01:36	--------	d-----w-	c:\users\Kerryn\AppData\Roaming\Malwarebytes
2011-06-11 01:35 . 2011-05-28 23:11	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-11 01:35 . 2011-06-11 01:35	--------	d-----w-	c:\programdata\Malwarebytes
2011-06-11 01:35 . 2011-06-11 01:35	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-06-11 01:35 . 2011-05-28 23:11	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-07 23:30 . 2011-06-07 23:30	--------	d-----w-	c:\program files\CCleaner
2011-06-05 08:46 . 2011-05-09 20:46	6962000	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{6208882C-220A-46B5-9A20-D7FFD169F332}\mpengine.dll
2011-05-29 02:01 . 2011-05-29 02:01	--------	d-----w-	c:\program files\Encrypt Files
2011-05-28 04:57 . 2011-04-07 12:01	2409784	----a-w-	c:\program files\Windows Mail\OESpamFilter.dat
2011-05-28 04:12 . 2011-05-28 04:12	--------	d-----w-	c:\program files\iPod
2011-05-28 04:06 . 2011-05-28 04:06	--------	d-----w-	c:\program files\Bonjour
2011-05-26 01:17 . 2011-05-26 01:17	--------	d-----w-	c:\program files\Safari
2011-05-25 11:12 . 2011-05-25 11:12	--------	d-----w-	c:\users\Kerryn\AppData\Local\Evernote
2011-05-25 11:10 . 2011-05-25 11:11	--------	d-----w-	c:\program files\Evernote
2011-05-18 09:30 . 2011-05-18 09:30	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-15 07:50 . 2011-05-15 07:54	--------	d-----w-	c:\users\Kerryn\AppData\Roaming\PC Suite
2011-05-15 07:50 . 2011-05-15 07:53	--------	d-----w-	c:\programdata\PC Suite
2011-05-15 07:49 . 2011-05-15 08:18	--------	d-----w-	c:\users\Kerryn\AppData\Roaming\Nokia
2011-05-15 07:48 . 2011-05-15 07:48	--------	d-----w-	c:\program files\Common Files\PCSuite
2011-05-15 07:48 . 2011-05-15 07:48	--------	d-----w-	c:\program files\Common Files\Nokia
2011-05-15 07:47 . 2007-09-17 05:53	21632	----a-w-	c:\windows\system32\drivers\pccsmcfd.sys
2011-05-15 07:45 . 2011-05-15 07:45	--------	d-----w-	c:\program files\PC Connectivity Solution
2011-05-15 07:40 . 2007-11-29 00:32	48128	----a-w-	c:\windows\system32\nmwcdcls.dll
2011-05-15 07:40 . 2011-05-15 07:48	--------	d-----w-	c:\program files\Nokia
2011-05-15 07:37 . 2011-05-15 07:37	--------	d-----w-	c:\programdata\Installations
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 06:20 . 2011-04-06 06:20	91424	----a-w-	c:\windows\system32\dnssd.dll
2011-04-06 06:20 . 2011-04-06 06:20	75040	----a-w-	c:\windows\system32\jdns_sd.dll
2011-04-06 06:20 . 2011-04-06 06:20	197920	----a-w-	c:\windows\system32\dnssdX.dll
2011-04-06 06:20 . 2011-04-06 06:20	107808	----a-w-	c:\windows\system32\dns-sd.exe
2011-05-08 00:57 . 2011-05-08 00:57	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-01-02 01:06	365960	----a-w-	c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1FB2F9A-D35E-11DD-8935-E46A56D89593}]
2009-05-08 19:00	86016	----a-w-	c:\program files\oovootb\oovoodx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-01-02 365960]
"{A1FB2F9A-D35E-11DD-8935-E46A56D89593}"= "c:\program files\oovootb\oovoodx.dll" [2009-05-08 86016]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CLASSES_ROOT\clsid\{a1fb2f9a-d35e-11dd-8935-e46a56d89593}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-01-02 365960]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36	94208	----a-w-	c:\users\Kerryn\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36	94208	----a-w-	c:\users\Kerryn\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36	94208	----a-w-	c:\users\Kerryn\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-11 2424192]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 1232896]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 1079808]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ooVoo.exe"="c:\program files\oovoo\oovoo.exe" [2011-05-17 22631608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-25 200704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-12-22 483420]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-21 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-21 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-21 154136]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-07-04 132392]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"OA001Cfg.exe"="OA001Cfg.exe" [2009-01-19 32768]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2009-05-12 842816]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-26 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-28 1047656]
.
c:\users\Kerryn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Kerryn\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-26 24176560]
EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2011-4-27 973824]
Shrink Pic.lnk - c:\program files\Shrink Pic\shrink_pic.exe [2009-3-19 2515456]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
$McRebootA5E6DEAA56$.lnk - c:\windows\System32\cmd.exe [2008-1-21 318976]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-5 752168]
Corel Desktop Application Director 8.LNK - c:\corel\Suite8\Programs\DAD8.EXE [2009-4-18 200192]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-4-2 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2007-6-3 83360]
Ovi Files Connector.lnk - c:\program files\Ovi Files\Ovi Files_agent.exe [2010-2-22 1160560]
PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [2009-1-29 10950144]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-7-31 1616976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 22:00	548352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-04-02 00:31	10536	----a-w-	c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 0281771307766785mcinstcleanup;McAfee Application Installer Cleanup (0281771307766785);c:\users\Kerryn\AppData\Local\Temp\028177~1.EXE [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-28 39984]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-19 12872]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-19 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-07-20 67656]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\aestsrv.exe [2008-12-22 81920]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-10-16 1668344]
S2 dldn_device;dldn_device;c:\windows\system32\dldncoms.exe [2008-03-04 595184]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-10-16 482176]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-06-16 29736]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-11-21 112128]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2008-08-25 54784]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-08-25 203264]
S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-07-04 3663360]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2009-03-05 133632]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2009-03-08 280096]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	REG_MULTI_SZ   	BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2600607289-1744401803-3834185915-1000Core.job
- c:\users\Kerryn\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-26 02:40]
.
2011-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2600607289-1744401803-3834185915-1000UA.job
- c:\users\Kerryn\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-26 02:40]
.
2011-06-11 c:\windows\Tasks\User_Feed_Synchronization-{FB6FEBCF-F48B-4E51-95DA-59DD4B298EAB}.job
- c:\windows\system32\msfeedssync.exe [2011-04-13 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://gmail.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204
TCP: DhcpNameServer = 10.1.1.1
FF - ProfilePath - c:\users\Kerryn\AppData\Roaming\Mozilla\Firefox\Profiles\q67fm0o4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-11 14:44
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3572)
c:\users\Kerryn\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
Completion time: 2011-06-11  14:46:47
ComboFix-quarantined-files.txt  2011-06-11 04:46
ComboFix2.txt  2011-06-11 03:50
.
Pre-Run: 207,375,507,456 bytes free
Post-Run: 207,341,871,104 bytes free
.
- - End Of File - - F171768B2CA5EA4ACCE78D2FF40F703B


----------



## kez

After restarting, unhide runs again. But it still hasn't made the other desktop or start menu items visible (nor when I run it with anti-virus disabled).


----------



## topcatin

johnb35 said:


> topcatin,
> 
> Please post the combofix log for me to analyze, there still may be malware that needs to be removed.  The combofix log is located at C:\combofix.txt.


Hi John,
Here is the combofix log file:
ComboFix 11-06-10.0A - Compaq_Owner 06/11/2011   7:00.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.2494.1793 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton AntiVirus *Enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\1476.tmp
C:\148E.tmp
C:\152.tmp
C:\16.tmp
C:\18.tmp
C:\1E.tmp
C:\20.tmp
C:\23.tmp
C:\26.tmp
C:\28.tmp
C:\2B.tmp
C:\2F.tmp
C:\5.tmp
C:\6.tmp
C:\AE.tmp
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Compaq_Owner\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll
c:\documents and settings\Compaq_Owner\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\AxRUploadServer.dll
c:\documents and settings\Compaq_Owner\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\desktop.ini
c:\documents and settings\Compaq_Owner\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\dwusplay.dll
c:\documents and settings\Compaq_Owner\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\dwusplay.exe
c:\documents and settings\Compaq_Owner\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\erma.inf
c:\documents and settings\Compaq_Owner\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\ExifParser.dll
c:\documents and settings\Compaq_Owner\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\FacebookPhotoUploader.inf
c:\documents and settings\Compaq_Owner\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\FacebookPhotoUploader.ocx
c:\documents and settings\Compaq_Owner\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\FNFotoKioskImg.dll
c:\documents and settings\Compaq_Owner\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\isusweb.dll
c:\documents and settings\Compaq_Owner\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\LtXmlLib3.dll
c:\documents and settings\Compaq_Owner\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\muweb.inf
c:\documents and settings\Compaq_Owner\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\SonyISUpload.inf
c:\documents and settings\Compaq_Owner\WINDOWS
c:\documents and settings\Default User\WINDOWS
C:\E.tmp
C:\EBC.tmp
C:\EC4.tmp
C:\F8C.tmp
C:\F96.tmp
C:\FBB.tmp
C:\FC3.tmp
C:\FCB.tmp
c:\windows\racle~1
c:\windows\sstem3~1
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\wcpit.exe
D:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-11 to 2011-06-11  )))))))))))))))))))))))))))))))
.
.
2011-06-11 01:50 . 2011-06-11 01:50	388096	----a-r-	c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-11 01:50 . 2011-06-11 01:50	--------	d-----w-	c:\program files\Trend Micro
2011-06-10 22:17 . 2011-06-10 22:17	--------	d-----w-	c:\documents and settings\Administrator
2011-06-10 21:59 . 2011-06-10 22:02	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2011-06-10 21:48 . 2011-06-10 21:48	--------	d-----w-	c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2011-06-10 21:46 . 2011-05-29 13:11	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-10 21:46 . 2011-06-10 21:46	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-10 21:46 . 2011-06-10 21:58	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-06-10 21:46 . 2011-05-29 13:11	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-05-14 12:44 . 2011-06-04 01:25	--------	d-----w-	c:\documents and settings\All Users\Application Data\Skype Extras
2011-05-14 12:44 . 2011-05-14 12:44	--------	d-----w-	c:\program files\Common Files\Skype
2011-05-14 11:05 . 2011-05-14 11:05	--------	d-----w-	c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Logitech-LS
2011-05-13 22:54 . 2005-05-27 13:23	2180096	----a-w-	c:\windows\system32\drivers\lvsvf2.sys
2011-05-13 22:54 . 2004-08-04 04:56	90624	----a-w-	c:\windows\system32\kswdmcap.ax
2011-05-13 22:54 . 2004-08-04 04:56	61952	----a-w-	c:\windows\system32\kstvtune.ax
2011-05-13 22:54 . 2004-08-04 04:56	28672	----a-w-	c:\windows\system32\vidcap.ax
2011-05-13 22:54 . 2004-08-04 04:56	43008	----a-w-	c:\windows\system32\ksxbar.ax
2011-05-13 22:54 . 2004-08-04 04:56	53760	----a-w-	c:\windows\system32\vfwwdm32.dll
2011-05-13 22:54 . 2004-08-04 04:56	53760	----a-w-	c:\windows\system32\dllcache\vfwwdm32.dll
2011-05-13 22:51 . 2005-07-19 21:31	53248	----a-r-	c:\windows\system32\InstMed.exe
2011-05-13 22:51 . 2005-01-31 15:20	211712	----a-w-	c:\windows\system32\drivers\LV561AV.SYS
2011-05-13 22:51 . 2005-05-27 13:36	372736	----a-w-	c:\windows\system32\LVUI2RC.dll
2011-05-13 22:51 . 2005-05-27 13:31	22016	----a-w-	c:\windows\system32\drivers\LVUSBSta.sys
2011-05-13 22:51 . 2005-05-27 13:29	204800	----a-w-	c:\windows\system32\LVUI2.dll
2011-05-13 22:51 . 2005-05-27 13:26	204800	----a-w-	c:\windows\system32\LVCodec2.dll
2011-05-13 22:51 . 2005-01-31 15:00	106496	----a-w-	c:\windows\system32\lvcoinst.dll
2011-05-13 22:51 . 2011-05-13 22:51	--------	d-----w-	c:\program files\Common Files\Logitech
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-13 22:40 . 2011-04-13 22:40	4284416	----a-w-	c:\windows\system32\GPhotos.scr
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]
"dlcgmon.exe"="c:\program files\Dell AIO 810\dlcgmon.exe" [2005-10-21 425984]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"DLCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2005-09-08 73728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\progra~1\\mozill~1\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/6/2010 9:41 PM 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/6/2010 9:41 PM 17744]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/10/2011 5:46 PM 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/10/2011 5:46 PM 22712]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/10/2011 5:46 PM 39984]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1288348467-584738473-2231368349-1009Core.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-16 18:23]
.
2011-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1288348467-584738473-2231368349-1009UA.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-16 18:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ip192v79.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock: {34274bf4-1d97-a289-e984-17e546307e4f} - %profile%\extensions\{34274bf4-1d97-a289-e984-17e546307e4f}
FF - Ext: Forecastfox: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - %profile%\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Ext: iFox Smooth: {d3d70bca-2d54-425e-b02c-b7e2f4b07688} - %profile%\extensions\{d3d70bca-2d54-425e-b02c-b7e2f4b07688}
FF - Ext: iFox Smooth: {d3d70bca-2d54-425e-b02c-b7e2f4b07688} - %profile%\extensions\{d3d70bca-2d54-425e-b02c-b7e2f4b07688}
FF - Ext: mediaplayerconnectivity: {84b24861-62f6-364b-eba5-2e5e2061d7e6} - %profile%\extensions\{84b24861-62f6-364b-eba5-2e5e2061d7e6}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Conduit Engine : [email protected] - %profile%\extensions\[email protected]
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - Ext: TVU Web Player: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKCU-Run-hsRITIwubRlhk - c:\documents and settings\All Users\Application Data\hsRITIwubRlhk.exe
AddRemove-HijackThis - c:\documents and settings\Compaq_Owner\Desktop\HijackThis.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-11 07:08
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  DLCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,[email protected]??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2732)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\SMART Board Software\SMARTBoardService.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dlcgcoms.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2011-06-11  07:17:38 - machine was rebooted
ComboFix-quarantined-files.txt  2011-06-11 11:17
.
Pre-Run: 87,318,855,680 bytes free
Post-Run: 87,447,789,568 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 9D1385CBAB8B33481896543F174E6F1F


Thanks!


----------



## johnb35

Kez, 

I just noticed you have mcafee and avast installed on your machine.  You can only have one installed at any given time.  Which virus program are you wanting to keep?  You must uninstall the other one.  If you are keeping avast and getting rid of mcafee, please download and run their removal tool here.

http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

This may be the problem why unhide won't fix everything.  If you are wanting to keep Mcafee then uninstall avast in add/remove programs.


----------



## johnb35

topcatin,

It looks like combofix got everything.  How's the pc running now?


----------



## rschwarz

johnb35 said:


> Can you try emailing me the combofix and malwarebytes logs?  [email protected]



Hi John,

I emailed you the logs the other day? Did you recieve them? thanks a lot.


----------



## johnb35

rschwarz said:


> Hi John,
> 
> I emailed you the logs the other day? Did you recieve them? thanks a lot.



I'm looking at them now.  Sorry, I figured you would tell me when you emailed them to me. so i haven't looked at that email address until now.  Be back shortly.


----------



## johnb35

For some reason I only got part of the combofix log.  Can you send them again but this time send them here instead?   [email protected]


----------



## topcatin

johnb35 said:


> topcatin,
> 
> It looks like combofix got everything.  How's the pc running now?



John thanks for the response. PC runs fine but my apps are not visible when I go to "All Programs" For example: If I click on "Start"->Programs->Microsoft Office--> Microsoft Word--> Empty (instead of showing MSWORD,Excel).
I dont know if this matters, but yesterday after running the malware program, someone mentioned in this thread to go to the properties of your folder and uncheck the hidden. I tried this on the "Administrator" and "All Users" folder, and then I ran the unhide.exe.
Does this matter? 
My computer runs fine but these apps are still missing. I ran avast full scan and it found 3 infections which it placed in the "chest" with no issues. 
Let me know your thoughts..
Thanks.


----------



## topcatin

Another thing is when I go to "Control Panel" and "Administrator" tools the folder is empty.


----------



## kez

johnb35 said:


> Kez,
> 
> I just noticed you have mcafee and avast installed on your machine.  You can only have one installed at any given time.  Which virus program are you wanting to keep?  You must uninstall the other one.  If you are keeping avast and getting rid of mcafee, please download and run their removal tool here.
> 
> http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
> 
> This may be the problem why unhide won't fix everything.  If you are wanting to keep Mcafee then uninstall avast in add/remove programs.



Thanks, I've been trying to get rid of the remnants of Mcafee for some time!
It has now gone, but unfortunately unhide still didn't restore the other stuff.

I am however able to add icons to the desktop and start menu, so if you think there are unlikely to be any other residual problems from this most annoying virus then I can live with this situation!

I've been using Avast for years and it always picks everything up before infection - do you know where this particular virus might have come from? (it seemed to appear when I was web browsing, but I hadn't downloaded anything.)

Thanks again for all your help.


----------



## johnb35

If you can live with the way things are right now, then thats fine.  As far as where you got the infection, most likely you visited a bad website.  i would suggest you use the broswer addon called web of trust (wot).  When you do web searches it shows you whether or not the site is safe or not.

http://www.mywot.com/


----------



## kez

OK cool, have installed that addon. I think all is well now. 

MANY THANKS, you're a lifesaver!

Cheers from the other side of the world,
Kez


----------



## lwqbulb

*Help*

Need help you I encountered the malware recently and fix it accordingly to your guide but I feel like there's still something missing from my computer. Like when I use the unhide.exe, my start bar seems to be incomplete. And this is just to let you see whether my computer is free from the virus already or not. Thanks alot.

Here's the malewarebytes log. There are two different logs as I was infected on the same day...

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6838

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

6/12/2011 3:50:47 PM
mbam-log-2011-06-12 (15-50-47).txt

Scan type: Quick scan
Objects scanned: 216947
Time elapsed: 12 minute(s), 58 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\documents and settings\all users\application data\ugjmynhsukifwrd.exe (Trojan.FakeAlert) -> 1036 -> Unloaded process successfully.
c:\documents and settings\all users\application data\19652388.exe (Trojan.FakeAlert) -> 3828 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uGjMyNHSUKIFwrD (Trojan.FakeAlert) -> Value: uGjMyNHSUKIFwrD -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\ugjmynhsukifwrd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\19652388.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\User\local settings\Temp\tmp6664.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.







Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6840

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

6/12/2011 8:06:08 PM
mbam-log-2011-06-12 (20-06-08).txt

Scan type: Quick scan
Objects scanned: 216715
Time elapsed: 14 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uGjMyNHSUKIFwrD (Trojan.FakeAlert) -> Value: uGjMyNHSUKIFwrD -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\ugjmynhsukifwrd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\User\local settings\Temp\tmpF6E1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.


----------



## lwqbulb

Sorry for double post. Need to ask is there anyway to prevent this again? I think the cause of the malware is I visited a basketball website as I tried it twice and learn my lesson. I have avast and nod32 as my anti virus but both seems unable to block this attack.


----------



## johnb35

You can't have 2 antivirus programs installed at the same time, you must uninstall either avast or eset.  After you uninstall one of the programs please download and run the program below.  You must disable the realtime scanning of your virus program before running.  Download combofix to your desktop screen and run it from there.

These new malware infections are becoming a real pain to clean up the damange.  

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

http://www.bleepingcomputer.com/download/anti-virus/combofix

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more that 20 minutes including the reboot if malware is detected.


In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## lwqbulb

*Alright*

Thanks. Alright I remove Nod32 and use avast as the anti virus. D you think I made the better choice.

Here are the logs. thanks

The ComboFix log

ComboFix 11-06-11.01 - User 06/12/2011  22:58:48.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.3071.2383 [GMT 8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\User\Application Data\PriceGong
c:\documents and settings\User\Application Data\PriceGong\Data\1.xml
c:\documents and settings\User\Application Data\PriceGong\Data\a.xml
c:\documents and settings\User\Application Data\PriceGong\Data\b.xml
c:\documents and settings\User\Application Data\PriceGong\Data\c.xml
c:\documents and settings\User\Application Data\PriceGong\Data\d.xml
c:\documents and settings\User\Application Data\PriceGong\Data\e.xml
c:\documents and settings\User\Application Data\PriceGong\Data\f.xml
c:\documents and settings\User\Application Data\PriceGong\Data\g.xml
c:\documents and settings\User\Application Data\PriceGong\Data\h.xml
c:\documents and settings\User\Application Data\PriceGong\Data\i.xml
c:\documents and settings\User\Application Data\PriceGong\Data\J.xml
c:\documents and settings\User\Application Data\PriceGong\Data\k.xml
c:\documents and settings\User\Application Data\PriceGong\Data\l.xml
c:\documents and settings\User\Application Data\PriceGong\Data\m.xml
c:\documents and settings\User\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\User\Application Data\PriceGong\Data\n.xml
c:\documents and settings\User\Application Data\PriceGong\Data\o.xml
c:\documents and settings\User\Application Data\PriceGong\Data\p.xml
c:\documents and settings\User\Application Data\PriceGong\Data\q.xml
c:\documents and settings\User\Application Data\PriceGong\Data\r.xml
c:\documents and settings\User\Application Data\PriceGong\Data\s.xml
c:\documents and settings\User\Application Data\PriceGong\Data\t.xml
c:\documents and settings\User\Application Data\PriceGong\Data\u.xml
c:\documents and settings\User\Application Data\PriceGong\Data\v.xml
c:\documents and settings\User\Application Data\PriceGong\Data\w.xml
c:\documents and settings\User\Application Data\PriceGong\Data\x.xml
c:\documents and settings\User\Application Data\PriceGong\Data\y.xml
c:\documents and settings\User\Application Data\PriceGong\Data\z.xml
c:\documents and settings\User\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-12 to 2011-06-12  )))))))))))))))))))))))))))))))
.
.
2011-06-12 14:56 . 2011-06-12 14:56	388096	----a-r-	c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-10 09:04 . 2011-06-10 09:04	--------	d-----w-	c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2011-06-10 08:56 . 2011-06-10 08:56	--------	d-----w-	c:\program files\SystemRequirementsLab
2011-06-10 08:56 . 2011-06-10 08:56	--------	d-----w-	c:\documents and settings\User\Application Data\SystemRequirementsLab
2011-06-10 08:49 . 2011-06-10 08:49	--------	d-----w-	c:\program files\USB TV
2011-06-10 08:42 . 2011-06-10 08:42	--------	d-----w-	c:\program files\AMD APP
2011-06-10 08:41 . 2011-06-10 08:41	--------	d-----w-	c:\program files\ATI Technologies
2011-06-10 08:41 . 2011-06-10 08:41	--------	d-----w-	c:\program files\ATI
2011-06-10 08:40 . 2011-06-10 08:40	--------	d-----w-	C:\ATI
2011-06-10 07:20 . 2009-09-04 09:44	515416	----a-w-	c:\windows\system32\XAudio2_5.dll
2011-06-10 07:20 . 2009-09-04 09:44	238936	----a-w-	c:\windows\system32\xactengine3_5.dll
2011-06-10 07:20 . 2009-09-04 09:29	1974616	----a-w-	c:\windows\system32\D3DCompiler_42.dll
2011-06-10 07:20 . 2009-09-04 09:29	5501792	----a-w-	c:\windows\system32\d3dcsx_42.dll
2011-06-10 07:20 . 2009-09-04 09:29	235344	----a-w-	c:\windows\system32\d3dx11_42.dll
2011-06-10 07:20 . 2009-09-04 09:29	453456	----a-w-	c:\windows\system32\d3dx10_42.dll
2011-06-10 07:20 . 2009-09-04 09:29	1892184	----a-w-	c:\windows\system32\D3DX9_42.dll
2011-06-07 07:17 . 2011-06-07 07:17	--------	d-----w-	c:\program files\Common Files\InstallShield
2011-06-07 05:51 . 2011-06-07 05:52	--------	d-----w-	c:\documents and settings\User\keel
2011-06-07 05:24 . 2011-06-07 05:24	--------	d-----w-	c:\documents and settings\User\oni
2011-06-05 07:41 . 2010-10-21 20:06	4208208	----a-w-	c:\windows\system32\GameMon.des
2011-06-05 05:47 . 2010-07-27 08:13	27136	----a-w-	c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
2011-06-05 05:47 . 2010-03-24 08:57	713312	----a-w-	c:\windows\system32\ijjiSetup.exe
2011-06-05 05:47 . 2010-03-24 08:56	62048	----a-w-	c:\windows\system32\ijjiProcessRestarter.exe
2011-06-05 05:47 . 2011-06-07 07:10	--------	d-----w-	c:\program files\REACTOR
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 01:11 . 2011-03-16 11:44	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 01:11 . 2011-03-16 11:44	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-05-25 06:09 . 2007-12-04 17:41	54272	----a-w-	c:\windows\system32\nvwddi.dll
2011-05-25 06:09 . 2007-12-04 17:41	154728	----a-w-	c:\windows\system32\nvsvc32.exe
2011-05-25 06:09 . 2007-12-04 17:41	111208	----a-w-	c:\windows\system32\nvmctray.dll
2011-05-25 06:09 . 2007-12-04 17:41	13895272	----a-w-	c:\windows\system32\nvcpl.dll
2011-05-25 06:09 . 2011-04-19 14:10	61440	----a-w-	c:\windows\system32\OpenCL.dll
2011-05-25 06:09 . 2007-12-04 17:41	145000	-c--a-w-	c:\windows\system32\nvcolor.exe
2011-05-25 06:09 . 2007-12-04 17:41	5332992	----a-w-	c:\windows\system32\nvcuda.dll
2011-05-25 06:09 . 2007-12-04 17:41	4198272	----a-w-	c:\windows\system32\nv4_disp.dll
2011-05-25 06:09 . 2007-12-04 17:41	2328576	----a-w-	c:\windows\system32\nvapi.dll
2011-05-25 06:09 . 2007-12-04 17:41	12753664	----a-w-	c:\windows\system32\drivers\nv4_mini.sys
2011-05-10 12:10 . 2011-03-16 13:10	40112	----a-w-	c:\windows\avastSS.scr
2011-05-10 12:10 . 2011-03-16 13:10	199304	----a-w-	c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-03-16 13:10	441176	----a-w-	c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2011-03-16 13:10	307928	----a-w-	c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2011-03-16 13:10	49240	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2011-05-10 12:02 . 2011-03-16 13:10	102616	----a-w-	c:\windows\system32\drivers\aswmon2.sys
2011-05-10 12:02 . 2011-03-16 13:10	96344	----a-w-	c:\windows\system32\drivers\aswmon.sys
2011-05-10 11:59 . 2011-03-16 13:10	25432	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2011-03-16 13:10	30808	----a-w-	c:\windows\system32\drivers\aavmker4.sys
2011-05-10 11:59 . 2011-03-16 13:10	19544	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2011-04-19 14:10 . 2011-04-19 14:10	59904	----a-w-	c:\windows\system32\OVDecode.dll
2011-04-19 14:10 . 2011-04-19 14:10	12385280	----a-w-	c:\windows\system32\amdocl.dll
2011-04-11 12:56 . 2011-03-29 06:38	0	----a-w-	c:\windows\system32\ConduitEngine.tmp
2011-05-08 08:53 . 2011-05-08 08:53	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 1AB9333EC47BC064050A2BF554AE5A95 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2006-02-28 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9b339f6e-ddcd-401b-8764-230adbd01761}"= "c:\program files\Messenger_Plus_Live\prxtbMes0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{9b339f6e-ddcd-401b-8764-230adbd01761}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54	175912	----a-w-	c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9b339f6e-ddcd-401b-8764-230adbd01761}]
2011-01-17 14:54	175912	----a-w-	c:\program files\Messenger_Plus_Live\prxtbMes0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9b339f6e-ddcd-401b-8764-230adbd01761}"= "c:\program files\Messenger_Plus_Live\prxtbMes0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{9b339f6e-ddcd-401b-8764-230adbd01761}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{9B339F6E-DDCD-401B-8764-230ADBD01761}"= "c:\program files\Messenger_Plus_Live\prxtbMes0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{9b339f6e-ddcd-401b-8764-230adbd01761}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25	122512	------w-	c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2011-04-27 400760]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2010-11-22 2836656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2006-02-28 143360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-10 421160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
"aswAhAScr.dll"="c:\program files\AVAST Software\Avast\aswRegSvr.exe" [2011-02-23 22016]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
hamachi.lnk - c:\program files\Hamachi\hamachi.exe [N/A]
ImationFlashDetect.lnk - c:\documents and settings\User\Local Settings\Temp\Imation\ImationFlashDetect.exe [N/A]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
ViiKiiDesktopPlugin.lnk - c:\program files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2011-6-10 81997]
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-12-6 303104]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk /k:C /k *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\User\\Desktop\\yvd9prefinal\\Utilities\\Basic IRC.exe"=
"c:\\Documents and Settings\\User\\Desktop\\yvd9prefinal\\Yugioh Virtual Desktop 9.exe"=
"c:\\Program Files\\Yugioh Virtual Dueling\\Utilities\\Basic IRC.exe"=
"c:\\Program Files\\Yugioh Virtual Dueling\\Yugioh Virtual Desktop 9.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\FreeStyle\\FreeStyle.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\2k11\\nba2k11.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\REACTOR\\REACTOR.exe"=
"c:\\Program Files\\REACTOR\\ijjiOptimizer.exe"=
"d:\\Gunz\\Gunz.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25477:TCP"= 25477:TCP:BitComet 25477 TCP
"25477:UDP"= 25477:UDP:BitComet 25477 UDP
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/27/2010 8:25 PM 691696]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/16/2011 9:10 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/16/2011 9:10 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/16/2011 9:10 PM 19544]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [6/10/2011 5:04 PM 2214504]
R2 U3SDR200;U3SDR200;c:\windows\system32\drivers\U3SDR200.SYS [3/17/2010 11:35 AM 4224]
S0 wrrpowly;wrrpowly;c:\windows\system32\drivers\jikju.sys --> c:\windows\system32\drivers\jikju.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/27/2010 1:28 PM 135664]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\User\LOCALS~1\Temp\TLZC0.tmp --> c:\docume~1\User\LOCALS~1\Temp\TLZC0.tmp [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [8/2/2008 10:24 AM 10976]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/27/2010 1:28 PM 135664]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [9/9/2010 1:43 PM 137344]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [6/21/2008 8:26 AM 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [6/21/2008 8:26 AM 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [6/21/2008 8:26 AM 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [6/21/2008 8:27 AM 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [6/21/2008 8:26 AM 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [6/21/2008 8:27 AM 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [6/21/2008 8:27 AM 97704]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 05:28]
.
2011-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 05:28]
.
2011-01-07 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2010-12-31 18:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15003&l=dis
uInternet Settings,ProxyOverride = *.local
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\2fm83v0x.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=SPC2&o=15000&locale=en_US&apn_uid=36D583F4-CA0B-42DB-9073-728A0E93A57A&apn_ptnrs=PV&apn_sauid=49F55832-A66F-43C1-8834-64FDE0823A39&apn_dtid=YYYYYYYYSG&q=
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\Ask.com\GenericAskToolbar.dll
BHO-{CC14DD9B-8599-EF19-7AB7-10CF9A32ED8A} - c:\program files\Funshion Online\Funshion\FunshionAddr\funshionAddr.dll
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
ShellIconOverlayIdentifiers-{02696AD5-FF96-454b-9E00-81DA8B79B678} - (no file)
HKCU-Run-Dog Bat - c:\docume~1\User\APPLIC~1\GRAMLI~1\deletelockssend.exe
HKCU-Run-PcSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKLM-Run-BVRPLiveUpdate - c:\program files\Avanquest update\Engine\Setup.exe
HKLM-Run-UpdateReminder - c:\program files\Eset\UpdateReminder.exe
AddRemove-C5A76DC11BABDA0A881E7BE8DDEB641365A77FFD - c:\progra~1\DIFX\270581355A767BF1\dpinst.exe
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
AddRemove-SopCast - c:\program files\SopCast\uninst.exe
AddRemove-Switch - c:\program files\NCH Swift Sound\Switch\uninst.exe
AddRemove-{3E5CBADD-2E51-47C1-BBE2-B802DB6DA56A} - c:\program files\MetaTrader 4\Uninstall.exe
AddRemove-{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1 - c:\program files\Eset\unins000.exe
AddRemove-BitTorrent DNA - c:\program files\DNA\btdna.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-12 23:10
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\User\LOCALS~1\Temp\TLZC0.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2011-06-12  23:14:55
ComboFix-quarantined-files.txt  2011-06-12 15:14
.
Pre-Run: 3,548,626,944 bytes free
Post-Run: 6,119,878,656 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - B81AA268C341DFC7FE9F507CFE1DE7EC



A fresh HiJackThis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:16:01 PM, on 6/12/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15003&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Messenger Plus Live Toolbar - {9b339f6e-ddcd-401b-8764-230adbd01761} - C:\Program Files\Messenger_Plus_Live\prxtbMes0.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Conduit Engine  - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Messenger Plus Live - {9b339f6e-ddcd-401b-8764-230adbd01761} - C:\Program Files\Messenger_Plus_Live\prxtbMes0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Download Accelerator Plus Integration - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\DAP\DAPIEL~1.DLL
O3 - Toolbar: Messenger Plus Live Toolbar - {9b339f6e-ddcd-401b-8764-230adbd01761} - C:\Program Files\Messenger_Plus_Live\prxtbMes0.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O3 - Toolbar: Conduit Engine  - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTA2ODE5ODIxLVZPUCszLVQxLVVDQUxMKzEtQkFSOEcrMS1VQ0FMTDIrMi1UQjgrMi1GTCs4LVFJWDErNC1WSVAxMCsxLVgyMDEwKzI"&"prod=90"&"ver=10.0.1204
O4 - HKLM\..\RunOnce: [aswAhAScr.dll] "C:\Program Files\AVAST Software\Avast\aswRegSvr.exe" "C:\Program Files\AVAST Software\Avast\AhAScr.dll"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: ImationFlashDetect.lnk = C:\Documents and Settings\User\Local Settings\Temp\Imation\ImationFlashDetect.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: ViiKiiDesktopPlugin.lnk = C:\Program Files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe
O4 - Global Startup: BDARemote.lnk = ?
O4 - Global Startup: Exif Launcher S.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Parking Dash\Images\stg_drm.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Nanny Mania\Images\armhelper.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10654 bytes


An update on how your computer is running:
It's doing fine but I am unsure whether the nod32 is completely remove but I guess it is considering i don't see any nod32 stuff in the processes anymore.

And thanks alot.


----------



## johnb35

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box



		Code:
	

File::
c:\windows\system32\ijjiSetup.exe
c:\windows\system32\ijjiProcessRestarter.exe

Driver::
wrrpowly
GarenaPEngine
GGSAFERDriver
npggsvc

Firefox::
FF - prefs.js: browser.search.selectedEngine - Ask.com

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!








ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.


----------



## lwqbulb

Done what you asked.


ComboFix 11-06-11.01 - User 06/13/2011   1:41.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.3071.2471 [GMT 8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\system32\ijjiProcessRestarter.exe"
"c:\windows\system32\ijjiSetup.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\ijjiProcessRestarter.exe
c:\windows\system32\ijjiSetup.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_GARENAPENGINE
-------\Legacy_GGSAFERDRIVER
-------\Service_GarenaPEngine
-------\Service_GGSAFERDriver
-------\Service_npggsvc
-------\Service_wrrpowly
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-12 to 2011-06-12  )))))))))))))))))))))))))))))))
.
.
2011-06-12 14:56 . 2011-06-12 14:56	388096	----a-r-	c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-12 14:35 . 2011-06-12 14:35	512096	----a-w-	c:\windows\system32\drivers\amon.sys
2011-06-12 14:35 . 2011-06-12 14:35	15424	----a-w-	c:\windows\system32\drivers\nod32drv.sys
2011-06-10 09:04 . 2011-06-10 09:04	--------	d-----w-	c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2011-06-10 08:56 . 2011-06-10 08:56	--------	d-----w-	c:\program files\SystemRequirementsLab
2011-06-10 08:56 . 2011-06-10 08:56	--------	d-----w-	c:\documents and settings\User\Application Data\SystemRequirementsLab
2011-06-10 08:49 . 2011-06-10 08:49	--------	d-----w-	c:\program files\USB TV
2011-06-10 08:42 . 2011-06-10 08:42	--------	d-----w-	c:\program files\AMD APP
2011-06-10 08:41 . 2011-06-10 08:41	--------	d-----w-	c:\program files\ATI Technologies
2011-06-10 08:41 . 2011-06-10 08:41	--------	d-----w-	c:\program files\ATI
2011-06-10 08:40 . 2011-06-10 08:40	--------	d-----w-	C:\ATI
2011-06-10 07:20 . 2009-09-04 09:44	515416	----a-w-	c:\windows\system32\XAudio2_5.dll
2011-06-10 07:20 . 2009-09-04 09:44	238936	----a-w-	c:\windows\system32\xactengine3_5.dll
2011-06-10 07:20 . 2009-09-04 09:29	1974616	----a-w-	c:\windows\system32\D3DCompiler_42.dll
2011-06-10 07:20 . 2009-09-04 09:29	5501792	----a-w-	c:\windows\system32\d3dcsx_42.dll
2011-06-10 07:20 . 2009-09-04 09:29	235344	----a-w-	c:\windows\system32\d3dx11_42.dll
2011-06-10 07:20 . 2009-09-04 09:29	453456	----a-w-	c:\windows\system32\d3dx10_42.dll
2011-06-10 07:20 . 2009-09-04 09:29	1892184	----a-w-	c:\windows\system32\D3DX9_42.dll
2011-06-07 07:17 . 2011-06-07 07:17	--------	d-----w-	c:\program files\Common Files\InstallShield
2011-06-07 05:51 . 2011-06-07 05:52	--------	d-----w-	c:\documents and settings\User\keel
2011-06-07 05:24 . 2011-06-07 05:24	--------	d-----w-	c:\documents and settings\User\oni
2011-06-05 07:41 . 2010-10-21 20:06	4208208	----a-w-	c:\windows\system32\GameMon.des
2011-06-05 05:47 . 2010-07-27 08:13	27136	----a-w-	c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
2011-06-05 05:47 . 2011-06-07 07:10	--------	d-----w-	c:\program files\REACTOR
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 01:11 . 2011-03-16 11:44	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 01:11 . 2011-03-16 11:44	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-05-25 06:09 . 2007-12-04 17:41	54272	----a-w-	c:\windows\system32\nvwddi.dll
2011-05-25 06:09 . 2007-12-04 17:41	154728	----a-w-	c:\windows\system32\nvsvc32.exe
2011-05-25 06:09 . 2007-12-04 17:41	111208	----a-w-	c:\windows\system32\nvmctray.dll
2011-05-25 06:09 . 2007-12-04 17:41	13895272	----a-w-	c:\windows\system32\nvcpl.dll
2011-05-25 06:09 . 2011-04-19 14:10	61440	----a-w-	c:\windows\system32\OpenCL.dll
2011-05-25 06:09 . 2007-12-04 17:41	145000	-c--a-w-	c:\windows\system32\nvcolor.exe
2011-05-25 06:09 . 2007-12-04 17:41	5332992	----a-w-	c:\windows\system32\nvcuda.dll
2011-05-25 06:09 . 2007-12-04 17:41	4198272	----a-w-	c:\windows\system32\nv4_disp.dll
2011-05-25 06:09 . 2007-12-04 17:41	2328576	----a-w-	c:\windows\system32\nvapi.dll
2011-05-25 06:09 . 2007-12-04 17:41	12753664	----a-w-	c:\windows\system32\drivers\nv4_mini.sys
2011-05-10 12:10 . 2011-03-16 13:10	40112	----a-w-	c:\windows\avastSS.scr
2011-05-10 12:10 . 2011-03-16 13:10	199304	----a-w-	c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-03-16 13:10	441176	----a-w-	c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2011-03-16 13:10	307928	----a-w-	c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2011-03-16 13:10	49240	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2011-05-10 12:02 . 2011-03-16 13:10	102616	----a-w-	c:\windows\system32\drivers\aswmon2.sys
2011-05-10 12:02 . 2011-03-16 13:10	96344	----a-w-	c:\windows\system32\drivers\aswmon.sys
2011-05-10 11:59 . 2011-03-16 13:10	25432	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2011-03-16 13:10	30808	----a-w-	c:\windows\system32\drivers\aavmker4.sys
2011-05-10 11:59 . 2011-03-16 13:10	19544	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2011-04-19 14:10 . 2011-04-19 14:10	59904	----a-w-	c:\windows\system32\OVDecode.dll
2011-04-19 14:10 . 2011-04-19 14:10	12385280	----a-w-	c:\windows\system32\amdocl.dll
2011-04-11 12:56 . 2011-03-29 06:38	0	----a-w-	c:\windows\system32\ConduitEngine.tmp
2011-05-08 08:53 . 2011-05-08 08:53	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 1AB9333EC47BC064050A2BF554AE5A95 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2006-02-28 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
.
(((((((((((((((((((((((((((((   [email protected]_15.10.43   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-06-12 17:51 . 2011-06-12 17:51	16384              c:\windows\Temp\Perflib_Perfdata_414.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9b339f6e-ddcd-401b-8764-230adbd01761}"= "c:\program files\Messenger_Plus_Live\prxtbMes0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{9b339f6e-ddcd-401b-8764-230adbd01761}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54	175912	----a-w-	c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9b339f6e-ddcd-401b-8764-230adbd01761}]
2011-01-17 14:54	175912	----a-w-	c:\program files\Messenger_Plus_Live\prxtbMes0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9b339f6e-ddcd-401b-8764-230adbd01761}"= "c:\program files\Messenger_Plus_Live\prxtbMes0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{9b339f6e-ddcd-401b-8764-230adbd01761}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{9B339F6E-DDCD-401B-8764-230ADBD01761}"= "c:\program files\Messenger_Plus_Live\prxtbMes0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{9b339f6e-ddcd-401b-8764-230adbd01761}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10	122512	----a-w-	c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2011-04-27 400760]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2010-11-22 2836656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2006-02-28 143360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-10 421160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
hamachi.lnk - c:\program files\Hamachi\hamachi.exe [N/A]
ImationFlashDetect.lnk - c:\documents and settings\User\Local Settings\Temp\Imation\ImationFlashDetect.exe [N/A]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
ViiKiiDesktopPlugin.lnk - c:\program files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2011-6-10 81997]
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-12-6 303104]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk /k:C /k *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\User\\Desktop\\yvd9prefinal\\Utilities\\Basic IRC.exe"=
"c:\\Documents and Settings\\User\\Desktop\\yvd9prefinal\\Yugioh Virtual Desktop 9.exe"=
"c:\\Program Files\\Yugioh Virtual Dueling\\Utilities\\Basic IRC.exe"=
"c:\\Program Files\\Yugioh Virtual Dueling\\Yugioh Virtual Desktop 9.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\FreeStyle\\FreeStyle.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\2k11\\nba2k11.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\REACTOR\\REACTOR.exe"=
"c:\\Program Files\\REACTOR\\ijjiOptimizer.exe"=
"d:\\Gunz\\Gunz.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25477:TCP"= 25477:TCP:BitComet 25477 TCP
"25477:UDP"= 25477:UDP:BitComet 25477 UDP
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/27/2010 8:25 PM 691696]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/16/2011 9:10 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/16/2011 9:10 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/16/2011 9:10 PM 19544]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [6/10/2011 5:04 PM 2214504]
R2 U3SDR200;U3SDR200;c:\windows\system32\drivers\U3SDR200.SYS [3/17/2010 11:35 AM 4224]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/27/2010 1:28 PM 135664]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [8/2/2008 10:24 AM 10976]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/27/2010 1:28 PM 135664]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [9/9/2010 1:43 PM 137344]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [6/21/2008 8:26 AM 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [6/21/2008 8:26 AM 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [6/21/2008 8:26 AM 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [6/21/2008 8:27 AM 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [6/21/2008 8:26 AM 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [6/21/2008 8:27 AM 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [6/21/2008 8:27 AM 97704]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 05:28]
.
2011-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 05:28]
.
2011-01-07 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2010-12-31 18:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15003&l=dis
uInternet Settings,ProxyOverride = *.local
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\2fm83v0x.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=SPC2&o=15000&locale=en_US&apn_uid=36D583F4-CA0B-42DB-9073-728A0E93A57A&apn_ptnrs=PV&apn_sauid=49F55832-A66F-43C1-8834-64FDE0823A39&apn_dtid=YYYYYYYYSG&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-13 01:52
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2488)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\RunDLL32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2011-06-13  01:56:52 - machine was rebooted
ComboFix-quarantined-files.txt  2011-06-12 17:56
ComboFix2.txt  2011-06-12 15:14
.
Pre-Run: 6,116,200,448 bytes free
Post-Run: 5,952,499,712 bytes free
.
- - End Of File - - 73A2722F33AED6CD845CF4A2A85BDCAA


----------



## addagirl73

johnb35 said:


> Please download Malwarebytes' Anti-Malware from *here* or *here* and save it to your desktop.
> 
> Double-click *mbam-setup.exe* and follow the prompts to install the program.
> At the end, be sure a checkmark is placed next to
> *Update Malwarebytes' Anti-Malware*
> and *Launch Malwarebytes' Anti-Malware*
> 
> then click *Finish*.
> If an update is found, it will download and install the latest version.  *Please keep updating until it says you have the latest version.*
> Once the program has loaded, select *Perform quick scan*, then click *Scan*.
> When the scan is complete, click *OK*, then *Show Results* to view the results.
> Be sure that everything is checked, and click *Remove Selected*.
> A log will be saved automatically which you can access by clicking on the *Logs* tab within Malwarebytes' Anti-Malware
> 
> If for some reason Malwarebytes will not install or run please download and run Rkill.scr,  Rkill.exe, or Rkill.com  but *DO NOT *reboot the system and then try installing or running Malwarebytes.  If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it.  Once a log appears on the screen, you can try running malwarebytes or downloading other programs.
> 
> 
> 
> Download the HijackThis installer from *here*.
> Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.
> 
> Click *Do a system scan and save a logfile*
> 
> _Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._
> 
> Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log





sweetbutterfly73 said:


> I know I have a virus. I just dont know how to get rid of it. Right now I have to use another comuter to post this because I cant even use my laptop which has become infected.
> 
> I need help please!
> 
> I just started an online business as a stay at home mom and I need access to the internet and my computer for my business!
> 
> I will warn you. I dont know much about computer stuff so if someone can help me I will need baby steps through the process  And since I cant even use the computer that is infected, I will need to know how to go about getting rid of the virus even if it wont access the internet.
> 
> Thank you SOOOOOO much! I need this for my business!!!



Johnb35 - 

I didn't see where you addressed "sweetbutterfly" questions about getting rid of the virus if you can't even access the internet from the infected computer?  I have a computer that was just infected and I happened upon this thread and I can't access the internet to download all the files that are suggesting. Please help.


----------



## topcatin

johnb35 said:


> topcatin,
> 
> It looks like combofix got everything.  How's the pc running now?



John I had posted this earlier. Thanks for your help in clearing the virus. PC runs fine but my apps are not visible when I go to "All Programs" For example: If I click on "Start"->Programs->Microsoft Office--> Microsoft Word--> Empty (instead of showing MSWORD,Excel).
Another thing is when I go to "Control Panel" and "Administrator" tools the folder is empty. 
I dont know if this matters, but yesterday after running the malware program, someone mentioned in this thread to go to the properties of your folder and uncheck the hidden. I tried this on the "Administrator" and "All Users" folder, and then I ran the unhide.exe.
Does this matter?
My computer runs fine but these apps are still missing. I ran avast full scan and it found 3 infections which it placed in the "chest" with no issues.

please advise..
Thanks.


----------



## johnb35

topcatin said:


> John I had posted this earlier. Thanks for your help in clearing the virus. PC runs fine but my apps are not visible when I go to "All Programs" For example: If I click on "Start"->Programs->Microsoft Office--> Microsoft Word--> Empty (instead of showing MSWORD,Excel).
> Another thing is when I go to "Control Panel" and "Administrator" tools the folder is empty.
> I dont know if this matters, but yesterday after running the malware program, someone mentioned in this thread to go to the properties of your folder and uncheck the hidden. I tried this on the "Administrator" and "All Users" folder, and then I ran the unhide.exe.
> Does this matter?
> My computer runs fine but these apps are still missing. I ran avast full scan and it found 3 infections which it placed in the "chest" with no issues.
> 
> please advise..
> Thanks.



I swear I replied to you but maybe not.  

This should restore your administrative tools programs to the Start Menu. Download and save this to Desktop,

Restore Admin Tools Program Files Menu with admintools.zip for XP
Extract (unzip) the tool, double-click on it to run and click on Restore Administrative Tools Items.



If you still have the office cd, just do repair install of office and it should fix the shortcuts.  Or you can manually add the shortcuts back.


----------



## johnb35

addagirl73 said:


> Johnb35 -
> 
> I didn't see where you addressed "sweetbutterfly" questions about getting rid of the virus if you can't even access the internet from the infected computer?  I have a computer that was just infected and I happened upon this thread and I can't access the internet to download all the files that are suggesting. Please help.



If you can't access the internet to download the tools then you must use a usb flash drive to download them to a computer that has internet access and then transfer them to the flash drive and then put them on the infected computer and then run them.


----------



## lwqbulb

So how's my new combofix log john?


----------



## johnb35

Oh sorry, forgot all about it.

Rerun hijackthis and place checks next to the following entries.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-unins...lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtN ElKTUg"&"inst=NzctNTA2ODE5ODIxLVZPUCszLVQxLVVDQUxM KzEtQkFSOEcrMS1VQ0FMTDIrMi1UQjgrMi1GTCs4LVFJWDErNC 1WSVAxMCsxLVgyMDEwKzI"&"prod=90"&"ver=10.0.1204
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

Then click on fix checked.

Also, you have p2p software installed. bittorent and limewire.  I highly suggest you uninstall it as this could be the reason you were infected.  Most files downloaded by p2p programs contain malware.

Please navigate to c:\qoobox and in that folder will be a file named "add-remove programs.txt"  Please open that log and copy and paste the contents back here.

If you have any nongenuine(illegal/pirated) software installed please uninstall it before posting the log.


----------



## smb820

*Unable to log on to internet to make correction*

I have the problem described in this thread. But, I am unable to sign on to the internet to download malware. i am currently using another PC to try and correct this problem. I have not computer experience. Help!!!
 The problem is: The system has detected a problem with one or more installed IDE/SATA...

I am also getting this error: Read time to hard drive clusters less than 500 ms..

This error also: Bad sectors on hard drive or damaged file allocation table...

Another error is displayed: Boot sector of the hard drive is damaged...

Again another problem displayed is : Hard drive doesn't repond to system commands...


----------



## johnb35

smb820 said:


> I have the problem described in this thread. But, I am unable to sign on to the internet to download malware. i am currently using another PC to try and correct this problem. I have not computer experience. Help!!!
> The problem is: The system has detected a problem with one or more installed IDE/SATA...
> 
> I am also getting this error: Read time to hard drive clusters less than 500 ms..
> 
> This error also: Bad sectors on hard drive or damaged file allocation table...
> 
> Another error is displayed: Boot sector of the hard drive is damaged...
> 
> Again another problem displayed is : Hard drive doesn't repond to system commands...



Your best bet would be to download the following file to a usb flash drive and then boot to safe mode on the infected pc and then run it.

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

http://www.bleepingcomputer.com/download/anti-virus/combofix

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more that 20 minutes including the reboot if malware is detected.


In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running

After running this you should be able to work in regular mode and then do the following.

Please download Malwarebytes' Anti-Malware from *here* or *here* and save it to your desktop.

Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
*Update Malwarebytes' Anti-Malware*
and *Launch Malwarebytes' Anti-Malware*
 
then click *Finish*.
If an update is found, it will download and install the latest version.  *Please keep updating until it says you have the latest version.*
Once the program has loaded, select *Perform quick scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
A log will be saved automatically which you can access by clicking on the *Logs* tab within Malwarebytes' Anti-Malware

If for some reason Malwarebytes will not install or run please download and run Rkill.scr,  Rkill.exe, or Rkill.com  but *DO NOT *reboot the system and then try installing or running Malwarebytes.  If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it.  Once a log appears on the screen, you can try running malwarebytes or downloading other programs.



Download the HijackThis installer from *here*.  
Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log


----------



## GameOver

Hi John,  My post was on page 5 and here is what you asked for thanks,
Mark
ComboFix 11-06-10.08 - User 06/10/2011  14:08:01.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.707 [GMT -6:00]
Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\Cache
c:\windows\system32\drivers\hwinterface.sys
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_hwinterface
-------\Service_hwinterface
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-10 to 2011-06-10  )))))))))))))))))))))))))))))))
.
.
2011-06-10 17:39 . 2011-06-10 17:39	--------	d-----w-	c:\documents and settings\User\Application Data\Malwarebytes
2011-06-10 17:39 . 2011-05-29 15:11	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-10 17:39 . 2011-06-10 17:39	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-10 17:38 . 2011-06-10 18:31	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-06-10 17:38 . 2011-05-29 15:11	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-10 15:02 . 2011-06-10 15:02	--------	d-sh--w-	c:\documents and settings\LocalService\IETldCache
2011-06-08 19:00 . 2011-06-08 19:00	--------	d-----w-	c:\documents and settings\User\Local Settings\Application Data\Mozilla
2011-06-08 17:11 . 2011-06-08 17:11	--------	d-----w-	c:\documents and settings\User\Application Data\AVG10
2011-06-08 17:11 . 2011-06-08 17:11	--------	d-----w-	c:\documents and settings\All Users\Application Data\Common Files
2011-06-08 17:10 . 2011-06-10 20:04	--------	d-----w-	c:\documents and settings\All Users\Application Data\AVG10
2011-06-08 17:09 . 2011-06-08 17:09	--------	d-----w-	c:\program files\AVG
2011-06-08 16:52 . 2011-06-10 20:02	--------	d-----w-	c:\documents and settings\All Users\Application Data\MFAData
2011-05-19 21:31 . 2008-04-14 07:15	60032	-c--a-w-	c:\windows\system32\dllcache\usbaudio.sys
2011-05-19 21:31 . 2008-04-14 07:15	60032	----a-w-	c:\windows\system32\drivers\USBAUDIO.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 16:26 . 2011-06-08 19:00	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-05-19 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"SoundMan"="SOUNDMAN.EXE" [2005-03-25 77824]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-12 186904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2009-12-25 206216]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Ghost\\ngserver.exe"=
"c:\\Program Files\\Symantec\\Ghost\\GhostSrv.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDPeer Name Resolution Protocol (PNRP)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [4/14/2008 6:00 AM 14336]
R3 EloBus;Elobus Filter Driver;c:\windows\system32\drivers\EloBus.sys [4/28/2011 9:18 AM 14208]
R3 EloSer;Elo Serial Driver;c:\windows\system32\drivers\EloSer.Sys [4/28/2011 9:18 AM 48256]
S3 elomoufiltr;ELO TouchSystems-SRV2;c:\windows\system32\drivers\EloFiltr.sys [4/28/2011 9:18 AM 48512]
S3 EloUsb;ELO TouchSystems-SRV;c:\windows\system32\drivers\EloUsb.Sys [4/28/2011 9:18 AM 37504]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/10/2011 11:39 AM 39984]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [3/5/2011 1:36 AM 14592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc	REG_MULTI_SZ   	p2psvc p2pimsvc p2pgasvc PNRPSvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 66.180.96.12
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\mls6hpax.default\
FF - prefs.js: browser.startup.homepage - www.msn.com
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-EloTouchscreen - c:\program files\elotouchsystems\EloSetup
AddRemove-SIUSBXP&10C4&EA61 - c:\windows\system32\Silabs\DriverUninstaller.exe USBXpress\SIUSBXP&10C4&EA61
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-10 14:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1692)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\EloSrvce.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\EloDkMon.exe
c:\windows\system32\EloTTray.exe
c:\program files\Symantec\Ghost\ngserver.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Symantec\Ghost\bin\dbserv.exe
c:\program files\Symantec\Ghost\bin\rteng9.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2011-06-10  14:14:20 - machine was rebooted
ComboFix-quarantined-files.txt  2011-06-10 20:14
.
Pre-Run: 55,723,675,648 bytes free
Post-Run: 56,438,157,312 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 99CDDDA33F87142E70E320D45A5906C7


----------



## smb820

Thank you for your help. My computer is back up. I have to redo some of my personal updates, but most of all the instructions you gave me was a blessing!!! 
I did the HiJack, but I received a popup that stated something was not allowing HiJack to access the Host. It gave instructions on how to manually do the scan. I did not do this because I am was not comfortable with manually doing the HiJack request. I am submitting the other logs you requested. Again, Thanks.
ComboFix log

ComboFix 11-06-12.04 - SMBarron 06/13/2011  10:17:07.1.2 - x64 MINIMAL
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3032.1932 [GMT -5:00]
Running from: e:\stephanie\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\51632000.exe
c:\programdata\FcfOwmsgtCRNpxt.exe
c:\users\SMBarron\AppData\Local\Microsoft\Windows\Temporary Internet Files\{238282EE-06AB-4073-A67C-C8A582F7EE5D}.xps
c:\users\SMBarron\AppData\Local\Microsoft\Windows\Temporary Internet Files\{3F9F32A6-943F-4125-81B2-1AE089F7AE43}.xps
c:\users\SMBarron\AppData\Local\Microsoft\Windows\Temporary Internet Files\{4F2C8C4B-CC46-443B-BE2E-0958CD914FEE}.xps
c:\users\SMBarron\AppData\Local\Microsoft\Windows\Temporary Internet Files\{56BEBAAD-4FE7-4118-9DFA-88ADB63B84F2}.xps
c:\users\SMBarron\AppData\Local\Microsoft\Windows\Temporary Internet Files\{87340114-5D86-4D3F-AB81-4ED5C0526CAD}.xps
c:\users\SMBarron\AppData\Local\Microsoft\Windows\Temporary Internet Files\{B5B3ECE7-A7C2-41D3-9DC3-BCAF4B272865}.xps
c:\users\SMBarron\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D38F5074-14A3-40D2-89BC-21322A2FF7E0}.xps
c:\windows\system32\jusched.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-13 to 2011-06-13  )))))))))))))))))))))))))))))))
.
.
2011-06-13 15:25 . 2011-06-13 15:25	0	---ha-w-	c:\users\SMBarron\AppData\Local\BIT85D3.tmp
2011-06-13 15:13 . 2011-06-13 15:14	--------	d-----w-	C:\32788R22FWJFW
2011-06-13 04:44 . 2011-06-13 04:44	--------	d-----w-	c:\windows\system32\SPReview
2011-06-13 04:42 . 2011-06-13 04:42	--------	d-----w-	c:\windows\system32\EventProviders
2011-06-10 22:58 . 2011-05-09 22:00	8718160	---ha-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{AE791411-DC34-4D56-A3AB-D712DD1F4731}\mpengine.dll
2011-06-10 00:06 . 2011-06-10 00:06	--------	d--h--w-	c:\users\SMBarron\AppData\Roaming\webex
2011-06-10 00:05 . 2011-06-10 00:06	--------	d--h--w-	c:\programdata\WebEx
2011-05-26 15:58 . 2011-04-22 20:18	27008	----a-w-	c:\windows\system32\drivers\Diskdump.sys
2011-05-20 03:55 . 2011-04-09 06:58	142336	----a-w-	c:\windows\system32\poqexec.exe
2011-05-20 03:55 . 2011-04-09 05:56	123904	----a-w-	c:\windows\SysWow64\poqexec.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-12 11:32 . 2010-05-21 02:43	737072	---ha-w-	c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-06-12 11:32 . 2010-05-28 06:47	4283672	---ha-w-	c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2011-06-12 11:32 . 2010-05-21 02:41	42776	---ha-w-	c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-06-07 14:50 . 2010-05-28 06:47	737072	---ha-w-	c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2011-06-07 14:50 . 2010-05-21 02:43	4283672	---ha-w-	c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-06-07 14:49 . 2010-05-28 06:46	42776	---ha-w-	c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2011-06-04 13:43 . 2010-05-31 15:40	539968	---ha-w-	c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2011-04-09 06:45 . 2011-05-12 03:15	5509504	----a-w-	c:\windows\system32\ntoskrnl.exe
2011-04-09 06:13 . 2011-05-12 03:15	3957632	----a-w-	c:\windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:13 . 2011-05-12 03:15	3901824	----a-w-	c:\windows\SysWow64\ntoskrnl.exe
2011-03-29 03:32 . 2011-05-12 03:15	343040	----a-w-	c:\windows\system32\drivers\usbhub.sys
2011-03-29 03:32 . 2011-05-12 03:15	99328	----a-w-	c:\windows\system32\drivers\usbccgp.sys
2011-03-29 03:32 . 2011-05-12 03:15	324608	----a-w-	c:\windows\system32\drivers\usbport.sys
2011-03-29 03:32 . 2011-05-12 03:15	52224	----a-w-	c:\windows\system32\drivers\usbehci.sys
2011-03-29 03:32 . 2011-05-12 03:15	25600	----a-w-	c:\windows\system32\drivers\usbohci.sys
2011-03-29 03:32 . 2011-05-12 03:15	30720	----a-w-	c:\windows\system32\drivers\usbuhci.sys
2011-03-29 03:32 . 2011-05-12 03:15	7936	----a-w-	c:\windows\system32\drivers\usbd.sys
2011-03-27 19:18 . 2011-03-27 19:18	91648	----a-w-	c:\windows\system32\SetIEInstalledDate.exe
2011-03-27 19:18 . 2011-03-27 19:18	89088	----a-w-	c:\windows\system32\RegisterIEPKEYs.exe
2011-03-27 19:18 . 2011-03-27 19:18	86528	----a-w-	c:\windows\SysWow64\iesysprep.dll
2011-03-27 19:18 . 2011-03-27 19:18	85504	----a-w-	c:\windows\system32\iesetup.dll
2011-03-27 19:18 . 2011-03-27 19:18	76800	----a-w-	c:\windows\SysWow64\SetIEInstalledDate.exe
2011-03-27 19:18 . 2011-03-27 19:18	76800	----a-w-	c:\windows\system32\tdc.ocx
2011-03-27 19:18 . 2011-03-27 19:18	74752	----a-w-	c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-03-27 19:18 . 2011-03-27 19:18	74752	----a-w-	c:\windows\SysWow64\iesetup.dll
2011-03-27 19:18 . 2011-03-27 19:18	63488	----a-w-	c:\windows\SysWow64\tdc.ocx
2011-03-27 19:18 . 2011-03-27 19:18	603648	----a-w-	c:\windows\system32\vbscript.dll
2011-03-27 19:18 . 2011-03-27 19:18	49664	----a-w-	c:\windows\system32\imgutil.dll
2011-03-27 19:18 . 2011-03-27 19:18	48640	----a-w-	c:\windows\SysWow64\mshtmler.dll
2011-03-27 19:18 . 2011-03-27 19:18	48640	----a-w-	c:\windows\system32\mshtmler.dll
2011-03-27 19:18 . 2011-03-27 19:18	448512	----a-w-	c:\windows\system32\html.iec
2011-03-27 19:18 . 2011-03-27 19:18	420864	----a-w-	c:\windows\SysWow64\vbscript.dll
2011-03-27 19:18 . 2011-03-27 19:18	367104	----a-w-	c:\windows\SysWow64\html.iec
2011-03-27 19:18 . 2011-03-27 19:18	35840	----a-w-	c:\windows\SysWow64\imgutil.dll
2011-03-27 19:18 . 2011-03-27 19:18	30720	----a-w-	c:\windows\system32\licmgr10.dll
2011-03-27 19:18 . 2011-03-27 19:18	2382848	----a-w-	c:\windows\SysWow64\mshtml.tlb
2011-03-27 19:18 . 2011-03-27 19:18	2382848	----a-w-	c:\windows\system32\mshtml.tlb
2011-03-27 19:18 . 2011-03-27 19:18	23552	----a-w-	c:\windows\SysWow64\licmgr10.dll
2011-03-27 19:18 . 2011-03-27 19:18	2303488	----a-w-	c:\windows\system32\jscript9.dll
2011-03-27 19:18 . 2011-03-27 19:18	222208	----a-w-	c:\windows\system32\msls31.dll
2011-03-27 19:18 . 2011-03-27 19:18	1797632	----a-w-	c:\windows\SysWow64\jscript9.dll
2011-03-27 19:18 . 2011-03-27 19:18	173056	----a-w-	c:\windows\system32\ieUnatt.exe
2011-03-27 19:18 . 2011-03-27 19:18	165888	----a-w-	c:\windows\system32\iexpress.exe
2011-03-27 19:18 . 2011-03-27 19:18	161792	----a-w-	c:\windows\SysWow64\msls31.dll
2011-03-27 19:18 . 2011-03-27 19:18	160256	----a-w-	c:\windows\system32\wextract.exe
2011-03-27 19:18 . 2011-03-27 19:18	152064	----a-w-	c:\windows\SysWow64\wextract.exe
2011-03-27 19:18 . 2011-03-27 19:18	150528	----a-w-	c:\windows\SysWow64\iexpress.exe
2011-03-27 19:18 . 2011-03-27 19:18	1492992	----a-w-	c:\windows\system32\inetcpl.cpl
2011-03-27 19:18 . 2011-03-27 19:18	142848	----a-w-	c:\windows\SysWow64\ieUnatt.exe
2011-03-27 19:18 . 2011-03-27 19:18	1427456	----a-w-	c:\windows\SysWow64\inetcpl.cpl
2011-03-27 19:18 . 2011-03-27 19:18	1389056	----a-w-	c:\windows\system32\wininet.dll
2011-03-27 19:18 . 2011-03-27 19:18	135168	----a-w-	c:\windows\system32\IEAdvpack.dll
2011-03-27 19:18 . 2011-03-27 19:18	12288	----a-w-	c:\windows\system32\mshta.exe
2011-03-27 19:18 . 2011-03-27 19:18	11776	----a-w-	c:\windows\SysWow64\mshta.exe
2011-03-27 19:18 . 2011-03-27 19:18	114176	----a-w-	c:\windows\system32\admparse.dll
2011-03-27 19:18 . 2011-03-27 19:18	1126912	----a-w-	c:\windows\SysWow64\wininet.dll
2011-03-27 19:18 . 2011-03-27 19:18	111616	----a-w-	c:\windows\system32\iesysprep.dll
2011-03-27 19:18 . 2011-03-27 19:18	110592	----a-w-	c:\windows\SysWow64\IEAdvpack.dll
2011-03-27 19:18 . 2011-03-27 19:18	101888	----a-w-	c:\windows\SysWow64\admparse.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-21 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"FATrayAlert"="c:\program files (x86)\Sensible Vision\Fast Access\FATrayMon.exe" [2009-06-24 95496]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"FaxMonitor"="c:\program files (x86)\IPFax\FaxMonitor.exe" [2009-06-08 49152]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-05-11 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe" [2009-12-02 165104]
.
c:\users\SMBarron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
OpenOffice.org 3.2.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
 WinCinema Manager.lnk - c:\program files (x86)\Sandisk\Common\Bin\WinCinemaMgr.exe [2011-3-28 303104]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FastAccess]
2009-06-24 21:31	140552	---ha-w-	c:\program files (x86)\Sensible Vision\Fast Access\FALogNot.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages	REG_MULTI_SZ   	kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-21 136176]
R3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-18 169312]
R3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [x]
R3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [x]
R3 FACAP;facap, FastAccess Video Capture;c:\windows\system32\DRIVERS\facap.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-21 136176]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 FAService;FAService;c:\program files (x86)\Sensible Vision\Fast Access\FAService.exe [2009-06-24 2368776]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2009-12-02 656624]
S2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [2010-04-08 149544]
S2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [2010-04-08 148008]
S2 vseqrts;vseqrts;c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [2010-04-08 205352]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-21 15:49]
.
2011-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-21 15:49]
.
2011-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2723741184-3176970583-2435770781-1000Core.job
- c:\users\SMBarron\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-28 15:49]
.
2011-06-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2723741184-3176970583-2435770781-1000UA.job
- c:\users\SMBarron\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-28 15:49]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF29905.cfxxe" [X]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-01-23 305664]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-29 444416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-30 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-30 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-30 365080]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
"QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2009-07-02 3180624]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Spell Check Options... - c:\program files (x86)\ucietb\Speller.dll/RUNOPTIONS.HTM
IE: Spell Check this page... - c:\program files (x86)\ucietb\Speller.dll/RUNSPELLER.HTM
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-msnmsgr - c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe
Wow6432Node-HKCU-Run-FcfOwmsgtCRNpxt - c:\programdata\FcfOwmsgtCRNpxt.exe
Wow6432Node-HKLM-Run-fsi - c:\program files (x86)\Phoenix Technologies Ltd\FailSafe\FailSafeLauncher.exe
Wow6432Node-HKLM-Run-FAStartup - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{DD662A0C-12FE-4B38-BA53-247F7EC82F46} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-YInstHelper - c:\windows\system32\regsvr32
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe
c:\program files (x86)\Sensible Vision\Fast Access\FATrayAlert.exe
c:\program files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe
c:\program files (x86)\Dell Support Center\bin\sprtsvc.exe
.
**************************************************************************
.
Completion time: 2011-06-13  10:35:22 - machine was rebooted
ComboFix-quarantined-files.txt  2011-06-13 15:35
.
Pre-Run: 196,179,357,696 bytes free
Post-Run: 195,755,737,088 bytes free
.
- - End Of File - - 8A3E1C0B3F2DD495E6724A9C11E20373


----------



## johnb35

Gameover,

Your logs look good.  Are you still having any issues?


----------



## johnb35

smb820,

To run Hijackthis, you will need to right click on the hijackthis icon on your desktop and then click on "run as".  If the option doesn't appear then press and hold the shift key while right clicking on hijackthis to get the run as option to appear.


Please move combofix to your desktop so you can do the following.


1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box



		Code:
	

File::
c:\users\SMBarron\AppData\Local\BIT85D3.tmp


Reglock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!








ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

then please rescan your system with malwarebytes and hijackthis and post the logs.


----------



## GameOver

John, Thanks for your help.  Everything seems ok now I uninstalled AVG though because I ran it and said it restored something but basically it gave me the virus again.  Ran all the great things you have mentioned again and installed Avast and it is running smooth now..  Thanks again for all your help with everyone it is a nasty virus that won't let you do much like task manager, restore points and even hiding everything.


----------



## armani

hello john. Had the same problem but I installad Mallaware  bytes and unhide.exe and everything seems to work smoothly. Just one problem i encountered and it was similar to somebody elses on this thread. When I go to start> programs> (actual program) > it shows empty in the place where their needs to be the program.exe and other files. They seemed to all disappered. It's a similar problem like the guy who couldn't find his Microsoft Word.  I know you said you might have to take it back manually but how would i do that? Thanks in advance!


----------



## johnb35

All the entries in the start menu are actually only shortcuts to the actual program.  So you can either reinstall the program or you can just find the actual program and drop it in the start menu.  Is it all the programs or just a few?


----------



## armani

It is all the programs. I tried dropping it in but for some reason it's not working. Any other way I can do this?


----------



## cherishme17

i wanted to thank you John, thank you.
here is my log info.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6858

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

6/14/2011 5:57:02 PM
mbam-log-2011-06-14 (17-57-02).txt

Scan type: Quick scan
Objects scanned: 132771
Time elapsed: 15 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> Delete on reboot.
HKEY_CLASSES_ROOT\AppID\GamevanceText.DLL (Adware.GameVance) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Value: {07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Value: {00A6FAF6-072E-44CF-8957-5838F569A31D} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Value: {07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D} (Adware.MyWebSearch) -> Value: {00A6FAF6-072E-44cf-8957-5838F569A31D} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\funwebproducts (Adware.MyWebSearch) -> Delete on reboot.
c:\program files\funwebproducts\screensaver (Adware.MyWebSearch) -> Delete on reboot.
c:\program files\funwebproducts\screensaver\Images (Adware.MyWebSearch) -> Delete on reboot.
c:\program files\mywebsearch (Adware.MyWebSearch) -> Delete on reboot.
c:\program files\mywebsearch\bar (Adware.MyWebSearch) -> Delete on reboot.
c:\program files\mywebsearch\bar\History (Adware.MyWebSearch) -> Delete on reboot.
c:\program files\mywebsearch\bar\Settings (Adware.MyWebSearch) -> Delete on reboot.

Files Infected:
c:\programdata\ncqftnhgdltsbd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\programdata\49404760.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.


----------



## johnb35

Can you please do the following.

Download the HijackThis installer from *here*.  
Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

Post the logfile that HijackThis produces


----------



## johnb35

armani said:


> It is all the programs. I tried dropping it in but for some reason it's not working. Any other way I can do this?



Then the only other thing I can suggest is to do a system restore back to a few days of you getting infected and everything should be back to normal.  However, you will still need to rescan your system with malwarebytes to make sure everything is gone.


----------



## 2Johns

*This fixed my issue*



johnb35 said:


> Download and run Unhide.exe.  This should restore your missing file/folder/etc..



Hi johnb35,

Thank you so much for extending your help by providing the links that we need to download. The malwerbytes and this unhide.exe helped me in resolving this issue that I had. I know that it's a virus but I just don't know how to get rid of it. Just to share with everyone, that virus came from UPS. They said that I will be getting a package in 3 days and there is an attached waybill. When I downloaded it, my system suddenly acted out. I was so nervous earlier since some of my important files were saved in my desktop. Thank God because I was able to access the internet and just googled the exact error that popped up my screen. Luckily, I found this forum and patiently followed the instructions. In just less than 30 minutes, the problem was fixed. My laptop is running normally and all of the files are now visible.

Once again, thank you so much johnb35 and thank you as well to Computer Forum.

God bless you all!!!


----------



## litefoot

I have similar problems to those described above, and found this thread on doing some Google research.

My initial problems were the same as those described above - the hard disk failure error. After installing the malware software, it found some trojans and I didn't get those problems again. But I do get

fake Internet Explorer history, and IE loading pages I don't ask it to
icons next to start button have vanished
repeated User Account Control prompts that I didn't start
a 'Windows Vista Restore' icon on my desktop

and a few other things.

My last Hijack This log is:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:35:39, on 15/06/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18602)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Program Files\lsrmdjyl\tyfnolcp.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [Apanel] C:\ACERSW\config\NewSetApanel.cmd
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.5 Pro\init_scheduler.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: ASETRES.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\EmpoweringTechnology\eSettings\Service\capuserv.exe
O23 - Service: Google Update Service (gupdate1ca73342040b309) (gupdate1ca73342040b309) - GoogleInc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\ProgramFiles\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\GoogleUpdater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\CommonFiles\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 10375 bytes










The malware log is


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6858

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

14/06/2011 21:54:11
mbam-log-2011-06-14 (21-54-11).txt

Scan type: Quick scan
Objects scanned: 150703
Time elapsed: 6 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JBrIvuwsjXBVY (Trojan.FakeAlert) -> Value: JBrIvuwsjXBVY -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\jbrivuwsjxbvy.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\programdata\40689400.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Andrew\AppData\Local\Temp\tmp67A8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Andrew\AppData\Local\Temp\6806.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Andrew\AppData\Local\Temp\6845.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Andrew\AppData\Local\Temp\73CC.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Temp\-213E8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Temp\1363E8.tmp (Trojan.FakeAlert) -> Delete on reboot.
c:\Windows\Temp\tmp000000011bdb715166f88625 (Trojan.Dropper) -> Quarantined and deleted successfully.



I did try running combofix but it loads up a bluescreen with some text for about ten seconds and then reboots my computer, asking to load in safe mode. Any suggestion? All responses gratefully received. Thank you!


----------



## johnb35

Litefoot,

Please do the following.

Please download and run TDSSkiller

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.






To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.






If the log says will be cured after reboot, please reboot the system by pressing the reboot now button.

After running there will be a log that will be located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it.  Please open the log and copy and paste it back here.

Reboot the system and try running combofix again and posting its logfile for me.


----------



## babystrawberry66

I really can't thank you enough for your help Jonhb35 you're my life saver! 
Here is my log and HiJack this:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6867

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19048

6/16/2011 2:03:41 AM
mbam-log-2011-06-16 (02-03-41).txt

Scan type: Quick scan
Objects scanned: 168081
Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ayLqFlcYVBLPHi (Trojan.FakeAlert) -> Value: ayLqFlcYVBLPHi -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\aylqflcyvblphi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\thuy vy\AppData\Local\Temp\adobe_flash_player.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\Users\thuy vy\AppData\Local\Temp\install_flash_player.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\Users\thuy vy\AppData\Local\Temp\tmpD1B0.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\thuy vy\local settings\temporary internet files\Content.IE5\QHSE1BJW\pusk3[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\programdata\49796984.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:13:49 AM, on 6/16/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.19048)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\PROGRA~2\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vn.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
R3 - URLSearchHook: Yahoo! Thanh công c? - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
R3 - URLSearchHook: YTNavAssist.YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\YTNavAssist.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~2\IDM\QUICKF~1\PlugIns\IEHelp.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Search-Results Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: Yahoo! Thanh công c? - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AnchorFree Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files (x86)\mtd2002"\mtdserver.exe -f
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files (x86)\PlotSoft\PDFill\DownloadPDF.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E98E87D-2B9E-4EE9-91B4-C640D7D3740C}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E98E87D-2B9E-4EE9-91B4-C640D7D3740C}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Hotspot Shield Service (hshld) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files (x86)\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 12819 bytes


Thanks again!


----------



## Aastii

Moved from the Memory & Hard Drive section to the computer security section of the forums


----------



## Wolfgang405

Hello John, I have been following this thread as I too have this dreaded virus. I have ridden my computer from most of it but not all. I cannot download combo fix because it says I have AVG installed. I uninstalled AVG along time ago. What should I do ? Thanks for all the help.


----------



## johnb35

Wolfgang405 said:


> Hello John, I have been following this thread as I too have this dreaded virus. I have ridden my computer from most of it but not all. I cannot download combo fix because it says I have AVG installed. I uninstalled AVG along time ago. What should I do?


Download and run the AVG removal tool since you have leftover avg files on your system.

http://download.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe


----------



## Wolfgang405

johnb35 said:


> Download and run the AVG removal tool since you have leftover avg files on your system.
> 
> http://download.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe



I did this and still having the same problem. Anything else I can try ?


----------



## litefoot

johnb35 said:


> Litefoot,
> 
> Please do the following.
> 
> Please download and run TDSSkiller



IE won't open kaspersky.com, not even a cached version of the page. And any attempt to get tdsskiller.exe or .zip from other sites results in IE bringing up a download error or directing me away elsewhere. From what I've seen on Google, this is a symptom of this TDSS. I'll try and get it the file from an uninfected computer, unless John or anyone else has a suggestion?

Thanks for the help John - as soon as I've got the file up and running I'll follow the rest of your instructions.


----------



## litefoot

johnb35 said:


> After running there will be a log that will be located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it.  Please open the log and copy and paste it back here.



I managed to get a zip of it by a friend attaching it to an email. The.exe wouldn't run, but after a couple of reboots it finally ran and found one threat. Here's the log.

2011/06/16 21:40:28.0312 5684	TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
2011/06/16 21:40:29.0202 5684	================================================================================
2011/06/16 21:40:29.0202 5684	SystemInfo:
2011/06/16 21:40:29.0202 5684	
2011/06/16 21:40:29.0202 5684	OS Version: 6.0.6001 ServicePack: 1.0
2011/06/16 21:40:29.0202 5684	Product type: Workstation
2011/06/16 21:40:29.0202 5684	ComputerName: ANDREW-PC
2011/06/16 21:40:29.0202 5684	UserName: Andrew
2011/06/16 21:40:29.0202 5684	Windows directory: C:\Windows
2011/06/16 21:40:29.0202 5684	System windows directory: C:\Windows
2011/06/16 21:40:29.0202 5684	Processor architecture: Intel x86
2011/06/16 21:40:29.0202 5684	Number of processors: 2
2011/06/16 21:40:29.0202 5684	Page size: 0x1000
2011/06/16 21:40:29.0202 5684	Boot type: Normal boot
2011/06/16 21:40:29.0202 5684	================================================================================
2011/06/16 21:40:32.0259 5684	Initialize success
2011/06/16 21:40:40.0044 6012	================================================================================
2011/06/16 21:40:40.0044 6012	Scan started
2011/06/16 21:40:40.0044 6012	Mode: Manual; 
2011/06/16 21:40:40.0044 6012	================================================================================
2011/06/16 21:40:45.0987 6012	ACPI            (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
2011/06/16 21:40:46.0580 6012	adp94xx         (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2011/06/16 21:40:47.0017 6012	adpahci         (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2011/06/16 21:40:47.0407 6012	adpu160m        (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2011/06/16 21:40:48.0031 6012	adpu320         (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2011/06/16 21:40:48.0842 6012	AFD             (763e172a55177e478cb419f88fd0ba03) C:\Windows\system32\drivers\afd.sys
2011/06/16 21:40:49.0201 6012	agp440          (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2011/06/16 21:40:49.0482 6012	aic78xx         (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/06/16 21:40:49.0825 6012	aliide          (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2011/06/16 21:40:50.0028 6012	amdagp          (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2011/06/16 21:40:50.0246 6012	amdide          (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2011/06/16 21:40:50.0527 6012	AmdK7           (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2011/06/16 21:40:50.0854 6012	AmdK8           (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
2011/06/16 21:40:51.0026 6012	arc             (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2011/06/16 21:40:51.0432 6012	arcsas          (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2011/06/16 21:40:51.0900 6012	AsyncMac        (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/06/16 21:40:52.0383 6012	atapi           (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
2011/06/16 21:40:52.0648 6012	Beep            (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/06/16 21:40:52.0882 6012	blbdrive        (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2011/06/16 21:40:53.0226 6012	bowser          (8153396d5551276227fa146900f734e6) C:\Windows\system32\DRIVERS\bowser.sys
2011/06/16 21:40:53.0553 6012	BrFiltLo        (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/06/16 21:40:53.0787 6012	BrFiltUp        (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/06/16 21:40:54.0021 6012	Brserid         (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/06/16 21:40:54.0208 6012	BrSerWdm        (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/06/16 21:40:54.0396 6012	BrUsbMdm        (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/06/16 21:40:54.0723 6012	BrUsbSer        (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/06/16 21:40:54.0957 6012	BTHMODEM        (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/06/16 21:40:55.0191 6012	cdfs            (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/06/16 21:40:55.0410 6012	cdrom           (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys
2011/06/16 21:40:55.0628 6012	circlass        (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2011/06/16 21:40:55.0815 6012	CLFS            (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys
2011/06/16 21:40:56.0112 6012	cmdide          (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2011/06/16 21:40:56.0564 6012	Compbatt        (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\drivers\compbatt.sys
2011/06/16 21:40:56.0876 6012	crcdisk         (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2011/06/16 21:40:57.0094 6012	Crusoe          (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2011/06/16 21:40:57.0360 6012	DfsC            (9e635ae5e8ad93e2b5989e2e23679f97) C:\Windows\system32\Drivers\dfsc.sys
2011/06/16 21:40:57.0672 6012	disk            (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys
2011/06/16 21:40:57.0952 6012	drmkaud         (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/06/16 21:40:58.0062 6012	DXGKrnl         (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys
2011/06/16 21:40:58.0545 6012	E1G60           (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/06/16 21:40:58.0951 6012	Ecache          (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys
2011/06/16 21:40:59.0528 6012	elxstor         (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2011/06/16 21:40:59.0949 6012	ErrDev          (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2011/06/16 21:41:00.0433 6012	exfat           (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys
2011/06/16 21:41:00.0760 6012	fastfat         (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys
2011/06/16 21:41:00.0948 6012	fdc             (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2011/06/16 21:41:01.0213 6012	FileInfo        (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/06/16 21:41:01.0462 6012	Filetrace       (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/06/16 21:41:01.0681 6012	flpydisk        (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/06/16 21:41:01.0837 6012	FltMgr          (05ea53afe985443011e36dab07343b46) C:\Windows\system32\drivers\fltmgr.sys
2011/06/16 21:41:01.0946 6012	Fs_Rec          (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/06/16 21:41:02.0024 6012	gagp30kx        (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2011/06/16 21:41:02.0508 6012	HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2011/06/16 21:41:02.0726 6012	HDAudBus        (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/06/16 21:41:02.0944 6012	HidBth          (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/06/16 21:41:03.0163 6012	HidIr           (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/06/16 21:41:03.0646 6012	HidUsb          (854ca287ab7faf949617a788306d967e) C:\Windows\system32\DRIVERS\hidusb.sys
2011/06/16 21:41:03.0943 6012	HpCISSs         (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2011/06/16 21:41:04.0239 6012	HTTP            (96e241624c71211a79c84f50a8e71cab) C:\Windows\system32\drivers\HTTP.sys
2011/06/16 21:41:04.0692 6012	i2omp           (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2011/06/16 21:41:05.0082 6012	i8042prt        (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/06/16 21:41:05.0550 6012	iaStor          (580bfec487c55264bfe3d60c3c24eee1) C:\Windows\system32\drivers\iastor.sys
2011/06/16 21:41:05.0955 6012	iaStorV         (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2011/06/16 21:41:06.0252 6012	iirsp           (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/06/16 21:41:06.0408 6012	int15           (c6e5276c00ebdeb096bb5ef4b797d1b6) C:\Acer\Empowering Technology\eRecovery\int15.sys
2011/06/16 21:41:06.0735 6012	IntcAzAudAddService (4c01298060cf930d26a75a86b874b6ae) C:\Windows\system32\drivers\RTKVHDA.sys
2011/06/16 21:41:07.0437 6012	intelide        (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2011/06/16 21:41:07.0734 6012	intelppm        (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/06/16 21:41:08.0264 6012	IPMIDRV         (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2011/06/16 21:41:08.0514 6012	IPNAT           (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/06/16 21:41:08.0763 6012	IRENUM          (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/06/16 21:41:09.0106 6012	isapnp          (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2011/06/16 21:41:09.0387 6012	iScsiPrt        (f247eec28317f6c739c16de420097301) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/06/16 21:41:09.0793 6012	iteatapi        (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/06/16 21:41:10.0058 6012	iteraid         (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/06/16 21:41:10.0354 6012	kbdclass        (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/06/16 21:41:10.0542 6012	kbdhid          (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/06/16 21:41:10.0760 6012	KSecDD          (7a0cf7908b6824d6a2a1d313e5ae3dca) C:\Windows\system32\Drivers\ksecdd.sys
2011/06/16 21:41:11.0462 6012	lltdio          (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/06/16 21:41:11.0680 6012	LSI_FC          (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2011/06/16 21:41:12.0070 6012	LSI_SAS         (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2011/06/16 21:41:12.0507 6012	LSI_SCSI        (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2011/06/16 21:41:12.0882 6012	luafv           (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/06/16 21:41:13.0350 6012	megasas         (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
2011/06/16 21:41:13.0740 6012	MegaSR          (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
2011/06/16 21:41:14.0176 6012	Modem           (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/06/16 21:41:14.0442 6012	monitor         (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/06/16 21:41:14.0722 6012	mouclass        (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/06/16 21:41:15.0081 6012	mouhid          (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/06/16 21:41:15.0409 6012	MountMgr        (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/06/16 21:41:15.0627 6012	mpio            (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
2011/06/16 21:41:15.0970 6012	mpsdrv          (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/06/16 21:41:16.0470 6012	Mraid35x        (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/06/16 21:41:16.0672 6012	MREMP50         (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2011/06/16 21:41:17.0000 6012	MRESP50         (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
2011/06/16 21:41:17.0187 6012	MRxDAV          (ae3de84536b6799d2267443cec8edbb9) C:\Windows\system32\drivers\mrxdav.sys
2011/06/16 21:41:17.0562 6012	mrxsmb          (cc752d233ef39875ca6885d9415ba869) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/06/16 21:41:17.0796 6012	mrxsmb10        (9049dddd4bd27d43d82f5968f1da76e4) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/06/16 21:41:18.0232 6012	mrxsmb20        (91dc069b6831ef564e7d8c97eaf0343e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/06/16 21:41:18.0451 6012	msahci          (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
2011/06/16 21:41:18.0888 6012	msdsm           (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
2011/06/16 21:41:19.0200 6012	Msfs            (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/06/16 21:41:19.0293 6012	msisadrv        (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/06/16 21:41:19.0480 6012	MSKSSRV         (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/06/16 21:41:19.0683 6012	MSPCLOCK        (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/06/16 21:41:19.0933 6012	MSPQM           (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/06/16 21:41:20.0494 6012	MsRPC           (b5614aecb05a9340aa0fb55bf561cc63) C:\Windows\system32\drivers\MsRPC.sys
2011/06/16 21:41:20.0806 6012	mssmbios        (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/06/16 21:41:20.0962 6012	MSTEE           (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/06/16 21:41:21.0352 6012	Mup             (6dfd1d322de55b0b7db7d21b90bec49c) C:\Windows\system32\Drivers\mup.sys
2011/06/16 21:41:21.0586 6012	NativeWifiP     (3c21ce48ff529bb73dadb98770b54025) C:\Windows\system32\DRIVERS\nwifi.sys
2011/06/16 21:41:21.0789 6012	NDIS            (9bdc71790fa08f0a0b5f10462b1bd0b1) C:\Windows\system32\drivers\ndis.sys
2011/06/16 21:41:22.0195 6012	NdisTapi        (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/06/16 21:41:22.0522 6012	Ndisuio         (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/06/16 21:41:22.0788 6012	NdisWan         (3d14c3b3496f88890d431e8aa022a411) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/06/16 21:41:22.0959 6012	NDProxy         (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/06/16 21:41:23.0240 6012	NetBIOS         (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/06/16 21:41:23.0458 6012	netbt           (7c5fee5b1c5728507cd96fb4a13e7a02) C:\Windows\system32\DRIVERS\netbt.sys
2011/06/16 21:41:23.0739 6012	nfrd960         (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/06/16 21:41:23.0926 6012	Npfs            (ecb5003f484f9ed6c608d6d6c7886cbb) C:\Windows\system32\drivers\Npfs.sys
2011/06/16 21:41:24.0129 6012	nsiproxy        (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/06/16 21:41:24.0363 6012	Ntfs            (b4effe29eb4f15538fd8a9681108492d) C:\Windows\system32\drivers\Ntfs.sys
2011/06/16 21:41:24.0582 6012	NTIDrvr         (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\Windows\system32\DRIVERS\NTIDrvr.sys
2011/06/16 21:41:24.0784 6012	ntrigdigi       (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/06/16 21:41:25.0003 6012	Null            (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/06/16 21:41:25.0206 6012	NVENETFD        (b896fb556b4dc1e1d2943559ea79c5c5) C:\Windows\system32\DRIVERS\nvmfdx32.sys
2011/06/16 21:41:25.0502 6012	NVHDA           (f3ef6cb754c908c5e79fe5bb4a7e39ba) C:\Windows\system32\drivers\nvhda32v.sys
2011/06/16 21:41:26.0079 6012	nvlddmkm        (ff58c7a7da6116c1f71e883cb088d598) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2011/06/16 21:41:26.0578 6012	nvraid          (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
2011/06/16 21:41:26.0797 6012	nvrd32          (6934105ecc6a19570160d794e301e595) C:\Windows\system32\drivers\nvrd32.sys
2011/06/16 21:41:27.0015 6012	nvsmu           (7ec12a73067baca25a8e3e2a58ae83d8) C:\Windows\system32\DRIVERS\nvsmu.sys
2011/06/16 21:41:27.0156 6012	nvstor          (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
2011/06/16 21:41:27.0265 6012	nvstor32        (d7b213299852d2026dbc90dab77ef06c) C:\Windows\system32\drivers\nvstor32.sys
2011/06/16 21:41:27.0499 6012	nv_agp          (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
2011/06/16 21:41:27.0811 6012	ohci1394        (790e27c3db53410b40ff9ef2fd10a1d9) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/06/16 21:41:28.0014 6012	Parport         (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/06/16 21:41:28.0232 6012	partmgr         (3b38467e7c3daed009dfe359e17f139f) C:\Windows\system32\drivers\partmgr.sys
2011/06/16 21:41:28.0435 6012	Parvdm          (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/06/16 21:41:28.0669 6012	pci             (01b94418deb235dff777cc80076354b4) C:\Windows\system32\drivers\pci.sys
2011/06/16 21:41:28.0887 6012	pciide          (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
2011/06/16 21:41:29.0012 6012	pcmcia          (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2011/06/16 21:41:29.0355 6012	PEAUTH          (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/06/16 21:41:29.0652 6012	PptpMiniport    (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/06/16 21:41:29.0854 6012	Processor       (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
2011/06/16 21:41:30.0120 6012	PSched          (bfef604508a0ed1eae2a73e872555ffb) C:\Windows\system32\DRIVERS\pacer.sys
2011/06/16 21:41:30.0354 6012	PSDFilter       (ab94285ff6c6bc5433407d8d182a4bb4) C:\Windows\system32\DRIVERS\psdfilter.sys
2011/06/16 21:41:30.0463 6012	PSDNServ        (2aaf9a5d7a63d26bfaea853c5f2292bc) C:\Windows\system32\DRIVERS\PSDNServ.sys
2011/06/16 21:41:30.0556 6012	psdvdisk        (0eb8cec99855beae5b0d02c2302619ef) C:\Windows\system32\DRIVERS\PSDVdisk.sys
2011/06/16 21:41:30.0915 6012	ql2300          (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
2011/06/16 21:41:31.0165 6012	ql40xx          (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/06/16 21:41:31.0414 6012	QWAVEdrv        (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/06/16 21:41:31.0664 6012	RasAcd          (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/06/16 21:41:32.0070 6012	Rasl2tp         (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/06/16 21:41:32.0350 6012	RasPppoe        (3e9d9b048107b40d87b97df2e48e0744) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/06/16 21:41:32.0631 6012	RasSstp         (a7d141684e9500ac928a772ed8e6b671) C:\Windows\system32\DRIVERS\rassstp.sys
2011/06/16 21:41:32.0865 6012	rdbss           (6e1c5d0457622f9ee35f683110e93d14) C:\Windows\system32\DRIVERS\rdbss.sys
2011/06/16 21:41:33.0068 6012	RDPCDD          (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/06/16 21:41:33.0364 6012	rdpdr           (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
2011/06/16 21:41:33.0567 6012	RDPENCDD        (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/06/16 21:41:33.0754 6012	RDPWD           (e1c18f4097a5abcec941dc4b2f99db7e) C:\Windows\system32\drivers\RDPWD.sys
2011/06/16 21:41:34.0020 6012	rspndr          (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/06/16 21:41:34.0363 6012	sbp2port        (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/06/16 21:41:34.0628 6012	secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/06/16 21:41:34.0878 6012	Serenum         (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
2011/06/16 21:41:35.0065 6012	Serial          (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
2011/06/16 21:41:35.0283 6012	sermouse        (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/06/16 21:41:35.0533 6012	sffdisk         (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
2011/06/16 21:41:35.0767 6012	sffp_mmc        (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
2011/06/16 21:41:35.0938 6012	sffp_sd         (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
2011/06/16 21:41:36.0079 6012	sfloppy         (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/06/16 21:41:36.0188 6012	sisagp          (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
2011/06/16 21:41:36.0297 6012	SiSRaid2        (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
2011/06/16 21:41:36.0469 6012	SiSRaid4        (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
2011/06/16 21:41:36.0734 6012	Smb             (031e6bcd53c9b2b9ace111eafec347b6) C:\Windows\system32\DRIVERS\smb.sys
2011/06/16 21:41:37.0030 6012	spldr           (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/06/16 21:41:37.0296 6012	srv             (2252aef839b1093d16761189f45af885) C:\Windows\system32\DRIVERS\srv.sys
2011/06/16 21:41:37.0498 6012	srv2            (96512f4a30b741e7d33a7936b9abbc20) C:\Windows\system32\DRIVERS\srv2.sys
2011/06/16 21:41:37.0717 6012	srvnet          (1c69e33e0e23626da5a34ca5ba0dd990) C:\Windows\system32\DRIVERS\srvnet.sys
2011/06/16 21:41:37.0920 6012	swenum          (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/06/16 21:41:38.0138 6012	Symc8xx         (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/06/16 21:41:38.0497 6012	Sym_hi          (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/06/16 21:41:38.0684 6012	Sym_u3          (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/06/16 21:41:39.0027 6012	Tcpip           (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\drivers\tcpip.sys
2011/06/16 21:41:39.0823 6012	Tcpip6          (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\DRIVERS\tcpip.sys
2011/06/16 21:41:40.0072 6012	tcpipreg        (d4a2e4a4b011f3a883af77315a5ae76b) C:\Windows\system32\drivers\tcpipreg.sys
2011/06/16 21:41:40.0260 6012	TDPIPE          (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/06/16 21:41:40.0447 6012	TDTCP           (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/06/16 21:41:40.0618 6012	tdx             (d09276b1fab033ce1d40dcbdf303d10f) C:\Windows\system32\DRIVERS\tdx.sys
2011/06/16 21:41:40.0743 6012	TermDD          (a048056f5e1a96a9bf3071b91741a5aa) C:\Windows\system32\DRIVERS\termdd.sys
2011/06/16 21:41:41.0071 6012	tssecsrv        (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/06/16 21:41:41.0664 6012	tunmp           (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/06/16 21:41:41.0944 6012	tunnel          (6042505ff6fa9ac1ef7684d0e03b6940) C:\Windows\system32\DRIVERS\tunnel.sys
2011/06/16 21:41:42.0116 6012	tvicport        (97dd70feca64fb4f63de7bb7e66a80b1) C:\Windows\system32\drivers\tvicport.sys
2011/06/16 21:41:42.0350 6012	uagp35          (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
2011/06/16 21:41:42.0490 6012	udfs            (8b5088058fa1d1cd897a2113ccff6c58) C:\Windows\system32\DRIVERS\udfs.sys
2011/06/16 21:41:42.0709 6012	uliagpkx        (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
2011/06/16 21:41:42.0943 6012	uliahci         (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
2011/06/16 21:41:43.0146 6012	UlSata          (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/06/16 21:41:43.0333 6012	ulsata2         (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/06/16 21:41:43.0629 6012	umbus           (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/06/16 21:41:43.0801 6012	usbccgp         (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/06/16 21:41:43.0941 6012	usbcir          (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/06/16 21:41:44.0035 6012	usbehci         (cebe90821810e76320155beba722fcf9) C:\Windows\system32\DRIVERS\usbehci.sys
2011/06/16 21:41:44.0206 6012	usbhub          (cc6b28e4ce39951357963119ce47b143) C:\Windows\system32\DRIVERS\usbhub.sys
2011/06/16 21:41:44.0394 6012	usbohci         (7bdb7b0e7d45ac0402d78b90789ef47c) C:\Windows\system32\DRIVERS\usbohci.sys
2011/06/16 21:41:44.0596 6012	usbprint        (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
2011/06/16 21:41:44.0815 6012	USBSTOR         (87ba6b83c5d19b69160968d07d6e2982) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/06/16 21:41:45.0096 6012	usbuhci         (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/06/16 21:41:45.0408 6012	vga             (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/06/16 21:41:45.0579 6012	VgaSave         (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/06/16 21:41:45.0782 6012	viaagp          (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
2011/06/16 21:41:45.0969 6012	ViaC7           (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
2011/06/16 21:41:46.0234 6012	viaide          (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
2011/06/16 21:41:46.0578 6012	volmgr          (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/06/16 21:41:46.0796 6012	volmgrx         (98f5ffe6316bd74e9e2c97206c190196) C:\Windows\system32\drivers\volmgrx.sys
2011/06/16 21:41:47.0077 6012	volsnap         (0b91f93264b06ee3fceba84ef4676995) C:\Windows\system32\drivers\volsnap.sys
2011/06/16 21:41:47.0092 6012	Suspicious file (Forged): C:\Windows\system32\drivers\volsnap.sys. Real md5: 0b91f93264b06ee3fceba84ef4676995, Fake md5: d8b4a53dd2769f226b3eb374374987c9
2011/06/16 21:41:47.0108 6012	volsnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/06/16 21:41:47.0451 6012	vsmraid         (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
2011/06/16 21:41:47.0935 6012	WacomPen        (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/06/16 21:41:48.0231 6012	Wanarp          (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/06/16 21:41:48.0278 6012	Wanarpv6        (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/06/16 21:41:48.0621 6012	Wd              (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
2011/06/16 21:41:48.0902 6012	Wdf01000        (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/06/16 21:41:49.0245 6012	WmiAcpi         (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/06/16 21:41:49.0542 6012	WpdUsb          (0cec23084b51b8288099eb710224e955) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/06/16 21:41:49.0822 6012	ws2ifsl         (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/06/16 21:41:50.0166 6012	WUDFRd          (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/06/16 21:41:50.0415 6012	zntport         (40ac8590cc9006dbb99ffcb37879d4c6) C:\Windows\system32\drivers\zntport.sys
2011/06/16 21:41:50.0493 6012	MBR (0x1B8)     (a863475757cc50891aa8458c415e4b25) \Device\Harddisk0\DR0
2011/06/16 21:41:50.0680 6012	================================================================================
2011/06/16 21:41:50.0680 6012	Scan finished
2011/06/16 21:41:50.0680 6012	================================================================================
2011/06/16 21:41:50.0727 6004	Detected object count: 1
2011/06/16 21:41:50.0727 6004	Actual detected object count: 1
2011/06/16 21:43:01.0567 6004	volsnap         (0b91f93264b06ee3fceba84ef4676995) C:\Windows\system32\drivers\volsnap.sys
2011/06/16 21:43:01.0645 6004	Suspicious file (Forged): C:\Windows\system32\drivers\volsnap.sys. Real md5: 0b91f93264b06ee3fceba84ef4676995, Fake md5: d8b4a53dd2769f226b3eb374374987c9
2011/06/16 21:43:13.0126 6004	Backup copy found, using it..
2011/06/16 21:43:13.0282 6004	C:\Windows\system32\drivers\volsnap.sys - will be cured after reboot
2011/06/16 21:43:13.0282 6004	Rootkit.Win32.TDSS.tdl3(volsnap) - User select action: Cure 
2011/06/16 21:43:33.0812 5676	Deinitialize success

I'll do the combofix now, back shortly.


----------



## johnb35

Wolfgang405 said:


> I did this and still having the same problem. Anything else I can try ?



Sometimes the AVG removal tool won't even fully get rid of it.  Most of the time all thats needed is to delete the program file folder labeled "AVG" in C:\program files.


----------



## litefoot

johnb35 said:


> Reboot the system and try running combofix again and posting its logfile for me.



When I rebooted, Startup Repair ran a few times, but it let me back in and I ran Combofix. It went all the way this time. Here's the log:

ComboFix 11-06-13.01 - Andrew 16/06/2011  22:44:06.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.44.1033.18.767.192 [GMT 1:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc11CE.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1279.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc146D.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc14AB.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc20DB.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc24F1.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc37F4.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc389E.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc38FD.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3D32.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc40CA.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5100.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5256.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc54D6.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5505.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5708.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5794.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5A04.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc650C.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6AE5.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7275.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc76D7.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7B78.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7E94.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc82E8.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc842F.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8596.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc874B.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9993.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9E44.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA150.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA1AE.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA2B8.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA6BC.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA99A.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAD52.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAD71.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB6E3.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB859.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB87.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB8A7.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC1EA.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC286.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC2C5.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC3AF.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC87F.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCF33.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD319.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD490.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE38D.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEDAB.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF828.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFCE8.tmp
c:\users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFF17.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-16 to 2011-06-16  )))))))))))))))))))))))))))))))
.
.
2011-06-16 21:56 . 2011-06-16 21:57	--------	d-----w-	c:\users\Andrew\AppData\Local\temp
2011-06-16 21:56 . 2011-06-16 21:56	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-06-16 21:38 . 2011-06-16 21:38	196475	----a-w-	c:\windows\Explorermgr.exe
2011-06-16 21:38 . 2011-06-16 21:38	196475	----a-w-	c:\windows\system32\DllHostmgr.exe
2011-06-15 20:19 . 2011-06-15 20:19	--------	d-----w-	c:\programdata\WindowsSearch
2011-06-15 20:08 . 2011-06-16 21:57	--------	d-----w-	c:\program files\lsrmdjyl
2011-06-14 21:27 . 2011-06-14 21:27	587758	----a-r-	c:\users\Andrew\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-14 21:27 . 2011-06-14 21:27	--------	d-----w-	c:\program files\Trend Micro
2011-06-14 20:45 . 2011-06-14 20:45	--------	d-----w-	c:\users\Andrew\AppData\Roaming\Malwarebytes
2011-06-14 20:44 . 2011-05-29 08:11	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-14 20:44 . 2011-06-14 20:44	--------	d-----w-	c:\programdata\Malwarebytes
2011-06-14 20:44 . 2011-06-14 20:44	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-06-14 06:08 . 2011-05-09 20:46	6962000	------w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{13997B66-341E-438C-AF02-83331493E624}\mpengine.dll
2011-05-19 19:51 . 2011-05-19 19:51	--------	d-----w-	c:\users\Andrew\AppData\Local\Apps
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-16 20:45 . 2008-01-21 02:23	227896	----a-w-	c:\windows\system32\drivers\volsnap.sys
2011-05-14 12:34 . 2011-05-14 12:34	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-13 22:40 . 2011-04-13 22:40	4284416	----a-w-	c:\windows\system32\GPhotos.scr
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-03-05 06:38	121392	------w-	c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-08 39408]
"scheduler_monitor"="c:\program files\ReaConverter 5.5 Pro\init_scheduler.exe" [2007-06-15 27136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-26 5369856]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2008-01-10 326176]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 526896]
"PCMMediaSharing"="c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-01-26 204908]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-20 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-20 92704]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-06 57344]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-06-07 203296]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1784326]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-16 618995]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-11 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2010-12-18 3656]
tyfnolcp.exe [2011-6-16 196475]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ASETRES.EXE [2008-4-14 20480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\lsrmdjyl\tyfnolcp.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R2 gupdate1ca73342040b309;Google Update Service (gupdate1ca73342040b309);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-02 133104]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-02 133104]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2007-07-16 30752]
R3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [2007-11-30 558592]
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-01-26 269448]
S4 Micorsoft Windows Service;Micorsoft Windows Service;c:\windows\TEMP\bnhgqgbo.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-02 09:44]
.
2011-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-02 09:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
mStart Page = hxxp://en.uk.acer.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
Trusted Zone: motive.com\pbttbc.bt
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
HKLM-Run-Apanel - c:\acersw\config\NewSetApanel.cmd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-16 22:57
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1647569761-3752598539-3891556116-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{93B1328C-6078-3C44-D1E9-83F9B961E116}*]
"dabndapf"=hex:64,62,6f,6b,69,6c,65,6e,61,6f,6b,61,61,65,6e,70,68,63,6e,61,6b,
   63,61,6f,69,69,61,6c,61,61,62,6b,66,6f,6f,62,6d,6f,6b,6b,00,00
"iakjciblalojblbpip"=hex:69,61,70,61,61,70,67,66,69,6e,6a,6b,68,66,69,61,6c,6d,
   00,00
"haejmodmbkhcdngo"=hex:69,61,6b,61,6e,6f,62,67,61,64,6a,62,6e,6a,64,64,62,6a,
   00,00
.
Completion time: 2011-06-16  23:02:01
ComboFix-quarantined-files.txt  2011-06-16 22:01
.
Pre-Run: 32,956,043,264 bytes free
Post-Run: 33,228,320,768 bytes free
.
- - End Of File - - 9CFE73CE0F5357CEB2C1E4930E6C97E3


----------



## johnb35

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box



		Code:
	

Folder::
c:\program files\lsrmdjyl

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\p rogram files\lsrmdjyl\tyfnolcp.exe"

Reglock::
[HKEY_USERS\S-1-5-21-1647569761-3752598539-3891556116-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{93B1328C-6078-3C44-D1E9-83F9B961E116}*]


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!








ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Please post a fresh hijackthis log along with the new combofix log.


----------



## johnb35

babystrawberry66,

How's your system running now?  Please do the following.

Open hijackthis, click on open misc tools section, click on open uninstall manager, click on save list and save it.  Then copy and paste the entire contents of that log back here.


----------



## Wolfgang405

John, will you look at my combofix log ?


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\windows\system32\Thumbs.db
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-17 to 2011-06-17  )))))))))))))))))))))))))))))))
.
.
2011-06-14 19:10 . 2011-06-14 19:10	--------	d-----w-	c:\program files\StartNow Toolbar
2011-06-14 19:10 . 2011-06-14 19:10	--------	d-----w-	c:\documents and settings\fred poth\Application Data\Superfish
2011-06-14 19:10 . 2011-06-14 19:10	--------	d-----w-	c:\program files\Superfish
2011-06-14 19:10 . 2011-06-14 19:10	--------	d-----w-	c:\documents and settings\All Users\Application DataMozilla
2011-06-13 18:19 . 2011-06-13 18:20	--------	d-----w-	c:\documents and settings\fred poth\Application Data\GetRightToGo
2011-06-02 16:04 . 2011-06-02 16:04	--------	d-----w-	c:\documents and settings\All Users\Application Data\ThumbnailCache4R
2011-06-02 16:03 . 2011-06-02 16:03	--------	d-----w-	c:\documents and settings\LocalService\Application Data\Lexmark Productivity Studio
2011-05-31 15:43 . 2004-08-04 04:01	25856	-c--a-w-	c:\windows\system32\dllcache\usbprint.sys
2011-05-31 15:43 . 2004-08-04 04:01	25856	----a-w-	c:\windows\system32\drivers\usbprint.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-16 15:04 . 2005-02-23 18:57	52352	----a-w-	c:\windows\system32\drivers\volsnap.sys
2011-05-29 14:11 . 2011-02-21 21:14	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-27 14:27 . 2011-04-27 14:27	73728	----a-w-	c:\windows\system32\javacpl.cpl
2011-04-27 14:27 . 2011-03-25 16:59	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-05-23 17:43 . 2011-04-27 14:41	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"SoundMan"="SOUNDMAN.EXE" [2004-11-02 77824]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
"CreateCD_Reminder"="c:\windows\Sonysys\VAIO Recovery\reminder.exe" [2004-07-16 53248]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"AlcWzrd"="ALCWZRD.EXE" [2004-11-29 2748928]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lexmark 7600 Series\\lxdwamon.exe"=
"c:\\Program Files\\Lexmark 7600 Series\\frun.exe"=
"c:\\Program Files\\Lexmark 7600 Series\\lxdwfax.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
.
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [11/26/2009 6:38 PM 98984]
R2 Toolbar Updater Service;Toolbar Updater Service;c:\program files\StartNow Toolbar\ToolbarUpdaterService.exe [3/24/2011 4:59 AM 199904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 8:38 PM 135664]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 8:38 PM 135664]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [1/24/2011 1:20 AM 10112]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ   	getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 01:38]
.
2011-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 01:38]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - c:\program files\Superfish\Window Shopper\SuperfishIEAddon.dll
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\documents and settings\fred poth\Application Data\Mozilla\Firefox\Profiles\jo4uthgp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=DPGL15&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110614&user_guid=6AA1891EC1364253ABF769E9B29921F6&machine_id=95757f07e3d1b405a4bd5335dbc0b71c&browser=FF&os=win&os_version=5.1-x86-SP2
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: keyword.URL - hxxp://www.startnow.com/s/?src=addrbar&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=DPGL15&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110614&user_guid=6AA1891EC1364253ABF769E9B29921F6&machine_id=95757f07e3d1b405a4bd5335dbc0b71c&browser=FF&os=win&os_version=5.1-x86-SP2&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-TPSvc - TPSvc.dll
SafeBoot-01846738.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-16 20:43
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3065373290-2104875111-1257492562-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3392)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdwcoms.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\Sony TV Tuner Library\SMceMan.exe
c:\windows\SOUNDMAN.EXE
c:\windows\AGRSMMSG.exe
c:\program files\Lexmark 7600 Series\lxdwMsdMon.exe
c:\program files\Sony\Sony TV Tuner Library\RM_SV.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-06-16  20:45:51 - machine was rebooted
ComboFix-quarantined-files.txt  2011-06-17 01:45
.
Pre-Run: 226,670,247,936 bytes free
Post-Run: 226,615,128,064 bytes free
.
- - End Of File - - D2523B5AFF4F2B14B0A2208932EF166E


----------



## johnb35

How is the system running?  Having any issues?  There still shows some references to avg so lets get rid of those now.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box



		Code:
	

Driver::
Avgfwdx
Avgfwfd


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!







ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

i also need you to post a hijackthis log please.

Download the HijackThis installer from *here*.  
Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

Post the logfile that HijackThis produces


----------



## Wolfgang405

John, here is the hijack log you requested. 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:55:11 AM, on 6/17/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdwserv.exe
C:\WINDOWS\system32\lxdwcoms.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
C:\Program Files\Lexmark 7600 Series\lxdwMsdMon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: WindowShopper - {74F475FA-6C75-43BD-AAB9-ECDA6184F600} - C:\Program Files\Superfish\Window Shopper\SuperfishIEAddon.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxdwmon.exe] "C:\Program Files\Lexmark 7600 Series\lxdwmon.exe"
O4 - HKLM\..\Run: [lxdwamon] "C:\Program Files\Lexmark 7600 Series\lxdwamon.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Window Shopper - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - C:\Program Files\Superfish\Window Shopper\SuperfishIEAddon.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdwCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdwserv.exe
O23 - Service: lxdw_device -   - C:\WINDOWS\system32\lxdwcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Toolbar Updater Service - Unknown owner - C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe

--
End of file - 8710 bytes


----------



## johnb35

Post the new combofix log from the script I had you run as well.


----------



## Wolfgang405

*New combofix log*

I don't know if it has anything to do with the virus, but I have noticed I cannot watch video without constant buffering every few seconds.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Avgfwdx
-------\Service_Avgfwfd
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-17 to 2011-06-17  )))))))))))))))))))))))))))))))
.
.
2011-06-17 13:36 . 2011-06-17 13:38	--------	d-----w-	C:\sally
2011-06-14 19:10 . 2011-06-14 19:10	--------	d-----w-	c:\program files\StartNow Toolbar
2011-06-14 19:10 . 2011-06-14 19:10	--------	d-----w-	c:\documents and settings\fred poth\Application Data\Superfish
2011-06-14 19:10 . 2011-06-14 19:10	--------	d-----w-	c:\program files\Superfish
2011-06-14 19:10 . 2011-06-14 19:10	--------	d-----w-	c:\documents and settings\All Users\Application DataMozilla
2011-06-13 18:19 . 2011-06-13 18:20	--------	d-----w-	c:\documents and settings\fred poth\Application Data\GetRightToGo
2011-06-02 16:04 . 2011-06-02 16:04	--------	d-----w-	c:\documents and settings\All Users\Application Data\ThumbnailCache4R
2011-06-02 16:03 . 2011-06-02 16:03	--------	d-----w-	c:\documents and settings\LocalService\Application Data\Lexmark Productivity Studio
2011-05-31 15:43 . 2004-08-04 04:01	25856	-c--a-w-	c:\windows\system32\dllcache\usbprint.sys
2011-05-31 15:43 . 2004-08-04 04:01	25856	----a-w-	c:\windows\system32\drivers\usbprint.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-16 15:04 . 2005-02-23 18:57	52352	----a-w-	c:\windows\system32\drivers\volsnap.sys
2011-05-29 14:11 . 2011-02-21 21:14	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-27 14:27 . 2011-04-27 14:27	73728	----a-w-	c:\windows\system32\javacpl.cpl
2011-04-27 14:27 . 2011-03-25 16:59	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-05-23 17:43 . 2011-04-27 14:41	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((   [email protected]_01.43.24   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-06-17 13:48 . 2011-06-17 13:48	16384              c:\windows\Temp\Perflib_Perfdata_164.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"SoundMan"="SOUNDMAN.EXE" [2004-11-02 77824]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
"CreateCD_Reminder"="c:\windows\Sonysys\VAIO Recovery\reminder.exe" [2004-07-16 53248]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"AlcWzrd"="ALCWZRD.EXE" [2004-11-29 2748928]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lexmark 7600 Series\\lxdwamon.exe"=
"c:\\Program Files\\Lexmark 7600 Series\\frun.exe"=
"c:\\Program Files\\Lexmark 7600 Series\\lxdwfax.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
.
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [11/26/2009 6:38 PM 98984]
R2 Toolbar Updater Service;Toolbar Updater Service;c:\program files\StartNow Toolbar\ToolbarUpdaterService.exe [3/24/2011 4:59 AM 199904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 8:38 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 8:38 PM 135664]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [1/24/2011 1:20 AM 10112]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ   	getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 01:38]
.
2011-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 01:38]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - c:\program files\Superfish\Window Shopper\SuperfishIEAddon.dll
TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
FF - ProfilePath - c:\documents and settings\fred poth\Application Data\Mozilla\Firefox\Profiles\jo4uthgp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=DPGL15&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110614&user_guid=6AA1891EC1364253ABF769E9B29921F6&machine_id=95757f07e3d1b405a4bd5335dbc0b71c&browser=FF&os=win&os_version=5.1-x86-SP2
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: keyword.URL - hxxp://www.startnow.com/s/?src=addrbar&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=DPGL15&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110614&user_guid=6AA1891EC1364253ABF769E9B29921F6&machine_id=95757f07e3d1b405a4bd5335dbc0b71c&browser=FF&os=win&os_version=5.1-x86-SP2&q=
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-17 08:49
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3065373290-2104875111-1257492562-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2304)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdwcoms.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\Sony TV Tuner Library\SMceMan.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Lexmark 7600 Series\lxdwMsdMon.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\dllhost.exe
c:\program files\Sony\Sony TV Tuner Library\RM_SV.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-06-17  08:50:57 - machine was rebooted
ComboFix-quarantined-files.txt  2011-06-17 13:50
ComboFix2.txt  2011-06-17 01:45
.
Pre-Run: 226,589,167,616 bytes free
Post-Run: 226,582,994,944 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 613F60B0CF126E2C4584A219B6366B08


----------



## litefoot

johnb35 said:


> ComboFix will begin to execute, just follow the prompts.
> After reboot (in case it asks to reboot), it will produce a log for you.
> Post that log (Combofix.txt) in your next reply.
> 
> Please post a fresh hijackthis log along with the new combofix log.




It didn't ask to reboot. Here's the Combofix.txt:


ComboFix 11-06-13.01 - Andrew 17/06/2011   7:03.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.44.1033.18.767.257 [GMT 1:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\users\Andrew\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\lsrmdjyl
c:\program files\lsrmdjyl\tyfnolcp.exe
c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tyfnolcp.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-17 to 2011-06-17  )))))))))))))))))))))))))))))))
.
.
2011-06-17 06:18 . 2011-06-17 06:19	--------	d-----w-	c:\users\Andrew\AppData\Local\temp
2011-06-17 06:18 . 2011-06-17 06:18	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-06-16 21:38 . 2011-06-16 21:38	196475	----a-w-	c:\windows\Explorermgr.exe
2011-06-16 21:38 . 2011-06-16 21:38	196475	----a-w-	c:\windows\system32\DllHostmgr.exe
2011-06-16 06:28 . 2011-05-02 16:00	766464	----a-w-	c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
2011-06-16 06:28 . 2011-05-02 15:58	738816	----a-w-	c:\windows\system32\inetcomm.dll
2011-06-16 06:00 . 2011-04-29 12:49	213504	----a-w-	c:\windows\system32\drivers\mrxsmb10.sys
2011-06-16 06:00 . 2011-04-29 12:49	79360	----a-w-	c:\windows\system32\drivers\mrxsmb20.sys
2011-06-16 06:00 . 2011-04-29 12:49	105984	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2011-06-15 20:19 . 2011-06-15 20:19	--------	d-----w-	c:\programdata\WindowsSearch
2011-06-14 21:27 . 2011-06-14 21:27	587758	----a-r-	c:\users\Andrew\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-14 21:27 . 2011-06-14 21:27	--------	d-----w-	c:\program files\Trend Micro
2011-06-14 20:45 . 2011-06-14 20:45	--------	d-----w-	c:\users\Andrew\AppData\Roaming\Malwarebytes
2011-06-14 20:44 . 2011-05-29 08:11	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-14 20:44 . 2011-06-14 20:44	--------	d-----w-	c:\programdata\Malwarebytes
2011-06-14 20:44 . 2011-06-14 20:44	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-06-14 06:08 . 2011-05-09 20:46	6962000	------w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{13997B66-341E-438C-AF02-83331493E624}\mpengine.dll
2011-05-19 19:51 . 2011-05-19 19:51	--------	d-----w-	c:\users\Andrew\AppData\Local\Apps
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-16 20:45 . 2008-01-21 02:23	227896	----a-w-	c:\windows\system32\drivers\volsnap.sys
2011-05-14 12:34 . 2011-05-14 12:34	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-13 22:40 . 2011-04-13 22:40	4284416	----a-w-	c:\windows\system32\GPhotos.scr
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-03-05 06:38	121392	------w-	c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-08 39408]
"scheduler_monitor"="c:\program files\ReaConverter 5.5 Pro\init_scheduler.exe" [2007-06-15 27136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-26 5369856]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2008-01-10 326176]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 526896]
"PCMMediaSharing"="c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-01-26 204908]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-20 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-20 92704]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-06 57344]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-06-07 203296]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1784326]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-16 618995]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-11 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2010-12-18 3656]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ASETRES.EXE [2008-4-14 20480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R2 gupdate1ca73342040b309;Google Update Service (gupdate1ca73342040b309);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-02 133104]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-02 133104]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2007-07-16 30752]
R3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [2007-11-30 558592]
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-01-26 269448]
S4 Micorsoft Windows Service;Micorsoft Windows Service;c:\windows\TEMP\bnhgqgbo.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-02 09:44]
.
2011-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-02 09:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
mStart Page = hxxp://en.uk.acer.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
Trusted Zone: motive.com\pbttbc.bt
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-17 07:19
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1647569761-3752598539-3891556116-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{93B1328C-6078-3C44-D1E9-83F9B961E116}*]
"dabndapf"=hex:64,62,6f,6b,69,6c,65,6e,61,6f,6b,61,61,65,6e,70,68,63,6e,61,6b,
   63,61,6f,69,69,61,6c,61,61,62,6b,66,6f,6f,62,6d,6f,6b,6b,00,00
"iakjciblalojblbpip"=hex:69,61,70,61,61,70,67,66,69,6e,6a,6b,68,66,69,61,6c,6d,
   00,00
"haejmodmbkhcdngo"=hex:69,61,6b,61,6e,6f,62,67,61,64,6a,62,6e,6a,64,64,62,6a,
   00,00
.
Completion time: 2011-06-17  07:28:05
ComboFix-quarantined-files.txt  2011-06-17 06:27
ComboFix2.txt  2011-06-16 22:02
.
Pre-Run: 34,192,932,864 bytes free
Post-Run: 33,827,340,288 bytes free
.
- - End Of File - - 2B6358AEB6406C5575FA69FBB457CAC3















And here's the hijack this log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:10:10, on 17/06/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18639)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,,C:\Program Files\lsrmdjyl\tyfnolcp.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.5 Pro\init_scheduler.exe
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Startup: tyfnolcp.exe
O4 - Global Startup: ASETRES.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Update Service (gupdate1ca73342040b309) (gupdate1ca73342040b309) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7588 bytes


----------



## johnb35

Litefoot,

Please rerun hijackthis and place checks next to the following entries.

F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,,C:\Prog ram Files\lsrmdjyl\tyfnolcp.exe
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe"
O4 - HKCU\..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.5 Pro\init_scheduler.exe
O4 - Startup: tyfnolcp.exe
O4 - Global Startup: ASETRES.EXE

Then make sure all windows are closed and click on fix checked.  Please post a fresh hijackthis log.


----------



## litefoot

johnb35 said:


> Litefoot,
> 
> Please rerun hijackthis and place checks next to the following entries.
> 
> F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,,C:\Prog ram Files\lsrmdjyl\tyfnolcp.exe
> O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
> O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
> O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
> O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
> O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
> O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe"
> O4 - HKCU\..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.5 Pro\init_scheduler.exe
> O4 - Startup: tyfnolcp.exe
> O4 - Global Startup: ASETRES.EXE
> 
> Then make sure all windows are closed and click on fix checked.  Please post a fresh hijackthis log.



Thanks John. Here you go:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:41:39, on 17/06/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18639)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=C:\Windows\SYSTEM32\Userinit.exe,,C:\Program Files\lsrmdjyl\tyfnolcp.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - Startup: OneNote Table Of Contents.onetoc2
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Update Service (gupdate1ca73342040b309) (gupdate1ca73342040b309) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 6499 bytes


----------



## johnb35

Ok, lets try this again.  However, this time boot to safe mode and rerun hijackthis and place a check next to this entry.

F2 - REG:system.ini: UserInit=C:\Windows\SYSTEM32\Userinit.exe,,C:\Prog ram Files\lsrmdjyl\tyfnolcp.exe

Then click on fix checked.

Then boot back to regular mode and post a fresh hijackthis log.

Rerun an updated malwarebytes quick scan and post the logfile.  Then do the following.

Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats 
Accept any security warnings from your browser. 
Check Scan archives 
Click Start 
ESET will then download updates, install and then start scanning your system. 
When the scan is done, push list of found threats 
Click on Export to text file , and save the file to your desktop using a file name, such as ESETlog. Include the contents of this report in your next reply. 
If no threats are found then it won't produce a log.


----------



## litefoot

johnb35 said:


> Ok, lets try this again.  However, this time boot to safe mode and rerun hijackthis and place a check next to this entry.
> 
> F2 - REG:system.ini: UserInit=C:\Windows\SYSTEM32\Userinit.exe,,C:\Prog ram Files\lsrmdjyl\tyfnolcp.exe
> 
> Then click on fix checked.
> 
> Then boot back to regular mode and post a fresh hijackthis log.



New hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:40:17, on 17/06/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18639)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=C:\Windows\SYSTEM32\Userinit.exe,,C:\Program Files\lsrmdjyl\tyfnolcp.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: OneNote Table Of Contents.onetoc2
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Update Service (gupdate1ca73342040b309) (gupdate1ca73342040b309) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8674 bytes




Malware update coming shortly.


----------



## litefoot

litefoot said:


> Malware update coming shortly.



Trojan.agent found, which I removed:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6863

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

17/06/2011 22:50:04
mbam-log-2011-06-17 (22-50-04).txt

Scan type: Quick scan
Objects scanned: 158249
Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Andrew\AppData\Local\temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Now rebooting as requested by Malwarebytes. Next step coming shortly.


----------



## johnb35

I'm heading out for a few hours, will reply when I get back home.


----------



## litefoot

litefoot said:


> Now rebooting as requested by Malwarebytes. Next step coming shortly.



After rebooting last night, I couldn't get back into Windows.

On startup, I get a blue screen which states that

"An attempt was made to write to read-only memory" with some other text.

Five seconds later, the machine reboots again, and I get two options: launch Startup Repair or log into Windows normally. If I select the latter, I get the same blue screen and reboot. If I opt for Startup Repair, the screen just goes blank and nothing else happens.

I tried rebooting and hitting F8 to bring up the Safe Mode menu, which does appear. But when I opt for Safe Mode, I just get a cursor over a blank screen.


----------



## johnb35

Do you have the vista install cd?  You can boot to it and perform the repair my computer option.  

However, you may want to try removing and reinserting the memory sticks and see if that helps or run a memory diagnostic.


----------



## Oodles_Of_Os

Thanks Johnb35 for all the help you've provided on this virus. I think I have removed all components following your instructions. I wondered if you could take a look at the following log files, just to be sure. N.b. I ran the Malware scan twice. The log from the first is below. The second time, nothing was detected:

Malware:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6886

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

18/06/2011 14:37:18
mbam-log-2011-06-18 (14-37-18).txt

Scan type: Quick scan
Objects scanned: 173748
Time elapsed: 10 minute(s), 20 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
c:\programdata\otoynheywxjxcm.exe (Trojan.FakeMS) -> 3832 -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OtOYnhEyWXjxCm (Trojan.FakeMS) -> Value: OtOYnhEyWXjxCm -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\otoynheywxjxcm.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Users\jane\AppData\Local\Temp\tmp8CB5.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.

COMBOFIX

ComboFix 11-06-17.04 - jane 18/06/2011  16:31:07.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.44.1033.18.3032.1894 [GMT 1:00]
Running from: c:\users\jane\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\jane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery
c:\users\jane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery\Uninstall Windows 7 Recovery.lnk
c:\users\jane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery\Windows 7 Recovery.lnk
c:\users\jane\Desktop\Windows 7 Recovery.lnk
c:\windows\system32\jusched.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-18 to 2011-06-18  )))))))))))))))))))))))))))))))
.
.
2011-06-18 16:03 . 2011-06-18 16:03	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-06-18 14:28 . 2011-06-18 14:28	--------	d-----w-	c:\program files\iPod
2011-06-18 14:28 . 2011-06-18 14:29	--------	d-----w-	c:\program files\iTunes
2011-06-18 14:28 . 2011-06-18 14:29	--------	d-----w-	c:\program files (x86)\iTunes
2011-06-18 14:19 . 2011-06-18 14:19	--------	d-----w-	c:\program files (x86)\Safari
2011-06-18 14:08 . 2011-06-18 14:08	--------	d-----w-	c:\users\jane\New folder
2011-06-18 14:05 . 2011-06-18 15:22	--------	d-----w-	C:\32788R22FWJFW
2011-06-18 13:57 . 2011-06-18 13:57	388096	----a-r-	c:\users\jane\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-18 13:57 . 2011-06-18 13:57	--------	d-----w-	c:\program files (x86)\Trend Micro
2011-06-18 13:19 . 2011-06-18 13:19	--------	d-----w-	c:\users\jane\AppData\Roaming\Malwarebytes
2011-06-18 13:19 . 2011-05-29 08:11	39984	----a-w-	c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-18 13:19 . 2011-06-18 13:19	--------	d-----w-	c:\programdata\Malwarebytes
2011-06-18 13:19 . 2011-06-18 13:19	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2011-06-17 22:42 . 2011-06-17 22:42	42776	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-3\StartResources.dll
2011-06-17 21:07 . 2011-04-27 02:57	102400	----a-w-	c:\windows\system32\drivers\dfsc.sys
2011-06-17 21:07 . 2011-04-25 05:32	1896832	----a-w-	c:\windows\system32\drivers\tcpip.sys
2011-06-17 21:07 . 2011-04-25 02:44	499712	----a-w-	c:\windows\system32\drivers\afd.sys
2011-06-17 21:07 . 2011-04-29 05:47	1110528	----a-w-	c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2011-06-17 21:07 . 2011-04-29 05:08	759296	----a-w-	c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2011-06-17 21:07 . 2011-05-04 02:51	287744	----a-w-	c:\windows\system32\drivers\mrxsmb10.sys
2011-06-17 21:07 . 2011-05-04 02:51	157696	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2011-06-17 21:07 . 2011-05-04 02:51	126464	----a-w-	c:\windows\system32\drivers\mrxsmb20.sys
2011-06-17 21:07 . 2011-05-28 03:07	3133952	----a-w-	c:\windows\system32\win32k.sys
2011-06-17 21:05 . 2011-01-17 06:17	197120	----a-w-	c:\windows\system32\d3d10_1.dll
2011-06-17 21:05 . 2011-01-17 05:38	161792	----a-w-	c:\windows\SysWow64\d3d10_1.dll
2011-06-17 21:05 . 2011-04-29 03:13	461312	----a-w-	c:\windows\system32\drivers\srv.sys
2011-06-17 21:05 . 2011-04-29 03:12	399872	----a-w-	c:\windows\system32\drivers\srv2.sys
2011-06-17 21:05 . 2011-04-29 03:12	161792	----a-w-	c:\windows\system32\drivers\srvnet.sys
2011-06-17 21:05 . 2010-12-18 06:13	861184	----a-w-	c:\windows\system32\oleaut32.dll
2011-06-17 21:05 . 2010-12-18 05:31	571904	----a-w-	c:\windows\SysWow64\oleaut32.dll
2011-06-17 21:05 . 2011-05-03 05:21	976896	----a-w-	c:\windows\system32\inetcomm.dll
2011-06-17 21:05 . 2011-05-03 04:50	740864	----a-w-	c:\windows\SysWow64\inetcomm.dll
2011-06-05 10:49 . 2011-06-05 10:53	--------	d-----w-	c:\users\jane\AppData\Local\ElevatedDiagnostics
2011-05-24 20:38 . 2011-04-22 20:18	27008	----a-w-	c:\windows\system32\drivers\Diskdump.sys
2011-05-19 20:52 . 2011-04-09 06:58	142336	----a-w-	c:\windows\system32\poqexec.exe
2011-05-19 20:52 . 2011-04-09 05:56	123904	----a-w-	c:\windows\SysWow64\poqexec.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-04 03:52 . 2011-01-02 10:02	472808	----a-w-	c:\windows\SysWow64\deployJava1.dll
2011-04-29 20:04 . 2010-04-17 08:16	710976	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-04-28 13:34 . 2011-02-23 14:06	64272	----a-w-	c:\windows\system32\drivers\RapportKE64.sys
2011-04-13 22:40 . 2011-04-13 22:40	4284416	----a-w-	c:\windows\SysWow64\GPhotos.scr
2011-04-09 06:45 . 2011-05-11 18:48	5509504	----a-w-	c:\windows\system32\ntoskrnl.exe
2011-04-09 06:13 . 2011-05-11 18:48	3957632	----a-w-	c:\windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:13 . 2011-05-11 18:48	3901824	----a-w-	c:\windows\SysWow64\ntoskrnl.exe
2011-04-06 15:26 . 2011-04-06 15:26	96544	----a-w-	c:\windows\system32\dnssd.dll
2011-04-06 15:26 . 2011-04-06 15:26	119584	----a-w-	c:\windows\system32\dns-sd.exe
2011-04-06 15:20 . 2011-04-06 15:20	91424	----a-w-	c:\windows\SysWow64\dnssd.dll
2011-04-06 15:20 . 2011-04-06 15:20	107808	----a-w-	c:\windows\SysWow64\dns-sd.exe
2011-03-22 21:55 . 2011-03-22 21:55	710976	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2010-04-06 26105128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-30 1484856]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
c:\users\jane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-16 1324384]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-16 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-03 136176]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-03 136176]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys [x]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]
S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2011-04-28 52496]
S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2011-04-28 61200]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 355440]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 355440]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-05-31 244840]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-05-31 148520]
S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-04-28 870200]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2009-12-02 656624]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-03 12:04]
.
2011-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-03 12:04]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-01-23 305664]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-29 444416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-30 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-30 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-30 365080]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
"QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2009-07-02 3180624]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-30 762224]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.co.uk/
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Dell Support Center\bin\sprtsvc.exe
c:\program files (x86)\Trusteer\Rapport\bin\RapportService.exe
.
**************************************************************************
.
Completion time: 2011-06-18  17:29:26 - machine was rebooted
ComboFix-quarantined-files.txt  2011-06-18 16:29
.
Pre-Run: 175,233,695,744 bytes free
Post-Run: 175,739,998,208 bytes free
.
- - End Of File - - 71864C73B36C1670B20A81A4CAF63343

HiJACK THIS:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:44:10, on 18/06/2011
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16800)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20100813214916.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
O4 - HKLM\..\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11685 bytes


Thanks again


----------



## litefoot

johnb35 said:


> Do you have the vista install cd?  You can boot to it and perform the repair my computer option.
> 
> However, you may want to try removing and reinserting the memory sticks and see if that helps or run a memory diagnostic.



My computer didn't come with a Vista install CD (I gather that is normal). However, after numerous attempts to reboot I finally got back in to Windows this afternoon. I could do with making an install CD though. Have you any suggestions regarding this, as Google lead me to a site called Neosmart which had a page specifically designed to help users create such a disc - but the downloads have been suspended. When you mention memory sticks, I assume this involves removing the back of the computer - that isn't something I've done before.

I tried accessing that eset scanner link but IE returned an error. I tried accessing it through eset.co.uk, and that site loaded, but the popup window I clicked on for the download scanner also failed. Looks like IE is blocking security websites again. I looked in hijackthis and a couple of those lines had reappeared (tkbell.exe and svg). I fixed them, but the original one you spotted above is still there. I ran malware to remove the same trojan in svchost and I was able to download the Eset scanner. Just running now, so far it's found 4669 files infected with the  Win32/Ramnit.H virus, and counting...


----------



## johnb35

litefoot said:


> My computer didn't come with a Vista install CD (I gather that is normal). However, after numerous attempts to reboot I finally got back in to Windows this afternoon. I could do with making an install CD though. Have you any suggestions regarding this, as Google lead me to a site called Neosmart which had a page specifically designed to help users create such a disc - but the downloads have been suspended. When you mention memory sticks, I assume this involves removing the back of the computer - that isn't something I've done before.
> 
> I tried accessing that eset scanner link but IE returned an error. I tried accessing it through eset.co.uk, and that site loaded, but the popup window I clicked on for the download scanner also failed. Looks like IE is blocking security websites again. I looked in hijackthis and a couple of those lines had reappeared (tkbell.exe and svg). I fixed them, but the original one you spotted above is still there. I ran malware to remove the same trojan in svchost and I was able to download the Eset scanner. Just running now, so far it's found 4669 files infected with the  Win32/Ramnit.H virus, and counting...



I hate to say this but your system is beyond fixing at this point, you will need to format and reinstall windows using either the system recovery cd or system recovery partition.  The ramnit infection is a file infecting virus like virut and can't be cured.  Do not back up any exe files when backing up your data.


----------



## Wolfgang405

*John, can you help please ?*

QUOTE=Wolfgang405;1643876]I don't know if it has anything to do with the virus, but I have noticed I cannot watch video without constant buffering every few seconds. 

John, my memory is very low. I have several iexplore.exe file running in the task manager. Any ideas ?


----------



## johnb35

Wolfgang405 said:


> QUOTE=Wolfgang405;1643876]I don't know if it has anything to do with the virus, but I have noticed I cannot watch video without constant buffering every few seconds.
> 
> John, my memory is very low. I have several iexplore.exe file running in the task manager. Any ideas ?



Are you running tabs in IE, if so then I beleve for every tab, there is 2 processes running.


----------



## johnb35

Oodles_Of_Os,

Are you having any issues still?  Your log looks good.


----------



## litefoot

johnb35 said:


> I hate to say this but your system is beyond fixing at this point, you will need to format and reinstall windows using either the system recovery cd or system recovery partition.  The ramnit infection is a file infecting virus like virut and can't be cured.  Do not back up any exe files when backing up your data.



OK. Thanks for your help trying to fix it anyway. Without a system recovery CD, how would I go about reinstalling Windows, as an install CD was not provided by the manufacturer? Do you recommend I purchase Windows Vista or 7?


----------



## johnb35

If you didn't get a recovery cd with your machine then most likely you have a recovery partition on the harddrive that you need to boot into to reinstall windows.  What machine do you have?


----------



## litefoot

johnb35 said:


> If you didn't get a recovery cd with your machine then most likely you have a recovery partition on the harddrive that you need to boot into to reinstall windows.  What machine do you have?



Acer Aspire M1641
Intel Celeron CPU [email protected]
Memory 1Gb
32-bit Operating System
Windows Vista


----------



## johnb35

Look in your start menu and see if you have a program called acer recovery management with an option to restore.  Or you may also have to option to make back up recovery cd's.  If the option to make back up recovery cd's are there then make them and use them to restore your system.


----------



## litefoot

johnb35 said:


> Look in your start menu and see if you have a program called acer recovery management with an option to restore.  Or you may also have to option to make back up recovery cd's.  If the option to make back up recovery cd's are there then make them and use them to restore your system.



In Control Panel->System Maintenance->Backup and Restore Center there is an option Repair Windows Using System Restore but I'm guessing that isn't what you mean. In the same place there's an option to back up files but I'm guessing this isn't what you mean also.

Acer eRecovery Management is there with

(1) three disc options:

Create factory default disc
Create current system configuration backup disc
Create driver and application backup disc

(2) three restore options:

Restore system to factory default
Recover system from CD/DVD
Reinstall applications/drivers


----------



## johnb35

First thing I would do is create the factory default disk, you will need 1,2 or 3 dvd's to do this most likely.  After creating the restore disks, then go back and select "restore system to factory default"


----------



## litefoot

johnb35 said:


> First thing I would do is create the factory default disk, you will need 1,2 or 3 dvd's to do this most likely.  After creating the restore disks, then go back and select "restore system to factory default"



Thanks John, I will get a couple of DVDs tomorrow. I also found this link which told me how to create a 32 bit Vista recovery disc, which I have done.

http://neosmart.net/blog/2008/download-windows-vista-x64-recovery-disc/


----------



## SoMeAm

I agree!  This is the place to come for virus issues.  John remains beyond amazing!


----------



## babystrawberry66

johnb35 said:


> babystrawberry66,
> 
> How's your system running now?  Please do the following.
> 
> Open hijackthis, click on open misc tools section, click on open uninstall manager, click on save list and save it.  Then copy and paste the entire contents of that log back here.



It's good but I think it's a little slower than before. Thanks again!  

Acrobat.com
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Atheros Driver Installation Program
Audition – Season 2
Compatibility Pack for the 2007 Office system
CyberLink DVD Suite
CyberLink DVD Suite
CyberLink YouCam
CyberLink YouCam
Dream Day Wedding Married in Manhattan 2.0.0.9
ESU for Microsoft Vista
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotspot Shield 2.04
HP Active Support Library
HP Customer Experience Enhancements
HP Doc Viewer
HP DVD Play 3.7
HP Help and Support
HP Quick Launch Buttons 6.40 H2
HP Total Care Advisor
HP Total Care Setup
HP Update
HP User Guides 0118
HP Wireless Assistant
HPAsset component for HP Active Support Library
Huawei ADSL USB Modem
Java(TM) 6 Update 7
Juno Preloader
LabelPrint
LabelPrint
LightScribe System Software  1.14.17.1
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft Live Search Toolbar
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.6.17)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee Reveal
My HP Games
NetWaiting
NetZero Preloader
Norton Internet Security
Oxford Student's Dictionary
Power2Go
Power2Go
PowerDirector
PowerDirector
QUICKfind server v1.1
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek USB 2.0 Card Reader
Search-Results Toolbar
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Skype web features
Skype™ 4.1
SPORE Creature Creator Trial Edition
UniKey 4.0 NT
Uninstall LAC VIET mtd2002-EVA
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
WinRAR archiver
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Thanh công c?


----------



## johnb35

babystrawberry66,

Lets make sure you don't have an infection that will cause slowness.

Please download and run TDSSkiller

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.







To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.






If the log says will be cured after reboot, please reboot the system by pressing the reboot now button.

After running there will be a log that will be located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it.  Please open the log and copy and paste it back here.


Please uninstall the following programs.

Java(TM) 6 Update 7
Search-Results Toolbar

Then go here to download the latest version of Java.

http://www.java.com/en/download/index.jsp

Also please download and run Ccleaner, this should bring back some of your speed.

http://download.cnet.com/ccleaner/

Just make sure you click where it says download now in black.  Download, install and open Ccleaner, click on run cleaner.  This may take a few minutes to delete everything.


----------



## litefoot

johnb35 said:


> First thing I would do is create the factory default disk, you will need 1,2 or 3 dvd's to do this most likely.  After creating the restore disks, then go back and select "restore system to factory default"



I did this last night. On the first reboot I got the same blue screen about an attempt being made to write to read only memory and it tried to go into Startup Repair mode again. However, Windows loaded when I did another reboot.

The system is running very slowly, and a lot of IE windows frequently open without prompting and load up Acer.yahoo.com. I am also getting a lot of dialog boxes titled 'Interactive services dialog detection' without prompting.

Also installed is a tool titled Microsoft Windows Malicious Software removal Tool, which wasn't on my system before. It's running now and has so far found 913 files infected. Looks like restoring the factory settings haven't worked. Thanks for your help though John. Any ideas what to do next?


----------



## johnb35

litefoot said:


> I did this last night. On the first reboot I got the same blue screen about an attempt being made to write to read only memory and it tried to go into Startup Repair mode again. However, Windows loaded when I did another reboot.
> 
> The system is running very slowly, and a lot of IE windows frequently open without prompting and load up Acer.yahoo.com. I am also getting a lot of dialog boxes titled 'Interactive services dialog detection' without prompting.
> 
> Also installed is a tool titled Microsoft Windows Malicious Software removal Tool, which wasn't on my system before. It's running now and has so far found 913 files infected. Looks like restoring the factory settings haven't worked. Thanks for your help though John. Any ideas what to do next?



If you actually restored it to factory defaults then you wouldn't be having this issue.  I would suggest finding someone that is computer savvy to help you do an actual system recovery.


----------



## litefoot

johnb35 said:


> First thing I would do is create the factory default disk, you will need 1,2 or 3 dvd's to do this most likely.  After creating the restore disks, then go back and select "restore system to factory default"



I definitely did the above. I burnt the discs and then selected 

Restore system to factory default

This prompted the following dialog box:

"This will restore your system and overwrite all files on C: drive. Do you want to continue?"

I confirmed and then followed the directions to insert the discs when requested.

Is it possible that infected files were burned onto the factory default discs ?

All the infected files are dlls if that suggests anything.


----------



## johnb35

The system recovery disks are created from the recovery partition files, no where else.  

Try it again, but this time go into acer recovery management and choose to 

restore system to factory default 

do not use the recovery cd's.  

What files are being detected by MSRT(malicious software removal tool)?


----------



## t91989

THANK YOU JOHN for all your help and your easy to follow directions!

I, too, found this forum because I had the virus and am extremely grateful for your detailed help. I followed the steps and installed malware, the rkill (many many times) the unhide and the combofix. I still have issues but on my way to my ol' computer but I now have successfully back upped a bunch of photos, etc. that I was worried about.

I'm sure you have helped MANY more people that aren't registered to say thanks. 

THANK YOU!!!!


----------



## johnb35

t91989,

Even though you have ran combofix, that doesn't mean you are infection free.  You should post the log for me to go through and see if you are clean or not.  

Also what issues are you still having?


----------



## t91989

I'm sure I'm not in the clear yet, but I truly appreciate all your assistance this far. 

I just emailed you my combofix logs - just maybe I'm lucky and its ok. (BUT thank you so much for checking it over.)

Thank you again!


----------



## cutyhammy

*All menu on my Window has disappeared*



johnb35 said:


> Download and run Unhide.exe.  This should restore your missing file/folder/etc..



Hi John,

thanks so much for giving the malware program and the steps to get rid of the virus. You saved my computer today 

i've also run the "unhide.exe" program which unhide all the files and folders.

But i still have one problem *hope that you can help* (or anyone pls)
All the program in my Windows menus has dissapears.
The program is stil there in the Programs folder, but i just can't seem them on Windows menu [e.g Start > All Programs > Itunes > (Empty)]

Do you have any solution on how i can fix that?

Thanks again for ya help


----------



## cutyhammy

*Still some small problems*



johnb35 said:


> Please download Malwarebytes' Anti-Malware from *here* or *here* and save it to your desktop.
> 
> Double-click *mbam-setup.exe* and follow the prompts to install the program.
> At the end, be sure a checkmark is placed next to
> *Update Malwarebytes' Anti-Malware*
> and *Launch Malwarebytes' Anti-Malware*
> 
> then click *Finish*.
> If an update is found, it will download and install the latest version.  *Please keep updating until it says you have the latest version.*
> Once the program has loaded, select *Perform quick scan*, then click *Scan*.
> When the scan is complete, click *OK*, then *Show Results* to view the results.
> Be sure that everything is checked, and click *Remove Selected*.
> A log will be saved automatically which you can access by clicking on the *Logs* tab within Malwarebytes' Anti-Malware
> 
> If for some reason Malwarebytes will not install or run please download and run Rkill.scr,  Rkill.exe, or Rkill.com  but *DO NOT *reboot the system and then try installing or running Malwarebytes.  If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it.  Once a log appears on the screen, you can try running malwarebytes or downloading other programs.
> 
> 
> 
> Download the HijackThis installer from *here*.
> Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.
> 
> Click *Do a system scan and save a logfile*
> 
> _Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._
> 
> Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log



Hi Jonhb35

Here is the log from Hijack

=========================================================
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:29:25, on 23/06/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r213367\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\ADP\Print Manager\faxman4.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\ADP\KCML6.2Server\kservice.exe
C:\ADP\KCML6.2Server\kservice.exe
C:\ADP\KCML6.2Server\kplicserver.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ADP\Print Manager\PMService.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINDOWS\system32\SgLogPlayer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ADP\Print Manager\PMTrayIcon.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\ADP\KCML6.90\kclient.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\ADP\KCML62\kclient.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\ADP\KCML6.90\kclient.exe
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\ADP\KCML6.2\kclient.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Hijack\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell.com/content/default.aspx?c=sg&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default.aspx?c=sg&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.usa.canon.com/html/download/irc2550.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 172.31.192.42 nelson
O1 - Hosts: 172.31.192.42 nelson.kerridge.com
O1 - Hosts: 172.31.192.47 atlas
O1 - Hosts: 172.31.192.18 alex
O1 - Hosts: 172.31.192.13 vialli.kerridge.com
O1 - Hosts: 172.31.193.9 octopus
O1 - Hosts: 172.31.192.75 titan
O1 - Hosts: 172.31.251.10 kcmlrefman.kerridge.com
O1 - Hosts: 172.31.192.59 kportal.kerridge.com
O1 - Hosts: 172.31.192.50 forums.kerridge.com
O1 - Hosts: 172.31.192.50 bugs.kerridge.com
O1 - Hosts: 172.31.196.1 solomon.kerridge.com
O1 - Hosts: 172.31.72.190 venus
O1 - Hosts: 172.31.196.157 scooby
O1 - Hosts: 172.31.196.14 golf.automotive.kerridge.com
O1 - Hosts: 172.31.192.50 forums.tealgate.kerridge.com
O1 - Hosts: 172.31.192.83 silverstone
O1 - Hosts: 172.31.205.1 silverstone.tealgate.kerridge.com
O1 - Hosts: 172.31.192.42 mail.kerridge.com
O1 - Hosts: 172.31.192.42 pop3.kerridge.com
O1 - Hosts: 208.218.106.21 www.adpcorp.com
O1 - Hosts: 172.16.200.16 www.adpcorp.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe /T:NTRU12
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] "C:\Program Files\Wave Systems Corp\SecureUpgrade.exe"
O4 - HKLM\..\Run: [EmbassySecurityCheck] "C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe"
O4 - HKLM\..\Run: [DellControlPoint] "C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
O4 - HKLM\..\Run: [USCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
O4 - HKLM\..\Run: [DellConnectionManager] "C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [EdWizard] C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe as
O4 - HKLM\..\Run: [SgeEcView] C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] "C:\Program Files\Kaseya\Agent\KaUsrTsk.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Print Manager Tray Icon] C:\Program Files\ADP\Print Manager\PMTrayIcon.exe
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {494b8c10-bdb5-11d1-8373-00a0c901b28c} (KClient.ActiveX.1) - 
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DSI.AD.ADP.COM
O17 - HKLM\Software\..\Telephony: DomainName = DSI.AD.ADP.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DSI.AD.ADP.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dsi.ad.adp.com,ds.ad.adp.com,
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dsi.ad.adp.com,ds.ad.adp.com,
O20 - Winlogon Notify: NotLog - SGLogEx.dll (file missing)
O20 - Winlogon Notify: SGLogNotification - SGLogNotification.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dell ControlPoint Button Service (buttonsvc32) - Dell Inc. - C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
O23 - Service: Credential Vault Host Control Service - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
O23 - Service: Credential Vault Host Storage - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Dell ControlPoint System Manager (dcpsysmgrsvc) - Dell Inc. - C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FaxMan Fax Engine (FaxManService) - Data Techniques, Inc. - C:\Program Files\ADP\Print Manager\faxman4.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exe
O23 - Service: kplic - ADP DSI. - C:\ADP\KCML6.2Server\kservice.exe
O23 - Service: kwebadmin - ADP DSI. - C:\ADP\KCML6.2Server\kservice.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Print Manager Service v1.10.2263.15210 (PMService) - ADP DSI - C:\Program Files\ADP\Print Manager\PMService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SafeGuard Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
O23 - Service: SafeGuard SGLOG  Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe
O23 - Service: Smith Micro Connection Manager Service (SMManager) - Smith Micro Software, Inc. - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r213367\stacsv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: SafeGuard Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

--
End of file - 16991 bytes

=========================================================

Here is the log from Malwarebytes
==========================================================
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6923

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

23/06/2011 17:48:03
mbam-log-2011-06-23 (17-48-02).txt

Scan type: Quick scan
Objects scanned: 191486
Time elapsed: 16 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

==========================================================


----------



## alexr1090

If johnb35 was a processor he would be top of the line for keeping up with this thread


----------



## litefoot

johnb35 said:


> The system recovery disks are created from the recovery partition files, no where else.
> 
> Try it again, but this time go into acer recovery management and choose to
> 
> restore system to factory default
> 
> do not use the recovery cd's.
> 
> What files are being detected by MSRT(malicious software removal tool)?



I've been attempting to restore the factory default over the last few days but I'm having problems. When I do it from Windows, it has to reboot before it runs, and I'm getting the same blue screen on startup. I tried doing Alt and F10 from the reboot, which is supposed to take you into an Acer menu to allow you to start it outside Windows, but this combination of keys doesn't seem to work. WIll keep trying and keep you updated.


----------



## rschwarz

*logs for combofix, hijackthis, and malware to fix unhide problem*



johnb35 said:


> For some reason I only got part of the combofix log.  Can you send them again but this time send them here instead?   [email protected]



John, 

I sent the combofix, hijackthis, and malware logs to [email protected]. I also tried to put them below, but even the combofix log alone was too long (i got this error message: The text that you have entered is too long (83744 characters) Please shorten it to 60000 characters long.

Sorry for my really delayed response. Somehow my thread alert got turned off and I didn't see any responses.

Thanks so much!


----------



## johnb35

You used the wrong address.  it should be [email protected].   Since the combofix log is too long you can always break it up into multiple posts, just remember where you left off.


----------



## rschwarz

*Part 1 of combofix log*



johnb35 said:


> You used the wrong address.  it should be [email protected].   Since the combofix log is too long you can always break it up into multiple posts, just remember where you left off.



Sorry about the wrong email. I'm posting the logs here in two successive posts and sending it to the correct email, just to cover all the bases.

Here is the first part:

Combofix
ComboFix 11-06-23.01 - Roger Schwarz 06/23/2011  15:08:27.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.461 [GMT -4:00]
Running from: c:\documents and settings\Roger Schwarz\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-23 to 2011-06-23  )))))))))))))))))))))))))))))))
.
.
2011-06-16 07:03 . 2011-06-16 07:39 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-16 02:35 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-10 14:16 . 2011-06-10 14:16 -------- d-----w- c:\documents and settings\Roger Schwarz\Local Settings\Application Data\Apple
2011-06-10 00:33 . 2011-06-10 00:33 -------- d-----w- c:\documents and settings\Roger Schwarz\Application Data\Windows Search
2011-06-09 21:57 . 2011-06-09 21:57 -------- d-----w- c:\documents and settings\Roger Schwarz\Application Data\Avira
2011-06-09 21:13 . 2011-06-09 21:13 388096 ----a-r- c:\documents and settings\Roger Schwarz\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-09 21:13 . 2011-06-09 21:13 -------- d-----w- c:\program files\Trend Micro
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 13:11 . 2009-09-06 18:27 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2009-09-06 18:27 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2006-01-18 04:55 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51 . 2005-08-16 10:18 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01 . 2005-08-16 10:18 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2005-08-16 10:18 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-02 04:51 . 2011-04-02 04:51 0 ----a-w- c:\documents and settings\Hannah Schwarz\FAP29F.tmp
.
.
(((((((((((((((((((((((((((((   SnapShot_2011-06-09_20.59.49   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-19 02:51 . 2011-04-19 02:51 51024              c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_4ddc769f\vcomp90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 59728              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90rus.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 42832              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90kor.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 43344              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90jpn.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 61264              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90ita.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 62800              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90fra.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 61776              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esp.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 61776              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esn.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 53584              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90enu.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 63312              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90deu.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 36688              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90cht.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 35664              c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90chs.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 59904              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90u.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 59904              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90.dll
+ 2011-05-14 00:17 . 2011-05-14 00:17 65536              c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_452bf920\vcomp.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 49152              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80KOR.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 49152              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80JPN.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80ITA.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80FRA.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80ESP.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 57344              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80ENU.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 65536              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80DEU.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 45056              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80CHT.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 40960              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80CHS.dll
+ 2011-05-14 05:06 . 2011-05-14 05:06 57856              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\mfcm80u.dll
+ 2011-05-14 05:23 . 2011-05-14 05:23 69632              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\mfcm80.dll
+ 2011-05-13 22:37 . 2011-05-13 22:37 97280              c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_a4c618fa\ATL80.dll
+ 2011-06-23 18:56 . 2011-06-23 18:56 16384              c:\windows\temp\Perflib_Perfdata_1e0.dat
- 2005-08-16 10:18 . 2011-02-17 19:00 44544              c:\windows\system32\pngfilt.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 44544              c:\windows\system32\pngfilt.dll
+ 2005-08-16 10:18 . 2011-06-16 07:19 80058              c:\windows\system32\perfc009.dat
- 2005-08-16 10:18 . 2011-04-13 07:11 80058              c:\windows\system32\perfc009.dat
- 2007-08-13 22:54 . 2011-02-17 19:00 52224              c:\windows\system32\msfeedsbs.dll
+ 2007-08-13 22:54 . 2011-04-25 15:51 52224              c:\windows\system32\msfeedsbs.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 27648              c:\windows\system32\jsproxy.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 27648              c:\windows\system32\jsproxy.dll
- 2007-08-13 22:39 . 2011-02-17 11:43 13824              c:\windows\system32\ieudinit.exe
+ 2007-08-13 22:39 . 2011-04-25 12:00 13824              c:\windows\system32\ieudinit.exe
+ 2005-08-16 10:18 . 2011-04-25 15:51 44544              c:\windows\system32\iernonce.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 44544              c:\windows\system32\iernonce.dll
+ 2005-08-16 10:18 . 2011-04-25 12:00 70656              c:\windows\system32\ie4uinit.exe
- 2005-08-16 10:18 . 2011-02-17 11:43 70656              c:\windows\system32\ie4uinit.exe
+ 2007-08-13 22:36 . 2011-04-25 15:51 63488              c:\windows\system32\icardie.dll
- 2007-08-13 22:36 . 2011-02-17 19:00 63488              c:\windows\system32\icardie.dll
+ 2006-05-10 05:25 . 2011-04-25 15:51 44544              c:\windows\system32\dllcache\pngfilt.dll
- 2006-05-10 05:25 . 2011-02-17 19:00 44544              c:\windows\system32\dllcache\pngfilt.dll
+ 2008-05-17 03:22 . 2011-04-25 15:51 52224              c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-05-17 03:22 . 2011-02-17 19:00 52224              c:\windows\system32\dllcache\msfeedsbs.dll
- 2006-05-10 05:25 . 2011-02-17 19:00 27648              c:\windows\system32\dllcache\jsproxy.dll
+ 2006-05-10 05:25 . 2011-04-25 15:51 27648              c:\windows\system32\dllcache\jsproxy.dll
+ 2008-05-17 03:22 . 2011-04-25 12:00 13824              c:\windows\system32\dllcache\ieudinit.exe
- 2008-05-17 03:22 . 2011-02-17 11:43 13824              c:\windows\system32\dllcache\ieudinit.exe
- 2007-08-13 22:39 . 2011-02-17 19:00 44544              c:\windows\system32\dllcache\iernonce.dll
+ 2007-08-13 22:39 . 2011-04-25 15:51 44544              c:\windows\system32\dllcache\iernonce.dll
- 2007-08-13 22:45 . 2011-02-17 19:00 78336              c:\windows\system32\dllcache\ieencode.dll
+ 2007-08-13 22:45 . 2011-04-25 15:51 78336              c:\windows\system32\dllcache\ieencode.dll
- 2007-08-13 22:39 . 2011-02-17 11:43 70656              c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-13 22:39 . 2011-04-25 12:00 70656              c:\windows\system32\dllcache\ie4uinit.exe
- 2008-05-17 03:22 . 2011-02-17 19:00 63488              c:\windows\system32\dllcache\icardie.dll
+ 2008-05-17 03:22 . 2011-04-25 15:51 63488              c:\windows\system32\dllcache\icardie.dll
- 2007-08-13 22:42 . 2011-02-17 19:00 17408              c:\windows\system32\dllcache\corpol.dll
+ 2007-08-13 22:42 . 2011-04-25 15:51 17408              c:\windows\system32\dllcache\corpol.dll
- 2009-10-07 03:16 . 2011-05-11 07:05 35088              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-10-07 03:16 . 2011-06-16 07:22 35088              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-10-07 03:16 . 2011-06-16 07:22 18704              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-10-07 03:16 . 2011-05-11 07:05 18704              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-10-07 03:16 . 2011-05-11 07:05 20240              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-10-07 03:16 . 2011-06-16 07:22 20240              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\cagicon.exe
+ 2011-06-16 07:22 . 2011-02-17 19:00 44544              c:\windows\ie7updates\KB2530548-IE7\pngfilt.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 52224              c:\windows\ie7updates\KB2530548-IE7\msfeedsbs.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 27648              c:\windows\ie7updates\KB2530548-IE7\jsproxy.dll
+ 2011-06-16 07:22 . 2011-02-17 11:43 13824              c:\windows\ie7updates\KB2530548-IE7\ieudinit.exe
+ 2011-06-16 07:22 . 2011-02-17 19:00 44544              c:\windows\ie7updates\KB2530548-IE7\iernonce.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 78336              c:\windows\ie7updates\KB2530548-IE7\ieencode.dll
+ 2011-06-16 07:22 . 2011-02-17 11:43 70656              c:\windows\ie7updates\KB2530548-IE7\ie4uinit.exe
+ 2011-06-16 07:22 . 2011-02-17 19:00 63488              c:\windows\ie7updates\KB2530548-IE7\icardie.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 17408              c:\windows\ie7updates\KB2530548-IE7\corpol.dll
+ 2011-06-16 07:24 . 2011-06-16 07:24 60928              c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\1492e9393417d6e91b5ddc746b5ef320\UIAutomationProvider.ni.dll
+ 2011-06-16 07:29 . 2011-06-16 07:29 37888              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\61c3b1e170de97a8d418b610bd9b0c77\System.Windows.Presentation.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 36864              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\a4173f12a0fea30f95bc56ab04f64cae\System.Web.DynamicData.Design.ni.dll
+ 2011-06-16 07:27 . 2011-06-16 07:27 94208              c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\ab5802527ce15dbcc25e301dbbb4d666\System.ComponentModel.DataAnnotations.ni.dll
+ 2011-06-16 07:27 . 2011-06-16 07:27 82944              c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\177a17af98d803ab79006d6785706462\System.AddIn.Contract.ni.dll
+ 2011-06-16 07:22 . 2011-06-16 07:22 47104              c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\e9bb32c656a2f80b629f129d738c392b\PresentationFontCache.ni.exe
+ 2011-06-16 07:21 . 2011-06-16 07:21 39424              c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\d54d318ae1eb0667badea576d0534f9d\PresentationCFFRasterizer.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 55296              c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\87fe1d01b568b3bc9c750b7cf7802516\Microsoft.Vsa.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 65024              c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\f5057c30d89ad8d99e38c946a68def9e\Microsoft.Build.Framework.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 74752              c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\623c05a555ac0719a1367f511d4a9270\Microsoft.Build.Framework.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 14336              c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\c40d3caad8bff3c52db7e7562286406a\dfsvc.ni.exe
+ 2011-06-16 07:25 . 2011-06-16 07:25 25600              c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\d9228d58804dfd75fd92a4d12ffac8af\Accessibility.ni.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 77824              c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 77824              c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 81920              c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 81920              c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 81920              c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 81920              c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 32768              c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 32768              c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 12800              c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 12800              c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 28672              c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 28672              c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 77824              c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 77824              c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 36864              c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 36864              c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 77824              c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 77824              c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 13312              c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 13312              c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 10752              c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 10752              c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 72192              c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 72192              c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 69120              c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 69120              c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 8192              c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 8192              c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 7168              c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 7168              c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 5632              c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 5632              c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2011-04-13 07:10 . 2011-04-13 07:10 6656              c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 6656              c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 8192              c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 8192              c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 113664              c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 113664              c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 258048              c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 258048              c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 653136              c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcr90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 569680              c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcp90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 225280              c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcm90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 159048              c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_92453bb7\atl90.dll
+ 2011-05-14 05:17 . 2011-05-14 05:17 632656              c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcr80.dll
+ 2011-05-14 05:12 . 2011-05-14 05:12 554832              c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcp80.dll
+ 2011-05-14 05:11 . 2011-05-14 05:11 479232              c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcm80.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 233472              c:\windows\system32\webcheck.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 233472              c:\windows\system32\webcheck.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 105984              c:\windows\system32\url.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 105984              c:\windows\system32\url.dll
- 2005-08-16 10:18 . 2011-04-13 07:11 466842              c:\windows\system32\perfh009.dat
+ 2005-08-16 10:18 . 2011-06-16 07:19 466842              c:\windows\system32\perfh009.dat
- 2005-08-16 10:18 . 2008-04-14 00:12 551936              c:\windows\system32\oleaut32.dll
+ 2005-08-16 10:18 . 2010-12-20 17:32 551936              c:\windows\system32\oleaut32.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 102912              c:\windows\system32\occache.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 102912              c:\windows\system32\occache.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 671232              c:\windows\system32\mstime.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 671232              c:\windows\system32\mstime.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 193024              c:\windows\system32\msrating.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 193024              c:\windows\system32\msrating.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 478208              c:\windows\system32\mshtmled.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 478208              c:\windows\system32\mshtmled.dll
- 2007-08-13 22:54 . 2011-02-17 19:00 468480              c:\windows\system32\msfeeds.dll
+ 2007-08-13 22:54 . 2011-04-25 15:51 468480              c:\windows\system32\msfeeds.dll
- 2007-08-13 22:34 . 2011-02-17 19:00 268288              c:\windows\system32\iertutil.dll
+ 2007-08-13 22:34 . 2011-04-25 15:51 268288              c:\windows\system32\iertutil.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 192512              c:\windows\system32\iepeers.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 192512              c:\windows\system32\iepeers.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 384512              c:\windows\system32\iedkcs32.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 384512              c:\windows\system32\iedkcs32.dll
- 2007-07-11 16:27 . 2011-02-17 19:00 380928              c:\windows\system32\ieapfltr.dll
+ 2007-07-11 16:27 . 2011-04-25 15:51 380928              c:\windows\system32\ieapfltr.dll
+ 2005-08-16 10:18 . 2011-04-21 10:56 161792              c:\windows\system32\ieakui.dll
- 2005-08-16 10:18 . 2011-02-14 12:15 161792              c:\windows\system32\ieakui.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 230400              c:\windows\system32\ieaksie.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 230400              c:\windows\system32\ieaksie.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 153088              c:\windows\system32\ieakeng.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 153088              c:\windows\system32\ieakeng.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 133120              c:\windows\system32\extmgr.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 133120              c:\windows\system32\extmgr.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 214528              c:\windows\system32\dxtrans.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 214528              c:\windows\system32\dxtrans.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 347136              c:\windows\system32\dxtmsft.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 347136              c:\windows\system32\dxtmsft.dll
+ 2005-08-16 10:18 . 2011-02-16 13:22 138496              c:\windows\system32\drivers\afd.sys
- 2005-08-16 10:18 . 2008-10-16 14:43 138496              c:\windows\system32\drivers\afd.sys
+ 2006-05-10 05:25 . 2011-04-25 15:51 832512              c:\windows\system32\dllcache\wininet.dll
- 2006-05-10 05:25 . 2011-02-17 19:00 832512              c:\windows\system32\dllcache\wininet.dll
- 2007-08-13 22:54 . 2011-02-17 19:00 233472              c:\windows\system32\dllcache\webcheck.dll
+ 2007-08-13 22:54 . 2011-04-25 15:51 233472              c:\windows\system32\dllcache\webcheck.dll
+ 2006-09-18 14:15 . 2011-04-30 08:50 766464              c:\windows\system32\dllcache\vgx.dll
- 2007-08-13 22:44 . 2011-02-17 19:00 105984              c:\windows\system32\dllcache\url.dll
+ 2007-08-13 22:44 . 2011-04-25 15:51 105984              c:\windows\system32\dllcache\url.dll
+ 2010-12-20 17:32 . 2010-12-20 17:32 551936              c:\windows\system32\dllcache\oleaut32.dll
+ 2007-08-13 22:44 . 2011-04-25 15:51 102912              c:\windows\system32\dllcache\occache.dll
- 2007-08-13 22:44 . 2011-02-17 19:00 102912              c:\windows\system32\dllcache\occache.dll
+ 2006-05-10 05:25 . 2011-04-25 15:51 671232              c:\windows\system32\dllcache\mstime.dll
- 2006-05-10 05:25 . 2011-02-17 19:00 671232              c:\windows\system32\dllcache\mstime.dll
- 2006-05-10 05:25 . 2011-02-17 19:00 193024              c:\windows\system32\dllcache\msrating.dll
+ 2006-05-10 05:25 . 2011-04-25 15:51 193024              c:\windows\system32\dllcache\msrating.dll
+ 2006-05-10 05:25 . 2011-04-25 15:51 478208              c:\windows\system32\dllcache\mshtmled.dll
- 2006-05-10 05:25 . 2011-02-17 19:00 478208              c:\windows\system32\dllcache\mshtmled.dll
+ 2008-05-17 03:22 . 2011-04-25 15:51 468480              c:\windows\system32\dllcache\msfeeds.dll
- 2008-05-17 03:22 . 2011-02-17 19:00 468480              c:\windows\system32\dllcache\msfeeds.dll
+ 2008-11-12 18:29 . 2011-04-29 16:19 456320              c:\windows\system32\dllcache\mrxsmb.sys
- 2008-08-15 21:19 . 2011-03-07 05:33 692736              c:\windows\system32\dllcache\inetcomm.dll
+ 2008-08-15 21:19 . 2011-05-02 15:31 692736              c:\windows\system32\dllcache\inetcomm.dll
+ 2007-08-13 22:43 . 2011-04-21 10:58 634648              c:\windows\system32\dllcache\iexplore.exe
- 2007-08-13 22:43 . 2011-02-14 12:17 634648              c:\windows\system32\dllcache\iexplore.exe
- 2008-05-17 03:22 . 2011-02-17 19:00 268288              c:\windows\system32\dllcache\iertutil.dll
+ 2008-05-17 03:22 . 2011-04-25 15:51 268288              c:\windows\system32\dllcache\iertutil.dll
+ 2006-05-10 05:25 . 2011-04-25 15:51 192512              c:\windows\system32\dllcache\iepeers.dll
- 2006-05-10 05:25 . 2011-02-17 19:00 192512              c:\windows\system32\dllcache\iepeers.dll
- 2007-08-13 22:39 . 2011-02-17 19:00 384512              c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-08-13 22:39 . 2011-04-25 15:51 384512              c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-05-17 03:22 . 2011-04-25 15:51 380928              c:\windows\system32\dllcache\ieapfltr.dll
- 2008-05-17 03:22 . 2011-02-17 19:00 380928              c:\windows\system32\dllcache\ieapfltr.dll
- 2007-08-13 21:56 . 2011-02-14 12:15 161792              c:\windows\system32\dllcache\ieakui.dll
+ 2007-08-13 21:56 . 2011-04-21 10:56 161792              c:\windows\system32\dllcache\ieakui.dll
+ 2007-08-13 22:39 . 2011-04-25 15:51 230400              c:\windows\system32\dllcache\ieaksie.dll
- 2007-08-13 22:39 . 2011-02-17 19:00 230400              c:\windows\system32\dllcache\ieaksie.dll
+ 2007-08-13 22:39 . 2011-04-25 15:51 153088              c:\windows\system32\dllcache\ieakeng.dll
- 2007-08-13 22:39 . 2011-02-17 19:00 153088              c:\windows\system32\dllcache\ieakeng.dll
- 2006-05-10 05:25 . 2011-02-17 19:00 133120              c:\windows\system32\dllcache\extmgr.dll
+ 2006-05-10 05:25 . 2011-04-25 15:51 133120              c:\windows\system32\dllcache\extmgr.dll
- 2006-05-10 05:25 . 2011-02-17 19:00 214528              c:\windows\system32\dllcache\dxtrans.dll
+ 2006-05-10 05:25 . 2011-04-25 15:51 214528              c:\windows\system32\dllcache\dxtrans.dll
+ 2006-05-10 05:25 . 2011-04-25 15:51 347136              c:\windows\system32\dllcache\dxtmsft.dll
- 2006-05-10 05:25 . 2011-02-17 19:00 347136              c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-06-20 11:40 . 2011-02-16 13:22 138496              c:\windows\system32\dllcache\afd.sys
- 2008-06-20 11:40 . 2008-10-16 14:43 138496              c:\windows\system32\dllcache\afd.sys
- 2007-08-13 22:39 . 2011-02-17 19:00 124928              c:\windows\system32\dllcache\advpack.dll
+ 2007-08-13 22:39 . 2011-04-25 15:51 124928              c:\windows\system32\dllcache\advpack.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 124928              c:\windows\system32\advpack.dll
- 2005-08-16 10:18 . 2011-02-17 19:00 124928              c:\windows\system32\advpack.dll
+ 2011-03-25 10:15 . 2011-03-25 10:15 388936              c:\windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll
- 2011-01-18 08:39 . 2011-01-18 08:39 388936              c:\windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll
+ 2011-03-25 10:15 . 2011-03-25 10:15 363856              c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
- 2011-01-18 08:39 . 2011-01-18 08:39 363856              c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
- 2011-01-18 08:39 . 2011-01-18 08:39 989016              c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2011-03-25 10:15 . 2011-03-25 10:15 989016              c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2011-03-18 00:03 . 2011-03-18 00:03 308736              c:\windows\Installer\24ad2770.msp
+ 2011-06-16 07:09 . 2011-06-16 07:09 223744              c:\windows\Installer\24ad2720.msi
+ 2011-06-16 07:03 . 2011-06-16 07:03 467456              c:\windows\Installer\24ad26fa.msi
+ 2009-10-07 03:16 . 2011-06-16 07:22 888080              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-10-07 03:16 . 2011-05-11 07:05 888080              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-10-07 03:16 . 2011-06-16 07:22 272648              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pubs.exe
- 2009-10-07 03:16 . 2011-05-11 07:05 272648              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-10-07 03:16 . 2011-06-16 07:22 922384              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pptico.exe
- 2009-10-07 03:16 . 2011-05-11 07:05 922384              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pptico.exe
- 2009-10-07 03:16 . 2011-05-11 07:05 845584              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-10-07 03:16 . 2011-06-16 07:22 845584              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-10-07 03:16 . 2011-06-16 07:22 217864              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\misc.exe
- 2009-10-07 03:16 . 2011-05-11 07:05 217864              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\misc.exe
- 2009-10-07 03:16 . 2011-05-11 07:05 184080              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-10-07 03:16 . 2011-06-16 07:22 184080              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\joticon.exe
- 2009-10-07 03:16 . 2011-05-11 07:05 159504              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-10-07 03:16 . 2011-06-16 07:22 159504              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\inficon.exe
+ 2011-06-16 07:11 . 2007-07-12 23:31 765952              c:\windows\ie7updates\KB2544521-IE7\vgx.dll
+ 2011-06-16 07:11 . 2010-07-05 13:16 382840              c:\windows\ie7updates\KB2544521-IE7\spuninst\updspapi.dll
+ 2011-06-16 07:11 . 2010-07-05 13:15 231288              c:\windows\ie7updates\KB2544521-IE7\spuninst\spuninst.exe
+ 2011-06-16 07:22 . 2011-02-17 19:00 832512              c:\windows\ie7updates\KB2530548-IE7\wininet.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 233472              c:\windows\ie7updates\KB2530548-IE7\webcheck.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 105984              c:\windows\ie7updates\KB2530548-IE7\url.dll
+ 2011-06-16 07:22 . 2010-07-05 13:16 382840              c:\windows\ie7updates\KB2530548-IE7\spuninst\updspapi.dll
+ 2011-06-16 07:22 . 2010-07-05 13:15 231288              c:\windows\ie7updates\KB2530548-IE7\spuninst\spuninst.exe
+ 2011-06-16 07:22 . 2011-02-17 19:00 102912              c:\windows\ie7updates\KB2530548-IE7\occache.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 671232              c:\windows\ie7updates\KB2530548-IE7\mstime.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 193024              c:\windows\ie7updates\KB2530548-IE7\msrating.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 478208              c:\windows\ie7updates\KB2530548-IE7\mshtmled.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 468480              c:\windows\ie7updates\KB2530548-IE7\msfeeds.dll
+ 2011-06-16 07:22 . 2011-02-14 12:17 634648              c:\windows\ie7updates\KB2530548-IE7\iexplore.exe
+ 2011-06-16 07:22 . 2011-02-17 19:00 268288              c:\windows\ie7updates\KB2530548-IE7\iertutil.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 192512              c:\windows\ie7updates\KB2530548-IE7\iepeers.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 384512              c:\windows\ie7updates\KB2530548-IE7\iedkcs32.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 380928              c:\windows\ie7updates\KB2530548-IE7\ieapfltr.dll
+ 2011-06-16 07:22 . 2011-02-14 12:15 161792              c:\windows\ie7updates\KB2530548-IE7\ieakui.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 230400              c:\windows\ie7updates\KB2530548-IE7\ieaksie.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 153088              c:\windows\ie7updates\KB2530548-IE7\ieakeng.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 133120              c:\windows\ie7updates\KB2530548-IE7\extmgr.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 214528              c:\windows\ie7updates\KB2530548-IE7\dxtrans.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 347136              c:\windows\ie7updates\KB2530548-IE7\dxtmsft.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 124928              c:\windows\ie7updates\KB2530548-IE7\advpack.dll
+ 2008-11-12 18:29 . 2011-04-29 16:19 456320              c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2011-06-16 07:26 . 2011-06-16 07:26 321536              c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\8ba27eaa0f7d987f92319c64aefd2e98\WsatConfig.ni.exe
+ 2011-06-16 07:24 . 2011-06-16


----------



## rschwarz

*Part 2 of the combofix log and hijackthis and Malware logs*



johnb35 said:


> You used the wrong address.  it should be [email protected].   Since the combofix log is too long you can always break it up into multiple posts, just remember where you left off.



Here is the rest of the combofix log and the hijackthis and malware logs:

07:24 240128              c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\431d5dc1cfcc0c0530e813f370931670\WindowsFormsIntegration.ni.dll
+ 2011-06-16 07:24 . 2011-06-16 07:24 187904              c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\3740d6db28af31a6523a79fcdd71fbeb\UIAutomationTypes.ni.dll
+ 2011-06-16 07:24 . 2011-06-16 07:24 447488              c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\00dfe5563886a1f69c96b3acb839107b\UIAutomationClient.ni.dll
+ 2011-06-16 07:29 . 2011-06-16 07:29 400896              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\80187a9cfed4fd0ec82746495be76764\System.Xml.Linq.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 129536              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\58c421c537b1c3f3878458ad306b2a42\System.Web.Routing.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 202240              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\dc26fff00ce95d24fd190f38904bb2b3\System.Web.RegularExpressions.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 859648              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\4e3dd4d7f9aeda74a2fcefee036e5070\System.Web.Extensions.Design.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 328704              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\4fb1c0c07f40248b463f2e33444b9477\System.Web.Entity.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 301056              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\4dfcffc6e6d02bdcdc185d5527a8097e\System.Web.Entity.Design.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 547328              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\4b921d1cffcd5e80ea14c51db967edd6\System.Web.DynamicData.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 141312              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\702b506e56d3a7051aea7822cd915c7f\System.Web.Abstractions.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 627200              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\7c430c38d71d632c019ae37d5ef12c8e\System.Transactions.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 212992              c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\0f3d321ebd65af974ff0ad424223276d\System.ServiceProcess.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 679936              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\e4bcb14e8e53c8dcaff3d2c20daf746e\System.Security.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 311296              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\503ccbb50e9c06c2f0b02ad8c3f2d100\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 621056              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\ac53723e41898bc0e8a591c2e4f6f39b\System.Net.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 998400              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\19280e723d215c0d6607d3884f453cdf\System.Management.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 330752              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\4a3a674008d8102c1aa5b3fc18251ef7\System.Management.Instrumentation.ni.dll
+ 2011-06-16 07:25 . 2011-06-16 07:25 381440              c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\7f5f5bfd5f8d6587c96870751a6eb44d\System.IO.Log.ni.dll
+ 2011-06-16 07:25 . 2011-06-16 07:25 212992              c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\de1bf796614ca11afd9fab95edb1b4e2\System.IdentityModel.Selectors.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 280064              c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\94aae9e592c0f104120572f9925fca12\System.EnterpriseServices.Wrapper.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 627712              c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\94aae9e592c0f104120572f9925fca12\System.EnterpriseServices.ni.dll
+ 2011-06-16 07:23 . 2011-06-16 07:23 208384              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\1af8683e05c42eb32f46578fe5a8f83f\System.Drawing.Design.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 455680              c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\791a6643b70542b148d977ff42f2f2ef\System.DirectoryServices.Protocols.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 881152              c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\31759ad8be21735f0a369c37514c2efc\System.DirectoryServices.AccountManagement.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 939008              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\df507a4500e73fa4cfc13f65a1c9055e\System.Data.Services.Client.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 354816              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\d1778fffc09d783bc90512b65d35be66\System.Data.Services.Design.ni.dll
+ 2011-06-16 07:27 . 2011-06-16 07:27 756736              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\5a47a8bf16370c93b3c6a471e48cc67a\System.Data.Entity.Design.ni.dll
+ 2011-06-16 07:27 . 2011-06-16 07:27 135680              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\50492d147392c238edc5a614beccb91b\System.Data.DataSetExtensions.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 971264              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\48f8b951a598647dd309ca2031807a5d\System.Configuration.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 141312              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\fa21b6c9badcf916bb254b4b823c2463\System.Configuration.Install.ni.dll
+ 2011-06-16 07:27 . 2011-06-16 07:27 633856              c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\77015cc1e6d9e7d20e63903777afd6df\System.AddIn.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 366080              c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\6ca41c7917119c3a9de0bcdca525001d\SMSvcHost.ni.exe
+ 2011-06-16 07:26 . 2011-06-16 07:26 256000              c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8ff6d395f8861384bc9bfbe34cafb64e\SMDiagnostics.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 320512              c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\67dc00c24e551003f6dacb73fe9cf881\ServiceModelReg.ni.exe
+ 2011-06-16 07:23 . 2011-06-16 07:23 368128              c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e468e9265c844f74577530e4df71f120\PresentationFramework.Aero.ni.dll
+ 2011-06-16 07:23 . 2011-06-16 07:23 224768              c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\959709491c71caef88fb41b0eb159714\PresentationFramework.Classic.ni.dll
+ 2011-06-16 07:23 . 2011-06-16 07:23 258048              c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\807b62468c2893ee943dffff63a34d8d\PresentationFramework.Royale.ni.dll
+ 2011-06-16 07:23 . 2011-06-16 07:23 539648              c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\6cf82f370413a2cd1e6bc54060334753\PresentationFramework.Luna.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 133632              c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\0add35a0fbe0c381c998b651c5979902\MSBuild.ni.exe
+ 2011-06-16 07:26 . 2011-06-16 07:26 386560              c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\667dc256d9eb3577f2514c89c5974aff\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 144384              c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\d5561a4ad04c22f0eb5acf4736c7936e\Microsoft.Build.Utilities.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 175104              c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\1a0623063225521aa43044314cc5e721\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 839680              c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\530f98922474a31636c34fa3db9a63ba\Microsoft.Build.Engine.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 222720              c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\7e75fca3ca1f36df8ac624190d9cd283\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 220672              c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\80bd17388778c90f301746ad88700758\CustomMarshalers.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 410112              c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\c0f5f3c318a92212bbe3b413eeb2b374\ComSvcConfig.ni.exe
+ 2011-06-16 07:25 . 2011-06-16 07:25 842240              c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\0524928cbd0a686db3960ef688d0d37e\AspNetMMCExt.ni.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 839680              c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 839680              c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 835584              c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 835584              c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 114688              c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 114688              c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 258048              c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 258048              c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 131072              c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 131072              c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 303104              c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 303104              c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 258048              c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 258048              c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 372736              c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 372736              c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 626688              c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 626688              c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 401408              c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 401408              c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 188416              c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 188416              c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 970752              c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 970752              c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 745472              c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 745472              c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 425984              c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 425984              c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 110592              c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 110592              c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 659456              c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 659456              c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 372736              c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 372736              c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 110592              c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 110592              c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 749568              c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 749568              c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 655360              c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 655360              c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 348160              c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 348160              c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 507904              c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 507904              c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 261632              c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 261632              c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 113664              c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 113664              c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 258048              c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 258048              c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 486400              c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 486400              c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 3781960              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfc90u.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 3766600              c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfc90.dll
+ 2011-05-14 00:04 . 2011-05-14 00:04 1093120              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\mfc80u.dll
+ 2011-05-14 00:04 . 2011-05-14 00:04 1101824              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\mfc80.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 1168896              c:\windows\system32\urlmon.dll
+ 2005-08-16 10:18 . 2011-04-25 15:51 3608576              c:\windows\system32\mshtml.dll
+ 2007-08-13 22:54 . 2011-04-25 15:51 6076416              c:\windows\system32\ieframe.dll
+ 2006-05-10 05:25 . 2011-04-25 15:51 1168896              c:\windows\system32\dllcache\urlmon.dll
+ 2006-05-19 15:06 . 2011-04-25 15:51 3608576              c:\windows\system32\dllcache\mshtml.dll
+ 2008-05-17 03:22 . 2011-04-25 15:51 6076416              c:\windows\system32\dllcache\ieframe.dll
+ 2011-03-25 10:15 . 2011-03-25 10:15 5025792              c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 5025792              c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
- 2010-03-23 09:32 . 2010-03-23 09:32 3182592              c:\windows\Microsoft.NET\Framework\v2.0.50727\System.dll
+ 2011-01-18 08:39 . 2011-01-18 08:39 3182592              c:\windows\Microsoft.NET\Framework\v2.0.50727\System.dll
+ 2011-03-25 10:15 . 2011-03-25 10:15 5912400              c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
- 2011-01-18 08:39 . 2011-01-18 08:39 4550656              c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2011-03-25 10:15 . 2011-03-25 10:15 4550656              c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2011-06-09 21:13 . 2011-06-09 21:13 1094656              c:\windows\Installer\3ad254c.msi
+ 2011-04-29 16:31 . 2011-04-29 16:31 9006080              c:\windows\Installer\24ad274d.msp
+ 2011-04-29 16:28 . 2011-04-29 16:28 1995264              c:\windows\Installer\24ad2736.msp
+ 2011-04-29 16:33 . 2011-04-29 16:33 8173568              c:\windows\Installer\24ad2718.msp
+ 2011-01-19 03:36 . 2011-01-19 03:36 2687488              c:\windows\Installer\24ad2701.msp
- 2009-10-07 03:16 . 2011-05-11 07:05 1172240              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-10-07 03:16 . 2011-06-16 07:22 1172240              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-10-07 03:16 . 2011-06-16 07:22 1165584              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\accicons.exe
- 2009-10-07 03:16 . 2011-05-11 07:05 1165584              c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\accicons.exe
+ 2011-06-16 07:22 . 2011-02-17 19:00 1168384              c:\windows\ie7updates\KB2530548-IE7\urlmon.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 3607040              c:\windows\ie7updates\KB2530548-IE7\mshtml.dll
+ 2011-06-16 07:22 . 2011-02-17 19:00 6075904              c:\windows\ie7updates\KB2530548-IE7\ieframe.dll
+ 2011-06-16 07:21 . 2011-06-16 07:21 3325440              c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\11526c1635b97a7d49e25e72ed6e9662\WindowsBase.ni.dll
+ 2011-06-16 07:24 . 2011-06-16 07:24 1049600              c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\901c3796073853746fecd8979c679494\UIAutomationClientsideProviders.ni.dll
+ 2011-06-16 07:21 . 2011-06-16 07:21 7950848              c:\windows\assembly\NativeImages_v2.0.50727_32\System\f6a9a002526806f3a5b745cf5c407cae\System.ni.dll
+ 2011-06-16 07:24 . 2011-06-16 07:24 5450752              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f354057a5b4fad4c399da28449ba0d92\System.Xml.ni.dll
+ 2011-06-16 07:29 . 2011-06-16 07:29 1356288              c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\2877dda3e0f0faeba527b4bf1efe9cb5\System.WorkflowServices.ni.dll
+ 2011-06-16 07:29 . 2011-06-16 07:29 1908224              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\d7cb3697989fe6fa3a08d2821d38aa5e\System.Workflow.Runtime.ni.dll
+ 2011-06-16 07:29 . 2011-06-16 07:29 4514304              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\4ac04107c35485d415f9e1bebfd155dd\System.Workflow.ComponentModel.ni.dll
+ 2011-06-16 07:29 . 2011-06-16 07:29 2992640              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\2169feb8bd57d96e621fa26d9391d463\System.Workflow.Activities.ni.dll
+ 2011-06-16 07:29 . 2011-06-16 07:29 1840640              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\f31f1579160d87470cba918f06276e0d\System.Web.Services.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 2209280              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\bdad1c0f4eb846543b234353fd2b926f\System.Web.Mobile.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 2405376              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\647bfe6da40e8160b967c41424901dc8\System.Web.Extensions.ni.dll
+ 2011-06-16 07:24 . 2011-06-16 07:24 1917952              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\2047e63293e067b351b8f0e038253f33\System.Speech.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 1706496              c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\ead07662976fb7094811461c568643d5\System.ServiceModel.Web.ni.dll
+ 2011-06-16 07:25 . 2011-06-16 07:25 2345472              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\c889a45c82004537f1620dd3b211af66\System.Runtime.Serialization.ni.dll
+ 2011-06-16 07:23 . 2011-06-16 07:23 1035776              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\c64aa916251a45206a805ab6488b9255\System.Printing.ni.dll
+ 2011-06-16 07:25 . 2011-06-16 07:25 1070080              c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\a8039af85f459c19c041313f9fe0d7e8\System.IdentityModel.ni.dll
+ 2011-06-16 07:23 . 2011-06-16 07:23 1587200              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\a59b17e6040e3f6286a2227dfdb17096\System.Drawing.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 1116672              c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\55211bc8f4fcff47c05bfc3020d97148\System.DirectoryServices.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 1801216              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\f9ff2fb342cd5102e2d95883b3433a5d\System.Deployment.ni.dll
+ 2011-06-16 07:23 . 2011-06-16 07:23 6616576              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\05d99241bd45cbd96a6053841790a4a2\System.Data.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 2510336              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\ef31ab37b0d7c3c1a6d72646966c8911\System.Data.SqlXml.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 1328128              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\f945e9c32c775bb604ab83d8933f1b2c\System.Data.Services.ni.dll
+ 2011-06-16 07:23 . 2011-06-16 07:23 2516480              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\283e9bf48e17bdb34acdc93bd5721be0\System.Data.Linq.ni.dll
+ 2011-06-16 07:27 . 2011-06-16 07:27 9924096              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\368c85cccea8a1206be5c849fd6614e3\System.Data.Entity.ni.dll
+ 2011-06-16 07:23 . 2011-06-16 07:23 2295296              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\bd2e04dfab2993479ae17ea3fa4f6222\System.Core.ni.dll
+ 2011-06-16 07:23 . 2011-06-16 07:23 2128896              c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\4f82a0a1b4405ef61dfa088d11161e35\ReachFramework.ni.dll
+ 2011-06-16 07:23 . 2011-06-16 07:23 1657856              c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\148505f5b0307230de5d355f10d30a20\PresentationUI.ni.dll
+ 2011-06-16 07:21 . 2011-06-16 07:21 1451008              c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\1fab86af683c04bdb0aaf65ce7fcd9e5\PresentationBuildTasks.ni.dll
+ 2011-06-16 07:27 . 2011-06-16 07:27 1712128              c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7292ca9d793cb71cf3d41ae663e7139b\Microsoft.VisualBasic.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 1093120              c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\abaf7a180354ed5ec099fb69339b538a\Microsoft.Transactions.Bridge.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 2332160              c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\b41db9f2897f538203911026bb0abd5d\Microsoft.JScript.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 1966080              c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\a91940f9033c7910f3f64c061571cec9\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 1620992              c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\5195a94327ccef45d202776e932e847b\Microsoft.Build.Tasks.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 1888768              c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\3efbca53acdd34586bd7f6f87e71ed62\Microsoft.Build.Engine.ni.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 3182592              c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 3182592              c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 2048000              c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 2048000              c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 5025792              c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 5025792              c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 5062656              c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 5062656              c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2011-06-16 07:18 . 2011-06-16 07:18 5242880              c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 5242880              c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 2933248              c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 2933248              c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2011-06-16 07:19 . 2011-06-16 07:19 4550656              c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2011-04-13 07:10 . 2011-04-13 07:10 4550656              c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2006-02-18 16:46 . 2011-06-16 07:11 47716296              c:\windows\system32\MRT.exe
+ 2011-03-28 07:27 . 2011-03-28 07:27 15456256              c:\windows\Installer\24ad275a.msp
+ 2011-06-16 07:24 . 2011-06-16 07:24 12430848              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\29d16d2f164fe2263539789ecd0d9d4f\System.Windows.Forms.ni.dll
+ 2011-06-16 07:28 . 2011-06-16 07:28 11800576              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\1fb5d8788c9a9a7f44e2d0fa19c62729\System.Web.ni.dll
+ 2011-06-16 07:26 . 2011-06-16 07:26 17403904              c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\23abc8e4b535b9cd9c5560266c655ac2\System.ServiceModel.ni.dll
+ 2011-06-16 07:23 . 2011-06-16 07:23 10683392              c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\ee914f59ad8211e0b6734dccffd9986e\System.Design.ni.dll
+ 2011-06-16 07:23 . 2011-06-16 07:23 14328320              c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\999df2b262da53356dda514512bb7bb8\PresentationFramework.ni.dll
+ 2011-06-16 07:22 . 2011-06-16 07:22 12215808              c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\caafa254739e326b0cf55eed815b4333\PresentationCore.ni.dll
+ 2011-06-16 07:21 . 2011-06-16 07:21 11490816              c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"Creative MediaSource Go"="c:\program files\Creative\MediaSource\Go\CTCMSGo.exe" [2005-10-19 135168]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-11 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
.
c:\documents and settings\Hannah Schwarz\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1139112684\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1139112684\\ee\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/9/2010 9:53 AM 136360]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/24/2008 7:57 PM 24652]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [7/15/2002 11:39 PM 26496]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ROGERS~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ROGERS~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ROGERS~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ROGERS~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/2/2010 9:34 PM 135664]
S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [10/25/2004 5:09 PM 331776]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/2/2010 9:34 PM 135664]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [6/2/2007 2:11 PM 396192]
S3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [6/2/2007 2:11 PM 10752]
S3 TASCAM_US122L_WDM;TASCAM US-122L WDM;c:\windows\system32\drivers\tscusb2a.sys [6/2/2007 2:11 PM 19904]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/6/2007 12:12 AM 682232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 01:34]
.
2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 01:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 207.69.188.186 207.69.188.187
FF - ProfilePath - c:\documents and settings\Roger Schwarz\Application Data\Mozilla\Firefox\Profiles\jhemn4a5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-23 15:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1452)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-06-23  15:16:31
ComboFix-quarantined-files.txt  2011-06-23 19:16
ComboFix2.txt  2011-06-09 21:06
.
Pre-Run: 54,141,190,144 bytes free
Post-Run: 54,138,875,904 bytes free
.
- - End Of File - - 7DB28BAD77C33E7000AAF617DA0B122C

HiJackThis
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:31:36 PM, on 6/23/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17098)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8730 bytes
MalWare
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org
Database version: 6931
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
6/24/2011 8:35:59 AM
mbam-log-2011-06-24 (08-35-59).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 330670
Time elapsed: 54 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Qoobox\quarantine\C\documents and settings\all users\application data\17686308.exe.vir (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1443\A0228470.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.


----------



## johnb35

rschwarz

Let me know if there is a folder in c:\temp named smtmp.  You may need to enable show hidden files and folders to view this.


----------



## rschwarz

johnb35 said:


> rschwarz
> 
> Let me know if there is a folder in c:\temp named smtmp.  You may need to enable show hidden files and folders to view this.




There isn't any temp folder at c:\. There is a temp folder at C:\WINDOWS\temp, but that doesn't have a smtmp folder.


----------



## johnb35

ok. This is where I recommend using system restore to set your system back a few days prior to being infected to where everything is working like it should.  After doing the system restore you still need to rescan your system with malwarebytes and have it remove anything it finds.


----------



## rschwarz

johnb35 said:


> ok. This is where I recommend using system restore to set your system back a few days prior to being infected to where everything is working like it should.  After doing the system restore you still need to rescan your system with malwarebytes and have it remove anything it finds.



System restore doesn't show up. I've gone to start/accessories/system tools, but the only program within system tools is Internet Explorer (which seems weird itself).


----------



## johnb35

navigate to here.

C:\WINDOWS\system32\Restore and run rstrui.exe, which is system restore.


----------



## johnb35

cutyhammy said:


> Hi John,
> 
> thanks so much for giving the malware program and the steps to get rid of the virus. You saved my computer today
> 
> i've also run the "unhide.exe" program which unhide all the files and folders.
> 
> But i still have one problem *hope that you can help* (or anyone pls)
> All the program in my Windows menus has dissapears.
> The program is stil there in the Programs folder, but i just can't seem them on Windows menu [e.g Start > All Programs > Itunes > (Empty)]
> 
> Do you have any solution on how i can fix that?
> 
> Thanks again for ya help



cutyhammy,

Is this a business/company pc?  If so, you will need to take it to the network admin of the company and have them take care of it.  We will not be liable for company machines.


----------



## rschwarz

johnb35 said:


> navigate to here.
> 
> C:\WINDOWS\system32\Restore and run rstrui.exe, which is system restore.



I ran system restore and the programs in the menu are still listed as empty. I tried restoring the computor to several reset points, including the earliest date available (April 2, 2011), to no use. 

Each time i ran the system restore, it said that it was incomplete and that no changes were made on my computer. 

Ugh.


----------



## johnb35

rschwarz said:


> I ran system restore and the programs in the menu are still listed as empty. I tried restoring the computor to several reset points, including the earliest date available (April 2, 2011), to no use.
> 
> Each time i ran the system restore, it said that it was incomplete and that no changes were made on my computer.
> 
> Ugh.



Then unfortunately, its looks like you will have to reinstall windows on this machine.  Unfortunately unhide.exe doesn't work 100 percent on all machines, and everyone should know that system restore isn't very reliable.  You may want to invest in a program called Acronis true image.  You can set it to create an exact image of your drive at certain points to where if you ever have to reinstall windows you can be back up and running within less than 10 minutes or so after starting the process.  Afterwards, all your programs and data will be back where they were.


----------



## rschwarz

johnb35 said:


> Then unfortunately, its looks like you will have to reinstall windows on this machine.  Unfortunately unhide.exe doesn't work 100 percent on all machines, and everyone should know that system restore isn't very reliable.  You may want to invest in a program called Acronis true image.  You can set it to create an exact image of your drive at certain points to where if you ever have to reinstall windows you can be back up and running within less than 10 minutes or so after starting the process.  Afterwards, all your programs and data will be back where they were.



John,

OK, I'll try reinstalling Windows. In any case, thanks for all of your help. I'm just so impressed how much help you give people on this forum. I've really appreciated it. thanks again.


----------



## litefoot

litefoot said:


> I've been attempting to restore the factory default over the last few days but I'm having problems. When I do it from Windows, it has to reboot before it runs, and I'm getting the same blue screen on startup. I tried doing Alt and F10 from the reboot, which is supposed to take you into an Acer menu to allow you to start it outside Windows, but this combination of keys doesn't seem to work. Will keep trying and keep you updated.




I'm still having this problem. If I do it from Windows, I get the blue screen. I can only do it from bootup by using the factory disks.

I am frequently getting the the blue screen on bootup now, and after auto restart it takes me into Startup Repair. I have to do this a few times before I can actually get past the blue screen and into Windows. I don't know if this is a memory problem or related to the virus. On getting into Windows the following pop box appears:

Windows has recovered from an unexpected shutdown

Problem signature:
  Problem Event Name:	BlueScreen
  OS Version:	6.0.6001.2.1.0.768.3
  Locale ID:	2057

Additional information about the problem:
  BCCode:	be
  BCP1:	81B278E0
  BCP2:	01B27161
  BCP3:	80599BFC
  BCP4:	0000000B
  OS Version:	6_0_6001
  Service Pack:	1_0
  Product:	768_1

Files that help describe the problem:
  C:\Windows\Minidump\Mini062811-01.dmp
  C:\Users\Andrew\AppData\Local\Temp\WER-419190-0.sysdata.xml
  C:\Users\Andrew\AppData\Local\Temp\WER253B.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

I ran eset again (I haven't been able to load any security websites again until tonight) and curiously I now have only 1000 infected files instead of the 5000 I mentioned earlier. I have a log file. It's too long to paste in here. You mentioned an email address earlier - would it be OK for me to email it? The first instances of infected files in the log are all in the Acer eRecovery Management folder - a sign that the factory disks could be infected?

I ran Windows malicious software recovery again and did a quick scan only. I found 6 threats which I removed. I then ran it again and found another 6 threats which I removed.


----------



## johnb35

I would say your recovery cd's are infected then.  I would call up acer and have them send you new recovery cd's.


----------



## cello

*System Restore*

OK, so I had the same virus this very evening, out of nowhere. Here's what it did (but there seems to be no doubt it's the same) :

-- It hid the contents of my C:. Not the other partitions, just C.
-- Emptied the Config Panel, and the Desktop (except for the IE icon)
-- Crippled IE, replacing the pages, 99% of the time, by spam
-- DEACTIVATED both my AV and all my anti-spywares (and made it impossible to start any of them again)
-- prevented any further installation of any type of program ("Setup denied access" or something)
-- Bombarded me with the same stupid messages which other users have reported
-- SAFE MODE was totally useless, because crippled as well (the first time I've seen that) : none of my AV programs worked, and IE in Networking was as hijacked as in Normal Mode
-- the virus messed up the "System Restore" option you get when you boot with F8 : S-R seemed to work but booted the computer in less than 30 seconds with no change
-- And the virus slowed down my comp tremendously during anything I tried to do.


But I killed this little s*** eventually, without reinstalling Windows (actually I couldn't... my DVD drive is dead.) : a REAL System Restore was enough. I had to find how to get to it, though, since the Control Panel was blank. 

There was actually a few links to it in the "Windows Help" menu, which still worked. You can probably find a way to get to them in "Normal Mode", but as it happened I did it in "Safe Mode". So :

-- Restart you computer, and press F8 until you get the boot choices, choose "Safe Mode"

-- Go make yourself a cup of coffee

-- When "Safe Mode" is finally ready, a "Help menu" is already opened on the right side of the desktop (entitled "What is Safe Mode ?"). In there, you'll easily find "System Restore" in a few clicks (check out the "tools" section, if memory serves ; no keyword search required, just click your way through the main menu, you'll quickly find SR.)

I chose my Restore Point : it took forever (about 20 mns !!!) to restore my settings, so long that I thought my computer had frozen, but it worked. 

Right now I'm having Avast (Malwarebytes and Ad-Aware are next) scanning C: ; it's been an hour, and it's still finding traces of the Trojan. But in the meantime, my computer works perfectly.

If I'm repeating here what may have been said before on this thread, 'm sorry . I didn't read most of the other posts.


----------



## djbulgogi

Hi Johnb35,

I successfully eliminated the virus with your help (I was around pages 2-5 of this thread).

My laptop however has become drastically slower and almost every operation is bogged down (rebooting takes about 3 -4 minutes). This is a new machine I bought 3.5 months ago as well so it should not be performing this poorly.

Will posting logs help you discover possible problems? Which logs do you want me to post if so, let me know and thanks!


----------



## johnb35

Please download and run TDSSkiller

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.







To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.






If the log says will be cured after reboot, please reboot the system by pressing the reboot now button.

After running there will be a log that will be located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it.  Please open the log and copy and paste it back here.

Then I would need to see the malwarebytes log and the hijackthis log.


----------



## djbulgogi

2011/07/01 13:00:42.0942 6940	TDSS rootkit removing tool 2.5.8.0 Jun 28 2011 19:12:16
2011/07/01 13:00:43.0391 6940	================================================================================
2011/07/01 13:00:43.0391 6940	SystemInfo:
2011/07/01 13:00:43.0391 6940	
2011/07/01 13:00:43.0391 6940	OS Version: 6.1.7600 ServicePack: 0.0
2011/07/01 13:00:43.0391 6940	Product type: Workstation
2011/07/01 13:00:43.0391 6940	ComputerName: POOPMACHINE
2011/07/01 13:00:43.0392 6940	UserName: matei
2011/07/01 13:00:43.0392 6940	Windows directory: C:\windows
2011/07/01 13:00:43.0392 6940	System windows directory: C:\windows
2011/07/01 13:00:43.0392 6940	Running under WOW64
2011/07/01 13:00:43.0392 6940	Processor architecture: Intel x64
2011/07/01 13:00:43.0392 6940	Number of processors: 8
2011/07/01 13:00:43.0392 6940	Page size: 0x1000
2011/07/01 13:00:43.0392 6940	Boot type: Normal boot
2011/07/01 13:00:43.0392 6940	================================================================================
2011/07/01 13:00:45.0695 6940	Initialize success
2011/07/01 13:01:19.0881 5852	================================================================================
2011/07/01 13:01:19.0881 5852	Scan started
2011/07/01 13:01:19.0881 5852	Mode: Manual; 
2011/07/01 13:01:19.0881 5852	================================================================================
2011/07/01 13:01:24.0165 5852	1394ohci        (1b00662092f9f9568b995902f0cc40d5) C:\windows\system32\DRIVERS\1394ohci.sys
2011/07/01 13:01:24.0369 5852	ACPI            (6f11e88748cdefd2f76aa215f97ddfe5) C:\windows\system32\DRIVERS\ACPI.sys
2011/07/01 13:01:24.0453 5852	AcpiPmi         (63b05a0420ce4bf0e4af6dcc7cada254) C:\windows\system32\DRIVERS\acpipmi.sys
2011/07/01 13:01:24.0953 5852	adp94xx         (2f6b34b83843f0c5118b63ac634f5bf4) C:\windows\system32\DRIVERS\adp94xx.sys
2011/07/01 13:01:24.0987 5852	adpahci         (597f78224ee9224ea1a13d6350ced962) C:\windows\system32\DRIVERS\adpahci.sys
2011/07/01 13:01:25.0013 5852	adpu320         (e109549c90f62fb570b9540c4b148e54) C:\windows\system32\DRIVERS\adpu320.sys
2011/07/01 13:01:25.0129 5852	AFD             (6ef20ddf3172e97d69f596fb90602f29) C:\windows\system32\drivers\afd.sys
2011/07/01 13:01:25.0159 5852	agp440          (608c14dba7299d8cb6ed035a68a15799) C:\windows\system32\DRIVERS\agp440.sys
2011/07/01 13:01:25.0192 5852	aliide          (5812713a477a3ad7363c7438ca2ee038) C:\windows\system32\DRIVERS\aliide.sys
2011/07/01 13:01:25.0212 5852	amdide          (1ff8b4431c353ce385c875f194924c0c) C:\windows\system32\DRIVERS\amdide.sys
2011/07/01 13:01:25.0231 5852	AmdK8           (7024f087cff1833a806193ef9d22cda9) C:\windows\system32\DRIVERS\amdk8.sys
2011/07/01 13:01:25.0245 5852	AmdPPM          (1e56388b3fe0d031c44144eb8c4d6217) C:\windows\system32\DRIVERS\amdppm.sys
2011/07/01 13:01:25.0285 5852	amdsata         (ec7ebab00a4d8448bab68d1e49b4beb9) C:\windows\system32\drivers\amdsata.sys
2011/07/01 13:01:25.0323 5852	amdsbs          (f67f933e79241ed32ff46a4f29b5120b) C:\windows\system32\DRIVERS\amdsbs.sys
2011/07/01 13:01:25.0348 5852	amdxata         (db27766102c7bf7e95140a2aa81d042e) C:\windows\system32\drivers\amdxata.sys
2011/07/01 13:01:25.0387 5852	Andbus          (48cd7e6520d47d62eab0e6ce3ec30c65) C:\windows\system32\DRIVERS\lgandbus64.sys
2011/07/01 13:01:25.0420 5852	AndDiag         (08cbacc00d15dcdbbaae1a7c8f231c61) C:\windows\system32\DRIVERS\lganddiag64.sys
2011/07/01 13:01:25.0458 5852	AndGps          (cea9a4cd6b3a83428ce8501240833668) C:\windows\system32\DRIVERS\lgandgps64.sys
2011/07/01 13:01:25.0481 5852	ANDModem        (e2b5663e547fa5e756b253efa8ec8286) C:\windows\system32\DRIVERS\lgandmodem64.sys
2011/07/01 13:01:25.0515 5852	AppID           (42fd751b27fa0e9c69bb39f39e409594) C:\windows\system32\drivers\appid.sys
2011/07/01 13:01:25.0571 5852	arc             (c484f8ceb1717c540242531db7845c4e) C:\windows\system32\DRIVERS\arc.sys
2011/07/01 13:01:25.0589 5852	arcsas          (019af6924aefe7839f61c830227fe79c) C:\windows\system32\DRIVERS\arcsas.sys
2011/07/01 13:01:25.0620 5852	ArcSoftKsUFilter (c130bc4a51b1382b2be8e44579ec4c0a) C:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys
2011/07/01 13:01:25.0640 5852	aswFsBlk        (f1dbe3d02ffcdee5246f29b0ecebe6e0) C:\windows\system32\drivers\aswFsBlk.sys
2011/07/01 13:01:25.0689 5852	aswMonFlt       (f3e75dd1bcc358fb4629357ad09e7c84) C:\windows\system32\drivers\aswMonFlt.sys
2011/07/01 13:01:25.0721 5852	aswRdr          (fccbdc045dc12afd1508205117e7ed11) C:\windows\system32\drivers\aswRdr.sys
2011/07/01 13:01:25.0765 5852	aswSnx          (5824dca602a0a30e866bc2ac98c6d970) C:\windows\system32\drivers\aswSnx.sys
2011/07/01 13:01:26.0865 5852	aswSP           (af07b4bef920f90205148f3a05e2974c) C:\windows\system32\drivers\aswSP.sys
2011/07/01 13:01:26.0922 5852	aswTdi          (a3eca5af3b4823a523c285a8df0f9e4f) C:\windows\system32\drivers\aswTdi.sys
2011/07/01 13:01:26.0945 5852	AsyncMac        (769765ce2cc62867468cea93969b2242) C:\windows\system32\DRIVERS\asyncmac.sys
2011/07/01 13:01:27.0225 5852	atapi           (02062c0b390b7729edc9e69c680a6f3c) C:\windows\system32\DRIVERS\atapi.sys
2011/07/01 13:01:27.0462 5852	athr            (0acc06fcf46f64ed4f11e57ee461c1f4) C:\windows\system32\DRIVERS\athrx.sys
2011/07/01 13:01:27.0633 5852	b06bdrv         (3e5b191307609f7514148c6832bb0842) C:\windows\system32\DRIVERS\bxvbda.sys
2011/07/01 13:01:27.0686 5852	b57nd60a        (b5ace6968304a3900eeb1ebfd9622df2) C:\windows\system32\DRIVERS\b57nd60a.sys
2011/07/01 13:01:28.0121 5852	Beep            (16a47ce2decc9b099349a5f840654746) C:\windows\system32\drivers\Beep.sys
2011/07/01 13:01:28.0194 5852	blbdrive        (61583ee3c3a17003c4acd0475646b4d3) C:\windows\system32\DRIVERS\blbdrive.sys
2011/07/01 13:01:28.0327 5852	bowser          (19d20159708e152267e53b66677a4995) C:\windows\system32\DRIVERS\bowser.sys
2011/07/01 13:01:28.0355 5852	BrFiltLo        (f09eee9edc320b5e1501f749fde686c8) C:\windows\system32\DRIVERS\BrFiltLo.sys
2011/07/01 13:01:28.0370 5852	BrFiltUp        (b114d3098e9bdb8bea8b053685831be6) C:\windows\system32\DRIVERS\BrFiltUp.sys
2011/07/01 13:01:28.0397 5852	Brserid         (43bea8d483bf1870f018e2d02e06a5bd) C:\windows\System32\Drivers\Brserid.sys
2011/07/01 13:01:28.0427 5852	BrSerWdm        (a6eca2151b08a09caceca35c07f05b42) C:\windows\System32\Drivers\BrSerWdm.sys
2011/07/01 13:01:28.0447 5852	BrUsbMdm        (b79968002c277e869cf38bd22cd61524) C:\windows\System32\Drivers\BrUsbMdm.sys
2011/07/01 13:01:28.0463 5852	BrUsbSer        (a87528880231c54e75ea7a44943b38bf) C:\windows\System32\Drivers\BrUsbSer.sys
2011/07/01 13:01:28.0481 5852	BthEnum         (cf98190a94f62e405c8cb255018b2315) C:\windows\system32\DRIVERS\BthEnum.sys
2011/07/01 13:01:28.0500 5852	BTHMODEM        (9da669f11d1f894ab4eb69bf546a42e8) C:\windows\system32\DRIVERS\bthmodem.sys
2011/07/01 13:01:28.0522 5852	BthPan          (02dd601b708dd0667e1331fa8518e9ff) C:\windows\system32\DRIVERS\bthpan.sys
2011/07/01 13:01:28.0571 5852	BTHPORT         (a51fa9d0e85d5adabef72e67f386309c) C:\windows\system32\Drivers\BTHport.sys
2011/07/01 13:01:29.0701 5852	BTHUSB          (f740b9a16b2c06700f2130e19986bf3b) C:\windows\system32\Drivers\BTHUSB.sys
2011/07/01 13:01:29.0822 5852	BTMCOM          (e588420b950dac5ac397f76660bce520) C:\windows\System32\Drivers\btmcom.sys
2011/07/01 13:01:29.0854 5852	BTMHID          (111160e8f47fafc0bd026293ebb95b70) C:\windows\system32\DRIVERS\btmhid.sys
2011/07/01 13:01:29.0941 5852	BTMUSB          (22a24c45a21ab98afcd09229f6ee5fcf) C:\windows\system32\Drivers\btmusb.sys
2011/07/01 13:01:30.0233 5852	cdfs            (b8bd2bb284668c84865658c77574381a) C:\windows\system32\DRIVERS\cdfs.sys
2011/07/01 13:01:30.0262 5852	cdrom           (83d2d75e1efb81b3450c18131443f7db) C:\windows\system32\DRIVERS\cdrom.sys
2011/07/01 13:01:30.0302 5852	circlass        (d7cd5c4e1b71fa62050515314cfb52cf) C:\windows\system32\DRIVERS\circlass.sys
2011/07/01 13:01:30.0373 5852	CLFS            (fe1ec06f2253f691fe36217c592a0206) C:\windows\system32\CLFS.sys
2011/07/01 13:01:31.0275 5852	CmBatt          (0840155d0bddf1190f84a663c284bd33) C:\windows\system32\DRIVERS\CmBatt.sys
2011/07/01 13:01:31.0294 5852	cmdide          (e19d3f095812725d88f9001985b94edd) C:\windows\system32\DRIVERS\cmdide.sys
2011/07/01 13:01:31.0818 5852	CNG             (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\windows\system32\Drivers\cng.sys
2011/07/01 13:01:31.0848 5852	Compbatt        (102de219c3f61415f964c88e9085ad14) C:\windows\system32\DRIVERS\compbatt.sys
2011/07/01 13:01:31.0872 5852	CompositeBus    (f26b3a86f6fa87ca360b879581ab4123) C:\windows\system32\DRIVERS\CompositeBus.sys
2011/07/01 13:01:31.0903 5852	crcdisk         (1c827878a998c18847245fe1f34ee597) C:\windows\system32\DRIVERS\crcdisk.sys
2011/07/01 13:01:31.0979 5852	DfsC            (9c253ce7311ca60fc11c774692a13208) C:\windows\system32\Drivers\dfsc.sys
2011/07/01 13:01:32.0007 5852	discache        (13096b05847ec78f0977f2c0f79e9ab3) C:\windows\system32\drivers\discache.sys
2011/07/01 13:01:32.0803 5852	Disk            (9819eee8b5ea3784ec4af3b137a5244c) C:\windows\system32\DRIVERS\disk.sys
2011/07/01 13:01:33.0004 5852	drmkaud         (9b19f34400d24df84c858a421c205754) C:\windows\system32\drivers\drmkaud.sys
2011/07/01 13:01:33.0135 5852	DXGKrnl         (1633b9abf52784a1331476397a48cbef) C:\windows\System32\drivers\dxgkrnl.sys
2011/07/01 13:01:33.0336 5852	ebdrv           (dc5d737f51be844d8c82c695eb17372f) C:\windows\system32\DRIVERS\evbda.sys
2011/07/01 13:01:33.0478 5852	elxstor         (0e5da5369a0fcaea12456dd852545184) C:\windows\system32\DRIVERS\elxstor.sys
2011/07/01 13:01:33.0519 5852	ErrDev          (34a3c54752046e79a126e15c51db409b) C:\windows\system32\DRIVERS\errdev.sys
2011/07/01 13:01:33.0653 5852	EUCR            (89d11159b361dd1eac5dd4e9895c04a4) C:\windows\system32\DRIVERS\EUCR6SK.SYS
2011/07/01 13:01:33.0704 5852	exfat           (a510c654ec00c1e9bdd91eeb3a59823b) C:\windows\system32\drivers\exfat.sys
2011/07/01 13:01:33.0752 5852	fastfat         (0adc83218b66a6db380c330836f3e36d) C:\windows\system32\drivers\fastfat.sys
2011/07/01 13:01:33.0797 5852	fdc             (d765d19cd8ef61f650c384f62fac00ab) C:\windows\system32\DRIVERS\fdc.sys
2011/07/01 13:01:33.0870 5852	FileInfo        (655661be46b5f5f3fd454e2c3095b930) C:\windows\system32\drivers\fileinfo.sys
2011/07/01 13:01:33.0892 5852	Filetrace       (5f671ab5bc87eea04ec38a6cd5962a47) C:\windows\system32\drivers\filetrace.sys
2011/07/01 13:01:33.0919 5852	flpydisk        (c172a0f53008eaeb8ea33fe10e177af5) C:\windows\system32\DRIVERS\flpydisk.sys
2011/07/01 13:01:33.0953 5852	FltMgr          (f7866af72abbaf84b1fa5aa195378c59) C:\windows\system32\drivers\fltmgr.sys
2011/07/01 13:01:33.0989 5852	FsDepends       (d43703496149971890703b4b1b723eac) C:\windows\system32\drivers\FsDepends.sys
2011/07/01 13:01:34.0005 5852	Fs_Rec          (e95ef8547de20cf0603557c0cf7a9462) C:\windows\system32\drivers\Fs_Rec.sys
2011/07/01 13:01:34.0463 5852	fvevol          (ae87ba80d0ec3b57126ed2cdc15b24ed) C:\windows\system32\DRIVERS\fvevol.sys
2011/07/01 13:01:34.0482 5852	gagp30kx        (8c778d335c9d272cfd3298ab02abe3b6) C:\windows\system32\DRIVERS\gagp30kx.sys
2011/07/01 13:01:34.0528 5852	GEARAspiWDM     (e403aacf8c7bb11375122d2464560311) C:\windows\system32\DRIVERS\GEARAspiWDM.sys
2011/07/01 13:01:34.0612 5852	hcw85cir        (f2523ef6460fc42405b12248338ab2f0) C:\windows\system32\drivers\hcw85cir.sys
2011/07/01 13:01:34.0661 5852	HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\windows\system32\drivers\HdAudio.sys
2011/07/01 13:01:34.0727 5852	HDAudBus        (0a49913402747a0b67de940fb42cbdbb) C:\windows\system32\DRIVERS\HDAudBus.sys
2011/07/01 13:01:34.0771 5852	HidBatt         (78e86380454a7b10a5eb255dc44a355f) C:\windows\system32\DRIVERS\HidBatt.sys
2011/07/01 13:01:34.0799 5852	HidBth          (7fd2a313f7afe5c4dab14798c48dd104) C:\windows\system32\DRIVERS\hidbth.sys
2011/07/01 13:01:34.0819 5852	HidIr           (0a77d29f311b88cfae3b13f9c1a73825) C:\windows\system32\DRIVERS\hidir.sys
2011/07/01 13:01:34.0860 5852	HidUsb          (b3bf6b5b50006def50b66306d99fcf6f) C:\windows\system32\DRIVERS\hidusb.sys
2011/07/01 13:01:34.0926 5852	HpSAMD          (0886d440058f203eba0e1825e4355914) C:\windows\system32\DRIVERS\HpSAMD.sys
2011/07/01 13:01:34.0965 5852	HTTP            (cee049cac4efa7f4e1e4ad014414a5d4) C:\windows\system32\drivers\HTTP.sys
2011/07/01 13:01:35.0012 5852	hwpolicy        (f17766a19145f111856378df337a5d79) C:\windows\system32\drivers\hwpolicy.sys
2011/07/01 13:01:35.0044 5852	i8042prt        (fa55c73d4affa7ee23ac4be53b4592d3) C:\windows\system32\DRIVERS\i8042prt.sys
2011/07/01 13:01:35.0090 5852	iaStor          (abbf174cb394f5c437410a788b7e404a) C:\windows\system32\DRIVERS\iaStor.sys
2011/07/01 13:01:35.0180 5852	iaStorV         (b75e45c564e944a2657167d197ab29da) C:\windows\system32\drivers\iaStorV.sys
2011/07/01 13:01:35.0201 5852	iirsp           (5c18831c61933628f5bb0ea2675b9d21) C:\windows\system32\DRIVERS\iirsp.sys
2011/07/01 13:01:35.0425 5852	IntcAzAudAddService (7f59c9ac306b2044c1f36933f57b88de) C:\windows\system32\drivers\RTKVHD64.sys
2011/07/01 13:01:35.0485 5852	intelide        (f00f20e70c6ec3aa366910083a0518aa) C:\windows\system32\DRIVERS\intelide.sys
2011/07/01 13:01:35.0506 5852	intelppm        (ada036632c664caa754079041cf1f8c1) C:\windows\system32\DRIVERS\intelppm.sys
2011/07/01 13:01:35.0543 5852	IpFilterDriver  (722dd294df62483cecaae6e094b4d695) C:\windows\system32\DRIVERS\ipfltdrv.sys
2011/07/01 13:01:35.0580 5852	IPMIDRV         (e2b4a4494db7cb9b89b55ca268c337c5) C:\windows\system32\DRIVERS\IPMIDrv.sys
2011/07/01 13:01:35.0619 5852	IPNAT           (af9b39a7e7b6caa203b3862582e9f2d0) C:\windows\system32\drivers\ipnat.sys
2011/07/01 13:01:35.0668 5852	IRENUM          (3abf5e7213eb28966d55d58b515d5ce9) C:\windows\system32\drivers\irenum.sys
2011/07/01 13:01:35.0687 5852	isapnp          (2f7b28dc3e1183e5eb418df55c204f38) C:\windows\system32\DRIVERS\isapnp.sys
2011/07/01 13:01:35.0700 5852	iScsiPrt        (fa4d2557de56d45b0a346f93564be6e1) C:\windows\system32\DRIVERS\msiscsi.sys
2011/07/01 13:01:36.0388 5852	kbdclass        (bc02336f1cba7dcc7d1213bb588a68a5) C:\windows\system32\DRIVERS\kbdclass.sys
2011/07/01 13:01:36.0412 5852	kbdhid          (6def98f8541e1b5dceb2c822a11f7323) C:\windows\system32\DRIVERS\kbdhid.sys
2011/07/01 13:01:37.0089 5852	KSecDD          (e8b6fcc9c83535c67f835d407620bd27) C:\windows\system32\Drivers\ksecdd.sys
2011/07/01 13:01:37.0135 5852	KSecPkg         (a8c63880ef6f4d3fec7b616b9c060215) C:\windows\system32\Drivers\ksecpkg.sys
2011/07/01 13:01:37.0172 5852	ksthunk         (6869281e78cb31a43e969f06b57347c4) C:\windows\system32\drivers\ksthunk.sys
2011/07/01 13:01:37.0216 5852	lltdio          (1538831cf8ad2979a04c423779465827) C:\windows\system32\DRIVERS\lltdio.sys
2011/07/01 13:01:37.0267 5852	LSI_FC          (1a93e54eb0ece102495a51266dcdb6a6) C:\windows\system32\DRIVERS\lsi_fc.sys
2011/07/01 13:01:37.0300 5852	LSI_SAS         (1047184a9fdc8bdbff857175875ee810) C:\windows\system32\DRIVERS\lsi_sas.sys
2011/07/01 13:01:37.0319 5852	LSI_SAS2        (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\windows\system32\DRIVERS\lsi_sas2.sys
2011/07/01 13:01:37.0380 5852	LSI_SCSI        (0504eacaff0d3c8aed161c4b0d369d4a) C:\windows\system32\DRIVERS\lsi_scsi.sys
2011/07/01 13:01:37.0411 5852	luafv           (43d0f98e1d56ccddb0d5254cff7b356e) C:\windows\system32\drivers\luafv.sys
2011/07/01 13:01:37.0693 5852	megasas         (a55805f747c6edb6a9080d7c633bd0f4) C:\windows\system32\DRIVERS\megasas.sys
2011/07/01 13:01:37.0732 5852	MegaSR          (baf74ce0072480c3b6b7c13b2a94d6b3) C:\windows\system32\DRIVERS\MegaSR.sys
2011/07/01 13:01:38.0001 5852	Modem           (800ba92f7010378b09f9ed9270f07137) C:\windows\system32\drivers\modem.sys
2011/07/01 13:01:38.0025 5852	monitor         (b03d591dc7da45ece20b3b467e6aadaa) C:\windows\system32\DRIVERS\monitor.sys
2011/07/01 13:01:38.0044 5852	mouclass        (7d27ea49f3c1f687d357e77a470aea99) C:\windows\system32\DRIVERS\mouclass.sys
2011/07/01 13:01:38.0063 5852	mouhid          (d3bf052c40b0c4166d9fd86a4288c1e6) C:\windows\system32\DRIVERS\mouhid.sys
2011/07/01 13:01:38.0084 5852	mountmgr        (791af66c4d0e7c90a3646066386fb571) C:\windows\system32\drivers\mountmgr.sys
2011/07/01 13:01:38.0115 5852	mpio            (609d1d87649ecc19796f4d76d4c15cea) C:\windows\system32\DRIVERS\mpio.sys
2011/07/01 13:01:38.0139 5852	mpsdrv          (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\windows\system32\drivers\mpsdrv.sys
2011/07/01 13:01:38.0346 5852	MRxDAV          (30524261bb51d96d6fcbac20c810183c) C:\windows\system32\drivers\mrxdav.sys
2011/07/01 13:01:39.0164 5852	mrxsmb          (040d62a9d8ad28922632137acdd984f2) C:\windows\system32\DRIVERS\mrxsmb.sys
2011/07/01 13:01:39.0217 5852	mrxsmb10        (a8c2d7673c8a010569390c826a0efaf4) C:\windows\system32\DRIVERS\mrxsmb10.sys
2011/07/01 13:01:39.0255 5852	mrxsmb20        (3c142d31de9f2f193218a53fe2632051) C:\windows\system32\DRIVERS\mrxsmb20.sys
2011/07/01 13:01:39.0299 5852	msahci          (5c37497276e3b3a5488b23a326a754b7) C:\windows\system32\DRIVERS\msahci.sys
2011/07/01 13:01:39.0324 5852	msdsm           (8d27b597229aed79430fb9db3bcbfbd0) C:\windows\system32\DRIVERS\msdsm.sys
2011/07/01 13:01:39.0410 5852	Msfs            (aa3fb40e17ce1388fa1bedab50ea8f96) C:\windows\system32\drivers\Msfs.sys
2011/07/01 13:01:39.0432 5852	mshidkmdf       (f9d215a46a8b9753f61767fa72a20326) C:\windows\System32\drivers\mshidkmdf.sys
2011/07/01 13:01:39.0483 5852	msisadrv        (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\windows\system32\DRIVERS\msisadrv.sys
2011/07/01 13:01:39.0531 5852	MSKSSRV         (49ccf2c4fea34ffad8b1b59d49439366) C:\windows\system32\drivers\MSKSSRV.sys
2011/07/01 13:01:39.0556 5852	MSPCLOCK        (bdd71ace35a232104ddd349ee70e1ab3) C:\windows\system32\drivers\MSPCLOCK.sys
2011/07/01 13:01:39.0576 5852	MSPQM           (4ed981241db27c3383d72092b618a1d0) C:\windows\system32\drivers\MSPQM.sys
2011/07/01 13:01:39.0619 5852	MsRPC           (89cb141aa8616d8c6a4610fa26c60964) C:\windows\system32\drivers\MsRPC.sys
2011/07/01 13:01:39.0643 5852	mssmbios        (0eed230e37515a0eaee3c2e1bc97b288) C:\windows\system32\DRIVERS\mssmbios.sys
2011/07/01 13:01:39.0661 5852	MSTEE           (2e66f9ecb30b4221a318c92ac2250779) C:\windows\system32\drivers\MSTEE.sys
2011/07/01 13:01:39.0684 5852	MTConfig        (7ea404308934e675bffde8edf0757bcd) C:\windows\system32\DRIVERS\MTConfig.sys
2011/07/01 13:01:39.0705 5852	Mup             (f9a18612fd3526fe473c1bda678d61c8) C:\windows\system32\Drivers\mup.sys
2011/07/01 13:01:39.0784 5852	NativeWifiP     (1ea3749c4114db3e3161156ffffa6b33) C:\windows\system32\DRIVERS\nwifi.sys
2011/07/01 13:01:39.0856 5852	NDIS            (cad515dbd07d082bb317d9928ce8962c) C:\windows\system32\drivers\ndis.sys
2011/07/01 13:01:39.0922 5852	NdisCap         (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\windows\system32\DRIVERS\ndiscap.sys
2011/07/01 13:01:39.0963 5852	NdisTapi        (30639c932d9fef22b31268fe25a1b6e5) C:\windows\system32\DRIVERS\ndistapi.sys
2011/07/01 13:01:39.0986 5852	Ndisuio         (f105ba1e22bf1f2ee8f005d4305e4bec) C:\windows\system32\DRIVERS\ndisuio.sys
2011/07/01 13:01:40.0010 5852	NdisWan         (557dfab9ca1fcb036ac77564c010dad3) C:\windows\system32\DRIVERS\ndiswan.sys
2011/07/01 13:01:40.0033 5852	NDProxy         (659b74fb74b86228d6338d643cd3e3cf) C:\windows\system32\drivers\NDProxy.sys
2011/07/01 13:01:40.0051 5852	NetBIOS         (86743d9f5d2b1048062b14b1d84501c4) C:\windows\system32\DRIVERS\netbios.sys
2011/07/01 13:01:40.0082 5852	NetBT           (9162b273a44ab9dce5b44362731d062a) C:\windows\system32\DRIVERS\netbt.sys
2011/07/01 13:01:40.0350 5852	NETw5s64        (24f64343f14a119308456e1ca7507b26) C:\windows\system32\DRIVERS\NETw5s64.sys
2011/07/01 13:01:40.0495 5852	nfrd960         (77889813be4d166cdab78ddba990da92) C:\windows\system32\DRIVERS\nfrd960.sys
2011/07/01 13:01:40.0593 5852	Npfs            (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\windows\system32\drivers\Npfs.sys
2011/07/01 13:01:40.0629 5852	nsiproxy        (e7f5ae18af4168178a642a9247c63001) C:\windows\system32\drivers\nsiproxy.sys
2011/07/01 13:01:40.0789 5852	Ntfs            (378e0e0dfea67d98ae6ea53adbbd76bc) C:\windows\system32\drivers\Ntfs.sys
2011/07/01 13:01:40.0823 5852	Null            (9899284589f75fa8724ff3d16aed75c1) C:\windows\system32\drivers\Null.sys
2011/07/01 13:01:40.0867 5852	nusb3hub        (8ebcb9165ee7f1571842f4d9d624a74c) C:\windows\system32\DRIVERS\nusb3hub.sys
2011/07/01 13:01:40.0964 5852	nusb3xhc        (5d54dbb12bbfe07cc283fd39f2cd6d63) C:\windows\system32\DRIVERS\nusb3xhc.sys
2011/07/01 13:01:41.0411 5852	nvlddmkm        (651cb3b05da7a95edb8821ec021bb8eb) C:\windows\system32\DRIVERS\nvlddmkm.sys
2011/07/01 13:01:41.0668 5852	nvraid          (a4d9c9a608a97f59307c2f2600edc6a4) C:\windows\system32\drivers\nvraid.sys
2011/07/01 13:01:41.0712 5852	nvstor          (6c1d5f70e7a6a3fd1c90d840edc048b9) C:\windows\system32\drivers\nvstor.sys
2011/07/01 13:01:42.0764 5852	nv_agp          (270d7cd42d6e3979f6dd0146650f0e05) C:\windows\system32\DRIVERS\nv_agp.sys
2011/07/01 13:01:42.0790 5852	ohci1394        (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\windows\system32\DRIVERS\ohci1394.sys
2011/07/01 13:01:42.0842 5852	Parport         (0086431c29c35be1dbc43f52cc273887) C:\windows\system32\DRIVERS\parport.sys
2011/07/01 13:01:42.0878 5852	partmgr         (7daa117143316c4a1537e074a5a9eaf0) C:\windows\system32\drivers\partmgr.sys
2011/07/01 13:01:42.0909 5852	pci             (f36f6504009f2fb0dfd1b17a116ad74b) C:\windows\system32\DRIVERS\pci.sys
2011/07/01 13:01:42.0941 5852	pciide          (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\windows\system32\DRIVERS\pciide.sys
2011/07/01 13:01:42.0961 5852	pcmcia          (b2e81d4e87ce48589f98cb8c05b01f2f) C:\windows\system32\DRIVERS\pcmcia.sys
2011/07/01 13:01:42.0990 5852	pcw             (d6b9c2e1a11a3a4b26a182ffef18f603) C:\windows\system32\drivers\pcw.sys
2011/07/01 13:01:43.0617 5852	PEAUTH          (68769c3356b3be5d1c732c97b9a80d6e) C:\windows\system32\drivers\peauth.sys
2011/07/01 13:01:43.0750 5852	PptpMiniport    (27cc19e81ba5e3403c48302127bda717) C:\windows\system32\DRIVERS\raspptp.sys
2011/07/01 13:01:43.0771 5852	Processor       (0d922e23c041efb1c3fac2a6f943c9bf) C:\windows\system32\DRIVERS\processr.sys
2011/07/01 13:01:43.0804 5852	Psched          (ee992183bd8eaefd9973f352e587a299) C:\windows\system32\DRIVERS\pacer.sys
2011/07/01 13:01:43.0946 5852	ql2300          (a53a15a11ebfd21077463ee2c7afeef0) C:\windows\system32\DRIVERS\ql2300.sys
2011/07/01 13:01:43.0991 5852	ql40xx          (4f6d12b51de1aaeff7dc58c4d75423c8) C:\windows\system32\DRIVERS\ql40xx.sys
2011/07/01 13:01:44.0018 5852	QWAVEdrv        (76707bb36430888d9ce9d705398adb6c) C:\windows\system32\drivers\qwavedrv.sys
2011/07/01 13:01:44.0034 5852	RasAcd          (5a0da8ad5762fa2d91678a8a01311704) C:\windows\system32\DRIVERS\rasacd.sys
2011/07/01 13:01:44.0055 5852	RasAgileVpn     (7ecff9b22276b73f43a99a15a6094e90) C:\windows\system32\DRIVERS\AgileVpn.sys
2011/07/01 13:01:44.0131 5852	Rasl2tp         (87a6e852a22991580d6d39adc4790463) C:\windows\system32\DRIVERS\rasl2tp.sys
2011/07/01 13:01:44.0177 5852	RasPppoe        (855c9b1cd4756c5e9a2aa58a15f58c25) C:\windows\system32\DRIVERS\raspppoe.sys
2011/07/01 13:01:44.0213 5852	RasSstp         (e8b1e447b008d07ff47d016c2b0eeecb) C:\windows\system32\DRIVERS\rassstp.sys
2011/07/01 13:01:44.0243 5852	rdbss           (3bac8142102c15d59a87757c1d41dce5) C:\windows\system32\DRIVERS\rdbss.sys
2011/07/01 13:01:44.0345 5852	rdpbus          (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\windows\system32\DRIVERS\rdpbus.sys
2011/07/01 13:01:44.0438 5852	RDPCDD          (cea6cc257fc9b7715f1c2b4849286d24) C:\windows\system32\DRIVERS\RDPCDD.sys
2011/07/01 13:01:44.0464 5852	RDPENCDD        (bb5971a4f00659529a5c44831af22365) C:\windows\system32\drivers\rdpencdd.sys
2011/07/01 13:01:44.0488 5852	RDPREFMP        (216f3fa57533d98e1f74ded70113177a) C:\windows\system32\drivers\rdprefmp.sys
2011/07/01 13:01:44.0516 5852	RDPWD           (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\windows\system32\drivers\RDPWD.sys
2011/07/01 13:01:44.0586 5852	rdyboost        (634b9a2181d98f15941236886164ec8b) C:\windows\system32\drivers\rdyboost.sys
2011/07/01 13:01:44.0717 5852	regi            (4d9afddda0efe97cdbfd3b5fa48b05f6) C:\windows\system32\drivers\regi.sys
2011/07/01 13:01:44.0749 5852	RFCOMM          (3dd798846e2c28102b922c56e71b7932) C:\windows\system32\DRIVERS\rfcomm.sys
2011/07/01 13:01:45.0453 5852	rspndr          (ddc86e4f8e7456261e637e3552e804ff) C:\windows\system32\DRIVERS\rspndr.sys
2011/07/01 13:01:45.0523 5852	RTL8167         (777fc2c418465404e3d8a290dc247d24) C:\windows\system32\DRIVERS\Rt64win7.sys
2011/07/01 13:01:45.0550 5852	sbp2port        (e3bbb89983daf5622c1d50cf49f28227) C:\windows\system32\DRIVERS\sbp2port.sys
2011/07/01 13:01:45.0616 5852	scfilter        (c94da20c7e3ba1dca269bc8460d98387) C:\windows\system32\DRIVERS\scfilter.sys
2011/07/01 13:01:45.0657 5852	sdbus           (54e47ad086782d3ae9417c155cdceb9b) C:\windows\system32\DRIVERS\sdbus.sys
2011/07/01 13:01:45.0729 5852	secdrv          (3ea8a16169c26afbeb544e0e48421186) C:\windows\system32\drivers\secdrv.sys
2011/07/01 13:01:45.0777 5852	Serenum         (cb624c0035412af0debec78c41f5ca1b) C:\windows\system32\DRIVERS\serenum.sys
2011/07/01 13:01:45.0797 5852	Serial          (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\windows\system32\DRIVERS\serial.sys
2011/07/01 13:01:45.0845 5852	sermouse        (1c545a7d0691cc4a027396535691c3e3) C:\windows\system32\DRIVERS\sermouse.sys
2011/07/01 13:01:45.0876 5852	sffdisk         (a554811bcd09279536440c964ae35bbf) C:\windows\system32\DRIVERS\sffdisk.sys
2011/07/01 13:01:45.0887 5852	sffp_mmc        (ff414f0baefeba59bc6c04b3db0b87bf) C:\windows\system32\DRIVERS\sffp_mmc.sys
2011/07/01 13:01:45.0914 5852	sffp_sd         (178298f767fe638c9fedcbdef58bb5e4) C:\windows\system32\DRIVERS\sffp_sd.sys
2011/07/01 13:01:45.0934 5852	sfloppy         (a9d601643a1647211a1ee2ec4e433ff4) C:\windows\system32\DRIVERS\sfloppy.sys
2011/07/01 13:01:46.0255 5852	Sftfs           (d5183ed285d2795491dc15bddcbee5ad) C:\windows\system32\DRIVERS\Sftfslh.sys
2011/07/01 13:01:46.0667 5852	Sftplay         (00f118b68c50d2206dd51634f9142b83) C:\windows\system32\DRIVERS\Sftplaylh.sys
2011/07/01 13:01:47.0139 5852	Sftredir        (76a827df5640bfe16a0cdbb4108adeca) C:\windows\system32\DRIVERS\Sftredirlh.sys
2011/07/01 13:01:47.0160 5852	Sftvol          (1b4c9701645086bab8cafffce30ed284) C:\windows\system32\DRIVERS\Sftvollh.sys
2011/07/01 13:01:47.0281 5852	SiSRaid2        (843caf1e5fde1ffd5ff768f23a51e2e1) C:\windows\system32\DRIVERS\SiSRaid2.sys
2011/07/01 13:01:47.0317 5852	SiSRaid4        (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\windows\system32\DRIVERS\sisraid4.sys
2011/07/01 13:01:47.0371 5852	Smb             (548260a7b8654e024dc30bf8a7c5baa4) C:\windows\system32\DRIVERS\smb.sys
2011/07/01 13:01:47.0538 5852	smserial        (7ae8bca90539ecbde87ac45ba1436be3) C:\windows\system32\DRIVERS\SmSerl64.sys
2011/07/01 13:01:47.0638 5852	spldr           (b9e31e5cacdfe584f34f730a677803f9) C:\windows\system32\drivers\spldr.sys
2011/07/01 13:01:47.0754 5852	srv             (2408c0366d96bcdf63e8f1c78e4a29c5) C:\windows\system32\DRIVERS\srv.sys
2011/07/01 13:01:48.0528 5852	srv2            (76548f7b818881b47d8d1ae1be9c11f8) C:\windows\system32\DRIVERS\srv2.sys
2011/07/01 13:01:48.0579 5852	srvnet          (0af6e19d39c70844c5caa8fb0183c36e) C:\windows\system32\DRIVERS\srvnet.sys
2011/07/01 13:01:48.0623 5852	stexstor        (f3817967ed533d08327dc73bc4d5542a) C:\windows\system32\DRIVERS\stexstor.sys
2011/07/01 13:01:48.0647 5852	swenum          (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\windows\system32\DRIVERS\swenum.sys
2011/07/01 13:01:48.0714 5852	SynTP           (e5d73228176c9f69072d1f91ced83484) C:\windows\system32\DRIVERS\SynTP.sys
2011/07/01 13:01:48.0890 5852	Tcpip           (61dc720bb065d607d5823f13d2a64321) C:\windows\system32\drivers\tcpip.sys
2011/07/01 13:01:48.0952 5852	TCPIP6          (61dc720bb065d607d5823f13d2a64321) C:\windows\system32\DRIVERS\tcpip.sys
2011/07/01 13:01:49.0008 5852	tcpipreg        (76d078af6f587b162d50210f761eb9ed) C:\windows\system32\drivers\tcpipreg.sys
2011/07/01 13:01:49.0028 5852	TDPIPE          (3371d21011695b16333a3934340c4e7c) C:\windows\system32\drivers\tdpipe.sys
2011/07/01 13:01:49.0052 5852	TDTCP           (e4245bda3190a582d55ed09e137401a9) C:\windows\system32\drivers\tdtcp.sys
2011/07/01 13:01:49.0082 5852	tdx             (079125c4b17b01fcaeebce0bcb290c0f) C:\windows\system32\DRIVERS\tdx.sys
2011/07/01 13:01:49.0148 5852	TermDD          (c448651339196c0e869a355171875522) C:\windows\system32\DRIVERS\termdd.sys
2011/07/01 13:01:49.0764 5852	tssecsrv        (61b96c26131e37b24e93327a0bd1fb95) C:\windows\system32\DRIVERS\tssecsrv.sys
2011/07/01 13:01:49.0801 5852	tunnel          (3836171a2cdf3af8ef10856db9835a70) C:\windows\system32\DRIVERS\tunnel.sys
2011/07/01 13:01:49.0932 5852	uagp35          (b4dd609bd7e282bfc683cec7eaaaad67) C:\windows\system32\DRIVERS\uagp35.sys
2011/07/01 13:01:49.0986 5852	udfs            (d47baead86c65d4f4069d7ce0a4edceb) C:\windows\system32\DRIVERS\udfs.sys
2011/07/01 13:01:50.0018 5852	uliagpkx        (4bfe1bc28391222894cbf1e7d0e42320) C:\windows\system32\DRIVERS\uliagpkx.sys
2011/07/01 13:01:50.0040 5852	umbus           (eab6c35e62b1b0db0d1b48b671d3a117) C:\windows\system32\DRIVERS\umbus.sys
2011/07/01 13:01:50.0399 5852	UmPass          (b2e8e8cb557b156da5493bbddcc1474d) C:\windows\system32\DRIVERS\umpass.sys
2011/07/01 13:01:50.0868 5852	USBAAPL64       (54d4b48d443e7228bf64cf7cdc3118ac) C:\windows\system32\Drivers\usbaapl64.sys
2011/07/01 13:01:51.0175 5852	usbccgp         (b26afb54a534d634523c4fb66765b026) C:\windows\system32\DRIVERS\usbccgp.sys
2011/07/01 13:01:51.0820 5852	usbcir          (af0892a803fdda7492f595368e3b68e7) C:\windows\system32\DRIVERS\usbcir.sys
2011/07/01 13:01:51.0901 5852	usbehci         (2ea4aff7be7eb4632e3aa8595b0803b5) C:\windows\system32\DRIVERS\usbehci.sys
2011/07/01 13:01:52.0006 5852	usbhub          (4c9042b8df86c1e8e6240c218b99b39b) C:\windows\system32\DRIVERS\usbhub.sys
2011/07/01 13:01:52.0036 5852	usbohci         (58e546bbaf87664fc57e0f6081e4f609) C:\windows\system32\DRIVERS\usbohci.sys
2011/07/01 13:01:52.0054 5852	usbprint        (73188f58fb384e75c4063d29413cee3d) C:\windows\system32\DRIVERS\usbprint.sys
2011/07/01 13:01:52.0125 5852	USBSTOR         (f39983647bc1f3e6100778ddfe9dce29) C:\windows\system32\DRIVERS\USBSTOR.SYS
2011/07/01 13:01:52.0290 5852	usbuhci         (81fb2216d3a60d1284455d511797db3d) C:\windows\system32\DRIVERS\usbuhci.sys
2011/07/01 13:01:52.0352 5852	usbvideo        (7cb8c573c6e4a2714402cc0a36eab4fe) C:\windows\System32\Drivers\usbvideo.sys
2011/07/01 13:01:52.0384 5852	vdrvroot        (c5c876ccfc083ff3b128f933823e87bd) C:\windows\system32\DRIVERS\vdrvroot.sys
2011/07/01 13:01:52.0407 5852	vga             (da4da3f5e02943c2dc8c6ed875de68dd) C:\windows\system32\DRIVERS\vgapnp.sys
2011/07/01 13:01:56.0403 5852	VgaSave         (53e92a310193cb3c03bea963de7d9cfc) C:\windows\System32\drivers\vga.sys
2011/07/01 13:01:56.0448 5852	vhdmp           (c82e748660f62a242b2dfac1442f22a4) C:\windows\system32\DRIVERS\vhdmp.sys
2011/07/01 13:01:56.0478 5852	viaide          (e5689d93ffe4e5d66c0178761240dd54) C:\windows\system32\DRIVERS\viaide.sys
2011/07/01 13:01:56.0497 5852	volmgr          (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\windows\system32\DRIVERS\volmgr.sys
2011/07/01 13:01:56.0537 5852	volmgrx         (99b0cbb569ca79acaed8c91461d765fb) C:\windows\system32\drivers\volmgrx.sys
2011/07/01 13:01:56.0680 5852	volsnap         (58f82eed8ca24b461441f9c3e4f0bf5c) C:\windows\system32\DRIVERS\volsnap.sys
2011/07/01 13:01:56.0763 5852	vsmraid         (5e2016ea6ebaca03c04feac5f330d997) C:\windows\system32\DRIVERS\vsmraid.sys
2011/07/01 13:01:56.0799 5852	vwifibus        (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\windows\system32\DRIVERS\vwifibus.sys
2011/07/01 13:01:56.0829 5852	vwififlt        (6a3d66263414ff0d6fa754c646612f3f) C:\windows\system32\DRIVERS\vwififlt.sys
2011/07/01 13:01:56.0854 5852	vwifimp         (6a638fc4bfddc4d9b186c28c91bd1a01) C:\windows\system32\DRIVERS\vwifimp.sys
2011/07/01 13:01:57.0632 5852	WacomPen        (4e9440f4f152a7b944cb1663d3935a3e) C:\windows\system32\DRIVERS\wacompen.sys
2011/07/01 13:01:57.0655 5852	WANARP          (47ca49400643effd3f1c9a27e1d69324) C:\windows\system32\DRIVERS\wanarp.sys
2011/07/01 13:01:57.0665 5852	Wanarpv6        (47ca49400643effd3f1c9a27e1d69324) C:\windows\system32\DRIVERS\wanarp.sys
2011/07/01 13:01:57.0693 5852	Wd              (72889e16ff12ba0f235467d6091b17dc) C:\windows\system32\DRIVERS\wd.sys
2011/07/01 13:01:57.0761 5852	Wdf01000        (441bd2d7b4f98134c3a4f9fa570fd250) C:\windows\system32\drivers\Wdf01000.sys
2011/07/01 13:01:58.0252 5852	WfpLwf          (611b23304bf067451a9fdee01fbdd725) C:\windows\system32\DRIVERS\wfplwf.sys
2011/07/01 13:01:58.0266 5852	WIMMount        (05ecaec3e4529a7153b3136ceb49f0ec) C:\windows\system32\drivers\wimmount.sys
2011/07/01 13:01:58.0434 5852	WmiAcpi         (f6ff8944478594d0e414d3f048f0d778) C:\windows\system32\DRIVERS\wmiacpi.sys
2011/07/01 13:01:58.0472 5852	ws2ifsl         (6bcc1d7d2fd2453957c5479a32364e52) C:\windows\system32\drivers\ws2ifsl.sys
2011/07/01 13:01:58.0527 5852	WudfPf          (7cadc74271dd6461c452c271b30bd378) C:\windows\system32\drivers\WudfPf.sys
2011/07/01 13:01:58.0579 5852	WUDFRd          (3b197af0fff08aa66b6b2241ca538d64) C:\windows\system32\DRIVERS\WUDFRd.sys
2011/07/01 13:01:59.0533 5852	MBR (0x1B8)     (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
2011/07/01 13:01:59.0557 5852	Boot (0x1200)   (fdad0183d0eecf79f9be6c3a84f723a5) \Device\Harddisk0\DR0\Partition0
2011/07/01 13:01:59.0591 5852	Boot (0x1200)   (78c1dfdcb942be67ce071c0159de1cf0) \Device\Harddisk0\DR0\Partition1
2011/07/01 13:01:59.0601 5852	================================================================================
2011/07/01 13:01:59.0601 5852	Scan finished
2011/07/01 13:01:59.0601 5852	================================================================================
2011/07/01 13:01:59.0605 2792	Detected object count: 0
2011/07/01 13:01:59.0605 2792	Actual detected object count: 0
2011/07/01 13:15:20.0350 6496	================================================================================


----------



## djbulgogi

Here is the 2nd part of the *TDSS Killer Log*, but it appears to be a duplicate of the 1st one:

2011/07/01 13:15:20.0350 6496	Scan started
2011/07/01 13:15:20.0350 6496	Mode: Manual; 
2011/07/01 13:15:20.0351 6496	================================================================================
2011/07/01 13:15:24.0435 6496	1394ohci        (1b00662092f9f9568b995902f0cc40d5) C:\windows\system32\DRIVERS\1394ohci.sys
2011/07/01 13:15:24.0772 6496	ACPI            (6f11e88748cdefd2f76aa215f97ddfe5) C:\windows\system32\DRIVERS\ACPI.sys
2011/07/01 13:15:24.0799 6496	AcpiPmi         (63b05a0420ce4bf0e4af6dcc7cada254) C:\windows\system32\DRIVERS\acpipmi.sys
2011/07/01 13:15:25.0002 6496	adp94xx         (2f6b34b83843f0c5118b63ac634f5bf4) C:\windows\system32\DRIVERS\adp94xx.sys
2011/07/01 13:15:25.0043 6496	adpahci         (597f78224ee9224ea1a13d6350ced962) C:\windows\system32\DRIVERS\adpahci.sys
2011/07/01 13:15:25.0079 6496	adpu320         (e109549c90f62fb570b9540c4b148e54) C:\windows\system32\DRIVERS\adpu320.sys
2011/07/01 13:15:25.0152 6496	AFD             (6ef20ddf3172e97d69f596fb90602f29) C:\windows\system32\drivers\afd.sys
2011/07/01 13:15:25.0183 6496	agp440          (608c14dba7299d8cb6ed035a68a15799) C:\windows\system32\DRIVERS\agp440.sys
2011/07/01 13:15:25.0216 6496	aliide          (5812713a477a3ad7363c7438ca2ee038) C:\windows\system32\DRIVERS\aliide.sys
2011/07/01 13:15:25.0244 6496	amdide          (1ff8b4431c353ce385c875f194924c0c) C:\windows\system32\DRIVERS\amdide.sys
2011/07/01 13:15:25.0275 6496	AmdK8           (7024f087cff1833a806193ef9d22cda9) C:\windows\system32\DRIVERS\amdk8.sys
2011/07/01 13:15:25.0302 6496	AmdPPM          (1e56388b3fe0d031c44144eb8c4d6217) C:\windows\system32\DRIVERS\amdppm.sys
2011/07/01 13:15:25.0350 6496	amdsata         (ec7ebab00a4d8448bab68d1e49b4beb9) C:\windows\system32\drivers\amdsata.sys
2011/07/01 13:15:25.0376 6496	amdsbs          (f67f933e79241ed32ff46a4f29b5120b) C:\windows\system32\DRIVERS\amdsbs.sys
2011/07/01 13:15:25.0405 6496	amdxata         (db27766102c7bf7e95140a2aa81d042e) C:\windows\system32\drivers\amdxata.sys
2011/07/01 13:15:25.0444 6496	Andbus          (48cd7e6520d47d62eab0e6ce3ec30c65) C:\windows\system32\DRIVERS\lgandbus64.sys
2011/07/01 13:15:25.0484 6496	AndDiag         (08cbacc00d15dcdbbaae1a7c8f231c61) C:\windows\system32\DRIVERS\lganddiag64.sys
2011/07/01 13:15:25.0523 6496	AndGps          (cea9a4cd6b3a83428ce8501240833668) C:\windows\system32\DRIVERS\lgandgps64.sys
2011/07/01 13:15:25.0553 6496	ANDModem        (e2b5663e547fa5e756b253efa8ec8286) C:\windows\system32\DRIVERS\lgandmodem64.sys
2011/07/01 13:15:25.0595 6496	AppID           (42fd751b27fa0e9c69bb39f39e409594) C:\windows\system32\drivers\appid.sys
2011/07/01 13:15:25.0729 6496	arc             (c484f8ceb1717c540242531db7845c4e) C:\windows\system32\DRIVERS\arc.sys
2011/07/01 13:15:25.0760 6496	arcsas          (019af6924aefe7839f61c830227fe79c) C:\windows\system32\DRIVERS\arcsas.sys
2011/07/01 13:15:25.0791 6496	ArcSoftKsUFilter (c130bc4a51b1382b2be8e44579ec4c0a) C:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys
2011/07/01 13:15:25.0828 6496	aswFsBlk        (f1dbe3d02ffcdee5246f29b0ecebe6e0) C:\windows\system32\drivers\aswFsBlk.sys
2011/07/01 13:15:25.0885 6496	aswMonFlt       (f3e75dd1bcc358fb4629357ad09e7c84) C:\windows\system32\drivers\aswMonFlt.sys
2011/07/01 13:15:25.0917 6496	aswRdr          (fccbdc045dc12afd1508205117e7ed11) C:\windows\system32\drivers\aswRdr.sys
2011/07/01 13:15:25.0985 6496	aswSnx          (5824dca602a0a30e866bc2ac98c6d970) C:\windows\system32\drivers\aswSnx.sys
2011/07/01 13:15:28.0359 6496	aswSP           (af07b4bef920f90205148f3a05e2974c) C:\windows\system32\drivers\aswSP.sys
2011/07/01 13:15:28.0413 6496	aswTdi          (a3eca5af3b4823a523c285a8df0f9e4f) C:\windows\system32\drivers\aswTdi.sys
2011/07/01 13:15:28.0479 6496	AsyncMac        (769765ce2cc62867468cea93969b2242) C:\windows\system32\DRIVERS\asyncmac.sys
2011/07/01 13:15:28.0503 6496	atapi           (02062c0b390b7729edc9e69c680a6f3c) C:\windows\system32\DRIVERS\atapi.sys
2011/07/01 13:15:28.0662 6496	athr            (0acc06fcf46f64ed4f11e57ee461c1f4) C:\windows\system32\DRIVERS\athrx.sys
2011/07/01 13:15:28.0777 6496	b06bdrv         (3e5b191307609f7514148c6832bb0842) C:\windows\system32\DRIVERS\bxvbda.sys
2011/07/01 13:15:28.0823 6496	b57nd60a        (b5ace6968304a3900eeb1ebfd9622df2) C:\windows\system32\DRIVERS\b57nd60a.sys
2011/07/01 13:15:28.0871 6496	Beep            (16a47ce2decc9b099349a5f840654746) C:\windows\system32\drivers\Beep.sys
2011/07/01 13:15:29.0042 6496	blbdrive        (61583ee3c3a17003c4acd0475646b4d3) C:\windows\system32\DRIVERS\blbdrive.sys
2011/07/01 13:15:29.0223 6496	bowser          (19d20159708e152267e53b66677a4995) C:\windows\system32\DRIVERS\bowser.sys
2011/07/01 13:15:29.0245 6496	BrFiltLo        (f09eee9edc320b5e1501f749fde686c8) C:\windows\system32\DRIVERS\BrFiltLo.sys
2011/07/01 13:15:29.0277 6496	BrFiltUp        (b114d3098e9bdb8bea8b053685831be6) C:\windows\system32\DRIVERS\BrFiltUp.sys
2011/07/01 13:15:29.0312 6496	Brserid         (43bea8d483bf1870f018e2d02e06a5bd) C:\windows\System32\Drivers\Brserid.sys
2011/07/01 13:15:29.0341 6496	BrSerWdm        (a6eca2151b08a09caceca35c07f05b42) C:\windows\System32\Drivers\BrSerWdm.sys
2011/07/01 13:15:29.0370 6496	BrUsbMdm        (b79968002c277e869cf38bd22cd61524) C:\windows\System32\Drivers\BrUsbMdm.sys
2011/07/01 13:15:29.0390 6496	BrUsbSer        (a87528880231c54e75ea7a44943b38bf) C:\windows\System32\Drivers\BrUsbSer.sys
2011/07/01 13:15:29.0420 6496	BthEnum         (cf98190a94f62e405c8cb255018b2315) C:\windows\system32\DRIVERS\BthEnum.sys
2011/07/01 13:15:29.0452 6496	BTHMODEM        (9da669f11d1f894ab4eb69bf546a42e8) C:\windows\system32\DRIVERS\bthmodem.sys
2011/07/01 13:15:29.0478 6496	BthPan          (02dd601b708dd0667e1331fa8518e9ff) C:\windows\system32\DRIVERS\bthpan.sys
2011/07/01 13:15:29.0535 6496	BTHPORT         (a51fa9d0e85d5adabef72e67f386309c) C:\windows\system32\Drivers\BTHport.sys
2011/07/01 13:15:29.0839 6496	BTHUSB          (f740b9a16b2c06700f2130e19986bf3b) C:\windows\system32\Drivers\BTHUSB.sys
2011/07/01 13:15:29.0928 6496	BTMCOM          (e588420b950dac5ac397f76660bce520) C:\windows\System32\Drivers\btmcom.sys
2011/07/01 13:15:29.0967 6496	BTMHID          (111160e8f47fafc0bd026293ebb95b70) C:\windows\system32\DRIVERS\btmhid.sys
2011/07/01 13:15:30.0065 6496	BTMUSB          (22a24c45a21ab98afcd09229f6ee5fcf) C:\windows\system32\Drivers\btmusb.sys
2011/07/01 13:15:30.0170 6496	cdfs            (b8bd2bb284668c84865658c77574381a) C:\windows\system32\DRIVERS\cdfs.sys
2011/07/01 13:15:30.0210 6496	cdrom           (83d2d75e1efb81b3450c18131443f7db) C:\windows\system32\DRIVERS\cdrom.sys
2011/07/01 13:15:30.0250 6496	circlass        (d7cd5c4e1b71fa62050515314cfb52cf) C:\windows\system32\DRIVERS\circlass.sys
2011/07/01 13:15:30.0307 6496	CLFS            (fe1ec06f2253f691fe36217c592a0206) C:\windows\system32\CLFS.sys
2011/07/01 13:15:30.0375 6496	CmBatt          (0840155d0bddf1190f84a663c284bd33) C:\windows\system32\DRIVERS\CmBatt.sys
2011/07/01 13:15:30.0400 6496	cmdide          (e19d3f095812725d88f9001985b94edd) C:\windows\system32\DRIVERS\cmdide.sys
2011/07/01 13:15:30.0456 6496	CNG             (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\windows\system32\Drivers\cng.sys
2011/07/01 13:15:30.0485 6496	Compbatt        (102de219c3f61415f964c88e9085ad14) C:\windows\system32\DRIVERS\compbatt.sys
2011/07/01 13:15:30.0534 6496	CompositeBus    (f26b3a86f6fa87ca360b879581ab4123) C:\windows\system32\DRIVERS\CompositeBus.sys
2011/07/01 13:15:30.0574 6496	crcdisk         (1c827878a998c18847245fe1f34ee597) C:\windows\system32\DRIVERS\crcdisk.sys
2011/07/01 13:15:30.0676 6496	DfsC            (9c253ce7311ca60fc11c774692a13208) C:\windows\system32\Drivers\dfsc.sys
2011/07/01 13:15:30.0718 6496	discache        (13096b05847ec78f0977f2c0f79e9ab3) C:\windows\system32\drivers\discache.sys
2011/07/01 13:15:30.0780 6496	Disk            (9819eee8b5ea3784ec4af3b137a5244c) C:\windows\system32\DRIVERS\disk.sys
2011/07/01 13:15:30.0832 6496	drmkaud         (9b19f34400d24df84c858a421c205754) C:\windows\system32\drivers\drmkaud.sys
2011/07/01 13:15:30.0978 6496	DXGKrnl         (1633b9abf52784a1331476397a48cbef) C:\windows\System32\drivers\dxgkrnl.sys
2011/07/01 13:15:31.0197 6496	ebdrv           (dc5d737f51be844d8c82c695eb17372f) C:\windows\system32\DRIVERS\evbda.sys
2011/07/01 13:15:31.0294 6496	elxstor         (0e5da5369a0fcaea12456dd852545184) C:\windows\system32\DRIVERS\elxstor.sys
2011/07/01 13:15:31.0324 6496	ErrDev          (34a3c54752046e79a126e15c51db409b) C:\windows\system32\DRIVERS\errdev.sys
2011/07/01 13:15:31.0368 6496	EUCR            (89d11159b361dd1eac5dd4e9895c04a4) C:\windows\system32\DRIVERS\EUCR6SK.SYS
2011/07/01 13:15:31.0417 6496	exfat           (a510c654ec00c1e9bdd91eeb3a59823b) C:\windows\system32\drivers\exfat.sys
2011/07/01 13:15:31.0522 6496	fastfat         (0adc83218b66a6db380c330836f3e36d) C:\windows\system32\drivers\fastfat.sys
2011/07/01 13:15:31.0560 6496	fdc             (d765d19cd8ef61f650c384f62fac00ab) C:\windows\system32\DRIVERS\fdc.sys
2011/07/01 13:15:31.0624 6496	FileInfo        (655661be46b5f5f3fd454e2c3095b930) C:\windows\system32\drivers\fileinfo.sys
2011/07/01 13:15:31.0656 6496	Filetrace       (5f671ab5bc87eea04ec38a6cd5962a47) C:\windows\system32\drivers\filetrace.sys
2011/07/01 13:15:31.0706 6496	flpydisk        (c172a0f53008eaeb8ea33fe10e177af5) C:\windows\system32\DRIVERS\flpydisk.sys
2011/07/01 13:15:31.0750 6496	FltMgr          (f7866af72abbaf84b1fa5aa195378c59) C:\windows\system32\drivers\fltmgr.sys
2011/07/01 13:15:31.0802 6496	FsDepends       (d43703496149971890703b4b1b723eac) C:\windows\system32\drivers\FsDepends.sys
2011/07/01 13:15:31.0826 6496	Fs_Rec          (e95ef8547de20cf0603557c0cf7a9462) C:\windows\system32\drivers\Fs_Rec.sys
2011/07/01 13:15:32.0174 6496	fvevol          (ae87ba80d0ec3b57126ed2cdc15b24ed) C:\windows\system32\DRIVERS\fvevol.sys
2011/07/01 13:15:32.0196 6496	gagp30kx        (8c778d335c9d272cfd3298ab02abe3b6) C:\windows\system32\DRIVERS\gagp30kx.sys
2011/07/01 13:15:32.0262 6496	GEARAspiWDM     (e403aacf8c7bb11375122d2464560311) C:\windows\system32\DRIVERS\GEARAspiWDM.sys
2011/07/01 13:15:32.0382 6496	hcw85cir        (f2523ef6460fc42405b12248338ab2f0) C:\windows\system32\drivers\hcw85cir.sys
2011/07/01 13:15:32.0406 6496	HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\windows\system32\drivers\HdAudio.sys
2011/07/01 13:15:32.0441 6496	HDAudBus        (0a49913402747a0b67de940fb42cbdbb) C:\windows\system32\DRIVERS\HDAudBus.sys
2011/07/01 13:15:32.0558 6496	HidBatt         (78e86380454a7b10a5eb255dc44a355f) C:\windows\system32\DRIVERS\HidBatt.sys
2011/07/01 13:15:32.0578 6496	HidBth          (7fd2a313f7afe5c4dab14798c48dd104) C:\windows\system32\DRIVERS\hidbth.sys
2011/07/01 13:15:32.0617 6496	HidIr           (0a77d29f311b88cfae3b13f9c1a73825) C:\windows\system32\DRIVERS\hidir.sys
2011/07/01 13:15:32.0655 6496	HidUsb          (b3bf6b5b50006def50b66306d99fcf6f) C:\windows\system32\DRIVERS\hidusb.sys
2011/07/01 13:15:32.0746 6496	HpSAMD          (0886d440058f203eba0e1825e4355914) C:\windows\system32\DRIVERS\HpSAMD.sys
2011/07/01 13:15:32.0785 6496	HTTP            (cee049cac4efa7f4e1e4ad014414a5d4) C:\windows\system32\drivers\HTTP.sys
2011/07/01 13:15:32.0816 6496	hwpolicy        (f17766a19145f111856378df337a5d79) C:\windows\system32\drivers\hwpolicy.sys
2011/07/01 13:15:32.0848 6496	i8042prt        (fa55c73d4affa7ee23ac4be53b4592d3) C:\windows\system32\DRIVERS\i8042prt.sys
2011/07/01 13:15:32.0901 6496	iaStor          (abbf174cb394f5c437410a788b7e404a) C:\windows\system32\DRIVERS\iaStor.sys
2011/07/01 13:15:32.0967 6496	iaStorV         (b75e45c564e944a2657167d197ab29da) C:\windows\system32\drivers\iaStorV.sys
2011/07/01 13:15:33.0014 6496	iirsp           (5c18831c61933628f5bb0ea2675b9d21) C:\windows\system32\DRIVERS\iirsp.sys
2011/07/01 13:15:33.0237 6496	IntcAzAudAddService (7f59c9ac306b2044c1f36933f57b88de) C:\windows\system32\drivers\RTKVHD64.sys
2011/07/01 13:15:33.0290 6496	intelide        (f00f20e70c6ec3aa366910083a0518aa) C:\windows\system32\DRIVERS\intelide.sys
2011/07/01 13:15:33.0318 6496	intelppm        (ada036632c664caa754079041cf1f8c1) C:\windows\system32\DRIVERS\intelppm.sys
2011/07/01 13:15:33.0348 6496	IpFilterDriver  (722dd294df62483cecaae6e094b4d695) C:\windows\system32\DRIVERS\ipfltdrv.sys
2011/07/01 13:15:33.0384 6496	IPMIDRV         (e2b4a4494db7cb9b89b55ca268c337c5) C:\windows\system32\DRIVERS\IPMIDrv.sys
2011/07/01 13:15:33.0412 6496	IPNAT           (af9b39a7e7b6caa203b3862582e9f2d0) C:\windows\system32\drivers\ipnat.sys
2011/07/01 13:15:35.0636 6496	IRENUM          (3abf5e7213eb28966d55d58b515d5ce9) C:\windows\system32\drivers\irenum.sys
2011/07/01 13:15:35.0662 6496	isapnp          (2f7b28dc3e1183e5eb418df55c204f38) C:\windows\system32\DRIVERS\isapnp.sys
2011/07/01 13:15:35.0686 6496	iScsiPrt        (fa4d2557de56d45b0a346f93564be6e1) C:\windows\system32\DRIVERS\msiscsi.sys
2011/07/01 13:15:35.0728 6496	kbdclass        (bc02336f1cba7dcc7d1213bb588a68a5) C:\windows\system32\DRIVERS\kbdclass.sys
2011/07/01 13:15:35.0760 6496	kbdhid          (6def98f8541e1b5dceb2c822a11f7323) C:\windows\system32\DRIVERS\kbdhid.sys
2011/07/01 13:15:35.0907 6496	KSecDD          (e8b6fcc9c83535c67f835d407620bd27) C:\windows\system32\Drivers\ksecdd.sys
2011/07/01 13:15:35.0954 6496	KSecPkg         (a8c63880ef6f4d3fec7b616b9c060215) C:\windows\system32\Drivers\ksecpkg.sys
2011/07/01 13:15:35.0982 6496	ksthunk         (6869281e78cb31a43e969f06b57347c4) C:\windows\system32\drivers\ksthunk.sys
2011/07/01 13:15:36.0045 6496	lltdio          (1538831cf8ad2979a04c423779465827) C:\windows\system32\DRIVERS\lltdio.sys
2011/07/01 13:15:36.0126 6496	LSI_FC          (1a93e54eb0ece102495a51266dcdb6a6) C:\windows\system32\DRIVERS\lsi_fc.sys
2011/07/01 13:15:36.0159 6496	LSI_SAS         (1047184a9fdc8bdbff857175875ee810) C:\windows\system32\DRIVERS\lsi_sas.sys
2011/07/01 13:15:36.0187 6496	LSI_SAS2        (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\windows\system32\DRIVERS\lsi_sas2.sys
2011/07/01 13:15:36.0322 6496	LSI_SCSI        (0504eacaff0d3c8aed161c4b0d369d4a) C:\windows\system32\DRIVERS\lsi_scsi.sys
2011/07/01 13:15:36.0355 6496	luafv           (43d0f98e1d56ccddb0d5254cff7b356e) C:\windows\system32\drivers\luafv.sys
2011/07/01 13:15:36.0404 6496	megasas         (a55805f747c6edb6a9080d7c633bd0f4) C:\windows\system32\DRIVERS\megasas.sys
2011/07/01 13:15:36.0445 6496	MegaSR          (baf74ce0072480c3b6b7c13b2a94d6b3) C:\windows\system32\DRIVERS\MegaSR.sys
2011/07/01 13:15:36.0532 6496	Modem           (800ba92f7010378b09f9ed9270f07137) C:\windows\system32\drivers\modem.sys
2011/07/01 13:15:36.0565 6496	monitor         (b03d591dc7da45ece20b3b467e6aadaa) C:\windows\system32\DRIVERS\monitor.sys
2011/07/01 13:15:36.0593 6496	mouclass        (7d27ea49f3c1f687d357e77a470aea99) C:\windows\system32\DRIVERS\mouclass.sys
2011/07/01 13:15:36.0618 6496	mouhid          (d3bf052c40b0c4166d9fd86a4288c1e6) C:\windows\system32\DRIVERS\mouhid.sys
2011/07/01 13:15:36.0649 6496	mountmgr        (791af66c4d0e7c90a3646066386fb571) C:\windows\system32\drivers\mountmgr.sys
2011/07/01 13:15:36.0686 6496	mpio            (609d1d87649ecc19796f4d76d4c15cea) C:\windows\system32\DRIVERS\mpio.sys
2011/07/01 13:15:36.0709 6496	mpsdrv          (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\windows\system32\drivers\mpsdrv.sys
2011/07/01 13:15:36.0789 6496	MRxDAV          (30524261bb51d96d6fcbac20c810183c) C:\windows\system32\drivers\mrxdav.sys
2011/07/01 13:15:36.0854 6496	mrxsmb          (040d62a9d8ad28922632137acdd984f2) C:\windows\system32\DRIVERS\mrxsmb.sys
2011/07/01 13:15:36.0900 6496	mrxsmb10        (a8c2d7673c8a010569390c826a0efaf4) C:\windows\system32\DRIVERS\mrxsmb10.sys
2011/07/01 13:15:36.0936 6496	mrxsmb20        (3c142d31de9f2f193218a53fe2632051) C:\windows\system32\DRIVERS\mrxsmb20.sys
2011/07/01 13:15:36.0970 6496	msahci          (5c37497276e3b3a5488b23a326a754b7) C:\windows\system32\DRIVERS\msahci.sys
2011/07/01 13:15:37.0005 6496	msdsm           (8d27b597229aed79430fb9db3bcbfbd0) C:\windows\system32\DRIVERS\msdsm.sys
2011/07/01 13:15:37.0059 6496	Msfs            (aa3fb40e17ce1388fa1bedab50ea8f96) C:\windows\system32\drivers\Msfs.sys
2011/07/01 13:15:37.0087 6496	mshidkmdf       (f9d215a46a8b9753f61767fa72a20326) C:\windows\System32\drivers\mshidkmdf.sys
2011/07/01 13:15:37.0146 6496	msisadrv        (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\windows\system32\DRIVERS\msisadrv.sys
2011/07/01 13:15:37.0204 6496	MSKSSRV         (49ccf2c4fea34ffad8b1b59d49439366) C:\windows\system32\drivers\MSKSSRV.sys
2011/07/01 13:15:37.0230 6496	MSPCLOCK        (bdd71ace35a232104ddd349ee70e1ab3) C:\windows\system32\drivers\MSPCLOCK.sys
2011/07/01 13:15:37.0258 6496	MSPQM           (4ed981241db27c3383d72092b618a1d0) C:\windows\system32\drivers\MSPQM.sys
2011/07/01 13:15:37.0300 6496	MsRPC           (89cb141aa8616d8c6a4610fa26c60964) C:\windows\system32\drivers\MsRPC.sys
2011/07/01 13:15:37.0339 6496	mssmbios        (0eed230e37515a0eaee3c2e1bc97b288) C:\windows\system32\DRIVERS\mssmbios.sys
2011/07/01 13:15:37.0366 6496	MSTEE           (2e66f9ecb30b4221a318c92ac2250779) C:\windows\system32\drivers\MSTEE.sys
2011/07/01 13:15:37.0391 6496	MTConfig        (7ea404308934e675bffde8edf0757bcd) C:\windows\system32\DRIVERS\MTConfig.sys
2011/07/01 13:15:37.0421 6496	Mup             (f9a18612fd3526fe473c1bda678d61c8) C:\windows\system32\Drivers\mup.sys
2011/07/01 13:15:37.0561 6496	NativeWifiP     (1ea3749c4114db3e3161156ffffa6b33) C:\windows\system32\DRIVERS\nwifi.sys
2011/07/01 13:15:37.0645 6496	NDIS            (cad515dbd07d082bb317d9928ce8962c) C:\windows\system32\drivers\ndis.sys
2011/07/01 13:15:37.0874 6496	NdisCap         (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\windows\system32\DRIVERS\ndiscap.sys
2011/07/01 13:15:37.0900 6496	NdisTapi        (30639c932d9fef22b31268fe25a1b6e5) C:\windows\system32\DRIVERS\ndistapi.sys
2011/07/01 13:15:37.0931 6496	Ndisuio         (f105ba1e22bf1f2ee8f005d4305e4bec) C:\windows\system32\DRIVERS\ndisuio.sys
2011/07/01 13:15:37.0981 6496	NdisWan         (557dfab9ca1fcb036ac77564c010dad3) C:\windows\system32\DRIVERS\ndiswan.sys
2011/07/01 13:15:38.0010 6496	NDProxy         (659b74fb74b86228d6338d643cd3e3cf) C:\windows\system32\drivers\NDProxy.sys
2011/07/01 13:15:38.0038 6496	NetBIOS         (86743d9f5d2b1048062b14b1d84501c4) C:\windows\system32\DRIVERS\netbios.sys
2011/07/01 13:15:38.0076 6496	NetBT           (9162b273a44ab9dce5b44362731d062a) C:\windows\system32\DRIVERS\netbt.sys
2011/07/01 13:15:38.0386 6496	NETw5s64        (24f64343f14a119308456e1ca7507b26) C:\windows\system32\DRIVERS\NETw5s64.sys
2011/07/01 13:15:38.0488 6496	nfrd960         (77889813be4d166cdab78ddba990da92) C:\windows\system32\DRIVERS\nfrd960.sys
2011/07/01 13:15:38.0537 6496	Npfs            (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\windows\system32\drivers\Npfs.sys
2011/07/01 13:15:38.0598 6496	nsiproxy        (e7f5ae18af4168178a642a9247c63001) C:\windows\system32\drivers\nsiproxy.sys
2011/07/01 13:15:38.0757 6496	Ntfs            (378e0e0dfea67d98ae6ea53adbbd76bc) C:\windows\system32\drivers\Ntfs.sys
2011/07/01 13:15:38.0802 6496	Null            (9899284589f75fa8724ff3d16aed75c1) C:\windows\system32\drivers\Null.sys
2011/07/01 13:15:38.0837 6496	nusb3hub        (8ebcb9165ee7f1571842f4d9d624a74c) C:\windows\system32\DRIVERS\nusb3hub.sys
2011/07/01 13:15:39.0223 6496	nusb3xhc        (5d54dbb12bbfe07cc283fd39f2cd6d63) C:\windows\system32\DRIVERS\nusb3xhc.sys
2011/07/01 13:15:39.0580 6496	nvlddmkm        (651cb3b05da7a95edb8821ec021bb8eb) C:\windows\system32\DRIVERS\nvlddmkm.sys
2011/07/01 13:15:39.0777 6496	nvraid          (a4d9c9a608a97f59307c2f2600edc6a4) C:\windows\system32\drivers\nvraid.sys
2011/07/01 13:15:39.0815 6496	nvstor          (6c1d5f70e7a6a3fd1c90d840edc048b9) C:\windows\system32\drivers\nvstor.sys
2011/07/01 13:15:39.0958 6496	nv_agp          (270d7cd42d6e3979f6dd0146650f0e05) C:\windows\system32\DRIVERS\nv_agp.sys
2011/07/01 13:15:39.0979 6496	ohci1394        (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\windows\system32\DRIVERS\ohci1394.sys
2011/07/01 13:15:40.0935 6496	Parport         (0086431c29c35be1dbc43f52cc273887) C:\windows\system32\DRIVERS\parport.sys
2011/07/01 13:15:40.0965 6496	partmgr         (7daa117143316c4a1537e074a5a9eaf0) C:\windows\system32\drivers\partmgr.sys
2011/07/01 13:15:41.0030 6496	pci             (f36f6504009f2fb0dfd1b17a116ad74b) C:\windows\system32\DRIVERS\pci.sys
2011/07/01 13:15:41.0058 6496	pciide          (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\windows\system32\DRIVERS\pciide.sys
2011/07/01 13:15:41.0488 6496	pcmcia          (b2e81d4e87ce48589f98cb8c05b01f2f) C:\windows\system32\DRIVERS\pcmcia.sys
2011/07/01 13:15:41.0521 6496	pcw             (d6b9c2e1a11a3a4b26a182ffef18f603) C:\windows\system32\drivers\pcw.sys
2011/07/01 13:15:41.0617 6496	PEAUTH          (68769c3356b3be5d1c732c97b9a80d6e) C:\windows\system32\drivers\peauth.sys
2011/07/01 13:15:41.0776 6496	PptpMiniport    (27cc19e81ba5e3403c48302127bda717) C:\windows\system32\DRIVERS\raspptp.sys
2011/07/01 13:15:41.0799 6496	Processor       (0d922e23c041efb1c3fac2a6f943c9bf) C:\windows\system32\DRIVERS\processr.sys
2011/07/01 13:15:42.0068 6496	Psched          (ee992183bd8eaefd9973f352e587a299) C:\windows\system32\DRIVERS\pacer.sys
2011/07/01 13:15:42.0221 6496	ql2300          (a53a15a11ebfd21077463ee2c7afeef0) C:\windows\system32\DRIVERS\ql2300.sys
2011/07/01 13:15:42.0311 6496	ql40xx          (4f6d12b51de1aaeff7dc58c4d75423c8) C:\windows\system32\DRIVERS\ql40xx.sys
2011/07/01 13:15:42.0349 6496	QWAVEdrv        (76707bb36430888d9ce9d705398adb6c) C:\windows\system32\drivers\qwavedrv.sys
2011/07/01 13:15:42.0376 6496	RasAcd          (5a0da8ad5762fa2d91678a8a01311704) C:\windows\system32\DRIVERS\rasacd.sys
2011/07/01 13:15:42.0403 6496	RasAgileVpn     (7ecff9b22276b73f43a99a15a6094e90) C:\windows\system32\DRIVERS\AgileVpn.sys
2011/07/01 13:15:42.0702 6496	Rasl2tp         (87a6e852a22991580d6d39adc4790463) C:\windows\system32\DRIVERS\rasl2tp.sys
2011/07/01 13:15:42.0773 6496	RasPppoe        (855c9b1cd4756c5e9a2aa58a15f58c25) C:\windows\system32\DRIVERS\raspppoe.sys
2011/07/01 13:15:42.0842 6496	RasSstp         (e8b1e447b008d07ff47d016c2b0eeecb) C:\windows\system32\DRIVERS\rassstp.sys
2011/07/01 13:15:42.0907 6496	rdbss           (3bac8142102c15d59a87757c1d41dce5) C:\windows\system32\DRIVERS\rdbss.sys
2011/07/01 13:15:42.0957 6496	rdpbus          (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\windows\system32\DRIVERS\rdpbus.sys
2011/07/01 13:15:42.0992 6496	RDPCDD          (cea6cc257fc9b7715f1c2b4849286d24) C:\windows\system32\DRIVERS\RDPCDD.sys
2011/07/01 13:15:43.0043 6496	RDPENCDD        (bb5971a4f00659529a5c44831af22365) C:\windows\system32\drivers\rdpencdd.sys
2011/07/01 13:15:43.0092 6496	RDPREFMP        (216f3fa57533d98e1f74ded70113177a) C:\windows\system32\drivers\rdprefmp.sys
2011/07/01 13:15:43.0253 6496	RDPWD           (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\windows\system32\drivers\RDPWD.sys
2011/07/01 13:15:43.0330 6496	rdyboost        (634b9a2181d98f15941236886164ec8b) C:\windows\system32\drivers\rdyboost.sys
2011/07/01 13:15:43.0378 6496	regi            (4d9afddda0efe97cdbfd3b5fa48b05f6) C:\windows\system32\drivers\regi.sys
2011/07/01 13:15:43.0428 6496	RFCOMM          (3dd798846e2c28102b922c56e71b7932) C:\windows\system32\DRIVERS\rfcomm.sys
2011/07/01 13:15:44.0272 6496	rspndr          (ddc86e4f8e7456261e637e3552e804ff) C:\windows\system32\DRIVERS\rspndr.sys
2011/07/01 13:15:44.0317 6496	RTL8167         (777fc2c418465404e3d8a290dc247d24) C:\windows\system32\DRIVERS\Rt64win7.sys
2011/07/01 13:15:44.0360 6496	sbp2port        (e3bbb89983daf5622c1d50cf49f28227) C:\windows\system32\DRIVERS\sbp2port.sys
2011/07/01 13:15:44.0404 6496	scfilter        (c94da20c7e3ba1dca269bc8460d98387) C:\windows\system32\DRIVERS\scfilter.sys
2011/07/01 13:15:44.0591 6496	sdbus           (54e47ad086782d3ae9417c155cdceb9b) C:\windows\system32\DRIVERS\sdbus.sys
2011/07/01 13:15:44.0640 6496	secdrv          (3ea8a16169c26afbeb544e0e48421186) C:\windows\system32\drivers\secdrv.sys
2011/07/01 13:15:44.0688 6496	Serenum         (cb624c0035412af0debec78c41f5ca1b) C:\windows\system32\DRIVERS\serenum.sys
2011/07/01 13:15:44.0755 6496	Serial          (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\windows\system32\DRIVERS\serial.sys
2011/07/01 13:15:44.0776 6496	sermouse        (1c545a7d0691cc4a027396535691c3e3) C:\windows\system32\DRIVERS\sermouse.sys
2011/07/01 13:15:44.0872 6496	sffdisk         (a554811bcd09279536440c964ae35bbf) C:\windows\system32\DRIVERS\sffdisk.sys
2011/07/01 13:15:44.0892 6496	sffp_mmc        (ff414f0baefeba59bc6c04b3db0b87bf) C:\windows\system32\DRIVERS\sffp_mmc.sys
2011/07/01 13:15:44.0919 6496	sffp_sd         (178298f767fe638c9fedcbdef58bb5e4) C:\windows\system32\DRIVERS\sffp_sd.sys
2011/07/01 13:15:44.0945 6496	sfloppy         (a9d601643a1647211a1ee2ec4e433ff4) C:\windows\system32\DRIVERS\sfloppy.sys
2011/07/01 13:15:45.0040 6496	Sftfs           (d5183ed285d2795491dc15bddcbee5ad) C:\windows\system32\DRIVERS\Sftfslh.sys
2011/07/01 13:15:45.0098 6496	Sftplay         (00f118b68c50d2206dd51634f9142b83) C:\windows\system32\DRIVERS\Sftplaylh.sys
2011/07/01 13:15:45.0132 6496	Sftredir        (76a827df5640bfe16a0cdbb4108adeca) C:\windows\system32\DRIVERS\Sftredirlh.sys
2011/07/01 13:15:45.0161 6496	Sftvol          (1b4c9701645086bab8cafffce30ed284) C:\windows\system32\DRIVERS\Sftvollh.sys
2011/07/01 13:15:45.0266 6496	SiSRaid2        (843caf1e5fde1ffd5ff768f23a51e2e1) C:\windows\system32\DRIVERS\SiSRaid2.sys
2011/07/01 13:15:45.0310 6496	SiSRaid4        (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\windows\system32\DRIVERS\sisraid4.sys
2011/07/01 13:15:45.0332 6496	Smb             (548260a7b8654e024dc30bf8a7c5baa4) C:\windows\system32\DRIVERS\smb.sys
2011/07/01 13:15:45.0456 6496	smserial        (7ae8bca90539ecbde87ac45ba1436be3) C:\windows\system32\DRIVERS\SmSerl64.sys
2011/07/01 13:15:45.0534 6496	spldr           (b9e31e5cacdfe584f34f730a677803f9) C:\windows\system32\drivers\spldr.sys
2011/07/01 13:15:45.0614 6496	srv             (2408c0366d96bcdf63e8f1c78e4a29c5) C:\windows\system32\DRIVERS\srv.sys
2011/07/01 13:15:45.0666 6496	srv2            (76548f7b818881b47d8d1ae1be9c11f8) C:\windows\system32\DRIVERS\srv2.sys
2011/07/01 13:15:45.0697 6496	srvnet          (0af6e19d39c70844c5caa8fb0183c36e) C:\windows\system32\DRIVERS\srvnet.sys
2011/07/01 13:15:45.0744 6496	stexstor        (f3817967ed533d08327dc73bc4d5542a) C:\windows\system32\DRIVERS\stexstor.sys
2011/07/01 13:15:45.0826 6496	swenum          (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\windows\system32\DRIVERS\swenum.sys
2011/07/01 13:15:45.0948 6496	SynTP           (e5d73228176c9f69072d1f91ced83484) C:\windows\system32\DRIVERS\SynTP.sys
2011/07/01 13:15:46.0141 6496	Tcpip           (61dc720bb065d607d5823f13d2a64321) C:\windows\system32\drivers\tcpip.sys
2011/07/01 13:15:46.0211 6496	TCPIP6          (61dc720bb065d607d5823f13d2a64321) C:\windows\system32\DRIVERS\tcpip.sys
2011/07/01 13:15:46.0269 6496	tcpipreg        (76d078af6f587b162d50210f761eb9ed) C:\windows\system32\drivers\tcpipreg.sys
2011/07/01 13:15:46.0306 6496	TDPIPE          (3371d21011695b16333a3934340c4e7c) C:\windows\system32\drivers\tdpipe.sys
2011/07/01 13:15:46.0484 6496	TDTCP           (e4245bda3190a582d55ed09e137401a9) C:\windows\system32\drivers\tdtcp.sys
2011/07/01 13:15:46.0516 6496	tdx             (079125c4b17b01fcaeebce0bcb290c0f) C:\windows\system32\DRIVERS\tdx.sys
2011/07/01 13:15:46.0548 6496	TermDD          (c448651339196c0e869a355171875522) C:\windows\system32\DRIVERS\termdd.sys
2011/07/01 13:15:46.0742 6496	tssecsrv        (61b96c26131e37b24e93327a0bd1fb95) C:\windows\system32\DRIVERS\tssecsrv.sys
2011/07/01 13:15:46.0780 6496	tunnel          (3836171a2cdf3af8ef10856db9835a70) C:\windows\system32\DRIVERS\tunnel.sys
2011/07/01 13:15:46.0886 6496	uagp35          (b4dd609bd7e282bfc683cec7eaaaad67) C:\windows\system32\DRIVERS\uagp35.sys
2011/07/01 13:15:46.0932 6496	udfs            (d47baead86c65d4f4069d7ce0a4edceb) C:\windows\system32\DRIVERS\udfs.sys
2011/07/01 13:15:47.0204 6496	uliagpkx        (4bfe1bc28391222894cbf1e7d0e42320) C:\windows\system32\DRIVERS\uliagpkx.sys
2011/07/01 13:15:47.0235 6496	umbus           (eab6c35e62b1b0db0d1b48b671d3a117) C:\windows\system32\DRIVERS\umbus.sys
2011/07/01 13:15:48.0367 6496	UmPass          (b2e8e8cb557b156da5493bbddcc1474d) C:\windows\system32\DRIVERS\umpass.sys
2011/07/01 13:15:48.0424 6496	USBAAPL64       (54d4b48d443e7228bf64cf7cdc3118ac) C:\windows\system32\Drivers\usbaapl64.sys
2011/07/01 13:15:48.0492 6496	usbccgp         (b26afb54a534d634523c4fb66765b026) C:\windows\system32\DRIVERS\usbccgp.sys
2011/07/01 13:15:48.0527 6496	usbcir          (af0892a803fdda7492f595368e3b68e7) C:\windows\system32\DRIVERS\usbcir.sys
2011/07/01 13:15:48.0558 6496	usbehci         (2ea4aff7be7eb4632e3aa8595b0803b5) C:\windows\system32\DRIVERS\usbehci.sys
2011/07/01 13:15:48.0614 6496	usbhub          (4c9042b8df86c1e8e6240c218b99b39b) C:\windows\system32\DRIVERS\usbhub.sys
2011/07/01 13:15:48.0648 6496	usbohci         (58e546bbaf87664fc57e0f6081e4f609) C:\windows\system32\DRIVERS\usbohci.sys
2011/07/01 13:15:48.0678 6496	usbprint        (73188f58fb384e75c4063d29413cee3d) C:\windows\system32\DRIVERS\usbprint.sys
2011/07/01 13:15:48.0708 6496	USBSTOR         (f39983647bc1f3e6100778ddfe9dce29) C:\windows\system32\DRIVERS\USBSTOR.SYS
2011/07/01 13:15:48.0865 6496	usbuhci         (81fb2216d3a60d1284455d511797db3d) C:\windows\system32\DRIVERS\usbuhci.sys
2011/07/01 13:15:48.0926 6496	usbvideo        (7cb8c573c6e4a2714402cc0a36eab4fe) C:\windows\System32\Drivers\usbvideo.sys
2011/07/01 13:15:48.0969 6496	vdrvroot        (c5c876ccfc083ff3b128f933823e87bd) C:\windows\system32\DRIVERS\vdrvroot.sys
2011/07/01 13:15:49.0000 6496	vga             (da4da3f5e02943c2dc8c6ed875de68dd) C:\windows\system32\DRIVERS\vgapnp.sys
2011/07/01 13:15:49.0059 6496	VgaSave         (53e92a310193cb3c03bea963de7d9cfc) C:\windows\System32\drivers\vga.sys
2011/07/01 13:15:49.0136 6496	vhdmp           (c82e748660f62a242b2dfac1442f22a4) C:\windows\system32\DRIVERS\vhdmp.sys
2011/07/01 13:15:49.0168 6496	viaide          (e5689d93ffe4e5d66c0178761240dd54) C:\windows\system32\DRIVERS\viaide.sys
2011/07/01 13:15:49.0194 6496	volmgr          (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\windows\system32\DRIVERS\volmgr.sys
2011/07/01 13:15:49.0231 6496	volmgrx         (99b0cbb569ca79acaed8c91461d765fb) C:\windows\system32\drivers\volmgrx.sys
2011/07/01 13:15:49.0585 6496	volsnap         (58f82eed8ca24b461441f9c3e4f0bf5c) C:\windows\system32\DRIVERS\volsnap.sys
2011/07/01 13:15:49.0633 6496	vsmraid         (5e2016ea6ebaca03c04feac5f330d997) C:\windows\system32\DRIVERS\vsmraid.sys
2011/07/01 13:15:49.0670 6496	vwifibus        (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\windows\system32\DRIVERS\vwifibus.sys
2011/07/01 13:15:49.0699 6496	vwififlt        (6a3d66263414ff0d6fa754c646612f3f) C:\windows\system32\DRIVERS\vwififlt.sys
2011/07/01 13:15:49.0725 6496	vwifimp         (6a638fc4bfddc4d9b186c28c91bd1a01) C:\windows\system32\DRIVERS\vwifimp.sys
2011/07/01 13:15:49.0843 6496	WacomPen        (4e9440f4f152a7b944cb1663d3935a3e) C:\windows\system32\DRIVERS\wacompen.sys
2011/07/01 13:15:49.0878 6496	WANARP          (47ca49400643effd3f1c9a27e1d69324) C:\windows\system32\DRIVERS\wanarp.sys
2011/07/01 13:15:49.0907 6496	Wanarpv6        (47ca49400643effd3f1c9a27e1d69324) C:\windows\system32\DRIVERS\wanarp.sys
2011/07/01 13:15:49.0986 6496	Wd              (72889e16ff12ba0f235467d6091b17dc) C:\windows\system32\DRIVERS\wd.sys
2011/07/01 13:15:50.0047 6496	Wdf01000        (441bd2d7b4f98134c3a4f9fa570fd250) C:\windows\system32\drivers\Wdf01000.sys
2011/07/01 13:15:50.0427 6496	WfpLwf          (611b23304bf067451a9fdee01fbdd725) C:\windows\system32\DRIVERS\wfplwf.sys
2011/07/01 13:15:50.0447 6496	WIMMount        (05ecaec3e4529a7153b3136ceb49f0ec) C:\windows\system32\drivers\wimmount.sys
2011/07/01 13:15:50.0554 6496	WmiAcpi         (f6ff8944478594d0e414d3f048f0d778) C:\windows\system32\DRIVERS\wmiacpi.sys
2011/07/01 13:15:50.0625 6496	ws2ifsl         (6bcc1d7d2fd2453957c5479a32364e52) C:\windows\system32\drivers\ws2ifsl.sys
2011/07/01 13:15:50.0705 6496	WudfPf          (7cadc74271dd6461c452c271b30bd378) C:\windows\system32\drivers\WudfPf.sys
2011/07/01 13:15:50.0745 6496	WUDFRd          (3b197af0fff08aa66b6b2241ca538d64) C:\windows\system32\DRIVERS\WUDFRd.sys
2011/07/01 13:15:50.0860 6496	MBR (0x1B8)     (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
2011/07/01 13:15:50.0893 6496	Boot (0x1200)   (fdad0183d0eecf79f9be6c3a84f723a5) \Device\Harddisk0\DR0\Partition0
2011/07/01 13:15:50.0936 6496	Boot (0x1200)   (78c1dfdcb942be67ce071c0159de1cf0) \Device\Harddisk0\DR0\Partition1
2011/07/01 13:15:50.0946 6496	================================================================================
2011/07/01 13:15:50.0946 6496	Scan finished
2011/07/01 13:15:50.0946 6496	================================================================================
2011/07/01 13:15:50.0966 1884	Detected object count: 0
2011/07/01 13:15:50.0966 1884	Actual detected object count: 0
2011/07/01 13:17:32.0789 4612	Deinitialize success


----------



## djbulgogi

Here is the *HijackThis Log*:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:23:48 PM, on 7/1/2011
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16800)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
C:\Program Files (x86)\msi\msi LED Manager\SLM.exe
C:\Program Files (x86)\msi\NVIDIA Overclock Tool\NVIDIAOCAP.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Motorola\Bluetooth\btplayerctrl.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msi.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [NortonOnlineBackup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [msi LED Manager] C:\Program Files (x86)\msi\msi LED Manager\SLM.exe
O4 - HKLM\..\Run: [NVIDIAOCAP] C:\Program Files (x86)\MSI\NVIDIA Overclock Tool\NVIDIAOCAP.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [B2C_AGENT] C:\ProgramData\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1575950506-223816923-3895840053-1000\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-1575950506-223816923-3895840053-1000\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bluetooth Device Manager - Motorola, Inc. - C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe
O23 - Service: Bluetooth Media Service - Motorola, Inc. - C:\Program Files\Motorola\Bluetooth\audiosrv.exe
O23 - Service: Bluetooth OBEX Service - Motorola, Inc. - C:\Program Files\Motorola\Bluetooth\obexsrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Micro Star SCM - Micro-Star International Co., Ltd. - C:\Program Files (x86)\System Control Manager\MSIService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Norton Online Backup (NOBU) - Symantec Corporation - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11489 bytes




=======================================================


Here is the *Malware Bytes Log *:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6995

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/1/2011 1:31:45 PM
mbam-log-2011-07-01 (13-31-45).txt

Scan type: Quick scan
Objects scanned: 177369
Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)









*THANK YOU!*


----------



## johnb35

I don't see any issues in your log.  However, have you ran Ccleaner yet?

http://download.cnet.com/ccleaner/

download, install and run it.  Open the program and click on run cleaner, this will delete old temp files and system files which should make your system run quicker.  If not, let me know and we'll run something else just to make sure your clean.


----------



## Sdit

*Help please...*

Hi Johnb35... I've had the same problem as the first poster... I've ran Malwarebytes and am starting to run HyjackThis... 

Here are my Malwarebytes Log: I will post the HyjackThis log once complete: 
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6999

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/1/2011 2:36:21 PM
mbam-log-2011-07-01 (14-36-21).txt

Scan type: Quick scan
Objects scanned: 167300
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 7

Memory Processes Infected:
c:\programdata\vdpltshlvdsd.exe (Trojan.FakeAlert) -> 3180 -> Unloaded process successfully.
c:\programdata\37150456.exe (Trojan.FakeAlert) -> 4108 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\GamevanceText.DLL (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AppDataLow\gvtl (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VDPLtsHLVdsd (Trojan.FakeAlert) -> Value: VDPLtsHLVdsd -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AVGT (Rogue.AntivirusGT) -> Value: AVGT -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\Users\chase and sara\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected] (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\Users\chase and sara\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]\chrome (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\Users\chase and sara\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]\components (Adware.GamesVance) -> Quarantined and deleted successfully.

Files Infected:
c:\programdata\vdpltshlvdsd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\programdata\37150456.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\chase and sara\AppData\Local\Temp\Low\tmpBD6C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\chase and sara\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]\chrome.manifest (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\Users\chase and sara\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]\install.rdf (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\Users\chase and sara\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]\chrome\gvtextlinks.jar (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\Users\chase and sara\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]\components\gvtlf.xpt (Adware.GamesVance) -> Quarantined and deleted successfully.


----------



## Sdit

*HyjackThis Log*

Johnb35... here is my HyjackThis log file...

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:48:48 PM, on 7/1/2011
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16800)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPDSK/1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {37153479-1976-43c3-a1ee-557513977b64} - (no file)
F2 - REG:system.ini: UserInit=c:\windows\syswow64\userinit.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20110602140126.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Support.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SBRegRebootCleaner] C:\Program Files (x86)\Sunbelt Software\CounterSpy\SBRC.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [doubleTwist] C:\Program Files (x86)\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
O16 - DPF: {03A89EFD-E023-B000-A22D-45F77558EB4C} (ILINCInstall110 Class) - https://content10.ilinc.com/download/AXCltInst11.dll
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~2\mcafee\msc\mcsniepl.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: AMD RAIDXpert (AMD_RAIDXpert) - AMD - C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: HP Quick Synchronization Service (HPDrvMntSvc.exe) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\Windows\system32\mfevtps.exe (file missing)
O23 - Service: McAfee Online Backup (MOBKbackup) - McAfee, Inc. - C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 16351 bytes


----------



## johnb35

Please rerun hijackthis and place a check next to these entries.

R3 - URLSearchHook: (no name) - {37153479-1976-43c3-a1ee-557513977b64} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

Then click on fix checked at the bottom.

Then go into add/remove programs and uninstall the ask toolbar and any other ask software that may be installed.


----------



## rara12

I have the exact same problem and I can't access most of my stuff. I'm really bad with computers, I'm a novice so I would really appreciate any help you guys could give to me regarding this. A window came up saying Windows XP repair and i ran it for a bit and got suspicious so i stopped it and it ran again automatically and at the end it told me to purchase something for $30 so I exited. I called Dell for help but theyre unable to help me until Monday as I'm not covered for weekend repair. Someone help please! also, is it possible that it may have affected my portable drive? because it was connected to my affected pc but i unplugged it and put it into my laptop and its working fine but I dont want to leave it there incase there's a chance my laptop could also get affected


----------



## johnb35

Please do the following.

Please download Malwarebytes' Anti-Malware from *here* or *here* and save it to your desktop.

Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
*Update Malwarebytes' Anti-Malware*
and *Launch Malwarebytes' Anti-Malware*
 
then click *Finish*.
If an update is found, it will download and install the latest version.  *Please keep updating until it says you have the latest version.*
Once the program has loaded, select *Perform quick scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
A log will be saved automatically which you can access by clicking on the *Logs* tab within Malwarebytes' Anti-Malware

If for some reason Malwarebytes will not install or run please download and run Rkill.scr,  Rkill.exe, or Rkill.com  but *DO NOT *reboot the system and then try installing or running Malwarebytes.  If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it.  Once a log appears on the screen, you can try running malwarebytes or downloading other programs.



Download the HijackThis installer from *here*.  
Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log


----------



## djbulgogi

johnb35 said:


> I don't see any issues in your log.  However, have you ran Ccleaner yet?
> 
> http://download.cnet.com/ccleaner/
> 
> download, install and run it.  Open the program and click on run cleaner, this will delete old temp files and system files which should make your system run quicker.  If not, let me know and we'll run something else just to make sure your clean.



Ah yes I've used this before on older computers, works wonders!

I ran it on my computer and it got rid of over a little more than 1GB so the computer is running much more smoothly *but only after the first 5-10 minutes of being rebooted or started up from standby*. In these first 5-10 minutes it takes about 15-20 secs to open a link in Firefox (I get the "Firefox is not responding message" and then it finally works) and forget about playing any games in this time period as the computer has minute long spikes where the screen freezes and then resolves what happened in that minute in about 2 seconds (ouch!).

In fact I saw a troubling message today when my computer first syncs up the hard drives (I have two 500GB partitions) and it says "Error Occured" in my second hard drive (which has no data on it yet). So I'm thinking this is a hardware issue and not a software issue.

It's almost like my laptop needs 5-10 minutes to warm up and then it is fine.

Where would you suggest I take this in? I'm in the Chicagoland area as well, Northwest side by the airport.


----------



## johnb35

Take it to a reputable mom and pop computer repair place, don't even think about taking it to geeksquad/bestbuy as they will rape you.


----------



## djbulgogi

Haha, duly noted I will take into a legitimate place.

Thanks for your time and patience!


----------



## rschwarz

*log for add-remove programs.text to fix Unhide problem*

John,

Here is the log for add-remove programs.txt that you asked for regarding my unhide problem. I have not sent it to you email. 

1.1.81
7-Zip 4.44 beta
Adobe Acrobat - Reader 6.0.2 Update
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0.1
AIM 6
AIM Search
AIM Toolbar 5.0
Andrea VoiceCenter
AOL Uninstaller (Choose which Products to Remove)
AOLIcon
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
ATI Control Panel
ATI Display Driver
Avira AntiVir Personal - Free Antivirus
Banctec Service Agreement
Band-in-a-Box 2006 Demo
Bonjour
Cake Mania® 2
Canon IJ Network Tool
Canon iP5200R
Canon Setup Utility 2.0
Canon Utilities Easy-PhotoPrint
CDBurnerXP Pro 3
Chessmaster 10th Edition
Chessmaster Challenge (remove only)
CleanUp!
Collab
Corel Photo Album 6
Creative MediaSource
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Photo Printer 720
Dell Support Center
Dell System Restore
Digital Content Portal
EA Download Manager
EA Download Manager UI
EarthLink setup files
Easy-WebPrint
Easy CD-DA Extractor 10
EducateU
ESPNMotion
Fashion Boutique
FL Studio 7
GemMaster Mystic
Get High Speed Internet!
Google AFE
Google Desktop
Google Earth
Google SketchUp 6
Google Toolbar for Internet Explorer
Google Update Helper
Guitar Guru Version 2.1.2
Guitar Pro 5.0
GuitarPort 2.51 (Remove Only)
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Icy Tower v1.3.1
IL Download Manager
InfraRecorder
Intel Matrix Storage Manager
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
iPod for Windows 2005-06-26
iPodRip
iTunes
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
Java Auto Updater
Java(TM) 6 Update 18
Jojo's Fashion Show™
Learn2 Player (Uninstall Only)
LimeWire 4.12.6
Macromedia Flash Player
Macromedia Shockwave Player
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Software Update for Web Folders  (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft WSE 3.0 Runtime
Modem Event Monitor
Modem Helper
Modem On Hold
Mozart 9
Mozilla Firefox (3.6.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
MSXML4 Parser
Musicnotes Player V1.22.3
Netflix Movie Viewer
OmniFormat
Otto
PDF Image Magic 1.6
Pdf995
Plaxo Toolbar for Windows
PowerDVD 5.5
PStill PostScript to PDF Converter (remove only)
QuickBooks Simple Start Special Edition
QuickTime
Ranch Rush™
RealPlayer
RiffWorks 1.00 (Remove Only)
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sibelius 5 Demo
SimCopter
Skype™ 3.8
Solero Music Viewer
Sonic DLA
Sonic Encoders
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sony Sound Forge 8.0b
SoulSeek Client 156c
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Product Registration
SPBBC
Spybot - Search & Destroy 1.5.2.20
Steinberg Cubase LE
Sudoku
TBS WMP Plug-in
The Oregon Trail
The Sims 2 Body Shop
The Sims™ 3
Universal Document Converter
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Outlook 2007 Junk Email Filter (KB2536413)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
US-122L / US-144 driver
US-224
VideoLAN VLC media player 0.8.6b
Viewpoint Media Player
Vuze
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Search 4.0
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
WinZip 11.1
WordPerfect Office 12


----------



## johnb35

Please uninstall the following programs.

Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
Java Auto Updater
Java(TM) 6 Update 18
LimeWire 4.12.6
Plaxo Toolbar for Windows
Viewpoint Media Player
WebFldrs XP

And if you really don't use these, uninstall these 3 as well.

AIM 6
AIM Search
AIM Toolbar 5.0

Then go here to download the latest version of Adobe reader and java

http://get.adobe.com/reader/?promoid=BUIGO

Just make sure you uncheck mcafee security scan plus before downloading.

http://www.java.com/en/download/index.jsp


----------



## rschwarz

*unhiding programs*



johnb35 said:


> Please uninstall the following programs.
> 
> Adobe Acrobat - Reader 6.0.2 Update
> Adobe Reader 6.0.1
> J2SE Runtime Environment 5.0 Update 3
> Java 2 Runtime Environment, SE v1.4.2_03
> Java Auto Updater
> Java(TM) 6 Update 18
> LimeWire 4.12.6
> Plaxo Toolbar for Windows
> Viewpoint Media Player
> WebFldrs XP
> 
> And if you really don't use these, uninstall these 3 as well.
> 
> AIM 6
> AIM Search
> AIM Toolbar 5.0
> 
> Then go here to download the latest version of Adobe reader and java
> 
> http://get.adobe.com/reader/?promoid=BUIGO
> 
> Just make sure you uncheck mcafee security scan plus before downloading.
> 
> http://www.java.com/en/download/index.jsp



John,

I followed the instructions above. I'm assuming i need to do something in addition to get my programs to show up instead of the "empty" wording in the show all programs menu - yes?

Also, you mentioned deactivating my macafree before downloading java. I have Avira - i assume you meant that.

Roger


----------



## johnb35

Go into control panel and click on add/remove programs.  Find each program I listed and click on it and then click on remove.  

I never said to disable mcafee, i said to uncheck mcafee security scan plus before you click on download for adobe reader.  mcafee security scan is an addon for the download of adobe reader and you don't need it.


----------



## rschwarz

John,

I did remove the programs you listed above. Sorry about misunderstanding with macafree.

Now what do i do?


----------



## johnb35

Give me an update on how your system is running or if you are having any issues.


----------



## rschwarz

John,

Everything seems to be running fine as far as I can tell. The only issue is still not being able to open programs from the start menu because it says "empty."


----------



## johnb35

Lets try something.

Please download SystemLook and save it to your Desktop.

•Double-click SystemLook.exe to run it.

•Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator

•Copy the content of the following box into the main textfield:



		Code:
	

:dir
%Temp%\smtmp /s


•Click the Look button to start the scan.

•When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


----------



## rschwarz

Here's the systemlook.txt log:

SystemLook 04.09.10 by jpshortstuff
Log created at 22:18 on 05/07/2011 by Roger Schwarz
Administrator - Elevation successful

========== dir ==========

C:\DOCUME~1\ROGERS~1\LOCALS~1\Temp\smtmp - Unable to find folder.

-= EOF =-


----------



## johnb35

Ok, unfortunately it looks like the temp folders that the infection made that holds your start menu programs are gone.  The only way to fix this issue is to do a system restore back to a few days before you got infected.  You will need to go to this location.

C:\WINDOWS\system32\Restore

and double click on rstrui.exe to start the system restore process.  Pick a day that was before you got infected.  They system will start the restore process and then reboot the system and hopefully it will be successful as system restore is sometimes unreliable.  

If it is successful, please rescan your system with malwarebytes and hijackthis and post your logs for me to go through again.


----------



## makura

I got rid of the virus itself using rkill and malwarebytes, but after I did, it looks like my computer also has the google redirect virus and I have no sound when i go to youtube.  i've tried using tdsskiller but it wont run.  and my malwarebytes is showing nothing wrong with my computer.  also, when the recovery virus showed up on my computer, so did something called 'windows vista fix'  i looked it up on google but i saw nothing to indicate that it was a virus and it disappeared when i ran rkill and malwarebytes.


----------



## johnb35

Makura, 

what happens when you try running tdsskiller?


----------



## makura

johnb35 said:


> Makura,
> 
> what happens when you try running tdsskiller?



after I click on it, a box appears asking for permission to run.  when I click ok, it would appear to be thinking but then nothing happens.  I waited 5 minutes on one try just thinking that maybe it was a little slow, but nothing.  I even tried renaming it like i've seen recommended.  I've put it on my desktop, i've put it into my download folder.  every time it has the same result, click->give permission->nothing.


----------



## johnb35

Makura,

Please do the following.

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

http://www.bleepingcomputer.com/download/anti-virus/combofix

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more that 20 minutes including the reboot if malware is detected.


In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## makura

Well my computer still has the redirect virus, and I still have no sound at streaming sites like youtube.  My internet explorer randomly crashes for no reason but seems fine afterwords and gets extremely slow on sites with a lot going on like facebook (not sure if thats just a slow internet problem or not, thought I should mention it just in case).  also misc. question, I have microsoft security essentials (up to date) and mcafee(useless) is it safe to uninstall mcafee with just MSE?

*Here is my combo fix log:*

ComboFix 11-07-13.03 - Melissa 07/13/2011  17:28:41.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1015.343 [GMT -4:00]
Running from: c:\users\Melissa\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: McAfee VirusScan *Disabled/Updated* {91492D4B-0869-000E-929C-AE00AA450731}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Melissa\AppData\Local\Temp\ppcrlui_4788_2
c:\windows\Update.bat
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-13 to 2011-07-13  )))))))))))))))))))))))))))))))
.
.
2011-07-13 22:00 . 2011-07-13 22:03	--------	d-----w-	c:\users\Melissa\AppData\Local\temp
2011-07-13 22:00 . 2011-07-13 22:00	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-07-13 17:23 . 2011-07-13 17:23	28752	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A5CDC545-6968-4050-8B9C-8DA428DD2F96}\MpKsl50bc33f1.sys
2011-07-13 05:15 . 2011-06-07 12:55	7074640	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A5CDC545-6968-4050-8B9C-8DA428DD2F96}\mpengine.dll
2011-07-11 20:40 . 2011-06-07 12:55	7074640	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-10 21:41 . 2010-11-30 15:43	439632	------w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4BAABCCF-5158-497A-976F-036260DD9E14}\gapaengine.dll
2011-07-10 21:26 . 2011-04-22 23:25	2382848	----a-w-	c:\windows\system32\mshtml.tlb
2011-07-10 21:26 . 2011-04-25 15:29	141104	----a-w-	c:\program files\Internet Explorer\sqmapi.dll
2011-07-10 21:26 . 2011-04-22 23:35	1797632	----a-w-	c:\windows\system32\jscript9.dll
2011-07-10 21:20 . 2011-07-11 17:03	--------	d-----w-	c:\program files\Microsoft Security Client
2011-07-10 21:18 . 2010-04-05 20:00	221568	----a-w-	c:\windows\system32\drivers\netio.sys
2011-07-10 21:10 . 2011-05-02 12:02	2409784	----a-w-	c:\program files\Windows Mail\OESpamFilter.dat
2011-07-10 21:09 . 2010-12-20 16:35	563712	----a-w-	c:\windows\system32\oleaut32.dll
2011-07-10 21:09 . 2011-04-21 13:58	273408	----a-w-	c:\windows\system32\drivers\afd.sys
2011-07-10 21:09 . 2011-04-29 13:24	214016	----a-w-	c:\windows\system32\drivers\mrxsmb10.sys
2011-07-10 21:09 . 2011-04-29 13:24	79872	----a-w-	c:\windows\system32\drivers\mrxsmb20.sys
2011-07-10 21:09 . 2011-04-29 13:24	106496	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2011-07-10 21:09 . 2011-04-14 14:59	75264	----a-w-	c:\windows\system32\drivers\dfsc.sys
2011-07-10 21:08 . 2011-04-29 13:25	146432	----a-w-	c:\windows\system32\drivers\srv2.sys
2011-07-10 21:08 . 2011-04-29 13:25	102400	----a-w-	c:\windows\system32\drivers\srvnet.sys
2011-07-10 21:08 . 2011-05-02 17:16	739328	----a-w-	c:\windows\system32\inetcomm.dll
2011-07-10 21:00 . 2011-04-29 15:59	276992	----a-w-	c:\windows\system32\schannel.dll
2011-07-10 15:45 . 2011-06-07 15:55	7074640	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{8A233E6B-D477-4D48-8F0C-75EDA64BFCA1}\mpengine.dll
2011-07-10 07:04 . 2011-07-10 07:04	--------	d-----w-	c:\programdata\SiteAdvisor
2011-07-10 06:20 . 2011-07-10 06:20	--------	d-----w-	C:\## aswSnx private storage
2011-07-10 06:20 . 2011-07-13 21:20	--------	d-----w-	C:\32788R22FWJFW
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-21 12:54 . 2011-05-17 16:33	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-13 19:46 . 2011-06-13 19:46	161792	----a-w-	c:\windows\system32\msls31.dll
2011-06-13 19:46 . 2011-06-13 19:46	86528	----a-w-	c:\windows\system32\iesysprep.dll
2011-06-13 19:46 . 2011-06-13 19:46	76800	----a-w-	c:\windows\system32\SetIEInstalledDate.exe
2011-06-13 19:46 . 2011-06-13 19:46	74752	----a-w-	c:\windows\system32\RegisterIEPKEYs.exe
2011-06-13 19:46 . 2011-06-13 19:46	48640	----a-w-	c:\windows\system32\mshtmler.dll
2011-06-13 19:46 . 2011-06-13 19:46	1126912	----a-w-	c:\windows\system32\wininet.dll
2011-06-13 19:46 . 2011-06-13 19:46	63488	----a-w-	c:\windows\system32\tdc.ocx
2011-06-13 19:46 . 2011-06-13 19:46	367104	----a-w-	c:\windows\system32\html.iec
2011-06-13 19:46 . 2011-06-13 19:46	74752	----a-w-	c:\windows\system32\iesetup.dll
2011-06-13 19:46 . 2011-06-13 19:46	23552	----a-w-	c:\windows\system32\licmgr10.dll
2011-06-13 19:46 . 2011-06-13 19:46	152064	----a-w-	c:\windows\system32\wextract.exe
2011-06-13 19:46 . 2011-06-13 19:46	1427456	----a-w-	c:\windows\system32\inetcpl.cpl
2011-06-13 19:46 . 2011-06-13 19:46	420864	----a-w-	c:\windows\system32\vbscript.dll
2011-06-13 19:46 . 2011-06-13 19:46	150528	----a-w-	c:\windows\system32\iexpress.exe
2011-06-13 19:46 . 2011-06-13 19:46	142848	----a-w-	c:\windows\system32\ieUnatt.exe
2011-06-13 19:46 . 2011-06-13 19:46	11776	----a-w-	c:\windows\system32\mshta.exe
2011-06-13 19:46 . 2011-06-13 19:46	35840	----a-w-	c:\windows\system32\imgutil.dll
2011-06-13 19:46 . 2011-06-13 19:46	101888	----a-w-	c:\windows\system32\admparse.dll
2011-06-13 19:46 . 2011-06-13 19:46	110592	----a-w-	c:\windows\system32\IEAdvpack.dll
2011-06-11 19:56 . 2010-06-24 15:33	18328	----a-w-	c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-05-29 13:11 . 2011-05-30 02:34	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2011-05-30 02:34	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-05-04 03:48 . 2006-11-02 10:32	101888	----a-w-	c:\windows\system32\ifxcardm.dll
2011-05-04 03:48 . 2006-11-02 10:32	82432	----a-w-	c:\windows\system32\axaltocm.dll
2011-04-27 19:25 . 2011-04-27 19:25	65024	----a-w-	c:\windows\system32\drivers\NisDrvWFP.sys
2011-04-18 17:18 . 2010-10-25 01:25	43392	----a-w-	c:\windows\system32\drivers\MpNWMon.sys
2011-04-18 17:18 . 2010-10-25 01:25	165648	----a-w-	c:\windows\system32\drivers\MpFilter.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\prxtbZyn2.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2011-03-28 16:22	176936	----a-w-	c:\program files\Zynga\prxtbZyn2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\prxtbZyn2.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\prxtbZyn2.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"BitTorrent DNA"="c:\users\Melissa\Program Files\DNA\btdna.exe" [2010-06-10 323392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-13 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-29 4317184]
"CHotkey"="zHotkey.exe" [2006-11-07 547840]
"ShowWnd"="ShowWnd.exe" [2005-01-27 36864]
"ModPS2"="ModPS2Key.exe" [2006-11-07 53248]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-28 30192]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 2348584]
"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-18 152144]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-18 133656]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-17 40072]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.EXE" [2007-12-04 111904]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-25 113664]
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2007-5-15 2348584]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-10 136176]
R3 dump_wmimmc;dump_wmimmc;c:\aeriagames\Shaiya\GameGuard\dump_wmimmc.sys [x]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-28 30192]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-10 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 MpKsl50bc33f1;MpKsl50bc33f1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A5CDC545-6968-4050-8B9C-8DA428DD2F96}\MpKsl50bc33f1.sys [2011-07-13 28752]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL50BC33F1
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai	REG_MULTI_SZ   	Akamai
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-10 23:34]
.
2011-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-10 23:34]
.
2011-06-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-09-03 17:32]
.
2011-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-09-03 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.fanfiction.net/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=W5233
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
TCP: DhcpNameServer = 69.57.112.10 137.118.1.32
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-13 18:03
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-07-13  18:21:08
ComboFix-quarantined-files.txt  2011-07-13 22:20
ComboFix2.txt  2011-07-08 07:01
.
Pre-Run: 77,821,509,632 bytes free
Post-Run: 78,073,188,352 bytes free
.
- - End Of File - - 740E21407AB8B41E64A3A5AFC0D73ED6

*and here is my HiJackThis log:*

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:32:11 PM, on 7/13/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\zHotkey.exe
C:\Windows\ModPS2Key.exe
C:\Program Files\McAfee\MSK\mskagent.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Melissa\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Mail\WinMail.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fanfiction.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=W5233
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\prxtbZyn2.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Zynga - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\prxtbZyn2.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
O3 - Toolbar: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\prxtbZyn2.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Melissa\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\Users\Melissa\AppData\Local\Temp\Low\HSPERF~1.SH! (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\Users\Melissa\AppData\Local\Temp\Low\HSPERF~1.SH! (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - https://research.flagler.edu:9253/lib/flagler/support/plugins/ebraryRdr.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11382 bytes


----------



## johnb35

Boot to safe mode and try running tdsskiller there.  Since you are still having redirects, you need to run it.  i also need you to post a logfile from combofix.  

Navigate to c:\qoobox and in that folder will be a file named add-remove programs.txt. Open that file and copy and paste the contents back here.


----------



## makura

well trying tdsskiller in safe mode did less than it usually does, didnt even ask for permission.  should I try safe mode with networking?  here is my qoobox:

 Update for Microsoft Office 2007 (KB2508958)
12Sky
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Photoshop 6.0
Adobe Reader 8.1.2
Akamai NetSession Interface
BigFix
Browser Address Error Redirector
CCleaner
D3DX10
Defraggler
Digital Media Reader
DivX Converter
DivX Setup
DNA
EAX(tm) Unified (SHELL)
eMachines Connect
eMachines Game Console
eMachines Recovery Center Installer
Family Feud 2
Google Desktop
Google Toolbar for Internet Explorer
Google Update Helper
Grand Fantasia
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Java(TM) SE Runtime Environment 6 Update 1
Linkit_eBay
Malwarebytes' Anti-Malware version 1.51.0.1200
McAfee Security Scan Plus
McAfee SecurityCenter
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Polar Bowler
Polar Golfer
Power2Go 5.0
PS2 Multimedia Keyboard Driver
Real Alternative 2.0.1
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Segoe UI
Shin Megami Tensei: Imagine Online
Soft Data Fax Modem with SmartCP
System Requirements Lab for Intel
TwelveSky2
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VC80CRTRedist - 8.0.50727.4053
Veoh Video Compass
Veoh Web Player
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR archiver
Zynga Toolbar


----------



## johnb35

Ok.  You have some security issues here.  You have way too many security programs installed.

McAfee SecurityCenter
Microsoft Security Client
Microsoft Security Essentials

Those 3 prorgrams conflict with each other and you need to choose and keep only 1 and uninstall the others.  I suggest keeping MSE and uninstall the top 2.


You should use the Mcafee removal tool.

http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe


Also need you to uninstall the following programs.

McAfee Security Scan Plus
Adobe Reader 8.1.2
Java(TM) SE Runtime Environment 6 Update 1
Zynga Toolbar 


Then go here to download the latest version of adobe and java.

http://get.adobe.com/reader/?promoid=BUIGO

just make sure you uncheck mcafee security scan plus before downloading adobe.

http://www.java.com/en/download/index.jsp

After doing this try rerunning tdsskiller.


----------



## makura

i've managed to remove and replace everything you've recommended save for microsoft security client.  I can't seem to find it in the add/change list on my control panel or in my start menu under programs.  where should I look for it?


----------



## johnb35

Probably just a registry entry that needs to be removed.   Have you tried running tdsskiller again?


----------



## makura

I tried tdsskiller again but it's still not working.


----------



## johnb35

Download mbr.exe to your Desktop.

•Doubleclick mbr.exe and follow prompts.
•When mbr.exe is ready, it will create a log.
•Copy and paste contents of that file to your next reply.


----------



## makura

ok so I ran that scan, it opened and closed in a snap and the log is very short, did it run right?  here is the log:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: WDC_WD2500JS-22NCB1 rev.10.02E02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK 
copy of MBR has been found in sector 60 !


----------



## JHM

For those of you who are having problems seeing some of your files and shortcuts, be advised that one thing this virus does is change various files attributes to those of hidden operating system files.

It is therefore possible to bring said files back into view by using the following proceedure; though it does not change their attributes back to what they should be, at least it makes them visible.

Step 1 is to open My Computer and click on the word "Tools" up at the top.







Step 2 is when the submenu opens, click on "Folder Options" down at the bottom of the submenu.






Step 3 is when the "Folder Options" window opens, click on the "View" tab.






Step 4 is when the "View Options" open, first select "Show hidden files and folders", and having done that, then uncheck the little checkbox next to "Hide protected operating system files (Recommended)"; and having done that, click on the "Apply to All Folders" button; then click on the "Apply" button and the "OK" button down at the bottom of the view options window.






The only way I have found to reset the file attributes to what they should be is by doing a restore from backup. Hope this helps. It is for XP, but Win7 should have something similar.


----------



## makura

so what should I do now?


----------



## JHM

Are you asking me that ?

You actually have several options. 1) Follow the previous instructions and that will make your files visible again, though it will also make hidden Operating System files visible. - You could live with that.

2) Do a restore from backup if you have a backup. When doing it specify, "advanced" and in the advanced choices, specify "replace all".

3) Use the "Windows Recovery Console" to reset the attributes of your invisible files to what they should be. JohnB35 can tell you how to download and install the "Recovery Console" if you don't already have it; but this would be a very laborious and tedious business to do. If you decide to go this route, once installed, when the machine is booting press the F8 key, then when you see the options come up select "Windows Recovery Console". Once you are in it, type "Help" without the quotes. That will give you a list of commands, the key ones being in this case "Dir" and "Attribute" The former gives you a list of all the files you have and the latter shows their attributes, and allows you to reset them. NO FUN!!

4) Copy off any important files into a different partition then format "C" and reinstall "Windopes"

5) Live with it as is.

Those are your options as far as I know, though maybe someone else can give you something better.


----------



## makura

JHM said:


> Are you asking me that ?
> 
> You actually have several options. 1) Follow the previous instructions and that will make your files visible again, though it will also make hidden Operating System files visible. - You could live with that.
> 
> 2) Do a restore from backup if you have a backup. When doing it specify, "advanced" and in the advanced choices, specify "replace all".
> 
> 3) Use the "Windows Recovery Console" to reset the attributes of your invisible files to what they should be. JohnB35 can tell you how to download and install the "Recovery Console" if you don't already have it; but this would be a very laborious and tedious business to do. If you decide to go this route, once installed, when the machine is booting press the F8 key, then when you see the options come up select "Windows Recovery Console". Once you are in it, type "Help" without the quotes. That will give you a list of commands, the key ones being in this case "Dir" and "Attribute" The former gives you a list of all the files you have and the latter shows their attributes, and allows you to reset them. NO FUN!!
> 
> 4) Copy off any important files into a different partition then format "C" and reinstall "Windopes"
> 
> 5) Live with it as is.
> 
> Those are your options as far as I know, though maybe someone else can give you something better.



er, no actually, i was asking john, but thanks.


----------



## S.T.A.R.S.

Holy crap lol 199 answers for so small problem xD xD xD

Here is what you should do.Note that this procedure required at least 2 hard disk drives or 2 computers.I will explain this for 2 hard disk drives:

-Unplug the first hard disk drive from the computer...
-Plug the second hard disk drive in the computer...
-Format that second hard disk drive COMPLETELY and then install Windows XP OS on it together with all needed drivers.If you do not have the drivers,you will then at LEAST need the network driver because you will need to perform an update to the antivirus program...
-install a very good antivirus program such as McAfee VirusScan Console together with the McAfee Antispyware...
-adjust ALL the settings in it properly and then update McAfee at least 3 times in a row until you get ALL the newest updates...
-Restart the cmputer...
-Turn ON the McAfee completely and by completely I mean that you should open the VirusScan console and enable following 4 things in this order:
-On-Access Scanner
-On-Delivery E-mail Scanner
-Buffer Overflow Protection
-Access Protection

-Once all of these 4 things have the "Enabled" status,plug the primary hard disk drive back in,but do NOT restart the computer!
-Now in the VirusScan Console select the SCAN TASK which YOU created with ALL the properly adjusted options and then click the small green triangle at the top to start the scanning process...
Here are the images:











-After the scanning process is finished,click the "CLOSE" button on the window...
-Shut down your computer...
-Open your computer case and this time unplug the SECOND hard disk drive,but LEAVE your first hard disk drive plugged in...
-Now...if your first hard disk drive has Windows 7 OS on it,turn on the computer,go to BIOS,open your CD/DVD-ROM drive tray,put in the Windows 7 disk,close the tray then in the BIOS BOOT section put your CD/DVD-ROM drive to be the first device to boot from and your PRIMARY HDD as the second device to boot from
-Save changes to CMOS and restart the computer...
-Boot of the Windows 7 disk and chose the REPAIR option.It looks like this:





-After the repair process is finished,you are done.

NOTE: If you do not have McAfee VirusScan Console + McAfee antispyware antivirus software,do the SAME thing as written above by using some other good antivirus programs which hopefuly have a free trial.

If you do not know how to do this,for 2 days I am finally free so you can contact me on Skype and I will lead you step by step through a video conversation.This is my Skype account name: freeman.gordon4

I usually help people by using a video conversation because it's easier and faster to solve the problem lol.



Cheers!
UAC - User Access Commands


----------



## johnb35

makura said:


> er, no actually, i was asking john, but thanks.




Makura,

Please do the following.

Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats 
Accept any security warnings from your browser. 
Check Scan archives 
Click Start 
ESET will then download updates, install and then start scanning your system. 
When the scan is done, push list of found threats 
Click on Export to text file , and save the file to your desktop using a file name, such as ESETlog. Include the contents of this report in your next reply. 
If no threats are found then it won't produce a log.





S.T.A.R.S. said:


> Holy crap lol 199 answers for so small problem xD xD xD
> 
> Here is what you should do.Note that this procedure required at least 2 hard disk drives or 2 computers.I will explain this for 2 hard disk drives:
> 
> -Unplug the first hard disk drive from the computer...
> -Plug the second hard disk drive in the computer...
> -Format that second hard disk drive COMPLETELY and then install Windows XP OS on it together with all needed drivers.If you do not have the drivers,you will then at LEAST need the network driver because you will need to perform an update to the antivirus program...
> -install a very good antivirus program such as McAfee VirusScan Console together with the McAfee Antispyware...
> -adjust ALL the settings in it properly and then update McAfee at least 3 times in a row until you get ALL the newest updates...
> -Restart the cmputer...
> -Turn ON the McAfee completely and by completely I mean that you should open the VirusScan console and enable following 4 things in this order:
> -On-Access Scanner
> -On-Delivery E-mail Scanner
> -Buffer Overflow Protection
> -Access Protection
> 
> -Once all of these 4 things have the "Enabled" status,plug the primary hard disk drive back in,but do NOT restart the computer!
> -Now in the VirusScan Console select the SCAN TASK which YOU created with ALL the properly adjusted options and then click the small green triangle at the top to start the scanning process...
> Here are the images:
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> -After the scanning process is finished,click the "CLOSE" button on the window...
> -Shut down your computer...
> -Open your computer case and this time unplug the SECOND hard disk drive,but LEAVE your first hard disk drive plugged in...
> -Now...if your first hard disk drive has Windows 7 OS on it,turn on the computer,go to BIOS,open your CD/DVD-ROM drive tray,put in the Windows 7 disk,close the tray then in the BIOS BOOT section put your CD/DVD-ROM drive to be the first device to boot from and your PRIMARY HDD as the second device to boot from
> -Save changes to CMOS and restart the computer...
> -Boot of the Windows 7 disk and chose the REPAIR option.It looks like this:
> 
> 
> 
> 
> 
> -After the repair process is finished,you are done.
> 
> NOTE: If you do not have McAfee VirusScan Console + McAfee antispyware antivirus software,do the SAME thing as written above by using some other good antivirus programs which hopefuly have a free trial.
> 
> If you do not know how to do this,for 2 days I am finally free so you can contact me on Skype and I will lead you step by step through a video conversation.This is my Skype account name: freeman.gordon4
> 
> I usually help people by using a video conversation because it's easier and faster to solve the problem lol.
> 
> 
> 
> Cheers!
> UAC - User Access Commands



Stars,

If you would actually take time to read the whole thread you would realize there have been many users that have asked for help in this thread, not just one.  So everything is under control.


----------



## S.T.A.R.S.

johnb35 said:


> Makura,
> 
> Please do the following.
> 
> Please download and run the ESET Online Scanner
> Disable any antivirus/security programs.
> IMPORTANT! UN-check Remove found threats
> Accept any security warnings from your browser.
> Check Scan archives
> Click Start
> ESET will then download updates, install and then start scanning your system.
> When the scan is done, push list of found threats
> Click on Export to text file , and save the file to your desktop using a file name, such as ESETlog. Include the contents of this report in your next reply.
> If no threats are found then it won't produce a log.
> 
> 
> 
> 
> 
> Stars,
> 
> If you would actually take time to read the whole thread you would realize there have been many users that have asked for help in this thread, not just one. So everything is under control.


 
LoL yea I know.I was focusing on the first guy.


----------

