TechSpot

Crypt.AQLW infection

By skuzzi
Apr 21, 2012
  1. One of my computers was infected with the Crypt.AQLW trojan several weeks ago. In the meantime, it's been offline and unused; just now getting to deal with the nastiness. I can run MBAM and GMER, but get gibberish with the DDS.

    Thanks for your assistance extricating the machine from the mire. Logs posted below:
    skuzzi

    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.04.21.01

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Me :: DOMUS1 [administrator]

    Protection: Enabled

    4/21/2012 12:53:03 AM
    mbam-log-2012-04-21 (00-53-03).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 252486
    Time elapsed: 5 minute(s), 1 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-04-21 01:09:33
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 Hitachi_HDP725050GLA360 rev.GM4OA5CA
    Running: fqq6g1o5.exe; Driver: D:\DOCUME~1\Me\LOCALS~1\Temp\kfldapog.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- Processes - GMER 1.0.15 ----

    Process D:\WINDOWS\system32\ping.exe (*** hidden *** ) 3716

    ---- EOF - GMER 1.0.15 ----
     
  2. Bobbye


    I'll be glad to help with the malware- let's see if we can get rid of the 'gibberish'.

    Please download the corresponding file for your operating system:

    XP
    Vista
    Windows 7

    Unpack (unzip) the file onto your desktop and double-click it. You will be asked if you wish to merge the file with your registry; say Yes.

    You should then be able to run DDS.scr. It's usually the .scr file extension causing the problem.
    ===============================================
    I'd like you to run Combofix- IF AVG or CA is your antivirus program, you will need to run the App Remover to temporarily uninstall it as Combofix will not run with it on the system. IF you do not have either of these, you can skip the AppRemover and just disable the current security:

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
      [image]
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one: Use only if you had to remove AVG or CA.
    Microsoft Security Essentials
    Comodo AV
    Avast! Free Antivirus
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ====================================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
     
  3. skuzzi


    After following your instructions, I was able to get DDS to run and also ran ComboFix. Logs are pasted below. (I believe the infection occurred around April 4th - looking at the logs, the event logging shows only one week.)
    Thanks for your help
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
    Run by Me at 9:51:48 on 2012-04-21
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1447 [GMT -6:00]
    .
    .
    ============== Running Processes ===============
    .
    D:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    D:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Bonjour\mDNSResponder.exe
    d:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    D:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
    D:\WINDOWS\system32\svchost.exe -k imgsvc
    D:\Program Files\PowerISO\PWRISOVM.EXE
    D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    D:\Program Files\Common Files\Java\Java Update\jusched.exe
    D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    D:\Program Files\MSI\Common\RaUI.exe
    D:\Program Files\Rainmeter\Rainmeter.exe
    D:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    D:\Program Files\iPod\bin\iPodService.exe
    D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    D:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
    D:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - d:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - d:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
    mRun: [Adobe ARM] "d:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [HDAudDeck] d:\program files\via\viaudioi\hdadeck\HDeck.exe 1
    mRun: [PWRISOVM.EXE] d:\program files\poweriso\PWRISOVM.EXE
    mRun: [Acrobat Assistant 8.0] "d:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
    mRun: [<NO NAME>]
    mRun: [Adobe_ID0EYTHM] d:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
    mRun: [APSDaemon] "d:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [Malwarebytes' Anti-Malware] "d:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    StartupFolder: d:\docume~1\me\startm~1\programs\startup\openof~1.lnk - d:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: d:\docume~1\me\startm~1\programs\startup\rainme~1.lnk - d:\program files\rainmeter\Rainmeter.exe
    StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - d:\program files\common files\autodesk shared\acstart16.exe
    StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - d:\program files\hewlett-packard\aio\hp officejet 7100 series\bin\hpogrp07.exe
    StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\msiwir~1.lnk - d:\program files\msi\common\RaUI.exe
    IE: Append to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - d:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - d:\documents and settings\me\application data\mozilla\firefox\profiles\vugw0kov.default\
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
    FF - plugin: d:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: d:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: d:\program files\java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: d:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
    FF - plugin: d:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: d:\program files\mozilla firefox\plugins\npwachk.dll
    FF - plugin: d:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 MBAMService;MBAMService;d:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-4 654408]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;d:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-1-6 2348864]
    R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [2012-4-4 22344]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;d:\windows\system32\drivers\viahduaa.sys [2012-1-6 993280]
    S2 webrootcommagentservice;Btserial;d:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;d:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 253600]
    S3 cpudrv;cpudrv;d:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
    S3 WDC_SAM;WD SCSI Pass Thru driver;d:\windows\system32\drivers\wdcsam.sys [2012-3-15 11520]
    .
    =============== Created Last 30 ================
    .
    2012-04-21 06:08:15 148480 ------w- d:\windows\system32\dllcache\imagehlp.dll
    2012-04-05 00:14:51 -------- d-----w- d:\documents and settings\me\application data\Malwarebytes
    2012-04-05 00:14:37 -------- d-----w- d:\documents and settings\all users\application data\Malwarebytes
    2012-04-05 00:14:36 22344 ----a-w- d:\windows\system32\drivers\mbam.sys
    2012-04-05 00:14:36 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
    2012-04-04 23:30:44 388096 ----a-r- d:\documents and settings\me\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2012-04-04 04:17:15 0 --sha-w- d:\windows\system32\dds_trash_log.cmd
    2012-04-04 02:51:37 73728 ----a-w- d:\windows\system32\javacpl.cpl
    2012-04-04 02:51:37 476904 ----a-w- d:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2012-04-04 02:47:09 418464 ----a-w- d:\windows\system32\FlashPlayerApp.exe
    2012-03-25 19:03:07 753664 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iKernel.dll
    2012-03-25 19:03:07 69714 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\ctor.dll
    2012-03-25 19:03:07 5632 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\DotNetInstaller.exe
    2012-03-25 19:03:07 274432 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iscript.dll
    2012-03-25 19:03:07 200836 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iGdi.dll
    2012-03-25 19:03:07 184320 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iuser.dll
    2012-03-25 19:03:06 331908 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\setup.dll
    2012-03-25 17:08:39 -------- d-----w- d:\documents and settings\me\local settings\application data\IsolatedStorage
    2012-03-23 03:36:19 733184 ----a-w- d:\program files\common files\installshield\professional\runtime\10\00\intel32\iKernel.dll
    2012-03-23 03:36:19 69715 ----a-w- d:\program files\common files\installshield\professional\runtime\10\00\intel32\ctor.dll
    2012-03-23 03:36:19 5632 ----a-w- d:\program files\common files\installshield\professional\runtime\10\00\intel32\DotNetInstaller.exe
    2012-03-23 03:36:19 266240 ----a-w- d:\program files\common files\installshield\professional\runtime\10\00\intel32\iscript.dll
    2012-03-23 03:36:19 172032 ----a-w- d:\program files\common files\installshield\professional\runtime\10\00\intel32\iuser.dll
    2012-03-23 03:36:18 303236 ----a-w- d:\program files\common files\installshield\professional\runtime\10\00\intel32\setup.dll
    2012-03-23 03:36:18 180356 ----a-w- d:\program files\common files\installshield\professional\runtime\10\00\intel32\iGdi.dll
    2012-03-23 03:18:55 110592 ----a-w- d:\windows\system32\tsccvid.dll
    .
    ==================== Find3M ====================
    .
    2012-04-04 04:38:23 70304 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-04 02:51:27 472808 ----a-w- d:\windows\system32\deployJava1.dll
    2012-03-16 03:39:59 28672 ----a-w- d:\windows\system32\qttask.exe
    2012-03-01 11:01:32 916992 ----a-w- d:\windows\system32\wininet.dll
    2012-03-01 11:01:32 43520 ----a-w- d:\windows\system32\licmgr10.dll
    2012-03-01 11:01:32 1469440 ----a-w- d:\windows\system32\inetcpl.cpl
    2012-02-29 14:08:49 178176 ----a-w- d:\windows\system32\wintrust.dll
    2012-02-29 14:08:49 148480 ----a-w- d:\windows\system32\imagehlp.dll
    2012-02-29 12:17:40 385024 ----a-w- d:\windows\system32\html.iec
    2012-02-29 04:20:55 127 ----a-w- d:\windows\sophos.tmp
    2012-02-15 17:01:50 4547944 ----a-w- d:\windows\system32\usbaaplrc.dll
    2012-02-15 17:01:50 43520 ----a-w- d:\windows\system32\drivers\usbaapl.sys
    2012-02-07 17:02:40 1070352 ----a-w- d:\windows\system32\MSCOMCTL.OCX
    2012-02-03 09:26:17 1869184 ----a-w- d:\windows\system32\win32k.sys
    .
    ============= FINISH: 9:52:15.18 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/6/2011 9:57:26 AM
    System Uptime: 4/21/2012 9:38:46 AM (0 hours ago)
    .
    Motherboard: ASRock | | G41M-LE
    Processor: Pentium(R) Dual-Core CPU E5200 @ 2.50GHz | CPUSocket | 2500/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 244 GiB total, 111.716 GiB free.
    D: is FIXED (NTFS) - 73 GiB total, 3.662 GiB free.
    E: is FIXED (NTFS) - 148 GiB total, 16.518 GiB free.
    F: is CDROM ()
    Q: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 802.11g PCI Turbo Wireless Adapter
    Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_B8341462&REV_00\4&CF81C54&0&08F0
    Manufacturer: Ralink Technology, Inc.
    Name: 802.11g PCI Turbo Wireless Adapter
    PNP Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_B8341462&REV_00\4&CF81C54&0&08F0
    Service: RT61
    .
    ==== System Restore Points ===================
    .
    RP178: 4/2/2012 10:42:48 PM - System Checkpoint
    RP179: 4/3/2012 3:00:14 AM - Software Distribution Service 3.0
    RP180: 4/3/2012 8:50:51 PM - Removed Java(TM) 6 Update 22
    RP181: 4/3/2012 11:11:36 PM - Software Distribution Service 3.0
    RP182: 4/4/2012 5:30:42 PM - Installed HiJackThis
    RP183: 4/5/2012 3:00:45 AM - Software Distribution Service 3.0
    RP184: 4/6/2012 3:00:14 AM - Software Distribution Service 3.0
    RP185: 4/7/2012 3:00:14 AM - Software Distribution Service 3.0
    RP186: 4/8/2012 3:00:13 AM - Software Distribution Service 3.0
    RP187: 4/9/2012 3:00:14 AM - Software Distribution Service 3.0
    RP188: 4/10/2012 3:00:15 AM - Software Distribution Service 3.0
    RP189: 4/11/2012 3:00:14 AM - Software Distribution Service 3.0
    RP190: 4/12/2012 3:00:14 AM - Software Distribution Service 3.0
    RP191: 4/13/2012 3:00:15 AM - Software Distribution Service 3.0
    RP192: 4/14/2012 3:00:14 AM - Software Distribution Service 3.0
    RP193: 4/15/2012 3:00:14 AM - Software Distribution Service 3.0
    RP194: 4/16/2012 3:00:15 AM - Software Distribution Service 3.0
    RP195: 4/17/2012 3:00:21 AM - Software Distribution Service 3.0
    RP196: 4/18/2012 3:00:14 AM - Software Distribution Service 3.0
    RP197: 4/19/2012 3:00:14 AM - Software Distribution Service 3.0
    RP198: 4/20/2012 3:00:16 AM - Software Distribution Service 3.0
    RP199: 4/21/2012 1:12:12 AM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    .
    %WS4_ARP_DISPLAY%
    µTorrent
    Add or Remove Adobe Creative Suite 3 Master Collection
    Adobe Acrobat 8 Professional
    Adobe After Effects CS3
    Adobe After Effects CS3 Presets
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe BridgeTalk Plugin CS3
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Contribute CS3
    Adobe Creative Suite 3 Master Collection
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Dreamweaver CS3
    Adobe Encore CS3
    Adobe Encore CS3 Codecs
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Fireworks CS3
    Adobe Flash CS3
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Flash Video Encoder
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Illustrator CS3
    Adobe InDesign CS3
    Adobe InDesign CS3 Icon Handler
    Adobe Linguistics CS3
    Adobe MotionPicture Color Files
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Premiere Pro CS3
    Adobe Premiere Pro CS3 Functional Content
    Adobe Premiere Pro CS3 Third Party Content
    Adobe Reader X (10.1.2)
    Adobe Setup
    Adobe SING CS3
    Adobe Soundbooth CS3
    Adobe Soundbooth CS3 Codecs
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe Version Cue CS3 Server
    Adobe Video Profiles
    Adobe WAS CS3
    Adobe WinSoft Linguistics Plugin
    Adobe XMP DVA Panels CS3
    Adobe XMP Panels CS3
    AHV content for Acrobat and Flash
    AnswerWorks 4.0 Runtime - English
    AnswerWorks 5.0 English Runtime
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AutoCAD Architecture 2010
    AutoCAD Architecture 2010 Language Pack - English
    Autodesk Architectural Desktop 2005
    Autodesk Design Review 2010
    Autodesk DWF Viewer
    Bonjour
    DVDFab 7.0.9.2 (05/08/2010)
    EVGA Precision 2.1.1
    Higher Score on the SAT/PSAT
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB954550-v5)
    hp officejet 7100 series
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 31
    Magic ISO Maker v5.4 (build 0251)
    Malwarebytes Anti-Malware version 1.61.0.1400
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Service Pack 1
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Mozilla Firefox 11.0 (x86 en-US)
    MSI Wireless LAN Card
    MSXML 4.0 SP3 Parser
    MSXML 4.0 SP3 Parser (KB973685)
    NVIDIA Control Panel 290.53
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA Graphics Driver 290.53
    NVIDIA Install Application
    NVIDIA nView 136.02
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    NVIDIA PhysX System Software 9.11.1107
    NVIDIA Update 1.6.24
    NVIDIA Update Components
    OpenOffice.org 3.3
    PDF Settings
    Platform
    PowerISO
    QuickTime
    Rainmeter
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Recover Keys
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982665)
    SES Driver
    SpeedyPC
    System Requirements Lab for Intel
    TurboTax 2008
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wnmiper
    TurboTax 2008 wrapper
    TurboTax 2009
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wnmiper
    TurboTax 2009 wrapper
    TurboTax 2010
    TurboTax 2010 WinPerFedFormset
    TurboTax 2010 WinPerReleaseEngine
    TurboTax 2010 WinPerTaxSupport
    TurboTax 2010 wnmiper
    TurboTax 2010 wrapper
    TurboTax Deluxe 2007
    TurboTax Deluxe Deduction Maximizer 2006
    TurboTax Home & Business 2006
    TurboTax ItsDeductible 2006
    TurboTax Premier 2004
    TurboTax Premier 2005
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2598306) 32-Bit Edition
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VIA Platform Device Manager
    VLC media player 1.1.11
    WebFldrs XP
    WexTech AnswerWorks
    Winamp
    Winamp Detector Plug-in
    Windows Rights Management Client Backwards Compatibility SP2
    Windows Rights Management Client with Service Pack 2
    WinRAR 4.01 (32-bit)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/19/2012 4:56:29 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
    4/18/2012 12:33:30 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    4/18/2012 10:31:46 AM, error: Service Control Manager [7023] - The Btserial service terminated with the following error: Access is denied.
    4/18/2012 10:31:35 AM, error: Service Control Manager [7023] - The Sp_clamsrv service terminated with the following error: Access is denied.
    4/18/2012 10:31:35 AM, error: Service Control Manager [7023] - The Pdlnecfg service terminated with the following error: The specified module could not be found.
    4/18/2012 10:31:35 AM, error: Service Control Manager [7023] - The Mksvirmonsvc service terminated with the following error: The specified module could not be found.
    4/18/2012 10:31:35 AM, error: Service Control Manager [7023] - The GoProto service terminated with the following error: The specified module could not be found.
    4/18/2012 10:29:48 AM, error: dmboot [3] - dmboot: Failed to start volume Volume4 (N:)
    4/17/2012 3:01:15 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007f0f4: Security Update for Windows XP (KB2481109).
    .
    ==== End Of File ===========================

    ComboFix 12-04-20.03 - Me 04/21/2012 10:24:06.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1677 [GMT -6:00]
    Running from: d:\documents and settings\Me\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    d:\documents and settings\Me\Application Data\inst.exe
    D:\setup.exe
    d:\windows\$NtUninstallKB14012$
    d:\windows\$NtUninstallKB14012$\1514368255\@
    d:\windows\$NtUninstallKB14012$\1514368255\cfg.ini
    d:\windows\$NtUninstallKB14012$\1514368255\Desktop.ini
    d:\windows\$NtUninstallKB14012$\1514368255\L\syjvwjii
    d:\windows\$NtUninstallKB14012$\1514368255\oemid
    d:\windows\$NtUninstallKB14012$\1514368255\U\00000001.@
    d:\windows\$NtUninstallKB14012$\1514368255\U\00000002.@
    d:\windows\$NtUninstallKB14012$\1514368255\U\00000004.@
    d:\windows\$NtUninstallKB14012$\1514368255\U\80000000.@
    d:\windows\$NtUninstallKB14012$\1514368255\U\80000004.@
    d:\windows\$NtUninstallKB14012$\1514368255\U\80000032.@
    d:\windows\$NtUninstallKB14012$\1514368255\version
    d:\windows\$NtUninstallKB14012$\4175661304
    d:\windows\dasetup.log
    d:\windows\system\VB40032.DLL
    d:\windows\system32\dds_trash_log.cmd
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-21 to 2012-04-21 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\windows\system32\wbem\snmp
    2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\windows\system32\xircom
    2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\program files\microsoft frontpage
    2012-04-21 06:08 . 2012-02-29 14:08 148480 ------w- d:\windows\system32\dllcache\imagehlp.dll
    2012-04-13 16:28 . 2012-04-13 16:28 -------- d-----w- d:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    2012-04-05 00:14 . 2012-04-05 00:14 -------- d-----w- d:\documents and settings\Me\Application Data\Malwarebytes
    2012-04-05 00:14 . 2012-04-05 00:14 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-05 00:14 . 2012-04-21 06:03 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
    2012-04-05 00:14 . 2012-04-04 21:56 22344 ----a-w- d:\windows\system32\drivers\mbam.sys
    2012-04-05 00:08 . 2012-04-05 00:08 -------- d-----w- d:\documents and settings\Administrator
    2012-04-04 23:30 . 2012-04-04 23:30 388096 ----a-r- d:\documents and settings\Me\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2012-04-04 04:37 . 2012-04-04 04:37 -------- d-sh--w- d:\documents and settings\NetworkService\PrivacIE
    2012-04-04 02:53 . 2012-04-04 02:53 -------- d-----w- d:\program files\Common Files\Java
    2012-04-04 02:51 . 2012-04-04 02:51 73728 ----a-w- d:\windows\system32\javacpl.cpl
    2012-04-04 02:51 . 2012-04-04 02:51 476904 ----a-w- d:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2012-04-04 02:47 . 2012-04-04 04:38 418464 ----a-w- d:\windows\system32\FlashPlayerApp.exe
    2012-03-25 19:03 . 2012-03-25 19:03 200836 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
    2012-03-25 19:03 . 2005-04-04 05:02 753664 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
    2012-03-25 19:03 . 2005-04-04 05:02 69714 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
    2012-03-25 19:03 . 2005-04-04 05:01 274432 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
    2012-03-25 19:03 . 2005-04-04 05:00 184320 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
    2012-03-25 19:03 . 2005-04-04 04:59 5632 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
    2012-03-25 19:03 . 2012-03-25 19:03 331908 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
    2012-03-25 17:24 . 2012-03-25 17:24 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\IsolatedStorage
    2012-03-25 17:08 . 2012-03-25 17:08 -------- d-----w- d:\documents and settings\Me\Local Settings\Application Data\IsolatedStorage
    2012-03-23 03:36 . 2004-04-19 05:42 733184 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iKernel.dll
    2012-03-23 03:36 . 2004-04-19 05:40 69715 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\ctor.dll
    2012-03-23 03:36 . 2004-04-19 05:39 266240 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iscript.dll
    2012-03-23 03:36 . 2004-04-19 05:39 172032 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iuser.dll
    2012-03-23 03:36 . 2004-04-19 05:39 5632 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\DotNetInstaller.exe
    2012-03-23 03:36 . 2012-03-23 03:36 303236 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\setup.dll
    2012-03-23 03:36 . 2012-03-23 03:36 180356 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iGdi.dll
    2012-03-23 03:18 . 2003-04-16 07:10 110592 ----a-w- d:\windows\system32\tsccvid.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-04 04:38 . 2011-12-06 18:25 70304 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-04 02:51 . 2011-12-17 07:55 472808 ----a-w- d:\windows\system32\deployJava1.dll
    2012-03-20 23:33 . 2012-03-20 23:33 40960 ----a-r- d:\documents and settings\Me\Application Data\Microsoft\Installer\{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}\NewShortcut3_2E7595EC4FB14E2993D49083C8A9B107.exe
    2012-03-16 03:39 . 2012-03-16 03:39 28672 ----a-w- d:\windows\system32\qttask.exe
    2012-03-01 11:01 . 2009-03-08 02:34 916992 ----a-w- d:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2009-03-08 02:34 1469440 ----a-w- d:\windows\system32\inetcpl.cpl
    2012-03-01 11:01 . 2009-03-08 02:34 43520 ----a-w- d:\windows\system32\licmgr10.dll
    2012-02-29 14:08 . 2008-11-13 13:18 178176 ----a-w- d:\windows\system32\wintrust.dll
    2012-02-29 14:08 . 2008-04-14 11:00 148480 ----a-w- d:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2009-03-08 02:35 385024 ----a-w- d:\windows\system32\html.iec
    2012-02-29 04:20 . 2012-02-29 04:20 127 ----a-w- d:\windows\sophos.tmp
    2012-02-15 17:01 . 2012-03-15 22:36 4547944 ----a-w- d:\windows\system32\usbaaplrc.dll
    2012-02-15 17:01 . 2012-03-15 22:36 43520 ----a-w- d:\windows\system32\drivers\usbaapl.sys
    2012-02-07 17:02 . 2012-02-07 17:02 1070352 ----a-w- d:\windows\system32\MSCOMCTL.OCX
    2012-02-03 09:26 . 2009-02-09 10:08 1869184 ----a-w- d:\windows\system32\win32k.sys
    2012-03-18 05:21 . 2011-12-06 18:11 97208 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-03-26 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . d:\windows\system32\drivers\tcpip.sys
    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . d:\windows\system32\dllcache\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "HDAudDeck"="d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-01-09 33570816]
    "PWRISOVM.EXE"="d:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
    "Acrobat Assistant 8.0"="d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
    "APSDaemon"="d:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
    "SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "Malwarebytes' Anti-Malware"="d:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    .
    d:\documents and settings\Me\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - d:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    Rainmeter.lnk - d:\program files\Rainmeter\Rainmeter.exe [2012-1-8 105160]
    .
    d:\documents and settings\All Users\Start Menu\Programs\Startup\
    AutoCAD Startup Accelerator.lnk - d:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-25 10872]
    HPAiODevice(hp officejet 7100 series) - 1.lnk - d:\program files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2003-6-25 495682]
    MSI Wireless Utility.lnk - d:\program files\MSI\Common\RaUI.exe [2011-12-6 425984]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "d:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0d:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
    "d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "d:\\Program Files\\uTorrent\\uTorrent.exe"=
    "d:\\Documents and Settings\\Me\\My Documents\\Downloads\\utorrent.exe"=
    "d:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "d:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "d:\\Program Files\\iTunes\\iTunes.exe"=
    "d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    .
    R2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/4/2012 6:14 PM 654408]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;d:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [1/6/2012 8:56 AM 2348864]
    R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [4/4/2012 6:14 PM 22344]
    R3 pcouffin;VSO Software pcouffin;d:\windows\system32\drivers\pcouffin.sys [1/8/2012 11:23 AM 47360]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;d:\windows\system32\drivers\viahduaa.sys [1/6/2012 12:28 PM 993280]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/3/2012 8:47 PM 253600]
    S3 cpudrv;cpudrv;d:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 11:08 AM 11336]
    S3 WDC_SAM;WD SCSI Pass Thru driver;d:\windows\system32\drivers\wdcsam.sys [3/15/2012 4:38 PM 11520]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    lvusbsta
    ctljystk
    HssSrv
    se2Dnd5
    cltnetcnservice
    nimxdfk
    F700imd
    dvpapi
    pgsql-8.0
    us30sys
    QPSched
    dlbu_device
    dcpflics
    webrootcommagentservice
    tavsvc
    firelm01
    MTC0001_ESB
    IntelC51
    vaiomediaplatform-videoserver-appserver
    SE27obex
    se59obex
    winpppoverethernet
    quickbooksdb
    agnwifi
    viagfx
    oracleorahome811cman
    awecho
    regmon701
    Si3114r5
    gearsecurity
    icm10blk
    ntsyslog
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-21 d:\windows\Tasks\Adobe Flash Player Updater.job
    - d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 04:38]
    .
    2012-04-20 d:\windows\Tasks\AppleSoftwareUpdate.job
    - d:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
    .
    2012-04-20 d:\windows\Tasks\SpeedyPC Program Check.job
    - d:\program files\SpeedyPC\SpeedyPC.exe [2010-05-19 23:10]
    .
    2012-04-19 d:\windows\Tasks\SpeedyPC.job
    - d:\program files\SpeedyPC\SpeedyPC.exe [2010-05-19 23:10]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    FF - ProfilePath - d:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\vugw0kov.default\
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-21 10:34
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HDAudDeck = d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,8e,e0,a8,30,b5,77,42,a1,fd,32,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,8e,e0,a8,30,b5,77,42,a1,fd,32,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(4008)
    d:\windows\system32\WININET.dll
    d:\windows\system32\msi.dll
    d:\windows\system32\ieframe.dll
    d:\windows\system32\webcheck.dll
    d:\windows\system32\WPDShServiceObj.dll
    d:\windows\system32\PortableDeviceTypes.dll
    d:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    d:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    d:\program files\Bonjour\mDNSResponder.exe
    d:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    d:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    d:\program files\Java\jre6\bin\jqs.exe
    d:\program files\OpenOffice.org 3\program\soffice.exe
    d:\windows\system32\wscntfy.exe
    d:\program files\OpenOffice.org 3\program\soffice.bin
    d:\program files\iPod\bin\iPodService.exe
    d:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    d:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    d:\program files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    d:\program files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-21 10:38:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-21 16:38
    .
    Pre-Run: 3,792,707,584 bytes free
    Post-Run: 4,777,283,584 bytes free
    .
    - - End Of File - - 731CEFD1711A401CA2F78354ADAF7337
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Can you tell me please if you intentionally disabled the SFC> System File Checker?
    Also tell me if you open Internet Explorer, do you get a page with a green background and hear a sound like a whistle?

    There is an entry that can be caused by a Worm: mWinlogon: SfcDisable=-99 (0xffffff9d)

    RenameLoi.A is a worm that carries out several modifications in the Windows Registry, which prevent the user from working with the computer as usual. These modifications prevent the user from carrying out the following actions, among others:
    • Viewing the processes that are being run through the Task Manager.
    • Modifying the configuration of the features of the folders.
    • This spreads through local, removable and mapped drives, making copies of itself in them.
    • Additionally, it modifies the start and search page of Internet Explorer.

      It disables Windows File Protection (WFP). This implies that the Windows protected files can be modified, which could cause problems with the operating system and the installed programs.
      ------------------------------------------------------------------
      Are you experiencing any of the above?
      ----------------------------------------------------------------
      I would like you to completely disable SpeedyPC to include the Scheduled Task for it that you have set. This is a registry cleaner- something we don't recommend to anyone as the risks outweigh any small benefit you may get. Feel free to uninstall it.

      You have several pieces of software loading and running in the background, the function being to make the PC and surfing go faster. But what you haven't considered is that these are starting on boot and running in the background, using resources from the system. (I'll specify those for you later.)

      All you tell me is>
      You do not give me any details of what found this malware or any particular problems you were having.
      =================================================
      I also note these 2 drives:
      But all the processes in the logs are on the D Drive instead of the C Drive. Could this be the reason?
      ================================================
      Before we run other scans let's check this:
      To run the Eset Online Virus Scan:
      If you use Internet Explorer:
      1. Open the ESETOnlineScan
      2. Skip to #4 to "Continue with the directions"

        If you are using a browser other than Internet Explorer
      3. Open Eset Smart Installer
        [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
        [o] Double click on the desktop icon to run.
        [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
      4. Continue with the directions.
      5. Check 'Yes I accept terms of use.'
      6. Click Start button
      7. Accept any security warnings from your browser.
      8. Uncheck 'Remove found threats'
      9. Check 'Scan archives'
      10. Leave remaining settings as is.
      11. Press the Start button.
      12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
      13. When the scan completes, press List of found threats
      14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
      15. Push the Back button, then Finish
      NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

      Please answer my questions and leave the Eset log in your next reply. I will be giving you some script to run through Combofix after the above.
     
  5. skuzzi

    skuzzi TS Rookie Topic Starter


    Bobbye –

    I have not intentionally disabled the System File checker. When opening IE, I get through to msn.com. (I don’t typically use IE, using Firefox instead. I believe after running ComboFix, the computer rebooted and the IE desktop icon (re)appeared. I wouldn’t normally have the desktop icon.)

    Jumping to run ESET online through IE, I get a popup window with a “Failed load” ‘x’ in the window (like a missing image response or missing ActiveX?). So am running it through the download and my usual FireFox.

    Back to your request for more basic info – you’re right- I lacked supplying much info with my first post. Since this occurred several weeks ago, I’ll try to retrace the unfolding events. AVG AV Free Edition 2012 started with an alert to 2 Trojans – Crypt.AQLW and ?. I attempted to heal/quarantine the infections however the alerts continued to appear. Often the infected file name changes and cannot be found or is inaccessible, and occur in the Windows/system32 folder. In proceeding through the process on TechSpot, I removed AVG as requested and am not sure about the logs which might be more informative than my memory. On or about April 3 or 4, I was updating Java and Flash and afterwards, I started noticing the AVG alerts. I downloaded MBAM and HiJack This and installed on 4.4.2012 in order to look for suspicious activity.

    Regarding any other symptoms, the computer seems to function fine albeit with AVG finding infected files, and infected system restore points. I almost immediately disconnected from the internet/network and stopped using the machine except to retrieve data files via flash drive. Looking in the Task manager I couldn’t find unusual processes; likewise in Windows files, I looked for newly created/modified files with no obvious answers. The four symptoms you list that relate to the RenameLoi.A worm don’t seem to be my symptoms.

    Regarding the C and D drives – I have OS on both drives. D drive is the main drive I use; at the moment, I have been intending to scrub the C drive as “corrupt and unstable”. On booting, often the chkdsk utility runs on C drive. I understand that C is usually (and used to be on this machine) the “main” drive.

    Regarding Speedy PC – I have never used it; and recognize its lack of value. I will uninstall.

    Please be aware that I have been using a flash drive to transfer files rather than connect to my network or internet. If in fact the malware is replicating on other drives, I will have to deal with this as well. I have been maintaining internet silence with the infected machine except for brief intervals such as ESET download and earlier MBAM updates.

    The ESET log is pasted below:

    C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP101\A0185121.exe a variant of Win32/InstallCore.D application
    C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP102\A0185885.exe Win32/Toolbar.Zugo application
    C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP46\A0140870.exe a variant of Win32/InstallCore.D application
    C:\WINDOWS\Temp\jar_cache1286996826794414652.tmp a variant of Java/Exploit.CVE-2011-3544.A trojan
    D:\Documents and Settings\Me\Local Settings\Application Data\Mozilla\Firefox\Profiles\vugw0kov.default\Cache\7\E9\8A9FCd01 HTML/Iframe.B.Gen virus
    D:\Documents and Settings\Me\My Documents\Downloads\architecturaldesktop2005keygenparadox.zip a variant of Win32/Kryptik.ADSH trojan
    D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP181\A0034908.sys Win32/Sirefef.DA trojan
    D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP181\A0035911.sys Win32/Sirefef.DA trojan
    D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP181\A0035965.sys Win32/Sirefef.DA trojan
    D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP181\A0036005.sys Win32/Sirefef.DA trojan
    D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP182\A0036052.sys Win32/Sirefef.DA trojan
    D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP182\A0036093.sys Win32/Sirefef.DA trojan
    D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP196\A0038716.dll Win32/Sirefef.ER trojan
    D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP196\A0038717.dll Win32/Sirefef.ER trojan
    D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP196\A0039702.sys Win32/Sirefef.DA trojan
    D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP198\A0039832.sys Win32/Sirefef.DA trojan
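Added example, not from the thread or from ESET, MSE or any other tool named in it: a small Python parser for ESET export lines in the layout pasted above, which separates hits stored inside System Restore snapshots (dormant unless a restore is performed) from hits in locations that are actually in use, the split on which the cleanup in this thread turns. The regexes and location labels are my assumptions; the sample log is a constructed subset of the lines above.

```python
import re
from collections import Counter

# Constructed sample in the layout of the ESET export pasted in this thread:
# <path> [a variant of] <platform>/<family>.<variant> <classification>
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP101\A0185121.exe a variant of Win32/InstallCore.D application
C:\WINDOWS\Temp\jar_cache1286996826794414652.tmp a variant of Java/Exploit.CVE-2011-3544.A trojan
D:\Documents and Settings\Me\Local Settings\Application Data\Mozilla\Firefox\Profiles\vugw0kov.default\Cache\7\E9\8A9FCd01 HTML/Iframe.B.Gen virus
D:\Documents and Settings\Me\My Documents\Downloads\architecturaldesktop2005keygenparadox.zip a variant of Win32/Kryptik.ADSH trojan
D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP181\A0034908.sys Win32/Sirefef.DA trojan
D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP196\A0038716.dll Win32/Sirefef.ER trojan
"""

# Windows paths never contain "/", while every ESET detection name has exactly
# one ("Win32/...", "Java/...", "HTML/..."), so the non-greedy path group stops
# at the first token that looks like a detection name. Assumed format.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?:a variant of\s+)?"
    r"(?P<name>[A-Za-z0-9]+/\S+)\s+(?P<kind>application|trojan|virus|worm)$"
)

# Location rules, checked in order. Labels are my own, not ESET's.
LOCATION_RULES = [
    ("restore point", re.compile(r"\\System Volume Information\\_restore\{", re.I)),
    ("java cache", re.compile(r"\\jar_cache|\\Sun\\Java\\Deployment\\cache\\", re.I)),
    ("browser cache", re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\Cache\\", re.I)),
    ("user download", re.compile(r"\\Downloads\\", re.I)),
]


def classify_location(path):
    """Return the first matching location label, or 'other' for anything else."""
    for label, rule in LOCATION_RULES:
        if rule.search(path):
            return label
    return "other"


def parse_eset_log(text):
    """Parse one finding per non-empty line; raise on a line we cannot read."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        findings.append({
            "path": m["path"],
            "name": m["name"],
            "kind": m["kind"],
            "location": classify_location(m["path"]),
        })
    return findings


def triage(findings):
    """Split findings into dormant restore-point copies and active locations,
    and count detections per platform/family (e.g. 'Win32/Sirefef')."""
    dormant = [f for f in findings if f["location"] == "restore point"]
    active = [f for f in findings if f["location"] != "restore point"]
    families = Counter(f["name"].split(".", 1)[0] for f in findings)
    return {"active": active, "dormant": dormant, "families": families}


def active_paths(findings):
    """Paths outside restore points, i.e. the ones that still need handling."""
    return [f["path"] for f in triage(findings)["active"]]


if __name__ == "__main__":
    result = triage(parse_eset_log(SAMPLE_LOG))
    print(f"{len(result['dormant'])} finding(s) in restore points (dormant)")
    for f in result["active"]:
        print(f"ACTIVE [{f['location']}] {f['name']}: {f['path']}")
    print("families:", dict(result["families"]))
```

Restore-point hits are reported under System Volume Information because scanners read that folder like any other; they only matter if that snapshot is later restored, which is why the thread ends by purging old restore points rather than "cleaning" them.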
     
  6. skuzzi

    skuzzi TS Rookie Topic Starter

    Bobbye -

    While waiting for your response, I installed MSE (MS Security Essentials) and inadvertently, after installing, MSE scanned the computer and deleted the found infections - including Win32/Sirefef.AH and Win32/Sirefef.AC and several other Java exploits (on the old C: Drive).

    I apologize as I know this contradicts TS instructions and messes with the current diagnosis and solution. I await your advice.

    skuzzi
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    My delay-sorry. Unavoidable.

    The Win32/Sirefef.DA trojans seen are in the System Volume - that is where the Restore points are kept. They are no longer active and could only affect the system if you did a System Restore and happened to choose one of the infected points. I'll have you set a new clean restore point and remove the old restore points at the end of cleaning.

    Virus scanners can't read locations. So MSE, like Eset, is likely identifying this malware in the restore point. This is a protected, system file and isn't 'quarantined or deleted' in a security scan, even though it may say that.

    The only new entries in Eset are these:


    #1 is in the Java cache. Malware usually finds its way there due to an outdated version of Java on the system. It is on the C Drive.
    #2 is in the Firefox cache. It can be cleared as follows:
    Clear Firefox Cache
    1. Open Firefox> Click on Tools> Options
    2. Select the Advanced panel.
    3. Click on the Network tab
    4. In the Offline Storage section, click Clear Now.
    #3 is malware from a pirated program. I will set up the move for all 3 entries. But to continue support, you will have to uninstall the pirated program.


    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\WINDOWS\Temp\jar_cache1286996826794414652.tmp 
      D:\Documents and Settings\Me\Local Settings\Application Data\Mozilla\Firefox\Profiles\vugw0kov.default\Cache\7\E9\8A9FCd01 
      D:\Documents and Settings\Me\My Documents\Downloads\architecturaldesktop2005keygenparadox.zip 
      
      :Commands
      [purity]
      [emptytemp]
      [*][emptyjavacache]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ================================================================
    You should also disinfect your flash drive.
    • Please download Panda USB Vaccine (you must provide a valid e-mail and they will send you a download link to this e-mail address) to your desktop.
    • Install and run it.
    • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.
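    The triage above rests on one distinction: a detection inside a System Volume Information\_restore{...}\RPnnn folder is a dormant restore-point copy, while a hit in the Java cache, the Firefox cache or the Downloads folder is a live file that still needs moving. The script below, added here as an illustration and not part of the thread or of any of the tools mentioned in it, applies that distinction to ESET-style "path verdict" lines so the inactive restore-point entries can be counted separately from the ones that matter. The three restore-point lines are modelled on the ones posted in the thread; the verdicts on the three live-file lines are constructed, since the thread only gives their paths. It assumes ESET verdicts carry a "Platform/Family" token (Win32/..., JS/...) and that Windows paths contain no forward slash.

```python
"""Sort antivirus scan-log lines by where the flagged file lives.

Added example, not code from the thread or from ESET/OTMoveIt.  Splits an
ESET-style "<path> <verdict>" line into its parts, then decides whether the
path is a dormant restore-point copy or a live location that still needs
attention.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumption: the verdict is the first whitespace-separated token that
# contains a "/" (ESET names detections as Platform/Family), optionally
# preceded by "a variant of" / "probably a variant of".  Windows paths may
# contain spaces but not "/", so the lazy path group stops at the verdict.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<verdict>(?:probably )?(?:a variant of )?[A-Za-z0-9_.-]+/\S+.*)$"
)

# Location patterns, matched case-insensitively against the file path.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)
JAVA_CACHE_RE = re.compile(r"(\\jar_cache[^\\]*\.tmp$)|(\\Java\\Deployment\\cache\\)", re.I)
FIREFOX_CACHE_RE = re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\Cache\\", re.I)
DOWNLOADS_RE = re.compile(r"\\Downloads\\", re.I)
SYSTEM_RE = re.compile(r"\\WINDOWS\\system32\\", re.I)


@dataclass(frozen=True)
class Detection:
    path: str
    verdict: str
    location: str  # "restore point", "java cache", "browser cache", ...
    active: bool   # False for restore-point copies, which never execute


def classify(path: str) -> Tuple[str, bool]:
    """Map a path to a location label and whether the file is live."""
    if RESTORE_RE.search(path):
        return "restore point", False
    if JAVA_CACHE_RE.search(path):
        return "java cache", True
    if FIREFOX_CACHE_RE.search(path):
        return "browser cache", True
    if DOWNLOADS_RE.search(path):
        return "user download", True
    if SYSTEM_RE.search(path):
        return "system directory", True
    return "other", True


def parse_line(line: str) -> Optional[Detection]:
    """Parse one scan-log line; return None for lines that are not detections."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, verdict = m.group("path"), m.group("verdict").strip()
    location, active = classify(path)
    return Detection(path, verdict, location, active)


def triage(lines: Iterable[str]) -> List[Detection]:
    """Parse every line, dropping headers and blanks."""
    return [d for d in (parse_line(l) for l in lines) if d is not None]


def summarize(detections: Iterable[Detection]) -> Counter:
    """Count detections per location label."""
    return Counter(d.location for d in detections)


def active_detections(detections: Iterable[Detection]) -> List[Detection]:
    """Only the hits that live outside restore points and need action."""
    return [d for d in detections if d.active]


# Constructed sample: restore-point lines modelled on the thread's ESET log;
# the verdicts on the last three lines are made up, the thread gives only paths.
RP = r"D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}"
SAMPLE_LINES = [
    "ESET Scan",  # header line, ignored by the parser
    RP + r"\RP181\A0036005.sys Win32/Sirefef.DA trojan",
    RP + r"\RP182\A0036052.sys Win32/Sirefef.DA trojan",
    RP + r"\RP196\A0038716.dll Win32/Sirefef.ER trojan",
    r"C:\WINDOWS\Temp\jar_cache1286996826794414652.tmp probably a variant of Java/Sample.A trojan",
    r"D:\Documents and Settings\Me\Local Settings\Application Data\Mozilla\Firefox"
    r"\Profiles\vugw0kov.default\Cache\7\E9\8A9FCd01 JS/Sample.B trojan",
    r"D:\Documents and Settings\Me\My Documents\Downloads\architecturaldesktop2005keygenparadox.zip"
    r" a variant of Win32/Sample.C application",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for label, n in sorted(summarize(found).items()):
        print(f"{n:3d}  {label}")
    print("\nStill live and needing action:")
    for d in active_detections(found):
        print(f"  [{d.location}] {d.path}\n      -> {d.verdict}")
```

Run as-is it prints three restore-point hits (dormant, handled by purging old restore points once the system is clean) and three live files, which is the same split the helper draws by eye above.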
     
  8. skuzzi

    skuzzi TS Rookie Topic Starter

    OTM has been running for 12 hours and seems to be frozen.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please stop OTM. Reboot the computer and run the following:

    Download CKScanner and save to your desktop.
    • Double-click CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
    Remove this:

    and any other pirated programs you have. After this has been done, run the Eset scanner again.

    Please note: if you want to continue getting support, any pirated software on the system will have to be removed first.
    ===========================================
    You may have gotten this infection by using cracks or keygens> here's what it is:
    Source: Anvisoft

    Even if we remove all of the entries we find, the system may already be compromised and a Backdoor may be in place.
     
  10. skuzzi

    skuzzi TS Rookie Topic Starter

    Here are results of the two scans:

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\program files\adobe\adobe premiere pro cs3\plug-ins\en_us\vstplugins\decrackler1.dll
    c:\program files\adobe\adobe premiere pro cs3\plug-ins\en_us\vstplugins\decrackler2.dll
    c:\program files\adobe\adobe premiere pro cs3\plug-ins\en_us\vstplugins\decrackler6.dll
    scanner sequence 3.CP.11.PVABCJ
    ----- EOF -----

    ESET Scan#2:

    C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP101\A0185121.exe a variant of Win32/InstallCore.D application
    C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP102\A0185885.exe Win32/Toolbar.Zugo application
    C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP46\A0140870.exe a variant of Win32/InstallCore.D application

    skuzzi
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    To continue support, please review my comments about the pirated program.
     
  12. skuzzi

    skuzzi TS Rookie Topic Starter

    I thought I had - what are you referring to that I still need to remove?
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This was what I was referring to:
    Strange: although OTM didn't complete, the files I had for removal do not show up in the recent Eset scan.

    Please give me an update on how the system is doing now.
    =================================================
    This needs to be run also:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double-click TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
    • If malicious objects are found, they will show in the Scan results and offer three (3) options.
    • Select the action Cure to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • Click Continue.
    • Next, the utility applies selected actions and outputs the result. Save and paste in your next reply.
    • A reboot is required after disinfection.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
     
  14. skuzzi

    skuzzi TS Rookie Topic Starter

    OK -

    Regarding the system status - all is generally quiet. Throughout the process working with TS, AVG and now MS Essentials typically would find and "quarantine" various files - Crypt.AQLW and Win32/Sirefef.AH. The last time these were found was on 4.28.12, after I had tried running OTM and the machine froze. For the last 48+ hours, though, no activity. I remain offline/disconnected from the network.

    Do I try running OTM again?

    Ran TDSSkiller with no negative detection. Log posted below.

    21:28:14.0734 2820 TDSS rootkit removing tool 2.7.33.0 Apr 24 2012 18:43:43
    21:28:14.0750 2820 ============================================================
    21:28:14.0750 2820 Current date / time: 2012/05/01 21:28:14.0750
    21:28:14.0750 2820 SystemInfo:
    21:28:14.0750 2820
    21:28:14.0750 2820 OS Version: 5.1.2600 ServicePack: 3.0
    21:28:14.0750 2820 Product type: Workstation
    21:28:14.0750 2820 ComputerName: DOMUS1
    21:28:14.0750 2820 UserName: Me
    21:28:14.0750 2820 Windows directory: D:\WINDOWS
    21:28:14.0750 2820 System windows directory: D:\WINDOWS
    21:28:14.0750 2820 Processor architecture: Intel x86
    21:28:14.0750 2820 Number of processors: 2
    21:28:14.0750 2820 Page size: 0x1000
    21:28:14.0750 2820 Boot type: Normal boot
    21:28:14.0750 2820 ============================================================
    21:28:16.0750 2820 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    21:28:16.0765 2820 Drive \Device\Harddisk1\DR32 - Size: 0xF0000000 (3.75 Gb), SectorSize: 0x200, Cylinders: 0x1E9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
    21:28:16.0781 2820 ============================================================
    21:28:16.0781 2820 \Device\Harddisk0\DR0:
    21:28:16.0781 2820 MBR partitions:
    21:28:16.0781 2820 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1E849D80
    21:28:16.0781 2820 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1E849DBF, BlocksNum 0x927B619
    21:28:16.0781 2820 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x27AC53D8, BlocksNum 0x128BF869
    21:28:16.0781 2820 \Device\Harddisk1\DR32:
    21:28:16.0781 2820 MBR partitions:
    21:28:16.0781 2820 \Device\Harddisk1\DR32\Partition0: MBR, Type 0xB, StartLBA 0x20, BlocksNum 0x77FFE0
    21:28:16.0781 2820 ============================================================
    21:28:16.0828 2820 C: <-> \Device\Harddisk0\DR0\Partition0
    21:28:16.0890 2820 D: <-> \Device\Harddisk0\DR0\Partition1
    21:28:16.0937 2820 E: <-> \Device\Harddisk0\DR0\Partition2
    21:28:16.0937 2820 ============================================================
    21:28:16.0937 2820 Initialize success
    21:28:16.0937 2820 ============================================================
    21:28:18.0609 0520 ============================================================
    21:28:18.0609 0520 Scan started
    21:28:18.0609 0520 Mode: Manual;
    21:28:18.0609 0520 ============================================================
    21:28:19.0968 0520 Abiosdsk - ok
    21:28:19.0968 0520 abp480n5 - ok
    21:28:20.0000 0520 ACPI (8fd99680a539792a30e97944fdaecf17) D:\WINDOWS\system32\DRIVERS\ACPI.sys
    21:28:20.0015 0520 ACPI - ok
    21:28:20.0031 0520 ACPIEC (9859c0f6936e723e4892d7141b1327d5) D:\WINDOWS\system32\drivers\ACPIEC.sys
    21:28:20.0031 0520 ACPIEC - ok
    21:28:20.0109 0520 Adobe Version Cue CS3 (14c23516c990dcd6052152cf034dde40) D:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    21:28:20.0109 0520 Adobe Version Cue CS3 - ok
    21:28:20.0171 0520 AdobeFlashPlayerUpdateSvc (459ac130c6ab892b1cd5d7544626efc5) D:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    21:28:20.0171 0520 AdobeFlashPlayerUpdateSvc - ok
    21:28:20.0171 0520 adpu160m - ok
    21:28:20.0203 0520 aec (8bed39e3c35d6a489438b8141717a557) D:\WINDOWS\system32\drivers\aec.sys
    21:28:20.0218 0520 aec - ok
    21:28:20.0234 0520 AegisP (2f7f3e8da380325866e566f5d5ec23d5) D:\WINDOWS\system32\DRIVERS\AegisP.sys
    21:28:20.0234 0520 AegisP - ok
    21:28:20.0265 0520 AFD (f6b7b1ecd7b41736bdb6ff4b092bcb79) D:\WINDOWS\System32\drivers\afd.sys
    21:28:20.0265 0520 AFD - ok
    21:28:20.0281 0520 agnwifi - ok
    21:28:20.0281 0520 Aha154x - ok
    21:28:20.0281 0520 aic78u2 - ok
    21:28:20.0281 0520 aic78xx - ok
    21:28:20.0312 0520 Alerter (a9a3daa780ca6c9671a19d52456705b4) D:\WINDOWS\system32\alrsvc.dll
    21:28:20.0312 0520 Alerter - ok
    21:28:20.0328 0520 ALG (8c515081584a38aa007909cd02020b3d) D:\WINDOWS\System32\alg.exe
    21:28:20.0328 0520 ALG - ok
    21:28:20.0328 0520 AliIde - ok
    21:28:20.0328 0520 amsint - ok
    21:28:20.0375 0520 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    21:28:20.0375 0520 Apple Mobile Device - ok
    21:28:20.0406 0520 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) D:\WINDOWS\System32\appmgmts.dll
    21:28:20.0406 0520 AppMgmt - ok
    21:28:20.0406 0520 asc - ok
    21:28:20.0406 0520 asc3350p - ok
    21:28:20.0406 0520 asc3550 - ok
    21:28:20.0500 0520 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
    21:28:20.0500 0520 aspnet_state - ok
    21:28:20.0515 0520 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) D:\WINDOWS\system32\DRIVERS\asyncmac.sys
    21:28:20.0515 0520 AsyncMac - ok
    21:28:20.0531 0520 atapi (9f3a2f5aa6875c72bf062c712cfa2674) D:\WINDOWS\system32\DRIVERS\atapi.sys
    21:28:20.0531 0520 atapi - ok
    21:28:20.0531 0520 Atdisk - ok
    21:28:20.0562 0520 Atmarpc (9916c1225104ba14794209cfa8012159) D:\WINDOWS\system32\DRIVERS\atmarpc.sys
    21:28:20.0562 0520 Atmarpc - ok
    21:28:20.0593 0520 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) D:\WINDOWS\System32\audiosrv.dll
    21:28:20.0593 0520 AudioSrv - ok
    21:28:20.0625 0520 audstub (d9f724aa26c010a217c97606b160ed68) D:\WINDOWS\system32\DRIVERS\audstub.sys
    21:28:20.0625 0520 audstub - ok
    21:28:20.0656 0520 Autodesk Licensing Service - ok
    21:28:20.0656 0520 awecho - ok
    21:28:20.0687 0520 Beep (da1f27d85e0d1525f6621372e7b685e9) D:\WINDOWS\system32\drivers\Beep.sys
    21:28:20.0687 0520 Beep - ok
    21:28:20.0718 0520 BITS (574738f61fca2935f5265dc4e5691314) D:\WINDOWS\system32\qmgr.dll
    21:28:20.0781 0520 BITS - ok
    21:28:20.0828 0520 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) D:\Program Files\Bonjour\mDNSResponder.exe
    21:28:20.0828 0520 Bonjour Service - ok
    21:28:20.0859 0520 Browser (7e39a3edc13b076e70fdb9a6f6d7a4b4) D:\WINDOWS\System32\browser.dll
    21:28:20.0859 0520 Browser - ok
    21:28:20.0859 0520 catchme - ok
    21:28:20.0890 0520 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) D:\WINDOWS\system32\drivers\cbidf2k.sys
    21:28:20.0890 0520 cbidf2k - ok
    21:28:20.0890 0520 cd20xrnt - ok
    21:28:20.0906 0520 Cdaudio (c1b486a7658353d33a10cc15211a873b) D:\WINDOWS\system32\drivers\Cdaudio.sys
    21:28:20.0906 0520 Cdaudio - ok
    21:28:20.0937 0520 Cdfs (c885b02847f5d2fd45a24e219ed93b32) D:\WINDOWS\system32\drivers\Cdfs.sys
    21:28:20.0937 0520 Cdfs - ok
    21:28:20.0953 0520 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) D:\WINDOWS\system32\DRIVERS\cdrom.sys
    21:28:20.0953 0520 Cdrom - ok
    21:28:20.0953 0520 Changer - ok
    21:28:20.0968 0520 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) D:\WINDOWS\system32\cisvc.exe
    21:28:20.0968 0520 CiSvc - ok
    21:28:20.0968 0520 ClipSrv (34cbe729f38138217f9c80212a2a0c82) D:\WINDOWS\system32\clipsrv.exe
    21:28:20.0968 0520 ClipSrv - ok
    21:28:21.0062 0520 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) d:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    21:28:21.0062 0520 clr_optimization_v2.0.50727_32 - ok
    21:28:21.0062 0520 cltnetcnservice - ok
    21:28:21.0062 0520 CmdIde - ok
    21:28:21.0062 0520 COMSysApp - ok
    21:28:21.0078 0520 Cpqarray - ok
    21:28:21.0109 0520 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) D:\Program Files\SystemRequirementsLab\cpudrv.sys
    21:28:21.0109 0520 cpudrv - ok
    21:28:21.0125 0520 CryptSvc (3d4e199942e29207970e04315d02ad3b) D:\WINDOWS\System32\cryptsvc.dll
    21:28:21.0125 0520 CryptSvc - ok
    21:28:21.0125 0520 ctljystk - ok
    21:28:21.0125 0520 dac2w2k - ok
    21:28:21.0140 0520 dac960nt - ok
    21:28:21.0171 0520 DcomLaunch (6b27a5c03dfb94b4245739065431322c) D:\WINDOWS\system32\rpcss.dll
    21:28:21.0187 0520 DcomLaunch - ok
    21:28:21.0187 0520 dcpflics - ok
    21:28:21.0203 0520 Dhcp (c51de19619d50cbd03708647aca10e70) D:\WINDOWS\System32\dhcpcsvc.dll
    21:28:21.0203 0520 Dhcp - ok
    21:28:21.0203 0520 Disk (47b6aaec570f2c11d8bad80a064d8ed1) D:\WINDOWS\system32\DRIVERS\disk.sys
    21:28:21.0203 0520 Disk - ok
    21:28:21.0218 0520 dlbu_device - ok
    21:28:21.0218 0520 dmadmin - ok
    21:28:21.0250 0520 dmboot (d992fe1274bde0f84ad826acae022a41) D:\WINDOWS\system32\drivers\dmboot.sys
    21:28:21.0265 0520 dmboot - ok
    21:28:21.0296 0520 dmio (7c824cf7bbde77d95c08005717a95f6f) D:\WINDOWS\system32\drivers\dmio.sys
    21:28:21.0296 0520 dmio - ok
    21:28:21.0312 0520 dmload (e9317282a63ca4d188c0df5e09c6ac5f) D:\WINDOWS\system32\drivers\dmload.sys
    21:28:21.0312 0520 dmload - ok
    21:28:21.0328 0520 dmserver (57edec2e5f59f0335e92f35184bc8631) D:\WINDOWS\System32\dmserver.dll
    21:28:21.0328 0520 dmserver - ok
    21:28:21.0359 0520 DMusic (8a208dfcf89792a484e76c40e5f50b45) D:\WINDOWS\system32\drivers\DMusic.sys
    21:28:21.0359 0520 DMusic - ok
    21:28:21.0390 0520 Dnscache (d977659ae4d8ece5286d99d1ed34614d) D:\WINDOWS\System32\dnsrslvr.dll
    21:28:21.0390 0520 Dnscache - ok
    21:28:21.0406 0520 Dot3svc (b4109c8c3d54c83246997a777724f318) D:\WINDOWS\System32\dot3svc.dll
    21:28:21.0406 0520 Dot3svc - ok
    21:28:21.0437 0520 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) D:\WINDOWS\system32\DRIVERS\Dot4.sys
    21:28:21.0437 0520 dot4 - ok
    21:28:21.0453 0520 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) D:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
    21:28:21.0453 0520 Dot4Print - ok
    21:28:21.0468 0520 Dot4Scan (bd05306428da63369692477ddc0f6f5f) D:\WINDOWS\system32\DRIVERS\Dot4Scan.sys
    21:28:21.0468 0520 Dot4Scan - ok
    21:28:21.0468 0520 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) D:\WINDOWS\system32\DRIVERS\dot4usb.sys
    21:28:21.0468 0520 dot4usb - ok
    21:28:21.0484 0520 dpti2o - ok
    21:28:21.0484 0520 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) D:\WINDOWS\system32\drivers\drmkaud.sys
    21:28:21.0484 0520 drmkaud - ok
    21:28:21.0500 0520 EapHost (2187855a7703adef0cef9ee4285182cc) D:\WINDOWS\System32\eapsvc.dll
    21:28:21.0500 0520 EapHost - ok
    21:28:21.0531 0520 ERSvc (bc93b4a066477954555966d77fec9ecb) D:\WINDOWS\System32\ersvc.dll
    21:28:21.0531 0520 ERSvc - ok
    21:28:21.0546 0520 Eventlog (65df52f5b8b6e9bbd183505225c37315) D:\WINDOWS\system32\services.exe
    21:28:21.0546 0520 Eventlog - ok
    21:28:21.0578 0520 EventSystem (f17f6226bdc0cd5f0bef0daf84d29bec) D:\WINDOWS\system32\es.dll
    21:28:21.0578 0520 EventSystem - ok
    21:28:21.0609 0520 exFat (4d893323dae445e34a4c9038b0551bc9) D:\WINDOWS\system32\drivers\exFat.sys
    21:28:21.0609 0520 exFat - ok
    21:28:21.0609 0520 F700imd - ok
    21:28:21.0640 0520 Fastfat (38d332a6d56af32635675f132548343e) D:\WINDOWS\system32\drivers\Fastfat.sys
    21:28:21.0640 0520 Fastfat - ok
    21:28:21.0671 0520 FastUserSwitchingCompatibility (888cd7b39c37e13a2419becfaaf0a28c) D:\WINDOWS\System32\shsvcs.dll
    21:28:21.0671 0520 FastUserSwitchingCompatibility - ok
    21:28:21.0687 0520 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) D:\WINDOWS\system32\DRIVERS\fdc.sys
    21:28:21.0687 0520 Fdc - ok
    21:28:21.0703 0520 Fips (d45926117eb9fa946a6af572fbe1caa3) D:\WINDOWS\system32\drivers\Fips.sys
    21:28:21.0703 0520 Fips - ok
    21:28:21.0703 0520 firelm01 - ok
    21:28:21.0781 0520 FLEXnet Licensing Service (f76d04f7413b07daa029f6520b64b4e8) D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    21:28:21.0781 0520 FLEXnet Licensing Service - ok
    21:28:21.0796 0520 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) D:\WINDOWS\system32\DRIVERS\flpydisk.sys
    21:28:21.0796 0520 Flpydisk - ok
    21:28:21.0812 0520 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) D:\WINDOWS\system32\DRIVERS\fltMgr.sys
    21:28:21.0812 0520 FltMgr - ok
    21:28:21.0890 0520 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) d:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    21:28:21.0890 0520 FontCache3.0.0.0 - ok
    21:28:21.0921 0520 Fs_Rec (30d42943a54704ef13e2562911dbfcea) D:\WINDOWS\system32\drivers\Fs_Rec.sys
    21:28:21.0921 0520 Fs_Rec - ok
    21:28:21.0937 0520 Ftdisk (6ac26732762483366c3969c9e4d2259d) D:\WINDOWS\system32\DRIVERS\ftdisk.sys
    21:28:21.0937 0520 Ftdisk - ok
    21:28:21.0953 0520 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) D:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    21:28:21.0953 0520 GEARAspiWDM - ok
    21:28:21.0953 0520 gearsecurity - ok
    21:28:22.0000 0520 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) D:\WINDOWS\system32\DRIVERS\msgpc.sys
    21:28:22.0000 0520 Gpc - ok
    21:28:22.0031 0520 HDAudBus (573c7d0a32852b48f3058cfd8026f511) D:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    21:28:22.0031 0520 HDAudBus - ok
    21:28:22.0078 0520 helpsvc - ok
    21:28:22.0093 0520 HidServ - ok
    21:28:22.0093 0520 hidusb (ccf82c5ec8a7326c3066de870c06daf1) D:\WINDOWS\system32\DRIVERS\hidusb.sys
    21:28:22.0093 0520 hidusb - ok
    21:28:22.0109 0520 hkmsvc (8878bd685e490239777bfe51320b88e9) D:\WINDOWS\System32\kmsvc.dll
    21:28:22.0109 0520 hkmsvc - ok
    21:28:22.0109 0520 hpn - ok
    21:28:22.0125 0520 HssSrv - ok
    21:28:22.0140 0520 HTTP (f80a415ef82cd06ffaf0d971528ead38) D:\WINDOWS\system32\Drivers\HTTP.sys
    21:28:22.0156 0520 HTTP - ok
    21:28:22.0187 0520 HTTPFilter (6100a808600f44d999cebdef8841c7a3) D:\WINDOWS\System32\w3ssl.dll
    21:28:22.0187 0520 HTTPFilter - ok
    21:28:22.0187 0520 i2omgmt - ok
    21:28:22.0187 0520 i2omp - ok
    21:28:22.0203 0520 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) D:\WINDOWS\system32\DRIVERS\i8042prt.sys
    21:28:22.0203 0520 i8042prt - ok
    21:28:22.0218 0520 icm10blk - ok
    21:28:22.0265 0520 idsvc (c01ac32dc5c03076cfb852cb5da5229c) d:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    21:28:22.0265 0520 idsvc - ok
    21:28:22.0312 0520 Imapi (083a052659f5310dd8b6a6cb05edcf8e) D:\WINDOWS\system32\DRIVERS\imapi.sys
    21:28:22.0312 0520 Imapi - ok
    21:28:22.0593 0520 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) D:\WINDOWS\system32\imapi.exe
    21:28:22.0593 0520 ImapiService - ok
    21:28:22.0593 0520 ini910u - ok
    21:28:22.0593 0520 IntelC51 - ok
    21:28:22.0625 0520 IntelIde (b5466a9250342a7aa0cd1fba13420678) D:\WINDOWS\system32\DRIVERS\intelide.sys
    21:28:22.0625 0520 IntelIde - ok
    21:28:22.0640 0520 intelppm (8c953733d8f36eb2133f5bb58808b66b) D:\WINDOWS\system32\DRIVERS\intelppm.sys
    21:28:22.0640 0520 intelppm - ok
    21:28:22.0750 0520 IntuitUpdateService (3dc635b66dd7412e1c9c3a77b8d78f25) D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    21:28:22.0750 0520 IntuitUpdateService - ok
    21:28:22.0765 0520 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) D:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    21:28:22.0765 0520 Ip6Fw - ok
    21:28:22.0796 0520 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) D:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    21:28:22.0796 0520 IpFilterDriver - ok
    21:28:22.0812 0520 IpInIp (b87ab476dcf76e72010632b5550955f5) D:\WINDOWS\system32\DRIVERS\ipinip.sys
    21:28:22.0812 0520 IpInIp - ok
    21:28:22.0828 0520 IpNat (cc748ea12c6effde940ee98098bf96bb) D:\WINDOWS\system32\DRIVERS\ipnat.sys
    21:28:22.0843 0520 IpNat - ok
    21:28:22.0875 0520 iPod Service (ce004777b92dea56fe14ec900d20baa4) D:\Program Files\iPod\bin\iPodService.exe
    21:28:22.0890 0520 iPod Service - ok
    21:28:22.0921 0520 IPSec (23c74d75e36e7158768dd63d92789a91) D:\WINDOWS\system32\DRIVERS\ipsec.sys
    21:28:22.0921 0520 IPSec - ok
    21:28:22.0937 0520 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) D:\WINDOWS\system32\DRIVERS\irenum.sys
    21:28:22.0937 0520 IRENUM - ok
    21:28:22.0953 0520 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) D:\WINDOWS\system32\DRIVERS\isapnp.sys
    21:28:22.0953 0520 isapnp - ok
    21:28:23.0046 0520 JavaQuickStarterService (0a5709543986843d37a92290b7838340) D:\Program Files\Java\jre6\bin\jqs.exe
    21:28:23.0046 0520 JavaQuickStarterService - ok
    21:28:23.0078 0520 Kbdclass (463c1ec80cd17420a542b7f36a36f128) D:\WINDOWS\system32\DRIVERS\kbdclass.sys
    21:28:23.0078 0520 Kbdclass - ok
    21:28:23.0109 0520 kmixer (692bcf44383d056aed41b045a323d378) D:\WINDOWS\system32\drivers\kmixer.sys
    21:28:23.0109 0520 kmixer - ok
    21:28:23.0125 0520 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) D:\WINDOWS\system32\drivers\KSecDD.sys
    21:28:23.0125 0520 KSecDD - ok
    21:28:23.0171 0520 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) D:\WINDOWS\System32\srvsvc.dll
    21:28:23.0171 0520 LanmanServer - ok
    21:28:23.0203 0520 lanmanworkstation (3b9324d60dd321bab7bf6f77931d3fd1) D:\WINDOWS\System32\wkssvc.dll
    21:28:23.0203 0520 lanmanworkstation - ok
    21:28:23.0203 0520 lbrtfdc - ok
    21:28:23.0234 0520 LmHosts (a7db739ae99a796d91580147e919cc59) D:\WINDOWS\System32\lmhsvc.dll
    21:28:23.0250 0520 LmHosts - ok
    21:28:23.0250 0520 lvusbsta - ok
    21:28:23.0281 0520 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) D:\WINDOWS\system32\drivers\mbam.sys
    21:28:23.0281 0520 MBAMProtector - ok
    21:28:23.0343 0520 MBAMService (ba400ed640bca1eae5c727ae17c10207) D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    21:28:23.0343 0520 MBAMService - ok
    21:28:23.0375 0520 Messenger (986b1ff5814366d71e0ac5755c88f2d3) D:\WINDOWS\System32\msgsvc.dll
    21:28:23.0390 0520 Messenger - ok
    21:28:23.0406 0520 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) D:\WINDOWS\system32\drivers\mnmdd.sys
    21:28:23.0406 0520 mnmdd - ok
    21:28:23.0437 0520 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) D:\WINDOWS\system32\mnmsrvc.exe
    21:28:23.0437 0520 mnmsrvc - ok
    21:28:23.0453 0520 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) D:\WINDOWS\system32\drivers\Modem.sys
    21:28:23.0453 0520 Modem - ok
    21:28:23.0500 0520 monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) D:\WINDOWS\system32\drivers\monfilt.sys
    21:28:23.0515 0520 monfilt - ok
    21:28:23.0546 0520 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) D:\WINDOWS\system32\DRIVERS\mouclass.sys
    21:28:23.0546 0520 Mouclass - ok
    21:28:23.0562 0520 mouhid (b1c303e17fb9d46e87a98e4ba6769685) D:\WINDOWS\system32\DRIVERS\mouhid.sys
    21:28:23.0562 0520 mouhid - ok
    21:28:23.0578 0520 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) D:\WINDOWS\system32\drivers\MountMgr.sys
    21:28:23.0578 0520 MountMgr - ok
    21:28:23.0609 0520 MpFilter (fee0baded54222e9f1dae9541212aab1) D:\WINDOWS\system32\DRIVERS\MpFilter.sys
    21:28:23.0609 0520 MpFilter - ok
    21:28:23.0718 0520 MpKslfbde9dc8 (a69630d039c38018689190234f866d77) D:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C2D4FD19-BC36-4C79-9B01-128AAED58D90}\MpKslfbde9dc8.sys
    21:28:23.0718 0520 MpKslfbde9dc8 - ok
    21:28:23.0718 0520 mraid35x - ok
    21:28:23.0734 0520 MRxDAV (65e818c473e220b6ab762e1966296fd1) D:\WINDOWS\system32\DRIVERS\mrxdav.sys
    21:28:23.0734 0520 MRxDAV - ok
    21:28:23.0796 0520 MRxSmb (fb2fccc70f7174c7bf64f48e96d3adf4) D:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    21:28:23.0796 0520 MRxSmb - ok
    21:28:23.0828 0520 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) D:\WINDOWS\system32\msdtc.exe
    21:28:23.0828 0520 MSDTC - ok
    21:28:23.0828 0520 Msfs (c941ea2454ba8350021d774daf0f1027) D:\WINDOWS\system32\drivers\Msfs.sys
    21:28:23.0828 0520 Msfs - ok
    21:28:23.0828 0520 MSIServer - ok
    21:28:23.0843 0520 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) D:\WINDOWS\system32\drivers\MSKSSRV.sys
    21:28:23.0843 0520 MSKSSRV - ok
    21:28:23.0921 0520 MsMpSvc (cfce43b70ca0cc4dcc8adb62b792b173) D:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    21:28:23.0921 0520 MsMpSvc - ok
    21:28:23.0937 0520 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) D:\WINDOWS\system32\drivers\MSPCLOCK.sys
    21:28:23.0937 0520 MSPCLOCK - ok
    21:28:23.0953 0520 MSPQM (bad59648ba099da4a17680b39730cb3d) D:\WINDOWS\system32\drivers\MSPQM.sys
    21:28:23.0953 0520 MSPQM - ok
    21:28:23.0968 0520 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) D:\WINDOWS\system32\DRIVERS\mssmbios.sys
    21:28:23.0968 0520 mssmbios - ok
    21:28:23.0968 0520 MTC0001_ESB - ok
    21:28:23.0984 0520 Mup (f7b1ad991491f02af6da70b00b8bf114) D:\WINDOWS\system32\drivers\Mup.sys
    21:28:23.0984 0520 Mup - ok
    21:28:24.0015 0520 napagent (0102140028fad045756796e1c685d695) D:\WINDOWS\System32\qagentrt.dll
    21:28:24.0031 0520 napagent - ok
    21:28:24.0046 0520 NDIS (b5b1080d35974c0e718d64280761bcd5) D:\WINDOWS\system32\drivers\NDIS.sys
    21:28:24.0046 0520 NDIS - ok
    21:28:24.0078 0520 NdisTapi (0109c4f3850dfbab279542515386ae22) D:\WINDOWS\system32\DRIVERS\ndistapi.sys
    21:28:24.0078 0520 NdisTapi - ok
    21:28:24.0093 0520 Ndisuio (f927a4434c5028758a842943ef1a3849) D:\WINDOWS\system32\DRIVERS\ndisuio.sys
    21:28:24.0093 0520 Ndisuio - ok
    21:28:24.0093 0520 NdisWan (b053a8411045fd0664b389a090cb2bbc) D:\WINDOWS\system32\DRIVERS\ndiswan.sys
    21:28:24.0109 0520 NdisWan - ok
    21:28:24.0140 0520 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) D:\WINDOWS\system32\drivers\NDProxy.sys
    21:28:24.0140 0520 NDProxy - ok
    21:28:24.0156 0520 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) D:\WINDOWS\system32\DRIVERS\netbios.sys
    21:28:24.0156 0520 NetBIOS - ok
    21:28:24.0171 0520 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) D:\WINDOWS\system32\DRIVERS\netbt.sys
    21:28:24.0171 0520 NetBT - ok
    21:28:24.0203 0520 NetDDE (b857ba82860d7ff85ae29b095645563b) D:\WINDOWS\system32\netdde.exe
    21:28:24.0203 0520 NetDDE - ok
    21:28:24.0218 0520 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) D:\WINDOWS\system32\netdde.exe
    21:28:24.0218 0520 NetDDEdsdm - ok
    21:28:24.0234 0520 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) D:\WINDOWS\system32\lsass.exe
    21:28:24.0234 0520 Netlogon - ok
    21:28:24.0281 0520 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) D:\WINDOWS\System32\netman.dll
    21:28:24.0281 0520 Netman - ok
    21:28:24.0359 0520 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) d:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
    21:28:24.0359 0520 NetTcpPortSharing - ok
    21:28:24.0359 0520 nimxdfk - ok
    21:28:24.0390 0520 Nla (290c1a30defc723bbe10910ac2d6f6d0) D:\WINDOWS\System32\mswsock.dll
    21:28:24.0390 0520 Nla - ok
    21:28:24.0390 0520 Npfs (3182d64ae053d6fb034f44b6def8034a) D:\WINDOWS\system32\drivers\Npfs.sys
    21:28:24.0390 0520 Npfs - ok
    21:28:24.0421 0520 Ntfs (4c51d5275ae8a16999edfe7e647d00de) D:\WINDOWS\system32\drivers\Ntfs.sys
    21:28:24.0437 0520 Ntfs - ok
    21:28:24.0437 0520 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) D:\WINDOWS\system32\lsass.exe
    21:28:24.0437 0520 NtLmSsp - ok
    21:28:24.0468 0520 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) D:\WINDOWS\system32\ntmssvc.dll
    21:28:24.0468 0520 NtmsSvc - ok
    21:28:24.0468 0520 ntsyslog - ok
    21:28:24.0500 0520 Null (73c1e1f395918bc2c6dd67af7591a3ad) D:\WINDOWS\system32\drivers\Null.sys
    21:28:24.0500 0520 Null - ok
    21:28:24.0812 0520 nv (ed9816dbaf6689542ea7d022631906a1) D:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    21:28:25.0000 0520 nv - ok
    21:28:25.0109 0520 NVSvc (08d8b80a3c0453a043968831d44c5c9f) D:\WINDOWS\system32\nvsvc32.exe
    21:28:25.0109 0520 NVSvc - ok
    21:28:25.0234 0520 nvUpdatusService (1284f91493fc353281b015345a043f4d) D:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    21:28:25.0265 0520 nvUpdatusService - ok
    21:28:25.0328 0520 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) D:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    21:28:25.0328 0520 NwlnkFlt - ok
    21:28:25.0328 0520 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) D:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    21:28:25.0328 0520 NwlnkFwd - ok
    21:28:25.0421 0520 odserv (785f487a64950f3cb8e9f16253ba3b7b) D:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
    21:28:25.0421 0520 odserv - ok
    21:28:25.0437 0520 oracleorahome811cman - ok
    21:28:25.0468 0520 ose (5a432a042dae460abe7199b758e8606c) D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    21:28:25.0468 0520 ose - ok
    21:28:25.0500 0520 Parport (5575faf8f97ce5e713d108c2a58d7c7c) D:\WINDOWS\system32\DRIVERS\parport.sys
    21:28:25.0500 0520 Parport - ok
    21:28:25.0515 0520 PartMgr (beb3ba25197665d82ec7065b724171c6) D:\WINDOWS\system32\drivers\PartMgr.sys
    21:28:25.0515 0520 PartMgr - ok
    21:28:25.0531 0520 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) D:\WINDOWS\system32\drivers\ParVdm.sys
    21:28:25.0531 0520 ParVdm - ok
    21:28:25.0546 0520 PCI (a219903ccf74233761d92bef471a07b1) D:\WINDOWS\system32\DRIVERS\pci.sys
    21:28:25.0546 0520 PCI - ok
    21:28:25.0546 0520 PCIDump - ok
    21:28:25.0562 0520 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) D:\WINDOWS\system32\drivers\PCIIde.sys
    21:28:25.0562 0520 PCIIde - ok
    21:28:25.0578 0520 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) D:\WINDOWS\system32\drivers\Pcmcia.sys
    21:28:25.0578 0520 Pcmcia - ok
    21:28:25.0609 0520 pcouffin (5b6c11de7e839c05248ced8825470fef) D:\WINDOWS\system32\Drivers\pcouffin.sys
    21:28:25.0609 0520 pcouffin - ok
    21:28:25.0609 0520 PDCOMP - ok
    21:28:25.0609 0520 PDFRAME - ok
    21:28:25.0609 0520 PDRELI - ok
    21:28:25.0625 0520 PDRFRAME - ok
    21:28:25.0625 0520 perc2 - ok
    21:28:25.0625 0520 perc2hib - ok
    21:28:25.0625 0520 pgsql-8.0 - ok
    21:28:25.0656 0520 PlugPlay (65df52f5b8b6e9bbd183505225c37315) D:\WINDOWS\system32\services.exe
    21:28:25.0656 0520 PlugPlay - ok
    21:28:25.0703 0520 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) D:\WINDOWS\system32\lsass.exe
    21:28:25.0703 0520 PolicyAgent - ok
    21:28:25.0718 0520 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) D:\WINDOWS\system32\DRIVERS\raspptp.sys
    21:28:25.0718 0520 PptpMiniport - ok
    21:28:25.0734 0520 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) D:\WINDOWS\system32\lsass.exe
    21:28:25.0734 0520 ProtectedStorage - ok
    21:28:25.0734 0520 PSched (09298ec810b07e5d582cb3a3f9255424) D:\WINDOWS\system32\DRIVERS\psched.sys
    21:28:25.0734 0520 PSched - ok
    21:28:25.0750 0520 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) D:\WINDOWS\system32\DRIVERS\ptilink.sys
    21:28:25.0750 0520 Ptilink - ok
    21:28:25.0765 0520 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) D:\WINDOWS\system32\Drivers\PxHelp20.sys
    21:28:25.0765 0520 PxHelp20 - ok
    21:28:25.0765 0520 ql1080 - ok
    21:28:25.0765 0520 Ql10wnt - ok
    21:28:25.0781 0520 ql12160 - ok
    21:28:25.0781 0520 ql1240 - ok
    21:28:25.0781 0520 ql1280 - ok
    21:28:25.0781 0520 QPSched - ok
    21:28:25.0796 0520 quickbooksdb - ok
    21:28:25.0812 0520 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) D:\WINDOWS\system32\DRIVERS\rasacd.sys
    21:28:25.0812 0520 RasAcd - ok
    21:28:25.0828 0520 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) D:\WINDOWS\System32\rasauto.dll
    21:28:25.0828 0520 RasAuto - ok
    21:28:25.0843 0520 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) D:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    21:28:25.0843 0520 Rasl2tp - ok
    21:28:25.0859 0520 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) D:\WINDOWS\System32\rasmans.dll
    21:28:25.0875 0520 RasMan - ok
    21:28:25.0875 0520 RasPppoe (5bc962f2654137c9909c3d4603587dee) D:\WINDOWS\system32\DRIVERS\raspppoe.sys
    21:28:25.0875 0520 RasPppoe - ok
    21:28:25.0875 0520 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) D:\WINDOWS\system32\DRIVERS\raspti.sys
    21:28:25.0875 0520 Raspti - ok
    21:28:25.0890 0520 Rdbss (77050c6615f6eb5402f832b27fd695e0) D:\WINDOWS\system32\DRIVERS\rdbss.sys
    21:28:25.0906 0520 Rdbss - ok
    21:28:25.0906 0520 RDPCDD (4912d5b403614ce99c28420f75353332) D:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    21:28:25.0906 0520 RDPCDD - ok
    21:28:25.0937 0520 rdpdr (c694a927eb7c354f7ae97955043a9641) D:\WINDOWS\system32\DRIVERS\rdpdr.sys
    21:28:25.0937 0520 rdpdr - ok
    21:28:25.0968 0520 RDPWD (2d293b720c206473a05950ce007db12a) D:\WINDOWS\system32\drivers\RDPWD.sys
    21:28:25.0968 0520 RDPWD - ok
    21:28:25.0984 0520 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) D:\WINDOWS\system32\sessmgr.exe
    21:28:25.0984 0520 RDSessMgr - ok
    21:28:26.0000 0520 redbook (f828dd7e1419b6653894a8f97a0094c5) D:\WINDOWS\system32\DRIVERS\redbook.sys
    21:28:26.0000 0520 redbook - ok
    21:28:26.0000 0520 regmon701 - ok
    21:28:26.0031 0520 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) D:\WINDOWS\System32\mprdim.dll
    21:28:26.0031 0520 RemoteAccess - ok
    21:28:26.0062 0520 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) D:\WINDOWS\system32\regsvc.dll
    21:28:26.0062 0520 RemoteRegistry - ok
    21:28:26.0078 0520 RpcLocator (aaed593f84afa419bbae8572af87cf6a) D:\WINDOWS\system32\locator.exe
    21:28:26.0078 0520 RpcLocator - ok
    21:28:26.0109 0520 RpcSs (6b27a5c03dfb94b4245739065431322c) D:\WINDOWS\System32\rpcss.dll
    21:28:26.0109 0520 RpcSs - ok
    21:28:26.0156 0520 rspndr (743d7d59767073a617b1dcc6c546f234) D:\WINDOWS\system32\DRIVERS\rspndr.sys
    21:28:26.0156 0520 rspndr - ok
    21:28:26.0171 0520 RSVP (471b3f9741d762abe75e9deea4787e47) D:\WINDOWS\system32\rsvp.exe
    21:28:26.0171 0520 RSVP - ok
    21:28:26.0218 0520 RT61 (1d72a1ab4d4860291b67bffe6862093a) D:\WINDOWS\system32\DRIVERS\RT61.sys
    21:28:26.0218 0520 RT61 - ok
    21:28:26.0250 0520 RTLE8023xp (cb9310a5a910648d359c99a857e22a54) D:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
    21:28:26.0250 0520 RTLE8023xp - ok
    21:28:26.0265 0520 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) D:\WINDOWS\system32\lsass.exe
    21:28:26.0265 0520 SamSs - ok
    21:28:26.0296 0520 SCardSvr (86d007e7a654b9a71d1d7d856b104353) D:\WINDOWS\System32\SCardSvr.exe
    21:28:26.0296 0520 SCardSvr - ok
    21:28:26.0328 0520 SCDEmu (f441ba47bd8610cb9536965bd7d1f943) D:\WINDOWS\system32\drivers\SCDEmu.sys
    21:28:26.0328 0520 SCDEmu - ok
    21:28:26.0359 0520 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) D:\WINDOWS\system32\schedsvc.dll
    21:28:26.0359 0520 Schedule - ok
    21:28:26.0359 0520 SE27obex - ok
    21:28:26.0359 0520 se2Dnd5 - ok
    21:28:26.0375 0520 se59obex - ok
    21:28:26.0390 0520 Secdrv (90a3935d05b494a5a39d37e71f09a677) D:\WINDOWS\system32\DRIVERS\secdrv.sys
    21:28:26.0390 0520 Secdrv - ok
    21:28:26.0406 0520 seclogon (cbe612e2bb6a10e3563336191eda1250) D:\WINDOWS\System32\seclogon.dll
    21:28:26.0406 0520 seclogon - ok
    21:28:26.0437 0520 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) D:\WINDOWS\system32\sens.dll
    21:28:26.0437 0520 SENS - ok
    21:28:26.0453 0520 serenum (0f29512ccd6bead730039fb4bd2c85ce) D:\WINDOWS\system32\DRIVERS\serenum.sys
    21:28:26.0453 0520 serenum - ok
    21:28:26.0453 0520 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) D:\WINDOWS\system32\DRIVERS\serial.sys
    21:28:26.0453 0520 Serial - ok
    21:28:26.0468 0520 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) D:\WINDOWS\system32\drivers\Sfloppy.sys
    21:28:26.0468 0520 Sfloppy - ok
    21:28:26.0484 0520 SharedAccess (4f10a2fa76b5bd54cd68afa94e8adb39) D:\WINDOWS\System32\ipnathlp.dll
    21:28:26.0484 0520 SharedAccess - ok
    21:28:26.0515 0520 ShellHWDetection (888cd7b39c37e13a2419becfaaf0a28c) D:\WINDOWS\System32\shsvcs.dll
    21:28:26.0531 0520 ShellHWDetection - ok
    21:28:26.0531 0520 Si3114r5 - ok
    21:28:26.0531 0520 Simbad - ok
    21:28:26.0531 0520 Sparrow - ok
    21:28:26.0562 0520 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) D:\WINDOWS\system32\drivers\splitter.sys
    21:28:26.0562 0520 splitter - ok
    21:28:26.0593 0520 Spooler (60784f891563fb1b767f70117fc2428f) D:\WINDOWS\system32\spoolsv.exe
    21:28:26.0593 0520 Spooler - ok
    21:28:26.0640 0520 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) D:\WINDOWS\system32\DRIVERS\sr.sys
    21:28:26.0640 0520 sr - ok
    21:28:26.0656 0520 srservice (3805df0ac4296a34ba4bf93b346cc378) D:\WINDOWS\system32\srsvc.dll
    21:28:26.0656 0520 srservice - ok
    21:28:26.0687 0520 Srv (9b390283569ea58d43d2586032b892f5) D:\WINDOWS\system32\DRIVERS\srv.sys
    21:28:26.0687 0520 Srv - ok
    21:28:26.0718 0520 SSDPSRV (0a5679b3714edab99e357057ee88fca6) D:\WINDOWS\System32\ssdpsrv.dll
    21:28:26.0718 0520 SSDPSRV - ok
    21:28:26.0765 0520 stisvc (8bad69cbac032d4bbacfce0306174c30) D:\WINDOWS\system32\wiaservc.dll
    21:28:26.0765 0520 stisvc - ok
    21:28:26.0796 0520 swenum (3941d127aef12e93addf6fe6ee027e0f) D:\WINDOWS\system32\DRIVERS\swenum.sys
    21:28:26.0796 0520 swenum - ok
    21:28:26.0812 0520 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) D:\WINDOWS\system32\drivers\swmidi.sys
    21:28:26.0812 0520 swmidi - ok
    21:28:26.0812 0520 SwPrv - ok
    21:28:26.0812 0520 symc810 - ok
    21:28:26.0828 0520 symc8xx - ok
    21:28:26.0828 0520 sym_hi - ok
    21:28:26.0828 0520 sym_u3 - ok
    21:28:26.0828 0520 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) D:\WINDOWS\system32\drivers\sysaudio.sys
    21:28:26.0828 0520 sysaudio - ok
    21:28:26.0843 0520 SysmonLog (c7abbc59b43274b1109df6b24d617051) D:\WINDOWS\system32\smlogsvc.exe
    21:28:26.0843 0520 SysmonLog - ok
    21:28:26.0859 0520 TapiSrv (e2b32b10acc5d97623275aafb67e5f03) D:\WINDOWS\System32\tapisrv.dll
    21:28:26.0875 0520 TapiSrv - ok
    21:28:26.0875 0520 tavsvc - ok
    21:28:26.0890 0520 Tcpip (25a740d70e8007814a48d3fa1b34fa34) D:\WINDOWS\system32\DRIVERS\tcpip.sys
    21:28:26.0890 0520 Tcpip - ok
    21:28:26.0921 0520 TDPIPE (6471a66807f5e104e4885f5b67349397) D:\WINDOWS\system32\drivers\TDPIPE.sys
    21:28:26.0921 0520 TDPIPE - ok
    21:28:26.0937 0520 TDTCP (c0578456f29e5f26285f81b7b71fe57d) D:\WINDOWS\system32\drivers\TDTCP.sys
    21:28:26.0937 0520 TDTCP - ok
    21:28:26.0953 0520 TermDD (88155247177638048422893737429d9e) D:\WINDOWS\system32\DRIVERS\termdd.sys
    21:28:26.0953 0520 TermDD - ok
    21:28:26.0968 0520 TermService (37981a741ad7b04258e87129ffe79ab9) D:\WINDOWS\System32\termsrv.dll
    21:28:26.0984 0520 TermService - ok
    21:28:27.0015 0520 Themes (888cd7b39c37e13a2419becfaaf0a28c) D:\WINDOWS\System32\shsvcs.dll
    21:28:27.0015 0520 Themes - ok
    21:28:27.0046 0520 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) D:\WINDOWS\system32\tlntsvr.exe
    21:28:27.0046 0520 TlntSvr - ok
    21:28:27.0046 0520 TosIde - ok
    21:28:27.0062 0520 TrkWks (55bca12f7f523d35ca3cb833c725f54e) D:\WINDOWS\system32\trkwks.dll
    21:28:27.0062 0520 TrkWks - ok
    21:28:27.0078 0520 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) D:\WINDOWS\system32\drivers\Udfs.sys
    21:28:27.0078 0520 Udfs - ok
    21:28:27.0093 0520 ultra - ok
    21:28:27.0125 0520 Update (402ddc88356b1bac0ee3dd1580c76a31) D:\WINDOWS\system32\DRIVERS\update.sys
    21:28:27.0125 0520 Update - ok
    21:28:27.0156 0520 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) D:\WINDOWS\System32\upnphost.dll
    21:28:27.0156 0520 upnphost - ok
    21:28:27.0171 0520 UPS (05365fb38fca1e98f7a566aaaf5d1815) D:\WINDOWS\System32\ups.exe
    21:28:27.0171 0520 UPS - ok
    21:28:27.0171 0520 us30sys - ok
    21:28:27.0203 0520 USBAAPL (eafe1e00739afe6c51487a050e772e17) D:\WINDOWS\system32\Drivers\usbaapl.sys
    21:28:27.0203 0520 USBAAPL - ok
    21:28:27.0234 0520 usbccgp (c18d6c74953621346df6b0a11f80c1cc) D:\WINDOWS\system32\DRIVERS\usbccgp.sys
    21:28:27.0234 0520 usbccgp - ok
    21:28:27.0250 0520 usbehci (152ee0baa614388273a0b9ae9c9fd5a0) D:\WINDOWS\system32\DRIVERS\usbehci.sys
    21:28:27.0250 0520 usbehci - ok
    21:28:27.0250 0520 usbhub (1ab3cdde553b6e064d2e754efe20285c) D:\WINDOWS\system32\DRIVERS\usbhub.sys
    21:28:27.0265 0520 usbhub - ok
    21:28:27.0281 0520 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) D:\WINDOWS\system32\DRIVERS\usbscan.sys
    21:28:27.0296 0520 usbscan - ok
    21:28:27.0312 0520 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) D:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    21:28:27.0328 0520 USBSTOR - ok
    21:28:27.0343 0520 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) D:\WINDOWS\system32\DRIVERS\usbuhci.sys
    21:28:27.0343 0520 usbuhci - ok
    21:28:27.0343 0520 vaiomediaplatform-videoserver-appserver - ok
    21:28:27.0343 0520 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) D:\WINDOWS\System32\drivers\vga.sys
    21:28:27.0359 0520 VgaSave - ok
    21:28:27.0359 0520 viagfx - ok
    21:28:27.0406 0520 VIAHdAudAddService (1422f65bcec926077f541025c40cf93a) D:\WINDOWS\system32\drivers\viahduaa.sys
    21:28:27.0421 0520 VIAHdAudAddService - ok
    21:28:27.0421 0520 ViaIde - ok
    21:28:27.0437 0520 VolSnap (4c8fcb5cc53aab716d810740fe59d025) D:\WINDOWS\system32\drivers\VolSnap.sys
    21:28:27.0437 0520 VolSnap - ok
    21:28:27.0468 0520 VSS (7a9db3a67c333bf0bd42e42b8596854b) D:\WINDOWS\System32\vssvc.exe
    21:28:27.0468 0520 VSS - ok
    21:28:27.0484 0520 W32Time (9f8a0d0cbb2fa265a754516128c00e22) D:\WINDOWS\system32\w32time.dll
    21:28:27.0484 0520 W32Time - ok
    21:28:27.0500 0520 Wanarp (e20b95baedb550f32dd489265c1da1f6) D:\WINDOWS\system32\DRIVERS\wanarp.sys
    21:28:27.0500 0520 Wanarp - ok
    21:28:27.0531 0520 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) D:\WINDOWS\system32\DRIVERS\wdcsam.sys
    21:28:27.0531 0520 WDC_SAM - ok
    21:28:27.0531 0520 WDICA - ok
    21:28:27.0546 0520 wdmaud (6768acf64b18196494413695f0c3a00f) D:\WINDOWS\system32\drivers\wdmaud.sys
    21:28:27.0546 0520 wdmaud - ok
    21:28:27.0562 0520 WebClient (77a354e28153ad2d5e120a5a8687bc06) D:\WINDOWS\System32\webclnt.dll
    21:28:27.0562 0520 WebClient - ok
    21:28:27.0562 0520 webrootcommagentservice - ok
    21:28:27.0625 0520 winmgmt (2d0e4ed081963804ccc196a0929275b5) D:\WINDOWS\system32\wbem\WMIsvc.dll
    21:28:27.0625 0520 winmgmt - ok
    21:28:27.0640 0520 winpppoverethernet - ok
    21:28:27.0671 0520 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) D:\WINDOWS\system32\MsPMSNSv.dll
    21:28:27.0671 0520 WmdmPmSN - ok
    21:28:27.0718 0520 Wmi (e76f8807070ed04e7408a86d6d3a6137) D:\WINDOWS\System32\advapi32.dll
    21:28:27.0718 0520 Wmi - ok
    21:28:27.0750 0520 WmiApSrv (e0673f1106e62a68d2257e376079f821) D:\WINDOWS\system32\wbem\wmiapsrv.exe
    21:28:27.0750 0520 WmiApSrv - ok
    21:28:27.0859 0520 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) D:\Program Files\Windows Media Player\WMPNetwk.exe
    21:28:27.0875 0520 WMPNetworkSvc - ok
    21:28:27.0921 0520 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) D:\WINDOWS\System32\drivers\ws2ifsl.sys
    21:28:27.0921 0520 WS2IFSL - ok
    21:28:27.0953 0520 wscsvc (7c278e6408d1dce642230c0585a854d5) D:\WINDOWS\system32\wscsvc.dll
    21:28:27.0953 0520 wscsvc - ok
    21:28:28.0046 0520 wuauserv (aae1a6ffba2b0436e91795120f48c461) C:\WINDOWS\system32\wuauserv.dll
    21:28:28.0062 0520 wuauserv - ok
    21:28:28.0093 0520 WudfPf (f15feafffbb3644ccc80c5da584e6311) D:\WINDOWS\system32\DRIVERS\WudfPf.sys
    21:28:28.0093 0520 WudfPf - ok
    21:28:28.0093 0520 WudfRd (28b524262bce6de1f7ef9f510ba3985b) D:\WINDOWS\system32\DRIVERS\wudfrd.sys
    21:28:28.0093 0520 WudfRd - ok
    21:28:28.0109 0520 WudfSvc (05231c04253c5bc30b26cbaae680ed89) D:\WINDOWS\System32\WUDFSvc.dll
    21:28:28.0125 0520 WudfSvc - ok
    21:28:28.0171 0520 WZCSVC (349b8d2bb755e8c3b0e3e82a87663e55) D:\WINDOWS\System32\wzcsvc.dll
    21:28:28.0171 0520 WZCSVC - ok
    21:28:28.0187 0520 xmlprov (295d21f14c335b53cb8154e5b1f892b9) D:\WINDOWS\System32\xmlprov.dll
    21:28:28.0203 0520 xmlprov - ok
    21:28:28.0234 0520 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    21:28:28.0359 0520 \Device\Harddisk0\DR0 - ok
    21:28:28.0375 0520 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR32
    21:28:30.0562 0520 \Device\Harddisk1\DR32 - ok
    21:28:30.0562 0520 Boot (0x1200) (b9fed1c489af71d17adee18fc2dff436) \Device\Harddisk0\DR0\Partition0
    21:28:30.0562 0520 \Device\Harddisk0\DR0\Partition0 - ok
    21:28:30.0578 0520 Boot (0x1200) (242d91a369c59a4d3cbeeb1bee23e594) \Device\Harddisk0\DR0\Partition1
    21:28:30.0578 0520 \Device\Harddisk0\DR0\Partition1 - ok
    21:28:30.0593 0520 Boot (0x1200) (1ea16fa355571e402cc503ac7f7d6b00) \Device\Harddisk0\DR0\Partition2
    21:28:30.0593 0520 \Device\Harddisk0\DR0\Partition2 - ok
    21:28:30.0593 0520 Boot (0x1200) (16071b33dbf7fc36615a4c0853c672d5) \Device\Harddisk1\DR32\Partition0
    21:28:30.0593 0520 \Device\Harddisk1\DR32\Partition0 - ok
    21:28:30.0593 0520 ============================================================
    21:28:30.0593 0520 Scan finished
    21:28:30.0593 0520 ============================================================
    21:28:30.0609 3068 Detected object count: 0
    21:28:30.0609 3068 Actual detected object count: 0
     
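The TDSSKiller log above records one verdict per service, driver, MBR and boot sector, and a practitioner rarely reads several hundred such lines by eye. The Python below is an added example for this thread, not Kaspersky's code: it parses that line format and reports the three things worth looking at, any object whose verdict is not "ok", service names that received a verdict but have no "(md5) path" line (still registered, binary not on disk), and the per-disk MBR boot-code hashes. SAMPLE_LOG is constructed in the log's format; the "infected" line and the second disk's hash are made up to exercise the checks, and the tool's real wording for a detection may differ, which is why anything other than "ok" counts as a finding.

```python
"""Triage a TDSSKiller text log: verdicts, orphaned service names, MBR hashes.

Added example for this thread; it is not Kaspersky's code. SAMPLE_LOG is
constructed in the log's format (the 'infected' line and the second disk's
MBR hash are made up to exercise the checks).
"""
import re

# Every log line: "HH:MM:SS.mmmm PID <rest>"
LINE = re.compile(r"^\s*(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<rest>.*\S)\s*$")
# "name (md5) path": a service/driver whose binary was found and hashed
FILE_ENTRY = re.compile(r"^(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
# "MBR (0x1B8) (md5) \Device\..." and "Boot (0x1200) (md5) \Device\...\PartitionN"
SECTOR_ENTRY = re.compile(
    r"^(?P<kind>MBR|Boot)\s+\((?P<size>0x[0-9A-Fa-f]+)\)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<dev>\\Device\\\S+)$")
# "name - ok", or "name ( detection ) - <verdict>" for a hit
VERDICT = re.compile(r"^(?P<name>.+?)\s+-\s+(?P<verdict>\S.*)$")
COUNT = re.compile(r"^Detected object count:\s+(?P<n>\d+)$")

SAMPLE_LOG = r"""
21:28:24.0812 0520 nv (ed9816dbaf6689542ea7d022631906a1) D:\WINDOWS\system32\DRIVERS\nv4_mini.sys
21:28:25.0000 0520 nv - ok
21:28:25.0437 0520 oracleorahome811cman - ok
21:28:26.0890 0520 Tcpip (25a740d70e8007814a48d3fa1b34fa34) D:\WINDOWS\system32\DRIVERS\tcpip.sys
21:28:26.0890 0520 Tcpip - ok
21:28:27.0000 0520 atapi (00000000000000000000000000000000) D:\WINDOWS\system32\DRIVERS\atapi.sys
21:28:27.0000 0520 atapi ( Rootkit.Win32.TDSS.tdl3 ) - infected
21:28:28.0234 0520 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:28:28.0359 0520 \Device\Harddisk0\DR0 - ok
21:28:28.0375 0520 MBR (0x1B8) (ffffffffffffffffffffffffffffffff) \Device\Harddisk1\DR32
21:28:30.0562 0520 \Device\Harddisk1\DR32 - ok
21:28:30.0562 0520 Boot (0x1200) (b9fed1c489af71d17adee18fc2dff436) \Device\Harddisk0\DR0\Partition0
21:28:30.0562 0520 \Device\Harddisk0\DR0\Partition0 - ok
21:28:30.0609 3068 Detected object count: 1
"""


def parse_tdsskiller(text):
    """Return (files, sectors, verdicts, detected_count) from a log."""
    files, sectors, verdicts, detected = {}, {}, {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        rest = m.group("rest")
        s = SECTOR_ENTRY.match(rest)
        if s:
            sectors[s.group("dev")] = (s.group("kind"), s.group("md5"))
            continue
        f = FILE_ENTRY.match(rest)
        if f:
            files[f.group("name")] = (f.group("md5"), f.group("path"))
            continue
        c = COUNT.match(rest)
        if c:
            detected = int(c.group("n"))
            continue
        v = VERDICT.match(rest)
        if v:
            # "atapi ( Rootkit... ) - infected": the object name is the first token
            verdicts[v.group("name").split()[0]] = v.group("verdict")
    return files, sectors, verdicts, detected


def triage_tdsskiller(text):
    files, sectors, verdicts, detected = parse_tdsskiller(text)
    findings = sorted((name, v) for name, v in verdicts.items() if v != "ok")
    # A verdict with no "(md5) path" line: the registry still references a
    # service/driver whose binary is not on disk. Usually leftovers from
    # uninstalled software; an unfamiliar name is worth cross-checking
    # against the ComboFix NetSvcs list.
    orphans = sorted(n for n in verdicts if n not in files and n not in sectors)
    # TDSSKiller hashes the first 0x1B8 bytes of each MBR, i.e. the bootstrap
    # code only (disk signature at 0x1B8, partition table at 0x1BE), so disks
    # initialised by the same Windows carry the same hash. A disk that differs
    # is not proof of anything, but it is where a bootkit lives, so it is the
    # one to dump and inspect.
    mbr = {dev: md5 for dev, (kind, md5) in sectors.items() if kind == "MBR"}
    return {
        "findings": findings,
        "orphans": orphans,
        "mbr_hashes": mbr,
        "mbr_mismatch": len(set(mbr.values())) > 1,
        "detected": detected,
    }


if __name__ == "__main__":
    result = triage_tdsskiller(SAMPLE_LOG)
    for name, verdict in result["findings"]:
        print("NOT OK:", name, "->", verdict)
    print("registered without a file on disk:", ", ".join(result["orphans"]) or "none")
    for dev, md5 in sorted(result["mbr_hashes"].items()):
        print("MBR boot code", dev, md5)
    print("MBR boot code differs between disks:", result["mbr_mismatch"])
```

Run it against a saved TDSSKiller log by reading the file into `triage_tdsskiller`; on the log in this thread it reports no findings, a handful of orphaned names such as oracleorahome811cman, and identical MBR hashes on both disks.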
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, a few FYIs:
    1. I explained that virus scans do not read locations. So when AVG or MSE shows an entry in System Volume or Qoobox, those have already been handled. Scan will continue to show them, but they are not active. At the end of cleaning, you will drop the old restore points and set a new, clean one. The Qoobox folder will be removed when Combofix is uninstalled.
    2. TDSSKiller is clean.
    3.
    This should just be a shortcut; you can right-click to confirm, then delete.

    4. Is there any particular reason you have these on the Startup menu?
    A note about boosters, meters, optimizers, etc. They usually use more of the system resources just to run to make any significant difference.

    5.
    Don't forget to uninstall this, delete the program folder and stop the Scheduled Tasks.

    6.
    Both of these update screens have pre-checked processes. These are usually TB or BHO. Look for them before you download and uncheck them. Also, when installing, choose 'Custom Install' instead of 'Standard'. You may be able to avoid bundled processes this way.
    =====================================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    d:\windows\sophos.tmp
    FileLook::
    d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
    c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\ALSysIO.sys
    d:\windows\system32\dllcache\imagehlp.dll
    DDS::
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\uTorrent\\uTorrent.exe"=-
    "d:\\Documents and Settings\\Me\\My Documents\\Downloads\\utorrent.exe"=-
    Clearjavacache::
    Driver::
    ALSysIO
     
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    How is system doing now?
     
  16. skuzzi

    skuzzi TS Rookie Topic Starter

    Ran the ComboFix and the log is pasted below.

    Removed SpeedyPC, as well as start-up items. Is there a guided procedure for examining the start-up items/running processes? Since I review our home's computers, often there are 60+ processes running and the machines seem to slow down over time with additional programs/add-ons. It would be useful to be able to eliminate some of those start-up background items that are consuming resources.

    The computer seems to be stable - a major improvement. However, I haven't been using it very much throughout this process.


    ComboFix 12-05-07.02 - Me 05/07/2012 9:28.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1260 [GMT -6:00]
    Running from: d:\documents and settings\Me\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-07 to 2012-05-07 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-07 14:43 . 2012-05-07 14:43 56200 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CDB52BF3-8753-4C38-A2F6-E0AF85562D29}\offreg.dll
    2012-05-07 14:39 . 2012-04-13 06:36 6734704 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-05-07 14:39 . 2012-04-13 06:36 6734704 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CDB52BF3-8753-4C38-A2F6-E0AF85562D29}\mpengine.dll
    2012-04-30 19:39 . 2012-04-30 19:39 1409 ----a-w- d:\windows\QTFont.for
    2012-04-28 04:35 . 2012-04-28 04:35 -------- d-----w- D:\_OTM
    2012-04-27 04:03 . 2012-04-27 04:03 -------- d-----w- d:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2012-04-25 03:13 . 2012-01-31 12:44 237072 ------w- d:\windows\system32\MpSigStub.exe
    2012-04-25 03:05 . 2012-04-25 03:05 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
    2012-04-25 03:05 . 2012-04-25 03:05 -------- d-----w- d:\program files\Microsoft Security Client
    2012-04-23 03:29 . 2012-04-23 03:29 -------- d-----w- d:\program files\ESET
    2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\windows\system32\wbem\snmp
    2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\windows\system32\xircom
    2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\program files\microsoft frontpage
    2012-04-21 06:08 . 2012-02-29 14:08 148480 ------w- d:\windows\system32\dllcache\imagehlp.dll
    2012-04-13 16:28 . 2012-04-13 16:28 -------- d-----w- d:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-23 05:18 . 2012-04-04 02:47 418464 ----a-w- d:\windows\system32\FlashPlayerApp.exe
    2012-04-23 05:18 . 2011-12-06 18:25 70304 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-04 23:30 . 2012-04-04 23:30 388096 ----a-r- d:\documents and settings\Me\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2012-04-04 21:56 . 2012-04-05 00:14 22344 ----a-w- d:\windows\system32\drivers\mbam.sys
    2012-04-04 02:51 . 2012-04-04 02:51 73728 ----a-w- d:\windows\system32\javacpl.cpl
    2012-04-04 02:51 . 2011-12-17 07:55 472808 ----a-w- d:\windows\system32\deployJava1.dll
    2012-03-20 23:33 . 2012-03-20 23:33 40960 ----a-r- d:\documents and settings\Me\Application Data\Microsoft\Installer\{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}\NewShortcut3_2E7595EC4FB14E2993D49083C8A9B107.exe
    2012-03-16 03:39 . 2012-03-16 03:39 28672 ----a-w- d:\windows\system32\qttask.exe
    2012-03-01 11:01 . 2009-03-08 02:34 916992 ----a-w- d:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2009-03-08 02:34 1469440 ----a-w- d:\windows\system32\inetcpl.cpl
    2012-03-01 11:01 . 2009-03-08 02:34 43520 ----a-w- d:\windows\system32\licmgr10.dll
    2012-02-29 14:08 . 2008-11-13 13:18 178176 ----a-w- d:\windows\system32\wintrust.dll
    2012-02-29 14:08 . 2008-04-14 11:00 148480 ----a-w- d:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2009-03-08 02:35 385024 ----a-w- d:\windows\system32\html.iec
    2012-02-29 04:20 . 2012-02-29 04:20 127 ----a-w- d:\windows\sophos.tmp
    2012-02-15 17:01 . 2012-03-15 22:36 4547944 ----a-w- d:\windows\system32\usbaaplrc.dll
    2012-02-15 17:01 . 2012-03-15 22:36 43520 ----a-w- d:\windows\system32\drivers\usbaapl.sys
    2012-02-07 17:02 . 2012-02-07 17:02 1070352 ----a-w- d:\windows\system32\MSCOMCTL.OCX
    2012-03-18 05:21 . 2011-12-06 18:11 97208 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-03-26 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . d:\windows\system32\drivers\tcpip.sys
    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . d:\windows\system32\dllcache\tcpip.sys
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-04-21_16.34.35 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-05-07 14:31 . 2012-05-07 14:31 16384 d:\windows\Temp\Perflib_Perfdata_780.dat
    + 2012-04-23 05:18 . 2012-04-23 05:18 353440 d:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_233_Plugin.exe
    + 2012-04-23 04:19 . 2012-04-23 04:19 353440 d:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_233_ActiveX.exe
    + 2012-04-23 04:19 . 2012-04-23 04:19 424608 d:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_233_ActiveX.dll
    + 2012-04-04 02:47 . 2012-04-23 05:18 253088 d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    + 2011-04-18 19:18 . 2011-04-18 19:18 165648 d:\windows\system32\drivers\MpFilter.sys
    + 2012-04-25 03:05 . 2012-04-25 03:05 785920 d:\windows\Installer\11bb89b8.msi
    + 2012-04-25 03:05 . 2012-04-25 03:05 483840 d:\windows\Installer\11bb89b0.msi
    + 2012-04-25 03:05 . 2012-04-25 03:05 301056 d:\windows\Installer\11bb89a9.msi
    + 2007-02-26 07:01 . 2007-02-26 07:01 437160 d:\windows\Installer\$PatchCache$\Managed\000021599B0090400000000000F01FEC\12.0.6012\DWTRIG20.EXE
    + 2006-10-27 00:48 . 2006-10-27 00:48 439568 d:\windows\Installer\$PatchCache$\Managed\000021599B0090400000000000F01FEC\12.0.6012\DWDCW20.DLL
    + 2012-04-23 05:18 . 2012-04-23 05:18 8797344 d:\windows\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll
    + 2011-06-06 18:55 . 2011-06-06 18:55 1189004 d:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JSByteCodeWin.bin
    + 2012-04-04 13:32 . 2012-04-04 13:32 16613376 d:\windows\Installer\c8621.msp
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "HDAudDeck"="d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-01-09 33570816]
    "PWRISOVM.EXE"="d:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
    "Acrobat Assistant 8.0"="d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
    "APSDaemon"="d:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
    "SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "Malwarebytes' Anti-Malware"="d:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    "MSC"="d:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="d:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
    .
    d:\documents and settings\All Users\Start Menu\Programs\Startup\
    AutoCAD Startup Accelerator.lnk - d:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-25 10872]
    HPAiODevice(hp officejet 7100 series) - 1.lnk - d:\program files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2003-6-25 495682]
    MSI Wireless Utility.lnk - d:\program files\MSI\Common\RaUI.exe [2011-12-6 425984]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "d:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0d:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
    "d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "d:\\Program Files\\uTorrent\\uTorrent.exe"=
    "d:\\Documents and Settings\\Me\\My Documents\\Downloads\\utorrent.exe"=
    "d:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "d:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "d:\\Program Files\\iTunes\\iTunes.exe"=
    "d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    .
    R2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/4/2012 6:14 PM 654408]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;d:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [1/6/2012 8:56 AM 2348864]
    R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [4/4/2012 6:14 PM 22344]
    R3 pcouffin;VSO Software pcouffin;d:\windows\system32\drivers\pcouffin.sys [1/8/2012 11:23 AM 47360]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;d:\windows\system32\drivers\viahduaa.sys [1/6/2012 12:28 PM 993280]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/3/2012 8:47 PM 253088]
    S3 cpudrv;cpudrv;d:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 11:08 AM 11336]
    S3 WDC_SAM;WD SCSI Pass Thru driver;d:\windows\system32\drivers\wdcsam.sys [3/15/2012 4:38 PM 11520]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    lvusbsta
    ctljystk
    HssSrv
    se2Dnd5
    cltnetcnservice
    nimxdfk
    F700imd
    dvpapi
    pgsql-8.0
    us30sys
    QPSched
    dlbu_device
    dcpflics
    webrootcommagentservice
    tavsvc
    firelm01
    MTC0001_ESB
    IntelC51
    vaiomediaplatform-videoserver-appserver
    SE27obex
    se59obex
    winpppoverethernet
    quickbooksdb
    agnwifi
    viagfx
    oracleorahome811cman
    awecho
    regmon701
    Si3114r5
    gearsecurity
    icm10blk
    ntsyslog
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-07 d:\windows\Tasks\Adobe Flash Player Updater.job
    - d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 05:18]
    .
    2012-05-04 d:\windows\Tasks\AppleSoftwareUpdate.job
    - d:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    TCP: DhcpNameServer = 192.168.11.1
    FF - ProfilePath - d:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\vugw0kov.default\
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
    .
    .
    ------- File Associations -------
    .
    .scr=AutoCADScriptFile
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-07 09:32
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HDAudDeck = d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,8e,e0,a8,30,b5,77,42,a1,fd,32,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,8e,e0,a8,30,b5,77,42,a1,fd,32,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(904)
    d:\windows\system32\WININET.dll
    d:\windows\system32\msi.dll
    d:\windows\system32\ieframe.dll
    d:\windows\system32\webcheck.dll
    d:\windows\system32\WPDShServiceObj.dll
    d:\windows\system32\PortableDeviceTypes.dll
    d:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2012-05-07 09:33:24
    ComboFix-quarantined-files.txt 2012-05-07 15:33
    ComboFix2.txt 2012-05-07 15:22
    ComboFix3.txt 2012-04-21 16:38
    ComboFix4.txt 2010-09-07 19:37
    ComboFix5.txt 2012-05-07 15:27
    .
    Pre-Run: 5,480,136,704 bytes free
    Post-Run: 5,468,545,024 bytes free
    .
    - - End Of File - - 2A6C166837B28CF760BEB2DE1F6025F4
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The What: Startup Menu: Using msconfig utility
    The only processes that have to be checked on the Startup Menu are:
    1. Antivirus
    2. Firewall- if using 3rd party FW like Comodo
    3. Touchpad if using laptop
    4. Network processes (2-3) if using Pure Magic/Cisco.
    Nothing else> not printer or camera or Cyber anything> no auto-updates
    Average reasonable number of processes to see running in the Task Manager is 35-40

    The How: To remove entries from the Startup Menu using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      All images courtesy NetSquirrel
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Uncheck any processes you do not need to start on boot.
    • Click on Apply> OK when finished.
    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.

    The Where: Do not handle Services using msconfig> access by clicking on Start> Run> type in services.msc> Find the Service you want and double click to open> Set Startup Type as recommended. You may find this best done in Safe Mode because you will have to set Dependencies also:

    Black Viper’s Windows XP x86 (32-bit) Service Pack 3 Service Configurations

    Chart is below the car

    The Add ons: This can be a vulnerability:
    Always make sure the most current version is installed> Active X entries for Java, Adobe, Flash, Shockwave should be current.
    Best advice for the Add-ons: The fewer the better. Too many or problem add-ons may cause runtime errors.

    Restore Points: Always have Restore Points available. Create a shortcut for restore points. Drag it from the desktop to the QuickLaunch Toolbar. Very handy and a good reminder.

    And the bottom line: Use a good search engine to identify a process.
    Don't add or remove a process unless you know what it's for.
     
    skuzzi likes this.
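    The identification step Bobbye recommends above (know what a startup entry is before unchecking it) can also be done from the shell. The script below is an added example written for this page, not Bobbye's or TechSpot's; it assumes PowerShell 2.0 or later (an optional install on XP SP3, built in from Windows 7 on) and the "Shell Folders" registry values that XP and later versions maintain. The function names Get-ExecutablePath, Get-FileFacts and Get-AutostartInventory are my own. It lists the Run/RunOnce keys and both Startup folders, the same locations msconfig's Startup tab reads, and attaches each file's company, description and Authenticode status so unsigned or missing files sort to the top.

```powershell
# Added example, not from the thread: inventory what msconfig's Startup tab shows
# (Run/RunOnce keys and the two Startup folders) together with each file's
# company, description and signature status, so an entry can be identified
# before it is unchecked. Assumes PowerShell 2.0 or later; function names are mine.

# Turn a Run-key command line into an executable path. Handles "quoted path" args
# and unquoted paths that contain spaces (e.g. d:\program files\...\HDeck.exe 1).
function Get-ExecutablePath {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    $parts = $cmd -split ' '
    # Grow the candidate one token at a time until it names an existing file
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]   # nothing matched: the file is probably gone, report the first token
}

# Version-resource and signature facts for one file (missing files are reported, not skipped)
function Get-FileFacts {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return New-Object PSObject -Property @{ Company = ''; Description = ''; Signature = 'FileMissing' }
    }
    $vi  = (Get-Item -LiteralPath $Path).VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Company     = $vi.CompanyName
        Description = $vi.FileDescription
        Signature   = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, UnknownError
    }
}

function Get-AutostartInventory {
    $rows  = @()
    $shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets

    # 1. Run / RunOnce keys for the machine and the current user
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not registry values
            $exe = Get-ExecutablePath $p.Value
            $f   = Get-FileFacts $exe
            $rows += New-Object PSObject -Property @{
                Source = $key; Name = $p.Name; Path = $exe
                Company = $f.Company; Description = $f.Description; Signature = $f.Signature
            }
        }
    }

    # 2. Startup folders, located via the Shell Folders registry values (present on XP and later)
    $folders = @(
        (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').'Common Startup',
        (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').'Startup'
    )
    foreach ($folder in $folders) {
        foreach ($lnk in (Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue)) {
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            $f = Get-FileFacts $target
            $rows += New-Object PSObject -Property @{
                Source = $folder; Name = $lnk.Name; Path = $target
                Company = $f.Company; Description = $f.Description; Signature = $f.Signature
            }
        }
    }
    return $rows
}

# FileMissing and NotSigned sort before Valid, so the entries worth looking up come first.
Get-AutostartInventory |
    Sort-Object Signature, Source |
    Format-Table Name, Signature, Company, Description, Path -AutoSize -Wrap
```

    Run it from an administrative PowerShell prompt on the machine being cleaned. A missing file means the Run value points at something that no longer exists (a leftover from an uninstall or a removed infection) and is a safe uncheck; an unsigned file with an empty company name is the kind of entry Bobbye says to look up with a search engine before deciding anything. Unsigned does not by itself mean malicious, as the ComboFix Sigcheck note in this thread also says.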
  18. skuzzi

    skuzzi TS Rookie Topic Starter

    Many thanks for the advice on start-up and processes.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome.

    But it appears we may have gotten sidetracked. You didn't run this script through Combofix- please do that now and post the new log it will generate:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    d:\windows\sophos.tmp
    FileLook::
    d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
    c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\ALSysIO.sys
    d:\windows\system32\dllcache\imagehlp.dll
    DDS::
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\uTorrent\\uTorrent.exe"=-
    "d:\\Documents and Settings\\Me\\My Documents\\Downloads\\utorrent.exe"=-
    Clearjavacache::
    Driver::
    ALSysIO
    Clearjavacache::
     
    Driver::
     
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    I note that you have had Combofix on the system for 2 years.
    My directions were :
     
  20. skuzzi

    skuzzi TS Rookie Topic Starter

    I uninstalled Combofix and re-installed.
    I ran ComboFix with the CFscript; log pasted below.


    ComboFix 12-05-08.02 - Me 05/08/2012 21:41:51.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1123 [GMT -6:00]
    Running from: d:\documents and settings\Me\Desktop\ComboFix.exe
    Command switches used :: d:\documents and settings\Me\Desktop\CFscript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    FILE ::
    "d:\windows\sophos.tmp"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    d:\windows\sophos.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-09 to 2012-05-09 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-09 03:29 . 2012-05-09 03:29 56200 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F4FF25B8-9133-4644-B392-4EFD613AB353}\offreg.dll
    2012-05-09 03:29 . 2012-05-09 03:29 29904 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F4FF25B8-9133-4644-B392-4EFD613AB353}\MpKslb0533e77.sys
    2012-04-23 03:29 . 2012-04-23 03:29 -------- d-----w- d:\program files\ESET
    2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\windows\system32\wbem\snmp
    2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\windows\system32\xircom
    2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\program files\microsoft frontpage
    2012-04-21 06:08 . 2012-02-29 14:08 148480 ------w- d:\windows\system32\dllcache\imagehlp.dll
    2012-04-13 16:28 . 2012-04-13 16:28 -------- d-----w- d:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-07 17:18 . 2012-04-04 02:47 419488 ----a-w- d:\windows\system32\FlashPlayerApp.exe
    2012-05-07 17:18 . 2011-12-06 18:25 70304 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-04 23:30 . 2012-04-04 23:30 388096 ----a-r- d:\documents and settings\Me\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2012-04-04 21:56 . 2012-04-05 00:14 22344 ----a-w- d:\windows\system32\drivers\mbam.sys
    2012-04-04 02:51 . 2012-04-04 02:51 73728 ----a-w- d:\windows\system32\javacpl.cpl
    2012-04-04 02:51 . 2011-12-17 07:55 472808 ----a-w- d:\windows\system32\deployJava1.dll
    2012-03-21 02:44 . 2011-04-18 19:18 171064 ----a-w- d:\windows\system32\drivers\MpFilter.sys
    2012-03-20 23:33 . 2012-03-20 23:33 40960 ----a-r- d:\documents and settings\Me\Application Data\Microsoft\Installer\{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}\NewShortcut3_2E7595EC4FB14E2993D49083C8A9B107.exe
    2012-03-16 03:39 . 2012-03-16 03:39 28672 ----a-w- d:\windows\system32\qttask.exe
    2012-03-01 11:01 . 2009-03-08 02:34 916992 ----a-w- d:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2009-03-08 02:34 1469440 ----a-w- d:\windows\system32\inetcpl.cpl
    2012-03-01 11:01 . 2009-03-08 02:34 43520 ----a-w- d:\windows\system32\licmgr10.dll
    2012-02-29 14:08 . 2008-11-13 13:18 178176 ----a-w- d:\windows\system32\wintrust.dll
    2012-02-29 14:08 . 2008-04-14 11:00 148480 ----a-w- d:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2009-03-08 02:35 385024 ----a-w- d:\windows\system32\html.iec
    2012-02-15 17:01 . 2012-03-15 22:36 4547944 ----a-w- d:\windows\system32\usbaaplrc.dll
    2012-02-15 17:01 . 2012-03-15 22:36 43520 ----a-w- d:\windows\system32\drivers\usbaapl.sys
    2012-05-08 01:04 . 2011-12-06 18:11 97208 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe ---
    Company: VIA Technologies, Inc.
    File Description: HDeck MFC Application
    File Version: 5, 2, 0, 0
    Product Name: HDeck Application
    Copyright: Copyright (C) 2005
    Original Filename: HDeck.EXE
    File size: 33570816
    Created time: 2012-01-06 18:29
    Modified time: 2009-01-09 20:49
    MD5: F937BCE9A6CD1B0847B45923F94A90E0
    SHA1: E49248611F055628D735DBEFC9B9B227B6AC2E05
    .
    .
    --- d:\windows\system32\dllcache\imagehlp.dll ---
    Company: Microsoft Corporation
    File Description: Windows NT Image Helper
    File Version: 5.1.2600.6198 (xpsp_sp3_qfe.120229-1630)
    Product Name: Microsoft® Windows® Operating System
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: IMAGEHLP.DLL
    File size: 148480
    Created time: 2012-04-21 06:08
    Modified time: 2012-02-29 14:08
    MD5: 2557B78A91D24E68C8873B04D7D6D9BB
    SHA1: 8DDFCD71B6CF3C6495AF4D76966661438D301337
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-03-26 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . d:\windows\system32\drivers\tcpip.sys
    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . d:\windows\system32\dllcache\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "HDAudDeck"="d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-01-09 33570816]
    "Acrobat Assistant 8.0"="d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
    "APSDaemon"="d:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
    "SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "Malwarebytes' Anti-Malware"="d:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    "MSC"="d:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="d:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
    .
    d:\documents and settings\All Users\Start Menu\Programs\Startup\
    AutoCAD Startup Accelerator.lnk - d:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-25 10872]
    MSI Wireless Utility.lnk - d:\program files\MSI\Common\RaUI.exe [2011-12-6 425984]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "d:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0d:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
    path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk
    backup=d:\windows\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    2009-03-15 10:15 180224 ----a-w- d:\program files\PowerISO\PWRISOVM.EXE
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
    "d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "d:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "d:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "d:\\Program Files\\iTunes\\iTunes.exe"=
    "d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    .
    R1 MpKslb0533e77;MpKslb0533e77;d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F4FF25B8-9133-4644-B392-4EFD613AB353}\MpKslb0533e77.sys [5/8/2012 9:29 PM 29904]
    R2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/4/2012 6:14 PM 654408]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;d:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [1/6/2012 8:56 AM 2348864]
    R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [4/4/2012 6:14 PM 22344]
    R3 pcouffin;VSO Software pcouffin;d:\windows\system32\drivers\pcouffin.sys [1/8/2012 11:23 AM 47360]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;d:\windows\system32\drivers\viahduaa.sys [1/6/2012 12:28 PM 993280]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/3/2012 8:47 PM 257696]
    S3 cpudrv;cpudrv;d:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 11:08 AM 11336]
    S3 MozillaMaintenance;Mozilla Maintenance Service;d:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/7/2012 7:04 PM 129976]
    S3 WDC_SAM;WD SCSI Pass Thru driver;d:\windows\system32\drivers\wdcsam.sys [3/15/2012 4:38 PM 11520]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSLB0533E77
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    lvusbsta
    ctljystk
    HssSrv
    se2Dnd5
    cltnetcnservice
    nimxdfk
    F700imd
    dvpapi
    pgsql-8.0
    us30sys
    QPSched
    dlbu_device
    dcpflics
    webrootcommagentservice
    tavsvc
    firelm01
    MTC0001_ESB
    IntelC51
    vaiomediaplatform-videoserver-appserver
    SE27obex
    se59obex
    winpppoverethernet
    quickbooksdb
    agnwifi
    viagfx
    oracleorahome811cman
    awecho
    regmon701
    Si3114r5
    gearsecurity
    icm10blk
    ntsyslog
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-08 d:\windows\Tasks\Adobe Flash Player Updater.job
    - d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 17:18]
    .
    2012-05-04 d:\windows\Tasks\AppleSoftwareUpdate.job
    - d:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    TCP: DhcpNameServer = 192.168.11.1
    FF - ProfilePath - d:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\vugw0kov.default\
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-08 21:46
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HDAudDeck = d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,8e,e0,a8,30,b5,77,42,a1,fd,32,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,8e,e0,a8,30,b5,77,42,a1,fd,32,\
    .
    Completion time: 2012-05-08 21:47:54
    ComboFix-quarantined-files.txt 2012-05-09 03:47
    .
    Pre-Run: 8,021,127,168 bytes free
    Post-Run: 8,023,330,816 bytes free
    .
    - - End Of File - - 5414836F05557470B7A198723BE3614F
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, all good in Combofix. 3 entries were confirmed as legitimate processes.

    Last scan: Please update and run the Eset scan once more.

    Previous problems were resolved- yes?
     
  22. skuzzi

    skuzzi TS Rookie Topic Starter

    I ran the ESET scan and have posted the results below - only found infected old restore points on drive C. I'd be happy to delete those as I was planning to scrub the C Drive and install Windows 7 on that partition.

    Regarding the original problems that brought me here, they have been resolved. And with the reduction of running start-up processes, the machine performs more smoothly and I am much calmer.

    skuzzi
     
  23. skuzzi

    skuzzi TS Rookie Topic Starter

    Oops -

    ESET Scan below

    C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP101\A0185121.exe a variant of Win32/InstallCore.D application
    C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP102\A0185885.exe Win32/Toolbar.Zugo application
    C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP46\A0140870.exe a variant of Win32/InstallCore.D application
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good- system is clean. The following will handle those restore points. FYI> those Win32/InstallCore.D application entries most likely came from downloads on CNet. They require you to add an Active X Object to get their downloads> that's what it is.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin

    Stay safe- surf wisely!
     
Topic Status:
Not open for further replies.
