TechSpot

Browser Hijacked, windows updates blocked, Vista

Resolved
By phillj
Jan 2, 2011
  1. Hi,

    I have been asked to look at a neighbours computer which I think has a rootkit or similar.

    Symptoms:
    Browser redirect when visiting legitimate AV websites
    Windows update website won't load
    Windows updates failing since August 2010

    I have followed your "8 steps" instructions, here are the logs:

    Malwarebytes Anti-Malware log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5444

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18928

    02/01/2011 20:14:46
    mbam-log-2011-01-02 (20-14-46).txt

    Scan type: Quick scan
    Objects scanned: 151902
    Time elapsed: 6 minute(s), 32 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1602F07D-8BF3-4C08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\Users\Maria\AppData\Roaming\my security shield (Rogue.MySecurityShield) -> Quarantined and deleted successfully.

    Files Infected:
    c:\Windows\System32\config\systemprofile\local settings\temporary internet files\Content.IE5\K81P3UMC\.exe[1] (Trojan.Hiloti) -> Quarantined and deleted successfully.
    c:\Windows\System32\config\systemprofile\local settings\temporary internet files\Content.IE5\K81P3UMC\.exe[2] (Trojan.Hiloti) -> Quarantined and deleted successfully.
    c:\program files\IETRes.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    c:\program files\TCIIRes.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    =============================================================

    GMER log

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-01-02 21:14:37
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 FUJITSU_MJA2250BH_G2 rev.8919
    Running: lschko7o.exe; Driver: C:\Users\Maria\AppData\Local\Temp\uglcypod.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sectors 488396912 (+254): rootkit-like behavior;

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8637FAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8637FAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8637FAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8637FAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-1 8637FAEA

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    Device \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskFUJITSU_MJA2250BH_G2____________________8919____#5&4c2688&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----

    =============================================================

    DDS.txt


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Maria at 21:21:07.36 on 02/01/2011
    Internet Explorer: 8.0.6001.18928
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3002.1679 [GMT 0:00]

    AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_b9d13b43\STacSV.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_b9d13b43\aestsrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG10\avgfws.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\SMINST\BLService.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Windows\system32\taskeng.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\SweetIM\Messenger\SweetIM.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\AVG\AVG10\avgui.exe
    C:\Program Files\AVG\AVG10\avgcfgex.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    E:\5-dds\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.uk/
    uDefault_Page_URL = hxxp://www.sky.com
    uWindow Title = Internet Explorer Provided By Sky Broadband
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Presario&pf=cnnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Presario&pf=cnnb
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: PriceGongBHO Class: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.1.0\PriceGongIE.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: AOL Toolbar BHO: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
    mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
    mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
    mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
    mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SweetIM] c:\program files\sweetim\messenger\SweetIM.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\users\maria\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &AOL Toolbar Search - c:\programdata\aol\ietoolbar\resources\en-gb\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6}
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF}
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: igfxcui - igfxdev.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-7-12 54112]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
    R1 SASDIFSV;SASDIFSV;c:\users\maria\appdata\local\temp\sas_selfextract\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\users\maria\appdata\local\temp\sas_selfextract\saskutil.sys [2010-5-10 67656]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_b9d13b43\AEstSrv.exe [2010-7-22 81920]
    R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2010-11-22 3226632]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]
    R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [2009-11-17 137344]
    R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-3-2 365952]
    R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [2009-11-17 12032]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-3-2 222512]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-9-10 112640]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-16 135664]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-14 517448]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2010-5-22 23096]
    S3 STSService;STSService;"c:\program files\allmusicconverter media suite\stsservice.exe" --> c:\program files\allmusicconverter media suite\STSService.exe [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== Created Last 30 ================

    2011-01-02 20:00:01 -------- d-----w- c:\users\maria\appdata\roaming\Malwarebytes
    2011-01-02 19:59:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-02 19:59:55 -------- d-----w- c:\progra~2\Malwarebytes
    2011-01-02 19:59:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-02 19:59:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-02 19:01:33 6144 ------w- c:\windows\system32\AC94.tmp
    2011-01-02 19:01:22 6144 ------w- c:\windows\system32\819D.tmp
    2011-01-02 19:00:18 -------- d-----w- c:\users\maria\Pavark
    2010-12-31 00:01:02 -------- d-----w- c:\program files\Sophos
    2010-12-30 23:48:06 -------- d-----w- C:\TFC
    2010-12-30 21:53:19 -------- d-----w- c:\users\maria\appdata\roaming\SUPERAntiSpyware.com
    2010-12-30 21:53:19 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
    2010-12-17 18:28:29 -------- d-----w- c:\program files\Saved Games
    2010-12-17 18:28:29 -------- d-----w- c:\program files\Import Export
    2010-12-17 18:28:20 96256 ----a-w- c:\program files\SMACKW32.DLL
    2010-12-17 18:28:20 58880 ----a-w- c:\program files\_UnInstall.dll
    2010-12-17 18:27:26 306688 ----a-w- c:\windows\IsUninst.exe
    2010-12-09 17:47:57 784136 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
    2010-12-08 04:12:38 251728 ----a-w- c:\windows\system32\drivers\avgldx86.sys

    ==================== Find3M ====================


    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: FUJITSU_MJA2250BH_G2 rev.8919 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8637FEC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85989872; SUB DWORD [EBP-0x4], 0x8598912e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x82452962] -> \Device\Harddisk0\DR0[0x864EB690]
    3 CLASSPNP[0x805D78B3] -> ntkrnlpa!IofCallDriver[0x82452962] -> [0x862A28A0]
    5 acpi[0x806956BC] -> ntkrnlpa!IofCallDriver[0x82452962] -> [0x86281B98]
    [0x870E1030] -> IRP_MJ_CREATE -> 0x8637FEC5
    kernel: MBR read successfully
    _asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x6c; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskFUJITSU_MJA2250BH_G2____________________8919____#5&4c2688&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8637FAEA
    user & kernel MBR OK
    sectors 488397166 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 21:21:44.92 ===============

    Attach.txt:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 08/07/2009 11:32:35
    System Uptime: 02/01/2011 20:31:13 (1 hours ago)

    Motherboard: Quanta | | 306B
    Processor: Pentium(R) Dual-Core CPU T4200 @ 2.00GHz | CPU | 2000/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 222 GiB total, 38.786 GiB free.
    D: is FIXED (NTFS) - 11 GiB total, 1.789 GiB free.
    E: is CDROM (UDF)

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Acrobat.com
    Activation Assistant for the 2007 Microsoft Office suites
    ActiveCheck component for HP Active Support Library
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.4.1
    Adobe Shockwave Player
    AOL Toolbar 5.0
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Atheros Driver Installation Program
    AVG 2011
    AVG PC Tuneup 2011
    AviSynth 2.5
    Big Fish Games: Game Manager
    Compatibility Pack for the 2007 Office system
    CyberLink DVD Suite
    CyberLink YouCam
    ESU for Microsoft Vista
    ffdshow
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Common Access Service Library
    HP Customer Experience Enhancements
    HP DVD Play 3.7
    HP Games
    HP Help and Support
    HP Quick Launch Buttons 6.40 M1
    HP Total Care Advisor
    HP Total Care Setup
    HP Update
    HP User Guides 0138
    HP Wireless Assistant
    HPAsset component for HP Active Support Library
    HPNetworkAssistant
    IDT Audio
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 20
    LabelPrint
    LightScribe System Software 1.14.17.1
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    MobileMe Control Panel
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NVIDIA PhysX v8.10.29
    OGA Notifier 2.0.0048.0
    Power2Go
    PowerDirector
    QuickTime
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek USB 2.0 Card Reader
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB982135)
    Sky Broadband
    Sky Broadband Browser Branding
    Sophos Anti-Rootkit 1.5.4
    Spelling Dictionaries Support For Adobe Reader 9
    SweetIM for Messenger 3.1
    Synaptics Pointing Device Driver
    Tonka Construction 2
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Yahoo! BrowserPlus 2.9.2
    Yahoo! Software Update
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    30/12/2010 20:51:19, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.7 for the Network Card with network address 00265E134DD1 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    30/12/2010 20:39:06, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 00265E134DD1 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    30/12/2010 18:19:28, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SRTSP SRTSPX
    30/12/2010 18:19:28, Error: Service Control Manager [7000] - The Norton Internet Security service failed to start due to the following error: The system cannot find the path specified.
    30/12/2010 17:46:46, Error: EventLog [6008] - The previous system shutdown at 17:44:44 on 30/12/2010 was unexpected.
    30/12/2010 16:09:01, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    30/12/2010 16:09:01, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.
    28/12/2010 21:48:27, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service wercplsupport with arguments "" in order to run the server: {0E9A7BB5-F699-4D66-8A47-B919F5B6A1DB}
    27/12/2010 16:21:28, Error: EventLog [6008] - The previous system shutdown at 13:57:45 on 27/12/2010 was unexpected.
    27/12/2010 09:53:08, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Update service, but this action failed with the following error: An instance of the service is already running.
    27/12/2010 09:53:08, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Background Intelligent Transfer Service service, but this action failed with the following error: An instance of the service is already running.
    26/12/2010 15:13:52, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 00265E134DD1 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    02/01/2011 20:33:13, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    02/01/2011 19:00:10, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    02/01/2011 19:00:10, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    02/01/2011 18:59:42, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    02/01/2011 18:59:42, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    02/01/2011 18:59:07, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    02/01/2011 18:59:07, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    02/01/2011 18:59:05, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    02/01/2011 18:58:57, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    02/01/2011 18:58:28, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgfwfd Avgldx86 Avgmfx86 Avgtdix DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss SASDIFSV SASKUTIL Smb spldr Tcpip tdx Wanarpv6
    02/01/2011 18:58:28, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    02/01/2011 18:58:28, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    02/01/2011 18:58:28, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
    02/01/2011 18:58:28, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    02/01/2011 18:58:28, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    02/01/2011 18:58:28, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    02/01/2011 18:58:28, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    02/01/2011 18:58:28, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    02/01/2011 18:58:28, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    02/01/2011 18:58:28, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    02/01/2011 18:58:28, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    02/01/2011 18:58:28, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    02/01/2011 18:58:28, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    02/01/2011 18:58:28, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    02/01/2011 18:58:28, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

    ==== End Of File ===========================

    Many thanks.

    Phill
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! Yes, rootkits have been very popular and it does appear this system is infected. So we'll start on that:

    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    Please leave the log in your next reply
    =============================================
    After that scan has finished, I'd like you to run Combofix. You will have to uninstall AVG to do it:
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
      [​IMG]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ========================================
    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. phillj

    phillj TS Rookie Topic Starter

    Hi Bob,

    Thanks for your prompt response, so far so good,

    here's the log from TDSS killer:

    2011/01/02 23:06:55.0233 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
    2011/01/02 23:06:55.0234 ================================================================================
    2011/01/02 23:06:55.0234 SystemInfo:
    2011/01/02 23:06:55.0234
    2011/01/02 23:06:55.0234 OS Version: 6.0.6002 ServicePack: 2.0
    2011/01/02 23:06:55.0234 Product type: Workstation
    2011/01/02 23:06:55.0234 ComputerName: MARIA-PC
    2011/01/02 23:06:55.0234 UserName: Maria
    2011/01/02 23:06:55.0234 Windows directory: C:\Windows
    2011/01/02 23:06:55.0234 System windows directory: C:\Windows
    2011/01/02 23:06:55.0234 Processor architecture: Intel x86
    2011/01/02 23:06:55.0234 Number of processors: 2
    2011/01/02 23:06:55.0234 Page size: 0x1000
    2011/01/02 23:06:55.0234 Boot type: Normal boot
    2011/01/02 23:06:55.0234 ================================================================================
    2011/01/02 23:06:55.0562 Initialize success
    2011/01/02 23:07:08.0498 ================================================================================
    2011/01/02 23:07:08.0498 Scan started
    2011/01/02 23:07:08.0498 Mode: Manual;
    2011/01/02 23:07:08.0498 ================================================================================
    2011/01/02 23:07:09.0152 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
    2011/01/02 23:07:09.0283 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
    2011/01/02 23:07:09.0454 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
    2011/01/02 23:07:09.0547 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
    2011/01/02 23:07:09.0647 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
    2011/01/02 23:07:09.0770 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
    2011/01/02 23:07:09.0890 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
    2011/01/02 23:07:10.0009 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
    2011/01/02 23:07:10.0103 aliide (3d76fda1a10acc3dc84728f55c29b6d4) C:\Windows\system32\drivers\aliide.sys
    2011/01/02 23:07:10.0185 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
    2011/01/02 23:07:10.0414 amdide (5b92e7839f5a1fbc1b39de67758ad6f8) C:\Windows\system32\drivers\amdide.sys
    2011/01/02 23:07:10.0507 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
    2011/01/02 23:07:10.0580 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
    2011/01/02 23:07:10.0643 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
    2011/01/02 23:07:10.0719 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
    2011/01/02 23:07:10.0775 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
    2011/01/02 23:07:10.0848 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
    2011/01/02 23:07:10.0955 athr (8b412ddc62a0510767c5d48192ee1324) C:\Windows\system32\DRIVERS\athr.sys
    2011/01/02 23:07:11.0071 Avgfwfd (d30b785ab801a0e2b0ad922d66f971f3) C:\Windows\system32\DRIVERS\avgfwd6x.sys
    2011/01/02 23:07:11.0193 AVGIDSDriver (5f6c56305ea73760cdafc7604d64bbe0) C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys
    2011/01/02 23:07:11.0281 AVGIDSEH (20a2d48722cf055c846bdeafa4f733ce) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys
    2011/01/02 23:07:11.0380 AVGIDSFilter (0a95333ca80ca8b79d612f3965466cc0) C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys
    2011/01/02 23:07:11.0466 AVGIDSShim (ab7e4b37126447ffe4fb639901012fb3) C:\Windows\system32\DRIVERS\AVGIDSShim.Sys
    2011/01/02 23:07:11.0591 Avgldx86 (5fe5a2c2330c376a1d8dcff8d2680a2d) C:\Windows\system32\DRIVERS\avgldx86.sys
    2011/01/02 23:07:11.0642 Avgmfx86 (54f1a9b4c9b540c2d8ac4baa171696b1) C:\Windows\system32\DRIVERS\avgmfx86.sys
    2011/01/02 23:07:11.0729 Avgrkx86 (8da3b77993c5f354cc2977b7ea06d03a) C:\Windows\system32\DRIVERS\avgrkx86.sys
    2011/01/02 23:07:11.0851 Avgtdix (660788ec46f10ece80274d564fa8b4aa) C:\Windows\system32\DRIVERS\avgtdix.sys
    2011/01/02 23:07:11.0952 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
    2011/01/02 23:07:12.0042 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
    2011/01/02 23:07:12.0118 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
    2011/01/02 23:07:12.0203 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
    2011/01/02 23:07:12.0292 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
    2011/01/02 23:07:12.0347 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
    2011/01/02 23:07:12.0438 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
    2011/01/02 23:07:12.0512 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
    2011/01/02 23:07:12.0580 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
    2011/01/02 23:07:12.0650 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
    2011/01/02 23:07:12.0713 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
    2011/01/02 23:07:12.0786 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
    2011/01/02 23:07:12.0856 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
    2011/01/02 23:07:12.0944 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
    2011/01/02 23:07:13.0061 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
    2011/01/02 23:07:13.0141 cmdide (d36372a6ea6805efbe8884d10772313f) C:\Windows\system32\drivers\cmdide.sys
    2011/01/02 23:07:13.0177 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
    2011/01/02 23:07:13.0254 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
    2011/01/02 23:07:13.0330 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
    2011/01/02 23:07:13.0456 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
    2011/01/02 23:07:13.0578 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
    2011/01/02 23:07:13.0656 dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
    2011/01/02 23:07:13.0738 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
    2011/01/02 23:07:13.0787 Dot4Scan (a84d8a9006b1ae515cc7b6b3586c295a) C:\Windows\system32\DRIVERS\Dot4Scan.sys
    2011/01/02 23:07:13.0867 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
    2011/01/02 23:07:13.0931 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
    2011/01/02 23:07:14.0022 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
    2011/01/02 23:07:14.0072 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
    2011/01/02 23:07:14.0171 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
    2011/01/02 23:07:14.0296 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
    2011/01/02 23:07:14.0388 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
    2011/01/02 23:07:14.0547 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
    2011/01/02 23:07:14.0606 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
    2011/01/02 23:07:14.0694 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
    2011/01/02 23:07:14.0799 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
    2011/01/02 23:07:14.0852 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
    2011/01/02 23:07:14.0941 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
    2011/01/02 23:07:15.0032 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
    2011/01/02 23:07:15.0134 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
    2011/01/02 23:07:15.0176 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
    2011/01/02 23:07:15.0273 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
    2011/01/02 23:07:15.0338 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
    2011/01/02 23:07:15.0472 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
    2011/01/02 23:07:15.0626 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
    2011/01/02 23:07:15.0660 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
    2011/01/02 23:07:15.0914 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
    2011/01/02 23:07:15.0974 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
    2011/01/02 23:07:16.0054 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\Windows\system32\DRIVERS\HpqKbFiltr.sys
    2011/01/02 23:07:16.0119 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
    2011/01/02 23:07:16.0202 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
    2011/01/02 23:07:16.0262 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
    2011/01/02 23:07:16.0341 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
    2011/01/02 23:07:16.0517 igfx (975405e9280a14476fbc17816ebae24a) C:\Windows\system32\DRIVERS\igdkmd32.sys
    2011/01/02 23:07:16.0608 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
    2011/01/02 23:07:16.0672 IntcHdmiAddService (362b19109f9b6f68c8e2a35efc9144a0) C:\Windows\system32\drivers\IntcHdmi.sys
    2011/01/02 23:07:16.0747 intelide (dd512a049bd7b4bce8a83554c5eff2c1) C:\Windows\system32\drivers\intelide.sys
    2011/01/02 23:07:16.0821 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
    2011/01/02 23:07:16.0890 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
    2011/01/02 23:07:17.0021 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
    2011/01/02 23:07:17.0084 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
    2011/01/02 23:07:17.0151 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
    2011/01/02 23:07:17.0236 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
    2011/01/02 23:07:17.0330 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
    2011/01/02 23:07:17.0383 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
    2011/01/02 23:07:17.0454 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
    2011/01/02 23:07:17.0524 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
    2011/01/02 23:07:17.0616 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\drivers\kbdhid.sys
    2011/01/02 23:07:17.0721 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
    2011/01/02 23:07:17.0839 litsgt (454b6c19c69ea71e83be967ab5444c55) C:\Windows\system32\DRIVERS\litsgt.sys
    2011/01/02 23:07:17.0937 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
    2011/01/02 23:07:17.0987 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
    2011/01/02 23:07:18.0067 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
    2011/01/02 23:07:18.0107 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
    2011/01/02 23:07:18.0198 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
    2011/01/02 23:07:18.0272 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
    2011/01/02 23:07:18.0325 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
    2011/01/02 23:07:18.0403 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
    2011/01/02 23:07:18.0445 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
    2011/01/02 23:07:18.0514 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
    2011/01/02 23:07:18.0566 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
    2011/01/02 23:07:18.0646 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
    2011/01/02 23:07:18.0692 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
    2011/01/02 23:07:18.0775 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
    2011/01/02 23:07:18.0826 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
    2011/01/02 23:07:18.0916 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
    2011/01/02 23:07:18.0979 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
    2011/01/02 23:07:19.0045 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
    2011/01/02 23:07:19.0152 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
    2011/01/02 23:07:19.0230 msahci (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
    2011/01/02 23:07:19.0276 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
    2011/01/02 23:07:19.0388 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
    2011/01/02 23:07:19.0412 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
    2011/01/02 23:07:19.0481 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
    2011/01/02 23:07:19.0534 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
    2011/01/02 23:07:19.0595 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
    2011/01/02 23:07:19.0694 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
    2011/01/02 23:07:19.0786 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
    2011/01/02 23:07:19.0826 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
    2011/01/02 23:07:19.0914 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
    2011/01/02 23:07:19.0974 MusCAudio (2fda286ff06455c7f5f2d1eba4819eb4) C:\Windows\system32\drivers\MusCAudio.sys
    2011/01/02 23:07:20.0055 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
    2011/01/02 23:07:20.0176 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
    2011/01/02 23:07:20.0217 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
    2011/01/02 23:07:20.0293 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
    2011/01/02 23:07:20.0344 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
    2011/01/02 23:07:20.0417 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
    2011/01/02 23:07:20.0517 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
    2011/01/02 23:07:20.0579 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
    2011/01/02 23:07:21.0088 NETw3v32 (35d5458d9a1b26b2005abffbf4c1c5e7) C:\Windows\system32\DRIVERS\NETw3v32.sys
    2011/01/02 23:07:21.0180 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
    2011/01/02 23:07:21.0230 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
    2011/01/02 23:07:21.0308 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
    2011/01/02 23:07:21.0390 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
    2011/01/02 23:07:21.0471 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
    2011/01/02 23:07:21.0508 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
    2011/01/02 23:07:21.0586 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
    2011/01/02 23:07:21.0620 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
    2011/01/02 23:07:21.0702 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
    2011/01/02 23:07:21.0860 ohci1394 (790e27c3db53410b40ff9ef2fd10a1d9) C:\Windows\system32\DRIVERS\ohci1394.sys
    2011/01/02 23:07:21.0970 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
    2011/01/02 23:07:22.0065 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
    2011/01/02 23:07:22.0104 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
    2011/01/02 23:07:22.0193 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
    2011/01/02 23:07:22.0243 pciide (1d8b3d8df8eb7fcf2f0ac02f9f947802) C:\Windows\system32\drivers\pciide.sys
    2011/01/02 23:07:22.0313 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
    2011/01/02 23:07:22.0380 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
    2011/01/02 23:07:22.0514 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
    2011/01/02 23:07:22.0572 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
    2011/01/02 23:07:22.0662 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
    2011/01/02 23:07:22.0728 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
    2011/01/02 23:07:22.0815 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
    2011/01/02 23:07:22.0847 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
    2011/01/02 23:07:22.0931 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
    2011/01/02 23:07:22.0973 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
    2011/01/02 23:07:23.0064 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
    2011/01/02 23:07:23.0141 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
    2011/01/02 23:07:23.0198 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
    2011/01/02 23:07:23.0280 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
    2011/01/02 23:07:23.0330 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
    2011/01/02 23:07:23.0403 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
    2011/01/02 23:07:23.0459 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
    2011/01/02 23:07:23.0590 RimUsb (f17713d108aca124a139fde877eef68a) C:\Windows\system32\Drivers\RimUsb.sys
    2011/01/02 23:07:23.0674 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\Windows\system32\DRIVERS\RimSerial.sys
    2011/01/02 23:07:23.0714 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
    2011/01/02 23:07:23.0826 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
    2011/01/02 23:07:23.0885 RTL8169 (5163f804256deb8cf1ef64b780a18caa) C:\Windows\system32\DRIVERS\Rtlh86.sys
    2011/01/02 23:07:23.0980 RTSTOR (2b7da5a2d2c4aae01098d910007edac5) C:\Windows\system32\drivers\RTSTOR.SYS
    2011/01/02 23:07:24.0108 s116bus (815445f4676cc96bc9aeec303c727e19) C:\Windows\system32\DRIVERS\s116bus.sys
    2011/01/02 23:07:24.0211 s116mdfl (333d1e0743e6de1779c3c418ac601c3a) C:\Windows\system32\DRIVERS\s116mdfl.sys
    2011/01/02 23:07:24.0327 s116mdm (50d6e5b021e9ec7553ab8a3553cc1b6b) C:\Windows\system32\DRIVERS\s116mdm.sys
    2011/01/02 23:07:24.0401 s116mgmt (1589aa53e43f8d193a7d4d580d3ffa95) C:\Windows\system32\DRIVERS\s116mgmt.sys
    2011/01/02 23:07:24.0468 s116nd5 (306f85733671fe507470f0273025e768) C:\Windows\system32\DRIVERS\s116nd5.sys
    2011/01/02 23:07:24.0555 s116obex (ec32601f04a5a5de89315d0f55e73d66) C:\Windows\system32\DRIVERS\s116obex.sys
    2011/01/02 23:07:24.0604 s116unic (32e3ecb4b2b5887426eaf241a8149cde) C:\Windows\system32\DRIVERS\s116unic.sys
    2011/01/02 23:07:24.0767 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Users\Maria\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS
    2011/01/02 23:07:24.0901 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Users\Maria\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS
    2011/01/02 23:07:24.0984 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
    2011/01/02 23:07:25.0071 sdbus (126ea89bcc413ee45e3004fb0764888f) C:\Windows\system32\DRIVERS\sdbus.sys
    2011/01/02 23:07:25.0138 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
    2011/01/02 23:07:25.0208 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
    2011/01/02 23:07:25.0248 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
    2011/01/02 23:07:25.0309 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
    2011/01/02 23:07:25.0379 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
    2011/01/02 23:07:25.0444 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
    2011/01/02 23:07:25.0490 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
    2011/01/02 23:07:25.0554 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
    2011/01/02 23:07:25.0619 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
    2011/01/02 23:07:25.0691 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
    2011/01/02 23:07:25.0748 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
    2011/01/02 23:07:25.0835 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
    2011/01/02 23:07:25.0899 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
    2011/01/02 23:07:26.0003 srv (0debafcc0e3591fca34f077cab62f7f7) C:\Windows\system32\DRIVERS\srv.sys
    2011/01/02 23:07:26.0043 srv2 (6b6f3658e0a58c6c50c5f7fbdf3df633) C:\Windows\system32\DRIVERS\srv2.sys
    2011/01/02 23:07:26.0183 srvnet (0c5ab1892ae0fa504218db094bf6d041) C:\Windows\system32\DRIVERS\srvnet.sys
    2011/01/02 23:07:26.0247 STHDA (9aefc1bc01e03a4afb8e718fc2f72c10) C:\Windows\system32\DRIVERS\stwrt.sys
    2011/01/02 23:07:26.0351 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
    2011/01/02 23:07:26.0424 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
    2011/01/02 23:07:26.0480 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
    2011/01/02 23:07:26.0555 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
    2011/01/02 23:07:26.0604 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
    2011/01/02 23:07:26.0672 SynTP (aee6e411a915f50101895ba8dc5c15d4) C:\Windows\system32\DRIVERS\SynTP.sys
    2011/01/02 23:07:26.0763 tansgt (65e9377beddba680da9034da3ed44725) C:\Windows\system32\DRIVERS\tansgt.sys
    2011/01/02 23:07:26.0869 Tcpip (48cbe6d53632d0067c2d6b20f90d84ca) C:\Windows\system32\drivers\tcpip.sys
    2011/01/02 23:07:26.0958 Tcpip6 (48cbe6d53632d0067c2d6b20f90d84ca) C:\Windows\system32\DRIVERS\tcpip.sys
    2011/01/02 23:07:27.0058 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
    2011/01/02 23:07:27.0108 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
    2011/01/02 23:07:27.0168 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
    2011/01/02 23:07:27.0229 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
    2011/01/02 23:07:27.0304 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
    2011/01/02 23:07:27.0390 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
    2011/01/02 23:07:27.0444 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
    2011/01/02 23:07:27.0529 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
    2011/01/02 23:07:27.0598 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
    2011/01/02 23:07:27.0673 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
    2011/01/02 23:07:27.0760 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
    2011/01/02 23:07:27.0807 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
    2011/01/02 23:07:27.0879 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
    2011/01/02 23:07:27.0925 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
    2011/01/02 23:07:28.0003 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
    2011/01/02 23:07:28.0077 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\Windows\system32\Drivers\usbaapl.sys
    2011/01/02 23:07:28.0144 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
    2011/01/02 23:07:28.0203 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
    2011/01/02 23:07:28.0268 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
    2011/01/02 23:07:28.0325 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
    2011/01/02 23:07:28.0388 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
    2011/01/02 23:07:28.0447 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
    2011/01/02 23:07:28.0535 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
    2011/01/02 23:07:28.0601 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
    2011/01/02 23:07:28.0676 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
    2011/01/02 23:07:28.0749 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
    2011/01/02 23:07:28.0816 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
    2011/01/02 23:07:28.0864 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
    2011/01/02 23:07:28.0926 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
    2011/01/02 23:07:28.0980 viaide (ea1aa6e3abb3c194feba12a46de8cf2c) C:\Windows\system32\drivers\viaide.sys
    2011/01/02 23:07:29.0032 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
    2011/01/02 23:07:29.0103 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
    2011/01/02 23:07:29.0195 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
    2011/01/02 23:07:29.0253 vsmraid (4afb7d95ee27cd6bd1ee20c68ab820b7) C:\Windows\system32\drivers\vsmraid.sys
    2011/01/02 23:07:29.0254 Suspicious file (Forged): C:\Windows\system32\drivers\vsmraid.sys. Real md5: 4afb7d95ee27cd6bd1ee20c68ab820b7, Fake md5: 587253e09325e6bf226b299774b728a9
    2011/01/02 23:07:29.0260 vsmraid - detected Rootkit.Win32.TDSS.tdl3 (0)
    2011/01/02 23:07:29.0369 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
    2011/01/02 23:07:29.0410 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    2011/01/02 23:07:29.0432 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    2011/01/02 23:07:29.0527 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
    2011/01/02 23:07:29.0583 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
    2011/01/02 23:07:29.0744 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
    2011/01/02 23:07:29.0844 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
    2011/01/02 23:07:29.0924 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
    2011/01/02 23:07:30.0044 yukonwlh (7d1f3b131d503ef43ee594b5a2b9b427) C:\Windows\system32\DRIVERS\yk60x86.sys
    2011/01/02 23:07:30.0102 ================================================================================
    2011/01/02 23:07:30.0103 Scan finished
    2011/01/02 23:07:30.0103 ================================================================================
    2011/01/02 23:07:30.0116 Detected object count: 1
    2011/01/02 23:08:46.0984 vsmraid (4afb7d95ee27cd6bd1ee20c68ab820b7) C:\Windows\system32\drivers\vsmraid.sys
    2011/01/02 23:08:46.0985 Suspicious file (Forged): C:\Windows\system32\drivers\vsmraid.sys. Real md5: 4afb7d95ee27cd6bd1ee20c68ab820b7, Fake md5: 587253e09325e6bf226b299774b728a9
    2011/01/02 23:08:46.0990 C:\Windows\system32\drivers\vsmraid.sys - copied to quarantine
    2011/01/02 23:08:47.0030 \HardDisk0\TDLFS\config.ini - copied to quarantine
    2011/01/02 23:08:47.0053 \HardDisk0\TDLFS\tdl - copied to quarantine
    2011/01/02 23:08:47.0055 \HardDisk0\TDLFS\rsrc.dat - copied to quarantine
    2011/01/02 23:08:47.0057 \HardDisk0\TDLFS\bckfg.tmp - copied to quarantine
    2011/01/02 23:08:47.0065 \HardDisk0\TDLFS\tdlcmd.dll - copied to quarantine
    2011/01/02 23:08:47.0066 Rootkit.Win32.TDSS.tdl3(vsmraid) - User select action: Quarantine
    2011/01/02 23:08:58.0620 Deinitialize success

    =========================================

    Log from Combofix:

    ComboFix 11-01-02.02 - Maria 03/01/2011 0:03.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3002.2210 [GMT 0:00]
    Running from: c:\users\Maria\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    Infected copy of c:\windows\system32\drivers\vsmraid.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
    .

    2011-01-03 00:14 . 2011-01-03 00:14 -------- d-----w- c:\users\Maria\AppData\Local\temp
    2011-01-03 00:14 . 2011-01-03 00:14 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-02 23:08 . 2011-01-02 23:08 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-01-02 20:00 . 2011-01-02 20:00 -------- d-----w- c:\users\Maria\AppData\Roaming\Malwarebytes
    2011-01-02 19:59 . 2011-01-02 19:59 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-02 19:59 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-02 19:59 . 2011-01-02 19:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-02 19:59 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-02 19:01 . 2010-05-26 10:39 6144 ------w- c:\windows\system32\AC94.tmp
    2011-01-02 19:01 . 2010-05-26 10:39 6144 ------w- c:\windows\system32\819D.tmp
    2011-01-02 19:00 . 2011-01-02 19:00 -------- d-----w- c:\users\Maria\Pavark
    2010-12-31 00:01 . 2010-12-31 00:01 -------- d-----w- c:\program files\Sophos
    2010-12-30 23:48 . 2010-12-30 23:48 -------- d-----w- C:\TFC
    2010-12-30 21:53 . 2010-12-30 21:53 -------- d-----w- c:\users\Maria\AppData\Roaming\SUPERAntiSpyware.com
    2010-12-30 21:53 . 2010-12-30 21:53 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-12-17 18:28 . 2010-12-17 18:44 -------- d-----w- c:\program files\Saved Games
    2010-12-17 18:28 . 2010-12-17 18:28 -------- d-----w- c:\program files\Import Export
    2010-12-17 18:28 . 1999-09-29 18:46 58880 ----a-w- c:\program files\_UnInstall.dll
    2010-12-17 18:28 . 1999-08-05 14:26 96256 ----a-w- c:\program files\SMACKW32.DLL
    2010-12-17 18:27 . 1998-10-29 16:45 306688 ----a-w- c:\windows\IsUninst.exe
    2010-12-09 17:47 . 2010-12-09 17:47 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
    "HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-11-18 966656]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-16 39408]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1410344]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
    "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-12-24 210216]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-10-10 206128]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-10-30 210216]
    "UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-12-08 432432]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-10 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-10 175128]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-10 153624]
    "SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2010-05-05 111928]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

    c:\users\Maria\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 135664]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-12-05 222512]
    R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2010-05-21 23096]
    R3 STSService;STSService;c:\program files\AllMusicConverter Media Suite\STSService.exe [x]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 SASDIFSV;SASDIFSV;c:\users\Maria\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
    S1 SASKUTIL;SASKUTIL;c:\users\Maria\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_b9d13b43\aestsrv.exe [2009-02-12 81920]
    S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]
    S2 litsgt;litsgt;c:\windows\system32\DRIVERS\litsgt.sys [2009-11-17 137344]
    S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-12-24 365952]
    S2 tansgt;tansgt;c:\windows\system32\DRIVERS\tansgt.sys [2009-11-17 12032]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-09-10 112640]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ezSharedSvc

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 11:39]

    2011-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 11:39]

    2010-12-14 c:\windows\Tasks\HPCeeScheduleForMaria.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-03-02 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Presario&pf=cnnb
    IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-GB\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{1631550F-191D-4826-B069-D9439253D926} - c:\program files\PriceGong\2.1.0\PriceGongIE.dll
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
    SafeBoot-mcmscsvc
    SafeBoot-MCODS



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-03 00:14
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-01-03 00:17:51
    ComboFix-quarantined-files.txt 2011-01-03 00:17

    Pre-Run: 43,514,380,288 bytes free
    Post-Run: 43,856,216,064 bytes free

    - - End Of File - - 8C4F4A41FFE1D133CF2269747DFF5024

    =========================================================

    It's 12:40 am her so I'm gonna have to crash out, I'll log in again tomorrow,

    Thanks again,

    Phill.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, one down! Please run this online virus scan:


    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ==========================================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  5. phillj

    phillj TS Rookie Topic Starter

    Hi Bob,

    ESET log.txt:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK

    ESET "Found list"

    C:\Qoobox\Quarantine\C\Windows\system32\Drivers\vsmraid.sys.vir Win32/Olmarik.ZC trojan
    C:\TDSSKiller_Quarantine\02.01.2011_23.06.55\tdl30000\svc0000\tsk0000.dta Win32/Olmarik.ZC trojan
    C:\TDSSKiller_Quarantine\02.01.2011_23.06.55\tdl30000\tdlfs0000\tsk0004.dta a variant of Win32/Olmarik.ADZ trojan
    C:\Users\Maria\Music\Jennifer Hudson\Invisible.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan


    Hijackthis:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 22:14:02, on 03/01/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18928)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\SweetIM\Messenger\SweetIM.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
    C:\Windows\system32\wuauclt.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Presario&pf=cnnb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Presario&pf=cnnb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
    O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
    O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
    O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O8 - Extra context menu item: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-GB\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - (no file)
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_b9d13b43\aestsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_b9d13b43\STacSV.exe
    O23 - Service: STSService - Unknown owner - C:\Program Files\AllMusicConverter Media Suite\STSService.exe (file missing)
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 10560 bytes
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes
      :Files  
      C:\TDSSKiller_Quarantine\02.01.2011_23.06.55\tdl30000\svc0000\tsk0000.dta 
      C:\TDSSKiller_Quarantine\02.01.2011_23.06.55\tdl30000\tdlfs0000\tsk0004.dta 
      C:\Users\Maria\Music\Jennifer Hudson\Invisible.mp3 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ============================================
    Please reopen HijackThis to 'du system scan only.' Check eaach of the following, if present:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...esario&pf=cnnb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...esario&pf=cnnb
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - (no file)
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - (no file)


    Close all Windows except HijackThis and click on "Fix Checked."
    =========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:[Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\AC94.tmp
    c:\windows\system32\819D.tmp
    c:\program files\allmusicconverter media suite\stsservice.exe
    c:\users\Maria\AppData\Local\Temp\SAS_SelfExtract\SASDIFS V.SYS
    c:\users\Maria\AppData\Local\Temp\SAS_SelfExtract\SASKUTI L.SYS
    c:\program files\allmusicconverter media suite\STSService.exe
    Folder::
    C:\TDSSKiller_Quarantine
    Drive::
    STSService
    SASDIFSV
    SASKUTIL
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    I recommend that you take these off of startup: All HP processes, Cyberlink, printer related, media players, web cam. Use the msconfig utility:

    To remove entries from Startup using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Click on Apply> OK when finished.

    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
    Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changed. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.

    For any processes that you unchecked on Startup that have corresponding Services (023 processes in HJT), reset Startup type to Manual:
    Start> Run> type in services.msc> double click on the Services, change Automatic to Manual for Startup type
     
  7. phillj

    phillj TS Rookie Topic Starter

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\TDSSKiller_Quarantine\02.01.2011_23.06.55\tdl30000\svc0000\tsk0000.dta moved successfully.
    C:\TDSSKiller_Quarantine\02.01.2011_23.06.55\tdl30000\tdlfs0000\tsk0004.dta moved successfully.
    C:\Users\Maria\Music\Jennifer Hudson\Invisible.mp3 moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 41656 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Maria
    ->Temp folder emptied: 2091158 bytes
    ->Temporary Internet Files folder emptied: 161925220 bytes
    ->Java cache emptied: 653847 bytes
    ->Google Chrome cache emptied: 6835584 bytes
    ->Apple Safari cache emptied: 5258240 bytes
    ->Flash cache emptied: 88536 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 12288 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1049495 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 12732218 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 75905 bytes
    RecycleBin emptied: 1406538 bytes

    Total Files Cleaned = 183.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 01052011_181334


    ============================================

    ComboFix 11-01-04.06 - Maria 05/01/2011 18:24:59.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3002.2082 [GMT 0:00]
    Running from: c:\users\Maria\Desktop\ComboFix.exe
    Command switches used :: e:\combofix2\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    FILE ::
    "c:\program files\allmusicconverter media suite\STSService.exe"
    "c:\users\Maria\AppData\Local\Temp\SAS_SelfExtract\SASDIFS V.SYS"
    "c:\users\Maria\AppData\Local\Temp\SAS_SelfExtract\SASKUTI L.SYS"
    "c:\windows\system32\819D.tmp"
    "c:\windows\system32\AC94.tmp"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\TDSSKiller_Quarantine
    c:\tdsskiller_quarantine\02.01.2011_23.06.55\tdl30000\object.ini
    c:\tdsskiller_quarantine\02.01.2011_23.06.55\tdl30000\svc0000\object.ini
    c:\tdsskiller_quarantine\02.01.2011_23.06.55\tdl30000\svc0000\tsk0000.ini
    c:\tdsskiller_quarantine\02.01.2011_23.06.55\tdl30000\svc0000\tsk0001.dta
    c:\tdsskiller_quarantine\02.01.2011_23.06.55\tdl30000\svc0000\tsk0001.ini
    c:\tdsskiller_quarantine\02.01.2011_23.06.55\tdl30000\tdlfs0000\object.ini
    c:\tdsskiller_quarantine\02.01.2011_23.06.55\tdl30000\tdlfs0000\tsk0000.dta
    c:\tdsskiller_quarantine\02.01.2011_23.06.55\tdl30000\tdlfs0000\tsk0000.ini
    c:\tdsskiller_quarantine\02.01.2011_23.06.55\tdl30000\tdlfs0000\tsk0001.dta
    c:\tdsskiller_quarantine\02.01.2011_23.06.55\tdl30000\tdlfs0000\tsk0001.ini
    c:\tdsskiller_quarantine\02.01.2011_23.06.55\tdl30000\tdlfs0000\tsk0002.dta
    c:\tdsskiller_quarantine\02.01.2011_23.06.55\tdl30000\tdlfs0000\tsk0002.ini
    c:\tdsskiller_quarantine\02.01.2011_23.06.55\tdl30000\tdlfs0000\tsk0003.dta
    c:\tdsskiller_quarantine\02.01.2011_23.06.55\tdl30000\tdlfs0000\tsk0003.ini
    c:\tdsskiller_quarantine\02.01.2011_23.06.55\tdl30000\tdlfs0000\tsk0004.ini

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
    .

    2011-01-05 18:31 . 2011-01-05 18:31 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-05 18:13 . 2011-01-05 18:13 -------- d-----w- C:\_OTM
    2011-01-04 13:11 . 2011-01-04 13:11 -------- d-----w- c:\users\Maria\AppData\Roaming\Auslogics
    2011-01-04 13:11 . 2011-01-04 13:11 -------- d-----w- c:\program files\Auslogics
    2011-01-04 09:47 . 2009-07-14 17:45 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
    2011-01-04 09:47 . 2009-07-14 17:45 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
    2011-01-04 09:39 . 2011-01-04 09:39 -------- d-----w- c:\program files\Microsoft Silverlight
    2011-01-03 22:11 . 2011-01-03 22:14 -------- d-----w- C:\HijackThis
    2011-01-03 21:01 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2011-01-03 21:01 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
    2011-01-03 21:01 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2011-01-03 21:01 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
    2011-01-03 21:01 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-01-03 21:01 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-01-03 21:01 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-01-03 21:01 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
    2011-01-03 21:01 . 2010-10-12 15:53 33280 ----a-w- c:\program files\Windows Mail\wabfind.dll
    2011-01-03 21:01 . 2010-10-12 13:41 66048 ----a-w- c:\program files\Windows Mail\wabmig.exe
    2011-01-03 21:01 . 2010-10-12 13:41 515584 ----a-w- c:\program files\Windows Mail\wab.exe
    2011-01-03 20:59 . 2010-06-17 18:08 10926592 ----a-w- c:\program files\Movie Maker\MOVIEMK.dll
    2011-01-03 20:59 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
    2011-01-03 20:59 . 2010-06-17 16:16 150016 ----a-w- c:\program files\Movie Maker\MOVIEMK.exe
    2011-01-03 20:59 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
    2011-01-03 20:59 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-01-03 20:59 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-01-03 20:59 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2011-01-03 20:59 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-01-03 20:59 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-01-03 20:59 . 2010-11-03 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-01-03 20:59 . 2010-08-31 15:44 531968 ----a-w- c:\windows\system32\comctl32.dll
    2011-01-03 20:50 . 2010-11-16 12:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{89891547-542A-4BE5-85D1-D9DA14CA84E3}\mpengine.dll
    2011-01-03 20:50 . 2010-05-04 19:13 231424 ----a-w- c:\windows\system32\msshsq.dll
    2011-01-03 20:41 . 2011-01-03 20:41 -------- d-----w- c:\program files\ESET
    2011-01-03 00:17 . 2011-01-05 18:31 -------- d-----w- c:\users\Maria\AppData\Local\temp
    2011-01-02 20:00 . 2011-01-02 20:00 -------- d-----w- c:\users\Maria\AppData\Roaming\Malwarebytes
    2011-01-02 19:59 . 2011-01-02 19:59 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-02 19:00 . 2011-01-02 19:00 -------- d-----w- c:\users\Maria\Pavark
    2010-12-31 00:01 . 2011-01-04 10:55 -------- d-----w- c:\program files\Sophos
    2010-12-30 23:48 . 2010-12-30 23:48 -------- d-----w- C:\TFC
    2010-12-30 21:53 . 2010-12-30 21:53 -------- d-----w- c:\users\Maria\AppData\Roaming\SUPERAntiSpyware.com
    2010-12-30 21:53 . 2010-12-30 21:53 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-12-17 18:27 . 1998-10-29 16:45 306688 ----a-w- c:\windows\IsUninst.exe
    2010-12-09 17:47 . 2010-12-09 17:47 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 10:41 . 2009-12-16 12:03 222080 ------w- c:\windows\system32\MpSigStub.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-16 39408]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-10 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-10 175128]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-10 153624]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-06-03 450652]

    c:\users\Maria\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
    2008-10-09 15:58 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2008-12-08 23:34 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
    2008-11-18 18:57 966656 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-11-17 20:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2008-06-09 17:16 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
    2008-10-10 20:24 206128 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2008-09-24 00:21 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 11:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
    2008-12-04 05:15 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
    2008-06-14 02:11 210216 ------w- c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
    2008-10-30 19:51 210216 ------w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDIRShortCut]
    2008-06-14 02:11 210216 ------w- c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
    2008-12-24 22:45 210216 ------w- c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WirelessAssistant]
    2008-12-08 19:25 432432 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

    R1 SASDIFSV;SASDIFSV;c:\users\Maria\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
    R1 SASKUTIL;SASKUTIL;c:\users\Maria\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 135664]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-12-05 222512]
    R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2010-05-21 23096]
    R3 STSService;STSService;c:\program files\AllMusicConverter Media Suite\STSService.exe [x]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_827e372d\aestsrv.exe [2009-03-02 81920]
    S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]
    S2 litsgt;litsgt;c:\windows\system32\DRIVERS\litsgt.sys [2009-11-17 137344]
    S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-12-24 365952]
    S2 tansgt;tansgt;c:\windows\system32\DRIVERS\tansgt.sys [2009-11-17 12032]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-09-10 112640]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ezSharedSvc

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 11:39]

    2011-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 11:39]

    2010-12-14 c:\windows\Tasks\HPCeeScheduleForMaria.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-03-02 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Presario&pf=cnnb
    IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-GB\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    MSConfigStartUp-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
    AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-05 18:31
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-01-05 18:33:52
    ComboFix-quarantined-files.txt 2011-01-05 18:33
    ComboFix2.txt 2011-01-03 00:17

    Pre-Run: 37,380,464,640 bytes free
    Post-Run: 37,340,545,024 bytes free

    - - End Of File - - 73AE259416A6E4255D39CD0A9BB2CCA3
     
  8. phillj

    phillj TS Rookie Topic Starter

    Hi,

    I don't wish to be rude or anything, but I haven't heard anything for 4 days now, please can I have update on what I should do next, my neighbour is desparate for her computer back.

    Many Thanks,

    Phill.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    My fault- sorry- got way behind over the holidays. Combofix looks good. I have some concern about a removal of %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe> this is a process related to the touchpad on a laptop. If there is any problem using it, this needs to be rechecked on startup.

    I see you have already gone on and removed Mbam and Eset- we usually leave those on until finished, then remove all the cleaning tools.

    You did not give me any indication of remaining problems, but I'd like you to run HijackThis to be sure there are no bad entries remaining: After I check that, I'll have you remove the cleaning tools:
    ============================================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  10. phillj

    phillj TS Rookie Topic Starter

    Hi Bob,

    No worries, it gets a bit mad this time of year. I had to return the laptop in the end, the owner wanted it back, in the end I ran ESET again but this time let it clean any files it found, I then went on and removed the cleaning tools, I'm 99% certain it's OK as there weren't any further problems and I have told her to come straight back to me if she has any suspicions, I can get it back to do another Hijack this scan to be sure.

    Also I was paid a small amount to do this, and as you have done much of the work I would like to make a donation to you or somewhere of your choice, please let me know where you'd like this done.

    Thanks again for all your help, and happy new year.

    Phill.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you for the update Phil and you offer to share your payment. I personally don't accept donations, neither does TechSpot. But many of the programs and sites we frequently ask for help to allow them to continue keeping up the site. When you come across one of those, help them out so all of us can continue to benefit from their good work.

    I see this in OTM: Total Files Cleaned = 183.00 mb. This is a significant number of files. You might want to pass on that maintenance should be done on a regular basis to include a disc cleanup, temporary internet file deletions, defrag, review of program and uninstallation of any not being used.

    Tell your friend to stay away from sites like:
    ClickPotato>> (Adware.ClickPotato)
    FunWeb Search>> (Adware.MyWebSearch) > Smileys, 3D Cursor, Wallpaper, etc.
    popcaploader games>> (Spyware.OnlineGames)

    and not to go near any files sharing programs or sites- unless he/she accepts the malware that also comes with the shared files.

    You know where we are if you need help again.
     
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.