TechSpot

Browser has been Hijacked - Get Re-Directed HijackThis Log Attached

Solved
By OMD
Jun 13, 2011
  1. I will attach my log file here, but first let me just explain.....

    I have seen other's gripes about doing a search in yahoo or google, then it opens up the results. Any link you click on in the results re-routes to a bogus or crap site that is not the actual site. I know it is in the HOSTS file. I actually found it and all the 'bogus' entries. Problem is, I thought just deleting it and putting a copy of the original HOSTS file would fix it......NOT! So, somehow, it is still kicking my butt and I am soooo tired of doing all the deep scans with Adaware, and spybot, and hitman, and a couple others. I added AVG, and I am pretty sure her PC is clean but that stupid file.

    Below is the log file from Hijack This. I have an idea of what to remove, but would really appreciate help from someone that really knows what they are doing. I have messed up enough in this process

    [HJT log removed - Broni]
     
  2. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Welcome aboard [​IMG]

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. OMD

    OMD TS Rookie Topic Starter Posts: 37

    all log files posted as instructed....now what :(

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6837

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    6/14/2011 6:43:32 PM
    mbam-log-2011-06-14 (18-43-32).txt

    Scan type: Quick scan
    Objects scanned: 161951
    Time elapsed: 5 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\matt\AppData\Local\Temp\AF19.tmp (Heuristics.Shuriken) -> Quarantined and deleted successfully.
    c:\Users\matt\0.5888022055122095.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.



    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-06-14 19:03:46
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\0000005f WDC_WD32 rev.21.0
    Running: jd5geom4.exe; Driver: C:\Users\matt\AppData\Local\Temp\kwldypow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:248] 86772E7A
    Thread System [4:252] 86775008

    ---- EOF - GMER 1.0.15 ----




    .
    DDS (Ver_2011-06-12.02) - NTFSx86
    Internet Explorer: 8.0.7600.16385
    Run by matt at 19:10:42 on 2011-06-14
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2943.1669 [GMT -4:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    AV: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {3A033352-45FD-579C-DF47-2D2DA7A56A3D}
    SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {8162D2B6-63C7-5812-E5F7-165FDC222080}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Windows\system32\svchost.exe -k HsfXAudioService
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\system32\lxdxcoms.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Windows\vVX3000.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
    C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\hp\kbd\kbd.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: N/A: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
    uURLSearchHooks: H - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
    BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: : {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
    BHO: Ask Toolbar BHO: {fe063db1-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
    TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
    TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
    TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] "c:\windows\ehome\ehTray.exe"
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
    uRunOnce: [AVG search provider] "c:\program files\avg\avg10\SearchProvider.exe" /AFTERINST
    mRun: [VX3000] "c:\windows\vVX3000.exe"
    mRun: [KBD] "c:\hp\kbd\KbdStub.EXE"
    mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
    mRun: [RtHDVCpl] "RtHDVCpl.exe"
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
    mRun: [NeroFilterCheck] "c:\program files\common files\nero\lib\NeroCheck.exe"
    mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [lxdxmon.exe] "c:\program files\lexmark 3600-4600 series\lxdxmon.exe"
    mRun: [lxdxamon] "c:\program files\lexmark 3600-4600 series\lxdxamon.exe"
    mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\users\matt\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{1DF46C1E-5E0E-4194-9900-44C0030EB6B1} : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{2E0D32B0-2A06-4E6C-A8FC-1DF27758C054} : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{3B699371-F1D1-407D-A025-FEAA1B63DFD0} : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{447EACD7-E31E-4452-A038-F61EC05D9BB6}\2375942554234353 : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{465985AB-B50A-4F4A-9A02-CE0A8E4E2C3A} : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{465985AB-B50A-4F4A-9A02-CE0A8E4E2C3A}\E4544574541425 : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{52B35637-18BA-4843-844C-2330830061CD} : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{CB29F0B6-8408-4337-BF86-86A32CD4EDC1} : DhcpNameServer = 192.168.1.254
    Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\matt\appdata\roaming\mozilla\firefox\profiles\nz09223s.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4df42492&i=23&tp=ab&nt=1&q=
    FF - prefs.js: keyword.enabled - trueFF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\matt\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-6-11 64512]
    R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
    R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-6-11 1153368]
    R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
    R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-10-11 1201640]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 21968]
    R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-5-25 2151128]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [2010-9-24 98984]
    S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2008-7-29 904192]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-7-1 55280]
    S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-11 39984]
    S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
    S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-14 1343400]
    .
    =============== Created Last 30 ================
    .
    2011-06-12 05:40:53 388096 ----a-r- c:\users\matt\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-06-12 05:40:53 -------- d-----w- c:\program files\Trend Micro
    2011-06-12 02:30:56 -------- d-----w- c:\users\matt\appdata\roaming\AVG10
    2011-06-12 02:29:18 -------- d--h--w- c:\programdata\Common Files
    2011-06-12 02:27:54 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-06-12 02:27:54 -------- d-----w- c:\programdata\AVG10
    2011-06-12 02:27:05 -------- d-----w- c:\program files\AVG
    2011-06-12 02:21:39 -------- d-----w- c:\programdata\MFAData
    2011-06-12 02:17:58 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-06-12 02:14:35 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-06-12 02:10:00 711672 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
    2011-06-12 02:10:00 19416 ----a-w- c:\program files\mozilla firefox\xpcom.dll
    2011-06-12 02:10:00 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-06-12 02:10:00 14117848 ----a-w- c:\program files\mozilla firefox\xul.dll
    2011-06-12 01:56:01 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-06-12 01:56:00 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-06-12 01:47:42 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-12 01:47:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-12 01:33:51 7071056 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{be771fc3-cf3c-49d5-9617-970230df51e6}\mpengine.dll
    2011-06-11 23:37:08 -------- d-----w- c:\users\matt\appdata\local\CrashDumps
    2011-06-11 23:07:24 -------- d-----w- c:\programdata\Hitman Pro
    2011-06-11 17:37:59 -------- d-----w- c:\users\matt\appdata\local\NPE
    2011-06-11 17:37:59 -------- d-----w- c:\programdata\Norton
    2011-06-11 17:28:06 -------- d-----w- c:\users\matt\appdata\roaming\Malwarebytes
    2011-06-11 17:28:00 -------- d-----w- c:\programdata\Malwarebytes
    2011-06-11 02:40:17 -------- d-----w- c:\users\matt\appdata\roaming\SUPERAntiSpyware.com
    2011-06-11 02:40:17 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-06-11 02:40:05 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-06-11 02:34:54 -------- d-sh--w- C:\%APPDATA%
    2011-06-08 02:12:12 -------- d-----w- c:\users\matt\appdata\local\Mozilla
    2011-06-07 21:22:52 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-06-07 21:22:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-06-07 21:18:23 -------- d-----w- c:\program files\Lavasoft
    .
    ==================== Find3M ====================
    .
    2011-05-10 23:28:47 90191 ---ha-w- c:\programdata\SPL7EB4.tmp
    2011-04-15 01:28:30 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
    2011-04-09 06:13:06 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-04-09 06:13:06 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-04-05 12:07:45 28808 ---ha-w- c:\programdata\SPLC10B.tmp
    2011-04-05 04:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2011-03-25 03:06:46 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
    2011-03-25 03:06:25 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
    2011-03-25 03:06:23 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-03-25 03:06:12 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
    2011-03-25 03:06:11 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
    2011-03-25 03:06:10 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
    2011-03-25 03:06:06 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
    .
    ============= FINISH: 19:11:14.03 ===============
     
  4. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    I still need Attach.txt part of DDS.

    Also, you're running 3 AV programs, AVG, Webroot AntiVirus and Lavasoft Ad-Watch Live! Anti-Virus
    Two of them has to go.
    If AVG is among those for removal, make sure to use AVG Remover to uninstall it: http://www.avg.com/us-en/utilities
     
  5. OMD

    OMD TS Rookie Topic Starter Posts: 37

    I just loaded AVG and thought it was suppose to be one of the better ones? So, if I need to removed 2, which 2 should I dump?

    Also, fwiw, I can close out of IE and go to taskmanager and there are always still 2 instances that stay open. I manually shut em down.

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-12.02)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/24/2009 8:01:43 PM
    System Uptime: 6/14/2011 6:49:08 PM (3 hours ago)
    .
    Motherboard: ASUSTek Computer INC. | | NODUSM3
    Processor: AMD Athlon(tm) 64 Processor 3800+ | Socket AM2 | 2400/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 292 GiB total, 223.396 GiB free.
    D: is FIXED (NTFS) - 6 GiB total, 0.874 GiB free.
    F: is CDROM ()
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP214: 3/17/2011 3:00:10 AM - Windows Update
    RP215: 3/18/2011 2:12:30 AM - Windows Update
    RP216: 3/22/2011 2:12:25 AM - Windows Update
    RP217: 3/25/2011 2:12:37 AM - Windows Update
    RP218: 3/25/2011 3:00:11 AM - Windows Update
    RP219: 3/29/2011 2:12:25 AM - Windows Update
    RP220: 4/1/2011 2:12:31 AM - Windows Update
    RP221: 4/5/2011 2:12:27 AM - Windows Update
    RP222: 4/8/2011 2:17:22 AM - Windows Update
    RP223: 4/12/2011 2:17:10 AM - Windows Update
    RP224: 4/15/2011 2:17:12 AM - Windows Update
    RP225: 4/15/2011 3:00:11 AM - Windows Update
    RP226: 4/19/2011 2:56:02 PM - Windows Update
    RP227: 4/22/2011 2:47:25 AM - Windows Update
    RP228: 4/22/2011 3:00:10 AM - Windows Update
    RP229: 4/26/2011 2:46:09 AM - Windows Update
    RP230: 4/27/2011 3:00:11 AM - Windows Update
    RP231: 4/29/2011 2:31:38 AM - Windows Update
    RP232: 5/3/2011 8:00:44 AM - Windows Update
    RP233: 5/6/2011 2:31:30 AM - Windows Update
    RP234: 5/10/2011 6:14:34 PM - Windows Update
    RP235: 5/11/2011 3:00:11 AM - Windows Update
    RP236: 5/13/2011 3:34:40 AM - Windows Update
    RP237: 5/17/2011 12:48:46 PM - Windows Update
    RP238: 5/20/2011 3:34:32 AM - Windows Update
    RP239: 5/24/2011 2:10:53 AM - Windows Update
    RP240: 5/24/2011 3:00:10 AM - Windows Update
    RP241: 5/26/2011 3:00:11 AM - Windows Update
    RP242: 5/27/2011 5:28:38 PM - Windows Update
    RP243: 5/31/2011 8:07:17 PM - Windows Update
    RP244: 6/3/2011 2:20:48 AM - Windows Update
    RP245: 6/7/2011 4:11:03 PM - Windows Update
    RP246: 6/7/2011 4:43:41 PM - Restore Operation
    RP247: 6/7/2011 4:55:45 PM - Windows Update
    RP248: 6/7/2011 5:16:53 PM - Installed Ad-Aware
    RP249: 6/7/2011 5:17:14 PM - Installed Ad-Aware
    RP250: 6/7/2011 10:45:35 PM - Installed Microsoft Fix it 50267
    RP251: 6/11/2011 8:37:00 PM - Restore Operation
    RP252: 6/11/2011 10:13:28 PM - Installed Ad-Aware
    RP253: 6/11/2011 10:14:06 PM - Installed Ad-Aware
    RP254: 6/11/2011 10:26:42 PM - Installed AVG 2011
    RP255: 6/11/2011 10:27:15 PM - Installed AVG 2011
    RP256: 6/12/2011 1:40:18 AM - Installed HiJackThis
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    ABBYY FineReader 6.0 Sprint
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.4
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    Audacity 1.3.12 (Unicode)
    AutoUpdate
    Avanquest update
    AVG 2011
    Belkin Wireless USB Utility
    Bonjour
    BufferChm
    Choice Guard
    Copy
    Destinations
    DeviceDiscovery
    DivX
    DJ_AIO_06_F2400_SW_Min
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    Enhanced Multimedia Keyboard Solution
    F2400
    Fast Browser Search (My Web Tattoo)
    GPBaseService2
    Hardware Diagnostic Tools
    HiJackThis
    Hitman Pro 3.5
    HP Connections (remove only)
    HP Customer Experience Enhancements
    HP Customer Feedback
    HP Customer Participation Program 13.0
    HP Deskjet F2400 All-In-One Driver Software 13.0 Rel .6
    HP Easy Setup - Core
    HP Easy Setup - Frontend
    HP Imaging Device Functions 13.0
    HP Picasso Media Center Add-In
    HP Print Projects 1.0
    HP Solution Center 13.0
    HP Total Care Advisor
    HP Update
    HPPhotoGadget
    hpPrintProjects
    HPProductAssistant
    HPSSupply
    hpWLPGInstaller
    Inbox Toolbar
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 22
    Junk Mail filter update
    LAME v3.98.3 for Audacity
    Lexmark 3600-4600 Series
    Lexmark Fax Solutions
    Lexmark Toolbar
    LightScribe 1.4.124.1
    Malwarebytes' Anti-Malware version 1.51.0.1200
    MarketResearch
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Corporation
    Microsoft LifeCam
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Mozilla Firefox 4.0.1 (x86 en-US)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 and SOAP Toolkit 3.0
    muvee autoProducer 5.0
    Nero 8
    NVIDIA Drivers
    OpenOffice.org 3.3
    PVSonyDll
    Python 2.4.3
    QuickTime
    Realtek High Definition Audio Driver
    Roxio Creator Audio
    Roxio Creator Basic v9
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator EasyArchive
    Roxio Creator Tools
    Roxio Express Labeler 3
    Scan
    ScholarWord
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Shop for HP Supplies
    Skype web features
    Skype? 4.1
    Soft Data Fax Modem with SmartCP
    SolutionCenter
    Spy Sweeper Core
    Spybot - Search & Destroy
    Status
    Toolbox
    TrayApp
    WeatherBug
    WebReg
    Webroot AntiVirus with Spy Sweeper
    Windows 7 Upgrade Advisor
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Yahoo! BrowserPlus 2.9.8
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/7/2011 4:52:25 PM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
    6/14/2011 6:50:07 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the lxdxCATSCustConnectService service to connect.
    6/14/2011 6:50:07 PM, Error: Service Control Manager [7000] - The lxdxCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/14/2011 6:48:43 PM, Error: Service Control Manager [7016] - The NVIDIA Display Driver Service service has reported an invalid current state 32.
    6/14/2011 6:48:07 PM, Error: Service Control Manager [7022] - The Server service hung on starting.
    6/14/2011 6:48:07 PM, Error: Service Control Manager [7001] - The HomeGroup Listener service depends on the Server service which failed to start because of the following error: After starting, the service hung in a start-pending state.
    6/14/2011 6:48:02 PM, Error: Service Control Manager [7043] - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
    6/14/2011 6:47:29 PM, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
    6/14/2011 6:47:25 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Spooler service.
    6/11/2011 9:55:54 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: After starting, the service hung in a start-pending state.
    6/11/2011 9:06:58 PM, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error Access is denied..
    6/11/2011 9:01:53 PM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
    6/11/2011 6:34:32 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    6/11/2011 1:33:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    6/11/2011 1:33:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    6/11/2011 1:33:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    6/11/2011 1:33:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    6/11/2011 1:33:24 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    6/11/2011 1:33:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    6/11/2011 1:33:12 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache NetBIOS NetBT nsiproxy Psched rdbss SASDIFSV SASKUTIL spldr tdx Wanarpv6 WfpLwf
    6/11/2011 1:33:05 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    6/11/2011 1:33:05 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    6/11/2011 1:33:05 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    6/11/2011 1:33:05 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    6/11/2011 1:33:05 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    6/11/2011 1:33:05 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    6/11/2011 1:33:02 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    6/11/2011 1:33:02 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    6/11/2011 1:33:02 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    6/11/2011 1:33:02 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    6/10/2011 8:04:12 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer OWNER-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{2E0D32B0-2A06-4E6C-A8FC-1DF27758C. The master browser is stopping or an election is being forced.
    6/10/2011 11:00:53 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
    .
    ==== End Of File ===========================
     
  6. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    If it's paid and updated, I'd stay with Webroot.
     
  7. OMD

    OMD TS Rookie Topic Starter Posts: 37

    I don't think it has been updated and not paid - maybe just a trial type thing. it was on the PC when I inherited it 2 years ago

    ok so what now?
     
  8. Broni

    Broni Malware Annihilator Posts: 47,163   +264

  9. OMD

    OMD TS Rookie Topic Starter Posts: 37

  10. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    When done...

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    Click the "Scan" button to start scan:
    [​IMG]

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:
    [​IMG]

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =================================================================

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
     
  11. OMD

    OMD TS Rookie Topic Starter Posts: 37

    aswMBR and Unhook files are below:

    aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
    Run date: 2011-06-15 08:40:02
    -----------------------------
    08:40:02.803 OS Version: Windows 6.1.7600
    08:40:02.803 Number of processors: 1 586 0x5F02
    08:40:02.818 ComputerName: MATT-PC UserName: matt
    08:40:07.373 AVAST engine 6.0.1125 defs: 11061500
    08:40:07.373 Initialize success
    08:41:52.751 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005a
    08:41:52.751 Disk 0 Vendor: WDC_WD32 21.0 Size: 305245MB BusType: 6
    08:41:54.779 Disk 0 MBR read successfully
    08:41:54.779 Disk 0 MBR scan
    08:41:54.779 Disk 0 Windows 7 default MBR code
    08:41:56.792 Disk 0 scanning sectors +625136400
    08:41:56.823 Disk 0 scanning C:\Windows\system32\drivers
    08:42:04.623 Service scanning
    08:42:05.731 Disk 0 trace - called modules:
    08:42:05.746 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x867a21ed]<<
    08:42:05.762 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x866a7a58]
    08:42:05.777 3 CLASSPNP.SYS[83afe59e] -> nt!IofCallDriver -> [0x85ff2190]
    08:42:05.777 5 ACPI.sys[839993b2] -> nt!IofCallDriver -> \Device\0000005a[0x856dac68]
    08:42:06.292 \Driver\nvstor32[0x85ffe880] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x867a21ed
    08:42:06.292 AVAST engine scan C:\Windows\system32
    08:44:00.577 Scan finished successfully
    08:44:15.381 Disk 0 MBR has been saved successfully to "C:\Users\matt\Desktop\MBR.dat"
    08:44:15.397 The log file has been saved successfully to "C:\Users\matt\Desktop\aswMBR.txt"





    RkU Version: 3.8.389.593, Type LE (SR2)
    ==============================================
    OS Name: Windows 7
    Version 6.1.7600
    Number of processors #1
    ==============================================
    >Drivers
    ==============================================
    0x91215000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 9506816 bytes (NVIDIA Corporation, NVIDIA Windows Kernel Mode Driver, Version 191.07 )
    0x82E09000 C:\Windows\system32\ntkrnlpa.exe 4259840 bytes (Microsoft Corporation, NT Kernel & System)
    0x82E09000 PnpManager 4259840 bytes
    0x82E09000 RAW 4259840 bytes
    0x82E09000 WMIxWDM 4259840 bytes
    0x92035000 C:\Windows\system32\drivers\RTKVHDA.sys 2740224 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
    0x96720000 Win32k 2404352 bytes
    0x96720000 C:\Windows\System32\win32k.sys 2404352 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0x8B215000 C:\Windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
    0x8AE07000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
    0x906B9000 C:\Windows\system32\DRIVERS\HSX_DP.sys 1056768 bytes (Conexant Systems, Inc., HSF_DP driver)
    0x9231A000 C:\Windows\system32\DRIVERS\athrusb.sys 921600 bytes (Atheros Communications, Inc., Atheros Extensible Wireless LAN device driver)
    0x91B28000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
    0x8B015000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
    0x9082A000 C:\Windows\system32\DRIVERS\HSX_CNXT.sys 741376 bytes (Conexant Systems, Inc., HSF_CNXT driver)
    0x83866000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
    0x92626000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
    0x9A8AD000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0x83911000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
    0x8E425000 C:\Windows\System32\Drivers\aswSnx.SYS 458752 bytes (AVAST Software, avast! Virtualization Driver)
    0x8AF74000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
    0x8E56C000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0x9274C000 C:\Windows\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
    0x926FD000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
    0x90639000 C:\Windows\system32\DRIVERS\HSXHWBS2.sys 311296 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
    0x9013F000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0x83A65000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
    0x90089000 C:\Windows\System32\Drivers\aswSP.SYS 303104 bytes (AVAST Software, avast! self protection module)
    0x83990000 C:\Windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
    0x83B68000 C:\Windows\system32\DRIVERS\storport.sys 290816 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
    0x9A844000 C:\Windows\system32\DRIVERS\nwifi.sys 286720 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
    0x9090B000 C:\Windows\system32\DRIVERS\nvmf6232.sys 282624 bytes (NVIDIA Corporation, NVIDIA MCP Networking Function Driver.)
    0x901B6000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0x83824000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
    0x90002000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0x8B38F000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0x8B0CC000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
    0x9A980000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
    0x90106000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
    0x8B18E000 C:\Windows\system32\drivers\aswMonFlt.sys 229376 bytes (AVAST Software, avast! File System Minifilter for Windows 2003/Vista)
    0x83219000 ACPI_HAL 225280 bytes
    0x83219000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0x83BB8000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0x90685000 C:\Windows\system32\DRIVERS\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
    0x8B15C000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
    0x8E53A000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
    0x8B35E000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
    0x922D2000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0x8B12F000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
    0x9018A000 C:\Windows\system32\DRIVERS\1394ohci.sys 180224 bytes (Microsoft Corporation, 1394 OpenHCI Driver)
    0x8AF36000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
    0x83A0F000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0x83AFA000 C:\Windows\system32\drivers\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
    0x8B10A000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
    0x83B28000 C:\Windows\system32\DRIVERS\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
    0x9A95D000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0x909C9000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0x926C7000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
    0x900D3000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
    0x8E4AF000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
    0x9279E000 C:\Windows\system32\DRIVERS\WUDFRd.sys 135168 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
    0x8B1C6000 C:\Windows\system32\DRIVERS\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0x908EC000 C:\Windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
    0x83ADB000 C:\Windows\system32\drivers\nvraid.sys 126976 bytes (NVIDIA Corporation, NVIDIA® nForce(TM) RAID Driver)
    0x8E5D2000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
    0x969B0000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
    0x90600000 C:\Windows\System32\Drivers\dump_nvstor32.sys 118784 bytes
    0x83B4B000 C:\Windows\system32\DRIVERS\nvstor32.sys 118784 bytes (NVIDIA Corporation, NVIDIA® nForce(TM) Sata Performance Driver)
    0x8B1E5000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
    0x9A9BB000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
    0x9A81A000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
    0x9A932000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
    0x92301000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
    0x90063000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
    0x90950000 C:\Windows\system32\DRIVERS\i8042prt.sys 98304 bytes (Microsoft Corporation, i8042 Port Driver)
    0x909A6000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0x90800000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0x907BB000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0x907D2000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
    0x8E50E000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
    0x92000000 C:\Windows\system32\drivers\USBSTOR.SYS 94208 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
    0x83AC5000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
    0x8AF61000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0x9A89A000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
    0x8E400000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0x90994000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
    0x900F4000 C:\Windows\system32\DRIVERS\amdk8.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
    0x9A94B000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
    0x8B3EE000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
    0x9061D000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
    0x83BEC000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
    0x909EB000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
    0x83A44000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
    0x8380B000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
    0x9A834000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
    0x8B3D6000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
    0x9A88A000 C:\Windows\system32\DRIVERS\ndisuio.sys 65536 bytes (Microsoft Corporation, NDIS User mode I/O driver)
    0x8E413000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
    0x83A55000 C:\Windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
    0x91BE9000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0x9007B000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
    0x8E5F1000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
    0x8E500000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
    0x83AB7000 C:\Windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0x8AFD1000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
    0x9081A000 C:\Windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
    0x83982000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
    0x90987000 C:\Windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
    0x92019000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
    0x9097A000 C:\Windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
    0x908DF000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
    0x90968000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
    0x926E8000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
    0x8E4D0000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
    0x90057000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
    0x8E4A3000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0xA24A1000 C:\Users\matt\AppData\Local\Temp\aswMBR.sys 45056 bytes
    0x83800000 C:\Windows\system32\mcupdate_AuthenticAMD.dll 45056 bytes (Microsoft Corporation, AMD Microcode Update Library)
    0x907E9000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
    0x8E4F5000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
    0x909BE000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0x8E525000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
    0x83A39000 C:\Windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
    0x8E530000 C:\Windows\System32\Drivers\aswTdi.SYS 40960 bytes (AVAST Software, avast! TDI Filter Driver)
    0x92026000 C:\Windows\System32\Drivers\dump_diskdump.sys 40960 bytes
    0x9062E000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
    0x9004D000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
    0x90043000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
    0x926BD000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
    0x91BDF000 C:\Windows\system32\DRIVERS\usbohci.sys 40960 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
    0x83BAF000 C:\Windows\system32\drivers\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
    0xA2498000 C:\Windows\system32\DRIVERS\asyncmac.sys 36864 bytes (Microsoft Corporation, MS Remote Access serial network driver)
    0x83B1F000 C:\Windows\system32\DRIVERS\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
    0xA24AC000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
    0x8AFDF000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
    0x83A00000 C:\Windows\System32\Drivers\PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
    0x96980000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
    0x839D8000 C:\Windows\system32\DRIVERS\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0x8381C000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
    0x8B3E6000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
    0x80BC4000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
    0x839E1000 C:\Windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
    0x8E4DD000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
    0x8E4E5000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
    0x8E4ED000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
    0x8B3CE000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
    0x926F5000 C:\Windows\system32\DRIVERS\XAudio32.sys 32768 bytes (Conexant Systems, Inc., Modem Audio Device Driver)
    0x8E49C000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
    0x8E495000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
    0x83AB0000 C:\Windows\system32\DRIVERS\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
    0x8E5CB000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
    0x91BF8000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
    0x8E5C6000 C:\Windows\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
    0x90975000 C:\Windows\system32\DRIVERS\PS2.sys 20480 bytes (Hewlett-Packard Company, PS2 SYS)
    0x9A9EE000 C:\Windows\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
    0x92030000 C:\Windows\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
    0x91B26000 C:\Windows\system32\DRIVERS\nvBridge.kmd 8192 bytes (NVIDIA Corporation, NVIDIA Compatible Windows Vista Kernel Mode Driver, Version 191.07 )
    0x90818000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0x92017000 C:\Windows\system32\drivers\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    0x867A21ED unknown_irp_handler 3603 bytes
    ==============================================
    >Stealth
    ==============================================
    0x867A3A91 Unknown page with executable code, 1391 bytes
    0x8B38F000 WARNING: Virus alike driver modification [volsnap.sys], 258048 bytes
    0x867A4191 Unknown page with executable code, 3695 bytes
    0x867A6E7A Unknown thread object [ ETHREAD 0x866B1020 ] TID: 244, 600 bytes
    0x867A9008 Unknown thread object [ ETHREAD 0x86A8ED48 ] TID: 248, 600 bytes
    0x867A8CDC Unknown page with executable code, 804 bytes
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  13. OMD

    OMD TS Rookie Topic Starter Posts: 37

    This is interesting....So I followed the instructions and unzipped on the desktop and go to run the exe and the normal msg pops up asking if I want to allow this application to make changes - this is typical and when I answer yes, it spins for a second and then nothing. I have attempted repeatedly and to no avail.

    What continues to haunt me is I can close out of IE and a few minutes later in the processes running, there is always 2 instances of it started back up.
     
  14. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    This is normal.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  15. OMD

    OMD TS Rookie Topic Starter Posts: 37

    one thing to add, many times when I run one of these apps you give me, when I fire up IE again, spybot pops up alot of 'wanting to make entry changes' - I deny them. Also, I don't think it is normal that 2 instances of IE runs when I am not even using IE....but hey, what do I know :(


    combofix log:

    ComboFix 11-06-15.02 - matt 06/15/2011 21:07:45.1.1 - x86
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2943.1719 [GMT -4:00]
    Running from: c:\users\matt\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Fast Browser Search
    c:\program files\Fast Browser Search\IE\1.bat
    c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
    c:\program files\Fast Browser Search\IE\FbsSearchProviderIE8.exe
    c:\program files\Fast Browser Search\IE\MTWB3SH.dll
    c:\program files\Fast Browser Search\IE\SearchGuardPlus.exe
    c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico
    c:\program files\Fast Browser Search\IE\SGPU.ico
    c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
    c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
    c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
    c:\program files\Search Guard PlusU
    c:\program files\Search Guard PlusU\SGPU.ico
    c:\program files\Search Guard PlusU\sgpUpdater.xml
    c:\program files\SGPSA
    c:\program files\SGPSA\mtWB3sh.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-16 01:14 . 2011-06-16 01:14 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-06-16 01:14 . 2011-06-16 01:14 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-06-16 01:05 . 2011-06-16 01:05 -------- d-----w- C:\32788R22FWJFW
    2011-06-15 03:49 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-06-15 03:49 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-06-15 03:49 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-06-15 03:49 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-06-15 03:49 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-06-15 03:49 . 2011-05-10 11:59 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-06-15 03:48 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
    2011-06-15 03:48 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-06-15 03:48 . 2011-06-15 03:48 -------- d-----w- c:\programdata\AVAST Software
    2011-06-15 03:48 . 2011-06-15 03:48 -------- d-----w- c:\program files\AVAST Software
    2011-06-12 05:40 . 2011-06-12 05:40 388096 ----a-r- c:\users\matt\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-06-12 05:40 . 2011-06-12 05:40 -------- d-----w- c:\program files\Trend Micro
    2011-06-12 02:30 . 2011-06-12 02:30 -------- d-----w- c:\users\matt\AppData\Roaming\AVG10
    2011-06-12 02:29 . 2011-06-12 02:29 -------- d--h--w- c:\programdata\Common Files
    2011-06-12 02:27 . 2011-06-12 02:27 -------- d-----w- c:\program files\AVG
    2011-06-12 02:21 . 2011-06-12 02:30 -------- d-----w- c:\programdata\MFAData
    2011-06-12 02:17 . 2011-06-12 02:17 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-06-12 01:56 . 2011-06-12 01:56 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-06-12 01:56 . 2011-06-12 01:56 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-06-12 01:47 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-12 01:47 . 2011-06-12 01:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-12 01:33 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BE771FC3-CF3C-49D5-9617-970230DF51E6}\mpengine.dll
    2011-06-11 23:37 . 2011-06-12 00:21 -------- d-----w- c:\users\matt\AppData\Local\CrashDumps
    2011-06-11 23:07 . 2011-06-11 23:07 -------- d-----w- c:\programdata\Hitman Pro
    2011-06-11 17:37 . 2011-06-12 01:02 -------- d-----w- c:\programdata\Norton
    2011-06-11 17:37 . 2011-06-11 17:38 -------- d-----w- c:\users\matt\AppData\Local\NPE
    2011-06-11 17:28 . 2011-06-11 17:28 -------- d-----w- c:\users\matt\AppData\Roaming\Malwarebytes
    2011-06-11 17:28 . 2011-06-11 17:28 -------- d-----w- c:\programdata\Malwarebytes
    2011-06-11 02:40 . 2011-06-11 02:40 -------- d-----w- c:\users\matt\AppData\Roaming\SUPERAntiSpyware.com
    2011-06-11 02:40 . 2011-06-11 02:40 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-06-11 02:40 . 2011-06-12 01:02 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-06-11 02:34 . 2011-06-11 02:34 -------- d-----w- C:\%APPDATA%
    2011-06-08 02:12 . 2011-06-08 02:12 -------- d-----w- c:\users\matt\AppData\Local\Mozilla
    2011-06-07 21:22 . 2011-06-14 23:01 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-06-07 21:22 . 2011-06-12 02:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-06-07 21:18 . 2011-06-07 21:18 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Sunbelt Software
    2011-06-07 21:18 . 2011-06-07 21:18 -------- d-----w- c:\programdata\Lavasoft
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-10 23:28 . 2011-05-10 23:28 90191 ---ha-w- c:\programdata\SPL7EB4.tmp
    2011-04-09 06:13 . 2011-05-10 22:16 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-04-09 06:13 . 2011-05-10 22:16 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-04-05 12:07 . 2011-04-05 12:07 28808 ---ha-w- c:\programdata\SPLC10B.tmp
    2011-03-25 03:06 . 2011-05-10 22:16 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
    2011-03-25 03:06 . 2011-05-10 22:16 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
    2011-03-25 03:06 . 2011-05-10 22:16 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-03-25 03:06 . 2011-05-10 22:16 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
    2011-03-25 03:06 . 2011-05-10 22:16 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
    2011-03-25 03:06 . 2011-05-10 22:16 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
    2011-03-25 03:06 . 2011-05-10 22:16 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
    2011-04-14 16:26 . 2011-06-12 02:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-01-30 1347584]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-05-11 5252408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VX3000"="c:\windows\vVX3000.exe" [2009-06-26 757248]
    "KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
    "RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
    "NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328]
    "lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-06-13 16040]
    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-06-13 320168]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    .
    c:\users\matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Connections.lnk]
    backup=c:\windows\pss\HP Connections.lnk.CommonStartup
    backupExtension=.CommonStartup
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Connections.lnk
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
    2006-11-16 22:59 1480296 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    2006-09-28 13:42 65536 ----a-w- c:\hp\support\hpsysdrv.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2010-05-11 16:39 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-10-09 18:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdxserv.exe [2008-02-28 98984]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-29 39984]
    R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-15 1343400]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
    S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2008-02-28 594600]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ASWMBR
    *NewlyCreated* - BLACKBOX
    *Deregistered* - aswMBR
    *Deregistered* - BlackBox
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HsfXAudioService REG_MULTI_SZ HsfXAudioService
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\users\matt\AppData\Roaming\Mozilla\Firefox\Profiles\nz09223s.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4df42492&i=23&tp=ab&nt=1&q=
    FF - prefs.js: keyword.enabled - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-06-15 21:17:44
    ComboFix-quarantined-files.txt 2011-06-16 01:17
    .
    Pre-Run: 236,466,495,488 bytes free
    Post-Run: 236,653,019,136 bytes free
    .
    - - End Of File - - B7D14A616A13A5B96E56FDD5BB119117
     
  16. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Do NOT allow Spybot to interfere with our tools.
    Spybot should be disabled, as my instructions say.

    Disable TeaTimer, as it'll interfere with the cleaning process:
    Right click Spybot's TeaTimer System Tray Icon.
    Click Exit Spybot-S&D Resident.
    TeaTimer closes.
    NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

    Alternatively, I suggest, you uninstall Spybot since it's a tool of the past.

    If IE is closed, then yes, it's not normal.

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\programdata\SPL7EB4.tmp
    c:\programdata\SPLC10B.tmp
    
    
    Folder::
    c:\users\matt\AppData\Roaming\AVG10
    c:\program files\AVG
    c:\programdata\Norton
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt

    .
     
  17. OMD

    OMD TS Rookie Topic Starter Posts: 37

    Spybot has been removed!


    ComboFix 11-06-15.02 - matt 06/15/2011 23:17:19.2.1 - x86
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2943.1950 [GMT -4:00]
    Running from: c:\users\matt\Desktop\ComboFix.exe
    Command switches used :: c:\users\matt\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\programdata\SPL7EB4.tmp"
    "c:\programdata\SPLC10B.tmp"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\AVG
    c:\program files\AVG\AVG10\Chrome\safesearch.crx
    c:\program files\AVG\AVG10\Firefox4\chrome.manifest
    c:\program files\AVG\AVG10\Firefox4\Chrome\searchshield.jar
    c:\program files\AVG\AVG10\Firefox4\Components\avgssff4.dll
    c:\program files\AVG\AVG10\Firefox4\Components\ISearchShield4.xpt
    c:\program files\AVG\AVG10\Firefox4\install.rdf
    c:\programdata\Norton
    c:\programdata\Norton\NPE\NPEsettings.dat
    c:\programdata\SPL7EB4.tmp
    c:\programdata\SPLC10B.tmp
    c:\users\matt\AppData\Roaming\AVG10
    c:\users\matt\AppData\Roaming\AVG10\cfgall\usergui.cfg
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-16 03:24 . 2011-06-16 03:24 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-06-16 03:24 . 2011-06-16 03:24 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-06-15 03:49 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-06-15 03:49 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-06-15 03:49 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-06-15 03:49 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-06-15 03:49 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-06-15 03:49 . 2011-05-10 11:59 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-06-15 03:48 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
    2011-06-15 03:48 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-06-15 03:48 . 2011-06-15 03:48 -------- d-----w- c:\programdata\AVAST Software
    2011-06-15 03:48 . 2011-06-15 03:48 -------- d-----w- c:\program files\AVAST Software
    2011-06-12 05:40 . 2011-06-12 05:40 388096 ----a-r- c:\users\matt\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-06-12 05:40 . 2011-06-12 05:40 -------- d-----w- c:\program files\Trend Micro
    2011-06-12 02:29 . 2011-06-12 02:29 -------- d--h--w- c:\programdata\Common Files
    2011-06-12 02:21 . 2011-06-12 02:30 -------- d-----w- c:\programdata\MFAData
    2011-06-12 02:17 . 2011-06-12 02:17 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-06-12 01:56 . 2011-06-12 01:56 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-06-12 01:56 . 2011-06-12 01:56 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-06-12 01:47 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-12 01:47 . 2011-06-12 01:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-12 01:33 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BE771FC3-CF3C-49D5-9617-970230DF51E6}\mpengine.dll
    2011-06-11 23:37 . 2011-06-12 00:21 -------- d-----w- c:\users\matt\AppData\Local\CrashDumps
    2011-06-11 23:07 . 2011-06-11 23:07 -------- d-----w- c:\programdata\Hitman Pro
    2011-06-11 17:37 . 2011-06-11 17:38 -------- d-----w- c:\users\matt\AppData\Local\NPE
    2011-06-11 17:28 . 2011-06-11 17:28 -------- d-----w- c:\users\matt\AppData\Roaming\Malwarebytes
    2011-06-11 17:28 . 2011-06-11 17:28 -------- d-----w- c:\programdata\Malwarebytes
    2011-06-11 02:40 . 2011-06-11 02:40 -------- d-----w- c:\users\matt\AppData\Roaming\SUPERAntiSpyware.com
    2011-06-11 02:40 . 2011-06-11 02:40 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-06-11 02:40 . 2011-06-12 01:02 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-06-11 02:34 . 2011-06-11 02:34 -------- d-----w- C:\%APPDATA%
    2011-06-08 02:12 . 2011-06-08 02:12 -------- d-----w- c:\users\matt\AppData\Local\Mozilla
    2011-06-07 21:22 . 2011-06-16 03:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-06-07 21:22 . 2011-06-16 03:07 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-06-07 21:18 . 2011-06-07 21:18 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Sunbelt Software
    2011-06-07 21:18 . 2011-06-07 21:18 -------- d-----w- c:\programdata\Lavasoft
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-09 06:13 . 2011-05-10 22:16 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-04-09 06:13 . 2011-05-10 22:16 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-03-25 03:06 . 2011-05-10 22:16 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
    2011-03-25 03:06 . 2011-05-10 22:16 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
    2011-03-25 03:06 . 2011-05-10 22:16 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-03-25 03:06 . 2011-05-10 22:16 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
    2011-03-25 03:06 . 2011-05-10 22:16 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
    2011-03-25 03:06 . 2011-05-10 22:16 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
    2011-03-25 03:06 . 2011-05-10 22:16 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
    2011-04-14 16:26 . 2011-06-12 02:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-01-30 1347584]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-05-11 5252408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VX3000"="c:\windows\vVX3000.exe" [2009-06-26 757248]
    "KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
    "RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
    "NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328]
    "lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-06-13 16040]
    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-06-13 320168]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    .
    c:\users\matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Connections.lnk]
    backup=c:\windows\pss\HP Connections.lnk.CommonStartup
    backupExtension=.CommonStartup
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Connections.lnk
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
    2006-11-16 22:59 1480296 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    2006-09-28 13:42 65536 ----a-w- c:\hp\support\hpsysdrv.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2010-05-11 16:39 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-10-09 18:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdxserv.exe [2008-02-28 98984]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-29 39984]
    R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-15 1343400]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
    S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2008-02-28 594600]
    S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HsfXAudioService REG_MULTI_SZ HsfXAudioService
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\users\matt\AppData\Roaming\Mozilla\Firefox\Profiles\nz09223s.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4df42492&i=23&tp=ab&nt=1&q=
    FF - prefs.js: keyword.enabled - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-06-15 23:27:27
    ComboFix-quarantined-files.txt 2011-06-16 03:27
    ComboFix2.txt 2011-06-16 01:17
    .
    Pre-Run: 236,485,373,952 bytes free
    Post-Run: 236,467,417,088 bytes free
    .
    - - End Of File - - AFF9D8D59ADE4F16F67048E97D6DA719
     
  18. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Very well....

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    volsnap.sys
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  19. OMD

    OMD TS Rookie Topic Starter Posts: 37

    i will need to wait and do this last instruction tomorrow afternoon....btw - thanks so much for taking the time to help me out!
     
  20. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    No problem :)
     
  21. OMD

    OMD TS Rookie Topic Starter Posts: 37

    I know I mentioned it, but been watching it closer - I close IE and check the processes running and make sure it is no longer running. I can come back 15 minutes later, and always 2 instances of it are running again. One instance is not using much resources, but the other is using quite a bit more....

    The two files are broken up in two threads


    OTL logfile created on: 6/16/2011 5:11:54 PM - Run 1
    OTL by OldTimer - Version 3.2.24.0 Folder = C:\Users\matt\Desktop
    Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.87 Gb Total Physical Memory | 1.70 Gb Available Physical Memory | 59.02% Memory free
    5.75 Gb Paging File | 4.64 Gb Available in Paging File | 80.73% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 291.83 Gb Total Space | 224.41 Gb Free Space | 76.90% Space Free | Partition Type: NTFS
    Drive D: | 6.26 Gb Total Space | 0.87 Gb Free Space | 13.97% Space Free | Partition Type: NTFS

    Computer Name: MATT-PC | User Name: matt | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/06/16 15:40:35 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\matt\Desktop\OTL.exe
    PRC - [2011/05/10 08:10:58 | 003,459,712 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
    PRC - [2011/02/26 01:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2011/01/17 19:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
    PRC - [2011/01/17 19:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
    PRC - [2009/07/13 21:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2009/06/26 17:21:00 | 000,757,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\vVX3000.exe
    PRC - [2009/05/21 23:13:36 | 000,275,768 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    PRC - [2008/06/13 12:04:02 | 000,025,256 | ---- | M] () -- C:\Program Files\Lexmark 3600-4600 Series\lxdxmsdmon.exe
    PRC - [2008/06/13 12:04:01 | 000,668,328 | ---- | M] () -- C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
    PRC - [2007/08/03 13:51:18 | 001,422,632 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    PRC - [2007/08/03 13:51:06 | 000,202,024 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    PRC - [2006/11/09 06:57:52 | 003,784,704 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/06/16 15:40:35 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\matt\Desktop\OTL.exe
    MOD - [2011/05/10 08:10:55 | 000,199,792 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\snxhk.dll
    MOD - [2010/08/21 01:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2011/05/10 08:10:57 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2010/05/14 22:16:04 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2009/07/24 15:05:24 | 000,139,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
    SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2009/05/21 23:13:36 | 000,248,832 | ---- | M] (Hewlett-Packard Co.) [On_Demand | Running] -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)
    SRV - [2009/05/21 23:03:06 | 000,133,120 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc)
    SRV - [2009/04/29 04:21:04 | 000,410,624 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\System32\XAudio32.dll -- (HsfXAudioService)
    SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
    SRV - [2008/02/27 20:53:25 | 000,594,600 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxdxcoms.exe -- (lxdx_device)
    SRV - [2008/02/27 20:53:22 | 000,098,984 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\spool\DRIVERS\W32X86\3\\lxdxserv.exe -- (lxdxCATSCustConnectService)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
    DRV - [2011/05/10 08:03:54 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2011/05/10 08:03:44 | 000,307,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011/05/10 08:02:37 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011/05/10 07:59:56 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011/05/10 07:59:44 | 000,053,592 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
    DRV - [2011/05/10 07:59:35 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2009/09/28 00:12:22 | 009,509,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2009/07/31 01:12:54 | 000,287,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmf6232.sys -- (NVNET)
    DRV - [2009/07/13 19:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
    DRV - [2009/07/13 18:13:47 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2)
    DRV - [2009/07/13 18:02:52 | 000,347,264 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvm62x32.sys -- (NVENETFD)
    DRV - [2009/06/26 17:21:02 | 001,956,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VX3000.sys -- (VX3000)
    DRV - [2009/04/29 04:20:56 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio32.sys -- (XAudio)
    DRV - [2009/02/13 06:58:30 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
    DRV - [2009/02/13 06:56:32 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)
    DRV - [2008/07/29 04:45:00 | 000,904,192 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athrusb.sys -- (athrusb)
    DRV - [2007/10/26 21:51:26 | 000,131,616 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvrd32.sys -- (nvrd32)
    DRV - [2007/10/26 21:51:24 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\nvstor32.sys -- (nvstor32)
    DRV - [2005/12/12 12:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PS2.sys -- (Ps2)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    IE - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000\..\URLSearchHook: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
    IE - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
    IE - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
    FF - prefs.js..browser.search.selectedEngine: "AVG Secure Search"
    FF - prefs.js..keyword.URL: "http://search.avg.com/?d=4df42492&i=23&tp=ab&nt=1&q="
    FF - prefs.js..keyword.enabled: true

    FF - HKLM\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\
    FF - HKLM\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/06/14 23:48:54 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/11 22:10:00 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

    [2009/11/24 15:25:36 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\matt\AppData\Roaming\Mozilla\Extensions
    [2009/10/31 20:51:10 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\matt\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
    [2011/06/11 22:10:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    File not found (No name found) --
    [2011/06/11 21:04:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
    [2011/04/14 12:26:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
    [2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

    O1 HOSTS File: ([2011/06/15 23:24:43 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
    O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
    O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O2 - BHO: () - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
    O2 - BHO: (Ask Toolbar BHO) - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (Ask.com)
    O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
    O3 - HKLM\..\Toolbar: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O3 - HKLM\..\Toolbar: (&Inbox Toolbar) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (Ask.com)
    O3 - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
    O3 - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000\..\Toolbar\WebBrowser: (&Inbox Toolbar) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
    O3 - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {FE063DB9-4EC0-403E-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (Ask.com)
    O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [FaxCenterServer] C:\Program Files\Lexmark Fax Solutions\fm3032.exe ()
    O4 - HKLM..\Run: [KBD] C:\HP\KBD\KbdStub.EXE ()
    O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [lxdxamon] C:\Program Files\Lexmark 3600-4600 Series\lxdxamon.exe ()
    O4 - HKLM..\Run: [lxdxmon.exe] C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe ()
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)
    O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
    O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [VX3000] C:\Windows\vVX3000.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
    O4 - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
    O4 - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000..\Run: [Weather] File not found
    O4 - Startup: C:\Users\matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKU\##aswSnx private storage\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\##aswSnx private storage\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
    O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O15 - HKU\S-1-5-21-2834837877-3431995649-1172067647-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-48D9-9B0E-1719D1177202/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O18 - Protocol\Handler\inbox {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\awave.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\awave.jpg
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivXNetworks, Inc.)


    ========== Files/Folders - Created Within 30 Days ==========

    [2011/06/16 15:56:22 | 000,000,000 | ---D | C] -- C:\Users\matt\Desktop\spyware tools
    [2011/06/16 15:40:26 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\matt\Desktop\OTL.exe
    [2011/06/15 23:27:31 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2011/06/15 23:16:13 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2011/06/15 21:06:38 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2011/06/15 21:06:38 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2011/06/15 21:05:17 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2011/06/15 21:05:13 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/06/15 20:55:13 | 004,128,845 | R--- | C] (Swearware) -- C:\Users\matt\Desktop\ComboFix.exe
    [2011/06/14 23:49:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
    [2011/06/14 23:49:09 | 000,307,928 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
    [2011/06/14 23:49:09 | 000,019,544 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
    [2011/06/14 23:49:04 | 000,441,176 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
    [2011/06/14 23:49:04 | 000,053,592 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
    [2011/06/14 23:49:04 | 000,049,240 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
    [2011/06/14 23:49:04 | 000,025,432 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
    [2011/06/14 23:48:46 | 000,199,304 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
    [2011/06/14 23:48:46 | 000,040,112 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
    [2011/06/14 23:48:38 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
    [2011/06/14 23:48:38 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
    [2011/06/12 01:40:53 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
    [2011/06/12 01:40:53 | 000,000,000 | ---D | C] -- C:\Users\matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
    [2011/06/11 22:29:18 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
    [2011/06/11 22:21:39 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
    [2011/06/11 22:17:58 | 000,098,392 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
    [2011/06/11 21:56:00 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
    [2011/06/11 21:47:42 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2011/06/11 21:47:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/06/11 21:47:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/06/11 19:37:08 | 000,000,000 | ---D | C] -- C:\Users\matt\AppData\Local\CrashDumps
    [2011/06/11 19:07:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
    [2011/06/11 13:37:59 | 000,000,000 | ---D | C] -- C:\Users\matt\AppData\Local\NPE
    [2011/06/11 13:28:06 | 000,000,000 | ---D | C] -- C:\Users\matt\AppData\Roaming\Malwarebytes
    [2011/06/11 13:28:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2011/06/10 22:40:17 | 000,000,000 | ---D | C] -- C:\Users\matt\AppData\Roaming\SUPERAntiSpyware.com
    [2011/06/10 22:40:17 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
    [2011/06/10 22:40:05 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
    [2011/06/10 22:34:54 | 000,000,000 | ---D | C] -- C:\%APPDATA%
    [2011/06/07 22:12:12 | 000,000,000 | ---D | C] -- C:\Users\matt\AppData\Local\Mozilla
    [2011/06/07 22:12:04 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
    [2011/06/07 17:22:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
    [2011/06/07 17:22:52 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
    [2011/06/07 17:18:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
    [2010/09/24 21:56:18 | 000,843,776 | ---- | C] ( ) -- C:\Windows\System32\lxdxusb1.dll
    [2010/09/24 21:56:18 | 000,438,272 | ---- | C] ( ) -- C:\Windows\System32\LXDXhcp.dll
    [2010/09/24 21:56:18 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\lxdxinpa.dll
    [2010/09/24 21:56:18 | 000,339,968 | ---- | C] ( ) -- C:\Windows\System32\lxdxiesc.dll
    [2010/09/24 21:56:16 | 001,105,920 | ---- | C] ( ) -- C:\Windows\System32\lxdxserv.dll
    [2010/09/24 21:56:14 | 000,053,248 | ---- | C] ( ) -- C:\Windows\System32\lxdxprox.dll
    [2010/09/24 21:56:13 | 000,647,168 | ---- | C] ( ) -- C:\Windows\System32\lxdxpmui.dll
    [2010/09/24 21:56:12 | 000,569,344 | ---- | C] ( ) -- C:\Windows\System32\lxdxlmpm.dll
    [2010/09/24 21:56:09 | 000,320,168 | ---- | C] ( ) -- C:\Windows\System32\lxdxih.exe
    [2010/09/24 21:56:08 | 000,663,552 | ---- | C] ( ) -- C:\Windows\System32\lxdxhbn3.dll
    [2010/09/24 21:56:05 | 000,851,968 | ---- | C] ( ) -- C:\Windows\System32\lxdxcomc.dll
    [2010/09/24 21:56:05 | 000,594,600 | ---- | C] ( ) -- C:\Windows\System32\lxdxcoms.exe
    [2010/09/24 21:56:05 | 000,376,832 | ---- | C] ( ) -- C:\Windows\System32\lxdxcomm.dll
    [2010/09/24 21:56:04 | 000,365,224 | ---- | C] ( ) -- C:\Windows\System32\lxdxcfg.exe
    [2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
    [1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
    [1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/06/16 15:40:35 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\matt\Desktop\OTL.exe
    [2011/06/16 11:41:35 | 000,011,104 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/06/16 11:41:35 | 000,011,104 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/06/16 03:26:39 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/06/16 03:26:35 | 2314,117,120 | -HS- | M] () -- C:\hiberfil.sys
    [2011/06/16 03:04:45 | 000,623,940 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2011/06/16 03:04:45 | 000,106,316 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2011/06/15 23:24:43 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2011/06/15 21:04:52 | 004,128,845 | R--- | M] (Swearware) -- C:\Users\matt\Desktop\ComboFix.exe
    [2011/06/14 23:49:10 | 000,002,000 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2011/06/14 23:49:04 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
    [2011/06/14 17:20:14 | 000,000,064 | ---- | M] () -- C:\Windows\System32\rp_stats.dat
    [2011/06/14 17:20:14 | 000,000,044 | ---- | M] () -- C:\Windows\System32\rp_rules.dat
    [2011/06/11 22:17:58 | 000,098,392 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
    [2011/06/11 22:10:00 | 000,001,102 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
    [2011/06/11 21:56:01 | 000,017,480 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
    [2011/06/05 06:29:21 | 000,000,392 | -H-- | M] () -- C:\ProgramData\24043256
    [2011/06/05 06:26:13 | 000,000,160 | -H-- | M] () -- C:\ProgramData\~24043256r
    [2011/06/05 06:26:13 | 000,000,136 | -H-- | M] () -- C:\ProgramData\~24043256
    [2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
    [1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
    [1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/06/15 21:06:38 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/06/15 21:06:38 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/06/15 21:06:38 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/06/15 21:06:38 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/06/15 21:06:38 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/06/14 23:49:10 | 000,002,000 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2011/06/14 17:20:14 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
    [2011/06/14 17:20:14 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
    [2011/06/11 22:10:00 | 000,001,102 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
    [2011/06/11 21:56:01 | 000,017,480 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
    [2011/06/05 06:26:13 | 000,000,160 | -H-- | C] () -- C:\ProgramData\~24043256r
    [2011/06/05 06:26:13 | 000,000,136 | -H-- | C] () -- C:\ProgramData\~24043256
    [2011/06/05 06:26:06 | 000,000,392 | -H-- | C] () -- C:\ProgramData\24043256
    [2010/09/24 22:03:26 | 000,360,448 | ---- | C] () -- C:\Windows\System32\lxdxcoin.dll
    [2010/09/24 22:02:38 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxdxvs.dll
    [2010/09/24 22:00:25 | 000,782,336 | ---- | C] () -- C:\Windows\System32\lxdxdrs.dll
    [2010/09/24 22:00:25 | 000,081,920 | ---- | C] () -- C:\Windows\System32\lxdxcaps.dll
    [2010/09/24 22:00:25 | 000,069,632 | ---- | C] () -- C:\Windows\System32\lxdxcnv4.dll
    [2010/09/24 21:59:38 | 000,045,056 | ---- | C] () -- C:\Windows\System32\LXF3PMON.DLL
    [2010/09/24 21:59:38 | 000,032,768 | ---- | C] () -- C:\Windows\System32\LXF3FXPU.DLL
    [2010/09/24 21:59:18 | 000,053,248 | ---- | C] () -- C:\Windows\System32\lxf3oem.dll
    [2010/09/24 21:59:18 | 000,012,288 | ---- | C] () -- C:\Windows\System32\LXF3PMRC.DLL
    [2010/09/24 21:56:39 | 000,000,044 | ---- | C] () -- C:\Windows\System32\lxdxrwrd.ini
    [2010/09/24 21:56:20 | 000,348,160 | ---- | C] () -- C:\Windows\System32\LXDXinst.dll
    [2010/09/24 21:56:07 | 000,208,896 | ---- | C] () -- C:\Windows\System32\lxdxgrd.dll
    [2010/08/20 10:50:41 | 000,035,423 | ---- | C] () -- C:\ProgramData\LUUnInstall.LiveUpdate
    [2010/03/05 07:50:35 | 000,000,164 | ---- | C] () -- C:\Windows\install.dat
    [2009/12/10 12:27:20 | 000,163,153 | ---- | C] () -- C:\Windows\hpoins44.dat
    [2009/11/24 15:31:11 | 000,021,316 | ---- | C] () -- C:\Windows\System32\emptyregdb.dat
    [2009/10/12 13:06:31 | 000,000,007 | ---- | C] () -- C:\Windows\sbacknt.bin
    [2009/08/07 20:06:05 | 000,000,510 | ---- | C] () -- C:\Windows\WORDPAD.INI
    [2009/07/17 20:27:24 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
    [2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2009/07/14 00:33:53 | 000,352,752 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2009/07/13 22:05:48 | 000,623,940 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2009/07/13 22:05:48 | 000,106,316 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
    [2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
    [2009/06/27 15:01:55 | 000,000,338 | -H-- | C] () -- C:\Users\matt\AppData\Roaming\wklnhst.dat
    [2009/06/26 17:21:02 | 000,015,498 | ---- | C] () -- C:\Windows\VX3000.ini
    [2009/06/26 07:39:13 | 000,006,136 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
    [2009/06/25 19:44:56 | 000,024,206 | -H-- | C] () -- C:\Users\matt\AppData\Roaming\UserTile.png
    [2009/06/11 05:30:02 | 000,000,586 | ---- | C] () -- C:\Windows\hpomdl44.dat
    [2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
    [2007/01/10 22:38:59 | 000,049,152 | ---- | C] () -- C:\Windows\System32\ChCfg.exe
    [2007/01/10 22:32:36 | 000,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom24.dll
    [2007/01/10 22:32:36 | 000,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes24.dll
    [2006/11/09 10:19:08 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
    [2006/08/11 03:00:40 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
    [2006/08/11 03:00:40 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
    [2004/09/16 16:24:26 | 003,375,104 | ---- | C] () -- C:\Windows\System32\qt-mt331.dll

    ========== LOP Check ==========

    [2011/06/11 21:04:45 | 000,000,000 | ---D | M] -- C:\Users\matt\AppData\Roaming\Audacity
    [2011/04/21 08:37:44 | 000,000,000 | -H-D | M] -- C:\Users\matt\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2011/01/01 21:28:22 | 000,000,000 | -H-D | M] -- C:\Users\matt\AppData\Roaming\Lexmark Productivity Studio
    [2011/06/11 20:50:55 | 000,000,000 | ---D | M] -- C:\Users\matt\AppData\Roaming\OpenOffice.org
    [2009/06/25 19:44:56 | 000,000,000 | -H-D | M] -- C:\Users\matt\AppData\Roaming\PeerNetworking
    [2009/11/24 15:25:37 | 000,000,000 | -H-D | M] -- C:\Users\matt\AppData\Roaming\Template
    [2009/11/24 15:25:37 | 000,000,000 | -H-D | M] -- C:\Users\matt\AppData\Roaming\vghd
    [2009/07/14 00:53:46 | 000,027,164 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2011/06/11 20:27:07 | 000,004,063 | ---- | M] () -- C:\aaw7boot.log
    [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
    [2009/07/13 21:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
    [2009/11/24 18:11:06 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
    [2011/06/15 23:27:27 | 000,013,056 | ---- | M] () -- C:\ComboFix.txt
    [2009/06/10 17:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2010/11/08 19:03:59 | 000,000,000 | ---- | M] () -- C:\f_run.txt
    [2011/06/16 03:26:35 | 2314,117,120 | -HS- | M] () -- C:\hiberfil.sys
    [2010/06/29 08:29:12 | 000,304,152 | ---- | M] () -- C:\img2-001.raw
    [2011/06/16 03:26:37 | 3085,492,224 | -HS- | M] () -- C:\pagefile.sys
    [2009/10/10 19:13:06 | 000,000,000 | -H-- | M] () -- C:\ProgramData.LOG1
    [2009/10/10 19:13:06 | 000,000,000 | ---- | M] () -- C:\ProgramData.LOG2
    [2007/01/10 22:39:01 | 000,000,402 | ---- | M] () -- C:\RHDSetup.log

    < %systemroot%\Fonts\*.com >
    [2009/07/14 00:52:25 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2009/07/14 00:52:25 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2009/07/14 00:52:25 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009/07/14 00:52:25 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/06/10 17:31:19 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2009/04/16 15:08:20 | 000,312,832 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\hpfpp70v.dll
    [2007/03/28 16:57:34 | 000,274,944 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\hpzpp5ha.dll
    [2008/01/19 00:34:30 | 000,089,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\HPZPPLHN.DLL
    [2009/07/13 21:15:26 | 000,090,624 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\HPZPPWN7.DLL
    [2009/07/13 21:15:35 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
    [2008/02/27 20:15:28 | 000,115,200 | ---- | M] () -- C:\Windows\System32\spool\prtprocs\w32x86\lxdxdrpp.dll
    [2009/07/13 21:16:19 | 000,029,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\winprint.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2011/05/10 08:10:59 | 000,040,112 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
    [2009/02/06 22:03:18 | 000,307,576 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2009/07/14 00:41:57 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2009/07/16 14:32:04 | 000,000,286 | -HS- | M] () -- C:\Users\matt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop (1).ini
    [2009/11/24 21:02:06 | 000,000,221 | -HS- | M] () -- C:\Users\matt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2011/06/15 21:04:52 | 004,128,845 | R--- | M] (Swearware) -- C:\Users\matt\Desktop\ComboFix.exe
    [2011/06/16 15:40:35 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\matt\Desktop\OTL.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >
    [2009/06/26 17:21:02 | 000,013,023 | ---- | M] () -- C:\Windows\VX3000.src

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2009/06/10 17:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\addins\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >
    [2010/02/27 18:47:32 | 000,008,192 | ---- | M] () -- C:\Windows\security\database\edb.chk
    [2010/02/27 18:47:33 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edb.log
    [2009/11/25 01:03:09 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00001.jrs
    [2009/11/25 01:03:10 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00002.jrs
    [2010/02/27 18:47:35 | 001,056,768 | ---- | M] () -- C:\Windows\security\database\tmp.edb

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2010/08/03 08:59:21 | 000,000,402 | -HS- | M] () -- C:\Users\matt\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2011/06/05 06:29:21 | 000,000,392 | -H-- | M] () -- C:\ProgramData\24043256
    [2009/12/10 12:49:19 | 000,001,816 | ---- | M] () -- C:\ProgramData\hpzinstall.log
    [2010/08/20 10:51:20 | 000,035,423 | ---- | M] () -- C:\ProgramData\LUUnInstall.LiveUpdate
    [2010/09/24 22:06:07 | 000,000,089 | -H-- | M] () -- C:\ProgramData\lxdx.log
    [2011/06/05 06:26:13 | 000,000,136 | -H-- | M] () -- C:\ProgramData\~24043256
    [2011/06/05 06:26:13 | 000,000,160 | -H-- | M] () -- C:\ProgramData\~24043256r
    [1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < MD5 for: VOLSNAP.SYS >
    [2009/07/13 21:19:10 | 000,245,328 | ---- | M] (Microsoft Corporation) MD5=58DF9D2481A56EDDE167E51B334D44FD -- C:\Windows\System32\drivers\volsnap.sys
    [2009/07/13 21:19:10 | 000,245,328 | ---- | M] (Microsoft Corporation) MD5=58DF9D2481A56EDDE167E51B334D44FD -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_29364d30156a24ca\volsnap.sys
    [2009/07/13 21:19:10 | 000,245,328 | ---- | M] (Microsoft Corporation) MD5=58DF9D2481A56EDDE167E51B334D44FD -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys

    < >

    < End of report >
     
  22. OMD

    OMD TS Rookie Topic Starter Posts: 37

    OTL Extras logfile created on: 6/16/2011 5:11:54 PM - Run 1
    OTL by OldTimer - Version 3.2.24.0 Folder = C:\Users\matt\Desktop
    Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.87 Gb Total Physical Memory | 1.70 Gb Available Physical Memory | 59.02% Memory free
    5.75 Gb Paging File | 4.64 Gb Available in Paging File | 80.73% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 291.83 Gb Total Space | 224.41 Gb Free Space | 76.90% Space Free | Partition Type: NTFS
    Drive D: | 6.26 Gb Total Space | 0.87 Gb Free Space | 13.97% Space Free | Partition Type: NTFS

    Computer Name: MATT-PC | User Name: matt | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0373779B-A362-4B2E-B8E9-7442F19F9394}" = HP Total Care Advisor
    "{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
    "{06A1D88C-E102-4527-AF70-29FFD7AF215A}" = Scan
    "{07FB17D8-7DB6-4F06-80C4-8BE1719CB6A1}" = hpWLPGInstaller
    "{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
    "{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
    "{0DFB3DE8-65B9-44FF-AA0A-3BECC5A2BFD1}" = Adobe Flash Player 10 Plugin
    "{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
    "{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}" = Roxio Creator EasyArchive
    "{175F0111-2968-4935-8F70-33108C6A4DE3}" = MarketResearch
    "{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{21A2F5EE-1DC5-488A-BE7E-E526F8C61488}" = DeviceDiscovery
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 22
    "{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
    "{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
    "{350FB27C-CF62-4EF3-AF9D-70FF313FE221}" = iTunes
    "{36C97B5B-5593-45B8-B50E-DAD87036BD9D}" = Microsoft LifeCam
    "{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3C52E7DA-C431-4239-B66B-1BF703D5B194}" = Windows Live Photo Gallery
    "{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
    "{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
    "{40F7AED3-0C7D-4582-99F6-484A515C73F2}" = HP Easy Setup - Frontend
    "{42E2EEB2-D48E-4A47-B181-32ECA031D93B}" = DJ_AIO_06_F2400_SW_Min
    "{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
    "{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
    "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
    "{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
    "{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}" = Junk Mail filter update
    "{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
    "{55979C41-7D6A-49CC-B591-64AC1BBE2C8B}" = HP Picasso Media Center Add-In
    "{612AD33D-9824-4E87-8396-92374E91C4BB}_is1" = Inbox Toolbar
    "{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
    "{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
    "{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
    "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
    "{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
    "{6B2FFB21-AC88-45C3-9A7D-4BB3E744EC91}" = HPSSupply
    "{6BAA71B6-8F43-4C72-931A-3354ABB0258A}" = F2400
    "{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
    "{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
    "{7059BDA7-E1DB-442C-B7A1-6144596720A4}" = HP Update
    "{75E71ADD-042C-4F30-BFAC-A9EC42351313}" = Python 2.4.3
    "{76CD2979-09C0-493A-84B3-8FD97EF4BCEA}" = Windows Live Family Safety
    "{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7B08D306-7266-4647-A926-2F78817ED1E0}" = Microsoft Corporation
    "{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
    "{8AEA4BE2-2B52-41C0-BB7D-9F2D17AF1033}" = Nero 8
    "{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
    "{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
    "{9DBA770F-BF73-4D39-B1DF-6035D95268FC}" = HP Customer Feedback
    "{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}" = Windows Live Sync
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility
    "{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor
    "{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
    "{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
    "{AE8705FB-E13C-40A9-8A2D-68D6733FBFC2}" = Status
    "{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
    "{B83A15A7-2BD5-4416-BC43-AF5F9A4B08A9}" = muvee autoProducer 5.0
    "{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
    "{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
    "{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
    "{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
    "{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
    "{C75CDBA2-3C86-481e-BD10-BDDA758F9DFF}" = hpPrintProjects
    "{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
    "{CAE4213F-F797-439D-BD9E-79B71D115BE3}" = HPPhotoGadget
    "{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
    "{CDBF8C2D-04B0-4F9B-9AE1-7422F7F0EC94}" = HP Deskjet F2400 All-In-One Driver Software 13.0 Rel .6
    "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
    "{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
    "{DC0A5F99-FD66-433F-9D3A-05DCBA64BE42}" = TrayApp
    "{E1180142-3B31-4DCC-9D27-7AC2D37662BF}" = LightScribe 1.4.124.1
    "{EB900AF8-CC61-4E15-871B-98D1EA3E8025}" = QuickTime
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
    "{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
    "{F94234DB-FD06-42C3-B88D-6FC4DC9F988C}" = HP Easy Setup - Core
    "{FAF26102-09D7-4C58-AB01-0D59A2E517CA}" = Copy
    "{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.12 (Unicode)
    "avast" = avast! Free Antivirus
    "CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1" = Soft Data Fax Modem with SmartCP
    "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
    "DVD Decrypter" = DVD Decrypter (Remove Only)
    "DVD Shrink_is1" = DVD Shrink 3.2
    "HitmanPro35" = Hitman Pro 3.5
    "HP Imaging Device Functions" = HP Imaging Device Functions 13.0
    "HP Print Projects" = HP Print Projects 1.0
    "HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
    "HPExtendedCapabilities" = HP Customer Participation Program 13.0
    "HPOOVClient-6811507 Uninstaller" = HP Connections (remove only)
    "InstallShield_{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility
    "LAME for Audacity_is1" = LAME v3.98.3 for Audacity
    "Lexmark 3600-4600 Series" = Lexmark 3600-4600 Series
    "Lexmark Fax Solutions" = Lexmark Fax Solutions
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Mozilla Firefox 4.0.1 (x86 en-US)" = Mozilla Firefox 4.0.1 (x86 en-US)
    "NVIDIA Drivers" = NVIDIA Drivers
    "PC-Doctor 5 for Windows" = Hardware Diagnostic Tools
    "ScholarWord 3.0" = ScholarWord
    "Shop for HP Supplies" = Shop for HP Supplies
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "Yahoo! Companion" = Yahoo! Toolbar
    "Yahoo! Messenger" = Yahoo! Messenger
    "Yahoo! Software Update" = Yahoo! Software Update

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-2834837877-3431995649-1172067647-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 7/22/2010 7:03:13 AM | Computer Name = matt-PC | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description =

    Error - 7/22/2010 7:12:00 AM | Computer Name = matt-PC | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description =

    Error - 7/22/2010 7:21:02 AM | Computer Name = matt-PC | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description =

    Error - 7/22/2010 7:29:18 AM | Computer Name = matt-PC | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description =

    Error - 7/22/2010 7:38:10 AM | Computer Name = matt-PC | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description =

    Error - 7/22/2010 7:47:54 AM | Computer Name = matt-PC | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description =

    Error - 7/22/2010 7:56:53 AM | Computer Name = matt-PC | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description =

    Error - 7/22/2010 8:05:50 AM | Computer Name = matt-PC | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description =

    Error - 7/22/2010 8:15:57 AM | Computer Name = matt-PC | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description =

    Error - 7/22/2010 8:25:01 AM | Computer Name = matt-PC | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description =

    [ System Events ]
    Error - 6/15/2011 9:15:04 PM | Computer Name = matt-PC | Source = Service Control Manager | ID = 7030
    Description = The PEVSystemStart service is marked as an interactive service. However,
    the system is configured to not allow interactive services. This service may not
    function properly.

    Error - 6/15/2011 11:08:07 PM | Computer Name = matt-PC | Source = Service Control Manager | ID = 7016
    Description = The NVIDIA Display Driver Service service has reported an invalid
    current state 32.

    Error - 6/15/2011 11:09:38 PM | Computer Name = matt-PC | Source = Service Control Manager | ID = 7009
    Description = A timeout was reached (30000 milliseconds) while waiting for the lxdxCATSCustConnectService
    service to connect.

    Error - 6/15/2011 11:09:38 PM | Computer Name = matt-PC | Source = Service Control Manager | ID = 7000
    Description = The lxdxCATSCustConnectService service failed to start due to the
    following error: %%1053

    Error - 6/15/2011 11:16:55 PM | Computer Name = matt-PC | Source = Service Control Manager | ID = 7030
    Description = The PEVSystemStart service is marked as an interactive service. However,
    the system is configured to not allow interactive services. This service may not
    function properly.

    Error - 6/15/2011 11:20:56 PM | Computer Name = matt-PC | Source = Service Control Manager | ID = 7030
    Description = The PEVSystemStart service is marked as an interactive service. However,
    the system is configured to not allow interactive services. This service may not
    function properly.

    Error - 6/15/2011 11:24:47 PM | Computer Name = matt-PC | Source = Service Control Manager | ID = 7030
    Description = The PEVSystemStart service is marked as an interactive service. However,
    the system is configured to not allow interactive services. This service may not
    function properly.

    Error - 6/16/2011 3:25:31 AM | Computer Name = matt-PC | Source = Service Control Manager | ID = 7016
    Description = The NVIDIA Display Driver Service service has reported an invalid
    current state 32.

    Error - 6/16/2011 3:27:07 AM | Computer Name = matt-PC | Source = Service Control Manager | ID = 7009
    Description = A timeout was reached (30000 milliseconds) while waiting for the lxdxCATSCustConnectService
    service to connect.

    Error - 6/16/2011 3:27:07 AM | Computer Name = matt-PC | Source = Service Control Manager | ID = 7000
    Description = The lxdxCATSCustConnectService service failed to start due to the
    following error: %%1053


    < End of report >
     
  23. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Please, re-run RKUnhooker and post fresh log.

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
    Upload following files to http://www.virustotal.com/ for security check:
    - C:\Windows\System32\drivers\volsnap.sys
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  24. OMD

    OMD TS Rookie Topic Starter Posts: 37

    RkU Version: 3.8.389.593, Type LE (SR2)
    ==============================================
    OS Name: Windows 7
    Version 6.1.7600
    Number of processors #1
    ==============================================
    >Drivers
    ==============================================
    0x92229000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 9506816 bytes (NVIDIA Corporation, NVIDIA Windows Kernel Mode Driver, Version 191.07 )
    0x82E3D000 C:\Windows\system32\ntkrnlpa.exe 4259840 bytes (Microsoft Corporation, NT Kernel & System)
    0x82E3D000 PnpManager 4259840 bytes
    0x82E3D000 RAW 4259840 bytes
    0x82E3D000 WMIxWDM 4259840 bytes
    0x9763B000 C:\Windows\system32\drivers\RTKVHDA.sys 2740224 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
    0x9A360000 Win32k 2404352 bytes
    0x9A360000 C:\Windows\System32\win32k.sys 2404352 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0x8B228000 C:\Windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
    0x8AE21000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
    0x90EA4000 C:\Windows\system32\DRIVERS\HSX_DP.sys 1056768 bytes (Conexant Systems, Inc., HSF_DP driver)
    0x93671000 C:\Windows\system32\DRIVERS\athrusb.sys 921600 bytes (Atheros Communications, Inc., Atheros Extensible Wireless LAN device driver)
    0x92B3C000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
    0x8B02B000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
    0x93014000 C:\Windows\system32\DRIVERS\HSX_CNXT.sys 741376 bytes (Conexant Systems, Inc., HSF_CNXT driver)
    0x8388E000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
    0x93208000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
    0x9EC29000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0x83939000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
    0x8F231000 C:\Windows\System32\Drivers\aswSnx.SYS 458752 bytes (AVAST Software, avast! Virtualization Driver)
    0x8AF8E000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
    0x8F378000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0x9332E000 C:\Windows\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
    0x932DF000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
    0x90E24000 C:\Windows\system32\DRIVERS\HSXHWBS2.sys 311296 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
    0x9016E000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0x83A62000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
    0x900B8000 C:\Windows\System32\Drivers\aswSP.SYS 303104 bytes (AVAST Software, avast! self protection module)
    0x839B8000 C:\Windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
    0x83B65000 C:\Windows\system32\DRIVERS\storport.sys 290816 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
    0x93752000 C:\Windows\system32\DRIVERS\nwifi.sys 286720 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
    0x930F5000 C:\Windows\system32\DRIVERS\nvmf6232.sys 282624 bytes (NVIDIA Corporation, NVIDIA MCP Networking Function Driver.)
    0x9361C000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0x8384C000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
    0x90031000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0x8B3A2000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0x8B0E2000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
    0x9ECFC000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
    0x90135000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
    0x979AE000 C:\Windows\system32\drivers\aswMonFlt.sys 229376 bytes (AVAST Software, avast! File System Minifilter for Windows 2003/Vista)
    0x82E06000 ACPI_HAL 225280 bytes
    0x82E06000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0x83BB5000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0x90E70000 C:\Windows\system32\DRIVERS\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
    0x8B172000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
    0x8F346000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
    0x8B371000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
    0x978D8000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0x8B145000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
    0x901B9000 C:\Windows\system32\DRIVERS\1394ohci.sys 180224 bytes (Microsoft Corporation, 1394 OpenHCI Driver)
    0x8AF50000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
    0x83A0C000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0x83AF7000 C:\Windows\system32\drivers\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
    0x8B120000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
    0x83B25000 C:\Windows\system32\DRIVERS\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
    0x9ECD9000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0x931B3000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0x932A9000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
    0x90102000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
    0x8F2BB000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
    0x93380000 C:\Windows\system32\DRIVERS\WUDFRd.sys 135168 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
    0x8B1DC000 C:\Windows\system32\DRIVERS\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0x930D6000 C:\Windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
    0x83AD8000 C:\Windows\system32\drivers\nvraid.sys 126976 bytes (NVIDIA Corporation, NVIDIA® nForce(TM) RAID Driver)
    0x8F3DE000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
    0x9A200000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
    0x97937000 C:\Windows\System32\Drivers\dump_nvstor32.sys 118784 bytes
    0x83B48000 C:\Windows\system32\DRIVERS\nvstor32.sys 118784 bytes (NVIDIA Corporation, NVIDIA® nForce(TM) Sata Performance Driver)
    0x97993000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
    0x9ED37000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
    0x97600000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
    0x9ECAE000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
    0x97907000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
    0x90092000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
    0x9313A000 C:\Windows\system32\DRIVERS\i8042prt.sys 98304 bytes (Microsoft Corporation, i8042 Port Driver)
    0x93190000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0x931D5000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0x90FA6000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0x90FBD000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
    0x8F31A000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
    0x9797A000 C:\Windows\system32\drivers\USBSTOR.SYS 94208 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
    0x83AC2000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
    0x8AF7B000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0x979E9000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
    0x8F20E000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0x9317E000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
    0x90123000 C:\Windows\system32\DRIVERS\amdk8.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
    0x9ECC7000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
    0x8B208000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
    0x97954000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
    0x83BE9000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
    0x93660000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
    0x83A41000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
    0x83833000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
    0x9761A000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
    0x8B3E9000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
    0x9762A000 C:\Windows\system32\DRIVERS\ndisuio.sys 65536 bytes (Microsoft Corporation, NDIS User mode I/O driver)
    0x8F221000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
    0x83A52000 C:\Windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
    0x92200000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0x900AA000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
    0x8F200000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
    0x8F30C000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
    0x83AB4000 C:\Windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0x8AFEB000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
    0x931EF000 C:\Windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
    0x839AA000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
    0x93171000 C:\Windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
    0x97920000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
    0x93164000 C:\Windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
    0x930C9000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
    0x93152000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
    0x932CA000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
    0x8F2DC000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
    0x90086000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
    0x8F2AF000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0x83828000 C:\Windows\system32\mcupdate_AuthenticAMD.dll 45056 bytes (Microsoft Corporation, AMD Microcode Update Library)
    0x9796F000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
    0x8F301000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
    0x931A8000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0x8F331000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
    0x83A36000 C:\Windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
    0x8F33C000 C:\Windows\System32\Drivers\aswTdi.SYS 40960 bytes (AVAST Software, avast! TDI Filter Driver)
    0x9792D000 C:\Windows\System32\Drivers\dump_diskdump.sys 40960 bytes
    0x97965000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
    0x9007C000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
    0x90072000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
    0x9329F000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
    0x92BF3000 C:\Windows\system32\DRIVERS\usbohci.sys 40960 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
    0x83BAC000 C:\Windows\system32\drivers\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
    0x933A1000 C:\Windows\system32\DRIVERS\asyncmac.sys 36864 bytes (Microsoft Corporation, MS Remote Access serial network driver)
    0x83B1C000 C:\Windows\system32\DRIVERS\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
    0x933B3000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
    0x8AE00000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
    0x83A00000 C:\Windows\System32\Drivers\PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
    0x9A5C0000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
    0x83800000 C:\Windows\system32\DRIVERS\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0x83844000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
    0x8B200000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
    0x80BC9000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
    0x83809000 C:\Windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
    0x8F2E9000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
    0x8F2F1000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
    0x8F2F9000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
    0x8B3E1000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
    0x932D7000 C:\Windows\system32\DRIVERS\XAudio32.sys 32768 bytes (Conexant Systems, Inc., Modem Audio Device Driver)
    0x8F2A8000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
    0x8F2A1000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
    0x83AAD000 C:\Windows\system32\DRIVERS\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
    0x8F3D7000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
    0x9220F000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
    0x8F3D2000 C:\Windows\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
    0x9315F000 C:\Windows\system32\DRIVERS\PS2.sys 20480 bytes (Hewlett-Packard Company, PS2 SYS)
    0x9ED6A000 C:\Windows\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
    0x979E6000 C:\Windows\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
    0x92B3A000 C:\Windows\system32\DRIVERS\nvBridge.kmd 8192 bytes (NVIDIA Corporation, NVIDIA Compatible Windows Vista Kernel Mode Driver, Version 191.07 )
    0x931ED000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0x97991000 C:\Windows\system32\drivers\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    0x867911ED unknown_irp_handler 3603 bytes
    ==============================================
    >Stealth
    ==============================================
    0x86792A91 Unknown page with executable code, 1391 bytes
    0x8B3A2000 WARNING: Virus alike driver modification [volsnap.sys], 258048 bytes
    0x86793191 Unknown page with executable code, 3695 bytes
    0x86795E7A Unknown thread object [ ETHREAD 0x85FCBD48 ] TID: 244, 600 bytes
    0x86798008 Unknown thread object [ ETHREAD 0x86AB9298 ] TID: 248, 600 bytes
    0x86797CDC Unknown page with executable code, 804 bytes




    File name: volsnap.sys
    Submission date: 2011-06-17 01:13:52 (UTC)
    Current status: queued queued (#32) analysing finished


    Result: 0/ 42 (0.0%)
    VT Community

    not reviewed
    Safety score: -
    Compact Print results Antivirus Version Last Update Result
    AhnLab-V3 2011.06.17.00 2011.06.16 -
    AntiVir 7.11.9.254 2011.06.16 -
    Antiy-AVL 2.0.3.7 2011.06.16 -
    Avast 4.8.1351.0 2011.06.16 -
    Avast5 5.0.677.0 2011.06.16 -
    AVG 10.0.0.1190 2011.06.16 -
    BitDefender 7.2 2011.06.17 -
    CAT-QuickHeal 11.00 2011.06.16 -
    ClamAV 0.97.0.0 2011.06.16 -
    Commtouch 5.3.2.6 2011.06.16 -
    Comodo 9093 2011.06.17 -
    DrWeb 5.0.2.03300 2011.06.17 -
    Emsisoft 5.1.0.8 2011.06.17 -
    eSafe 7.0.17.0 2011.06.15 -
    eTrust-Vet 36.1.8391 2011.06.16 -
    F-Prot 4.6.2.117 2011.06.16 -
    Fortinet 4.2.257.0 2011.06.16 -
    GData 22 2011.06.17 -
    Ikarus T3.1.1.104.0 2011.06.17 -
    Jiangmin 13.0.900 2011.06.16 -
    K7AntiVirus 9.106.4819 2011.06.16 -
    Kaspersky 9.0.0.837 2011.06.17 -
    McAfee 5.400.0.1158 2011.06.17 -
    McAfee-GW-Edition 2010.1D 2011.06.17 -
    Microsoft 1.6903 2011.06.13 -
    NOD32 6215 2011.06.17 -
    Norman 6.07.10 2011.06.16 -
    nProtect 2011-06-16.01 2011.06.16 -
    Panda 10.0.3.5 2011.06.16 -
    PCTools 7.0.3.5 2011.06.16 -
    Prevx 3.0 2011.06.17 -
    Rising 23.62.02.05 2011.06.15 -
    Sophos 4.66.0 2011.06.17 -
    SUPERAntiSpyware 4.40.0.1006 2011.06.17 -
    Symantec 20111.1.0.186 2011.06.17 -
    TheHacker 6.7.0.1.230 2011.06.14 -
    TrendMicro 9.200.0.1012 2011.06.16 -
    TrendMicro-HouseCall 9.200.0.1012 2011.06.17 -
    VBA32 3.12.16.1 2011.06.16 -
    VIPRE 9603 2011.06.17 -
    ViRobot 2011.6.16.4517 2011.06.16 -
    VirusBuster 14.0.83.0 2011.06.16 -

    Additional informationShow all
    MD5 : 58df9d2481a56edde167e51b334d44fd
    SHA1 : 164a63886e621b566f4c1cccfceff59bdcc4a948
    SHA256: c77d7be83cf1c0dec80429c5a519e794fd2e8c1e6dad6f5c92b5eb5694ceb8ea
    ssdeep: 6144:s1r0/LRxYFqKXIgiYlKwu0H+XTqmu3iKz8Yzh:s1rKRxERlKV0eXTqbi5g
    File size : 245328 bytes
    First seen: 2009-11-04 01:58:23
    Last seen : 2011-06-17 01:13:52
    TrID:
    Win32 Executable Generic (68.0%)
    Generic Win/DOS Executable (15.9%)
    DOS Executable Generic (15.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:
    publisher....: Microsoft Corporation
    copyright....: (c) Microsoft Corporation. All rights reserved.
    product......: Microsoft_ Windows_ Operating System
    description..: Volume Shadow Copy Driver
    original name: volsnap.sys
    internal name: volsnap.sys
    file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned

    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0x336D3
    timedatestamp....: 0x4A5BBF26 (Mon Jul 13 23:11:34 2009)
    machinetype......: 0x14c (I386)

    [[ 8 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    .text, 0x1000, 0x66E4, 0x6800, 6.39, 93bcb4e70c0388d983f8471c63f6998b
    .rdata, 0x8000, 0xFE0, 0x1000, 4.47, 9e8f22a03bb59825f3c962d21cf52de1
    .data, 0x9000, 0x161, 0x200, 0.94, e84d256285d9a0368b950fe765fa41a2
    PAGELK, 0xA000, 0x272FE, 0x27400, 6.45, f4fc55ef7e6b53b839fdf48f7fe0f657
    PAGE, 0x32000, 0x3F7, 0x400, 5.65, 245330a97bc77fb7cb89aa897a67d3f5
    INIT, 0x33000, 0x1B80, 0x1C00, 5.97, ee85fdaf0273950175aa2fb1d2536163
    .rsrc, 0x35000, 0x74D0, 0x7600, 3.46, 9b522bc4b8032d9ea556015b1a062682
    .reloc, 0x3D000, 0x1992, 0x1A00, 6.38, 6d2bda755aad00c474a0b3b7cff235a4

    [[ 2 import(s) ]]
    ntoskrnl.exe: RtlClearBits, RtlClearBit, RtlSetBits, RtlSetBit, RtlNumberOfSetBits, RtlAreBitsClear, RtlAreBitsSet, RtlFindNextForwardRunClear, memcpy, KeWaitForSingleObject, KeReleaseSemaphore, memset, MmBuildMdlForNonPagedPool, IoSetIoPriorityHint, ExFreePoolWithTag, IoFreeMdl, IoAllocateIrp, IoAllocateMdl, ExAllocatePoolWithTag, IoFreeIrp, RtlCompareMemory, ZwClose, ZwQueryValueKey, ZwOpenKey, RtlInitUnicodeString, RtlQueryRegistryValues, ZwCreateKey, RtlStringFromGUID, ObfDereferenceObject, ExQueueWorkItem, IofCompleteRequest, IofCallDriver, _allshr, KeSetEvent, ZwQueryVolumeInformationFile, ZwFsControlFile, _allmul, _alldiv, ZwQueryInformationFile, ZwSetInformationFile, IoDeleteSymbolicLink, swprintf_s, KeQueryTimeIncrement, KeTickCount, IoGetIoPriorityHint, MmMapLockedPagesSpecifyCache, IoFileObjectType, RtlGetAce, RtlEqualSid, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, ZwQuerySecurityObject, ZwOpenFile, IoBuildDeviceIoControlRequest, KeInitializeEvent, IoReleaseCancelSpinLock, KeResetEvent, IoAcquireCancelSpinLock, RtlAppendUnicodeStringToString, RtlCreateSystemVolumeInformationFolder, RtlSetDaclSecurityDescriptor, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlCreateSecurityDescriptor, ZwReadFile, KeInitializeMutex, KeReleaseMutex, RtlInsertElementGenericTableAvl, RtlLookupElementGenericTableAvl, RtlEnumerateGenericTableAvl, RtlInitializeBitMap, SeReleaseSubjectContext, SeUnlockSubjectContext, SeAccessCheck, IoGetFileObjectGenericMapping, SeLockSubjectContext, SeCaptureSubjectContext, MmLockPagableDataSection, MmUnlockPages, ZwUnmapViewOfSection, RtlDeleteElementGenericTableAvl, ObfReferenceObject, RtlEqualUnicodeString, ObReferenceObjectByHandle, RtlGetVersion, _allrem, IoGetDeviceObjectPointer, ZwSetValueKey, PsGetThreadProcessId, KeQuerySystemTime, EtwWrite, EtwEventEnabled, PsGetThreadId, KeCancelTimer, KeSetTimer, ExReInitializeRundownProtectionCacheAware, ExWaitForRundownProtectionReleaseCacheAware, ExReleaseRundownProtectionCacheAware, PoCallDriver, PoStartNextPowerIrp, ExAcquireRundownProtectionCacheAware, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, memmove, IoVolumeDeviceToDosName, IoQueueWorkItem, FsRtlGetVirtualDiskNestingLevel, ZwWaitForSingleObject, ZwOpenEvent, ExAllocatePoolWithTagPriority, KeReadStateEvent, MmProbeAndLockPages, ZwMapViewOfSection, ZwCreateSection, IoGetAttachedDeviceReference, ZwCreateFile, IoBuildSynchronousFsdRequest, IoInvalidateDeviceRelations, FsRtlIsTotalDeviceFailure, IoFreeWorkItem, IoAllocateWorkItem, PsTerminateSystemThread, KeSetPriorityThread, ExUuidCreate, IoInitializeWorkItem, KeInitializeDpc, KeInitializeTimer, ExInitializeRundownProtectionCacheAware, KeInitializeSemaphore, IoAttachDeviceToDeviceStack, IoDeleteDevice, IoGetDriverObjectExtension, IoCreateDevice, IoSizeofWorkItem, ExSizeOfRundownProtectionCacheAware, ZwSetInformationThread, PsCreateSystemThread, ZwQueryDirectoryFile, ZwDuplicateObject, KeLeaveCriticalRegion, KeEnterCriticalRegion, RtlGUIDFromString, KeClearEvent, IoForwardIrpSynchronously, ObReleaseObjectSecurity, ObSetSecurityObjectByPointer, ObGetObjectSecurity, IoCreateSymbolicLink, IoUninitializeWorkItem, IoSetDeviceInterfaceState, IoRegisterDeviceInterface, IoGetDeviceProperty, IoUnregisterPlugPlayNotification, IoDetachDevice, IoRegisterPlugPlayNotification, PsSetThreadHardErrorsAreDisabled, PsGetThreadHardErrorsAreDisabled, PoRegisterPowerSettingCallback, EtwRegister, RtlInitializeGenericTableAvl, ExDeleteNPagedLookasideList, ExInitializeNPagedLookasideList, IoRegisterBootDriverReinitialization, IoRegisterDriverReinitialization, IoAllocateDriverObjectExtension, RtlInsertElementGenericTableFullAvl, RtlLookupElementGenericTableFullAvl, KeBugCheckEx, RtlUnwind, KeGetCurrentThread, InterlockedPushEntrySList, IoBuildPartialMdl, InterlockedPopEntrySList, EtwUnregister, EtwProviderEnabled
    HAL.dll: KfAcquireSpinLock, KfReleaseSpinLock, KeGetCurrentIrql
     
  25. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Delete your TDSSKIller file, download fresh one and see, if it'll run now.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.