TechSpot

Email Hacked, Keylogger?

By wwm1129
Feb 1, 2011
  1. Hi,

    I have been having problems with my email account; more specifically, my password has been changed numerous times without my consent. I am wondering if this could be the result of keyloggers or other viruses.

    Thank you!

    Here are my logs:
     
  2. wwm1129

    Malwarebytes Scan Log

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5643

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    1/31/2011 8:11:36 PM
    mbam-log-2011-01-31 (20-11-36).txt

    Scan type: Full scan (C:\|D:\|E:\|)
    Objects scanned: 313284
    Time elapsed: 3 hour(s), 1 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  3. wwm1129

    Gmer Log

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-02-01 17:59:10
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9320320AS rev.HP07
    Running: kqbzn89j.exe; Driver: C:\Users\Wendy\AppData\Local\Temp\pxldypow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ZwAccessCheckAndAuditAlarm [0x8B359810]
    SSDT \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ZwClose [0x8B35B970]
    SSDT \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ZwDeleteKey [0x8B35B620]
    SSDT \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ZwDeleteValueKey [0x8B35B400]
    SSDT \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ZwDuplicateToken [0x8B3596A0]
    SSDT \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ZwImpersonateClientOfPort [0x8B359140]
    SSDT \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ZwOpenThreadToken [0x8B359610]
    SSDT \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ZwOpenThreadTokenEx [0x8B359650]
    SSDT \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ZwQueryInformationToken [0x8B359BF0]
    SSDT \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ZwQueryValueKey [0x8B35AD50]
    SSDT \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ZwReplaceKey [0x8B35B850]
    SSDT \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ZwRestoreKey [0x8B35B730]
    SSDT \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ZwSetInformationThread [0x8B359290]
    SSDT \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ZwSetSecurityObject [0x8B35BA60]
    SSDT \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ZwSetValueKey [0x8B35AF10]

    Code \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) MmCreateSection
    Code \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) MmMapViewOfSection
    Code \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ObCreateObject
    Code \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.) ObOpenObjectByName

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C5D599 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C81F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!RtlSidHashLookup + 1F8 82C89708 4 Bytes [10, 98, 35, 8B]
    .text ntkrnlpa.exe!RtlSidHashLookup + 2B8 82C897C8 4 Bytes [70, B9, 35, 8B]
    .text ntkrnlpa.exe!RtlSidHashLookup + 38C 82C8989C 4 Bytes [20, B6, 35, 8B]
    .text ntkrnlpa.exe!RtlSidHashLookup + 398 82C898A8 4 Bytes [00, B4, 35, 8B]
    .text ntkrnlpa.exe!RtlSidHashLookup + 3B0 82C898C0 4 Bytes JMP B85F3947
    .text ...
    PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 27B 82E3C721 5 Bytes JMP 8B372900 \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.)
    PAGE ntkrnlpa.exe!MmCreateSection 82E3D197 5 Bytes JMP 8B372B00 \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.)
    PAGE ntkrnlpa.exe!ObCreateObject 82E3DDC2 5 Bytes JMP 8B372980 \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.)
    PAGE ntkrnlpa.exe!ObOpenObjectByName 82E61174 5 Bytes JMP 8B372A00 \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.)
    PAGE ntkrnlpa.exe!MmMapViewOfSection 82E99217 5 Bytes JMP 8B372A80 \SystemRoot\System32\Drivers\GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[2408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74322494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74305624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [743056E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7432250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74318573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74314D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [743150CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [743151A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [743166D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [743182CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74318819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7431907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7431E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74314C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

    AttachedDevice GeSWall.sys (GeSWall driver/GentleSecurity S.a.r.l.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

    Device \Driver\ACPI_HAL \Device\00000047 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
    Device tdx.sys (TDI Translation Driver/Microsoft Corporation)

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  4. wwm1129

    DDS log

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Wendy at 18:43:46.18 on Tue 02/01/2011
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3003.2074 [GMT -5:00]

    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\geswall\gswserv.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\SMINST\BLService.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\geswall\gswui.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\vsnp2uvc.exe
    C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Wendy\Downloads\dds(3).scr
    C:\Windows\system32\conhost.exe

    ============== Pseudo HJT Report ===============

    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    uSearch Bar =
    uStart Page = hxxp://www.yahoo.com/
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    uInternet Settings,ProxyOverride = *.local
    mSearchAssistant =
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\geswall\gswui.exe,
    BHO: BobaBHOApp Class: {0832ff2c-0867-48ac-a446-3ec50fb4cc3a} - c:\bbplayer\BobaBHO.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Google Update] "c:\users\wendy\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
    mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
    mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
    mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
    mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
    mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
    mRun: [printutil] c:\users\wendy\appdata\local\temp\7zs2224\HPPDU.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\users\wendy\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Download All By FlashGet3 - c:\users\wendy\appdata\roaming\flashgetbho\GetAllUrl.htm
    IE: Download By FlashGet3 - c:\users\wendy\appdata\roaming\flashgetbho\GetUrl.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: juno.com
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Name-Space Handler: http\https - {C3238BEC-FEFC-46B7-9C86-0CD8200B4496} - c:\windows\system32\RichTX32.dll
    SEH: GeSWall Shell Extension: {f6acc71c-420b-4a95-905c-c7534706813c} - c:\program files\geswall\gswshext.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\wendy\appdata\roaming\mozilla\firefox\profiles\n3t6fd8l.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\users\wendy\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\users\wendy\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\users\wendy\appdata\roaming\move networks\plugins\npqmp071706000001.dll
    FF - plugin: c:\users\wendy\appdata\roaming\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\users\wendy\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\windows\system32\wat\npWatWeb.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\wendy\appdata\roaming\Move Networks
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

    ---- FIREFOX POLICIES ----

    FF - user.js: network.protocol-handler.warn-external.dnupdate - false

    ============= SERVICES / DRIVERS ===============

    R0 GeSWall;GeSWall;c:\windows\system32\drivers\geswall.sys [2009-7-30 157184]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-30 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-30 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-30 61960]
    R2 gswserv;GeSWall service;c:\program files\geswall\gswserv.exe [2010-12-6 970752]
    R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-22 365952]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-22 193840]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-10-24 166912]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-20 136176]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-15 1343400]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]

    =============== Created Last 30 ================

    2011-02-01 11:17:58 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{ef4ad6c4-7b8b-4536-88aa-f4332bb5bf1f}\mpengine.dll
    2011-01-30 23:39:01 -------- d-----w- c:\users\wendy\appdata\roaming\Malwarebytes
    2011-01-30 23:37:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-30 23:37:48 -------- d-----w- c:\progra~2\Malwarebytes
    2011-01-30 23:37:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-30 23:37:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-30 23:16:01 -------- d-----w- c:\windows\geswall
    2011-01-30 23:15:51 -------- d-----w- c:\program files\geswall
    2011-01-30 23:04:36 -------- d-----w- c:\users\wendy\appdata\roaming\Avira
    2011-01-30 23:02:34 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-01-30 23:02:33 -------- d-----w- c:\program files\Avira
    2011-01-30 23:02:33 -------- d-----w- c:\progra~2\Avira
    2011-01-30 22:10:10 -------- d-----w- c:\users\wendy\appdata\roaming\SUPERAntiSpyware.com
    2011-01-30 22:10:10 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
    2011-01-23 02:20:26 -------- d-----r- c:\program files\Skype
    2011-01-16 14:28:05 -------- d-----w- c:\users\wendy\appdata\local\AOL
    2011-01-16 14:28:05 -------- d-----w- c:\users\wendy\appdata\local\AIM
    2011-01-16 14:28:02 -------- d-----w- c:\progra~2\AIM
    2011-01-16 14:27:59 -------- d-----w- c:\program files\AIM
    2011-01-16 14:27:58 -------- d-----w- c:\program files\common files\Software Update Utility
    2011-01-16 14:27:55 -------- d-----w- c:\program files\common files\AOL
    2011-01-15 18:06:13 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-01-11 21:16:59 161792 ----a-w- c:\windows\system32\d3d10_1.dll

    ==================== Find3M ====================

    2010-12-06 15:01:02 675840 ----a-w- c:\windows\system32\gswgp.dll
    2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-04 05:52:17 978944 ----a-w- c:\windows\system32\wininet.dll
    2010-11-04 05:48:36 44544 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-04 04:41:26 386048 ----a-w- c:\windows\system32\html.iec
    2010-11-04 04:08:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb

    ============= FINISH: 18:45:33.35 ===============
     
  5. wwm1129

    Attach.txt

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/4/2010 6:06:42 PM
    System Uptime: 2/1/2011 6:37:44 PM (0 hours ago)

    Motherboard: Wistron | | 3612
    Processor: Pentium(R) Dual-Core CPU T4200 @ 2.00GHz | CPU | 1200/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 287 GiB total, 209.32 GiB free.
    D: is FIXED (NTFS) - 11 GiB total, 1.433 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: SASDIFSV
    Device ID: ROOT\LEGACY_SASDIFSV\0000
    Manufacturer:
    Name: SASDIFSV
    PNP Device ID: ROOT\LEGACY_SASDIFSV\0000
    Service: SASDIFSV

    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: SASKUTIL
    Device ID: ROOT\LEGACY_SASKUTIL\0000
    Manufacturer:
    Name: SASKUTIL
    PNP Device ID: ROOT\LEGACY_SASKUTIL\0000
    Service: SASKUTIL

    ==== System Restore Points ===================

    RP123: 12/17/2010 3:26:26 PM - Windows Update
    RP124: 12/21/2010 5:44:49 PM - Windows Update
    RP125: 12/24/2010 3:34:34 PM - Windows Update
    RP126: 12/28/2010 6:55:37 AM - Windows Update
    RP127: 12/30/2010 7:42:02 AM - Windows Update
    RP128: 12/31/2010 7:34:39 AM - Windows Update
    RP129: 1/4/2011 6:15:06 AM - Windows Update
    RP130: 1/7/2011 2:43:36 PM - Windows Update
    RP131: 1/7/2011 2:57:34 PM - Windows Update
    RP132: 1/11/2011 4:16:52 PM - Windows Update
    RP133: 1/12/2011 9:11:40 AM - Windows Update
    RP134: 1/14/2011 4:16:16 PM - Windows Update
    RP135: 1/15/2011 1:04:59 PM - Installed Java(TM) 6 Update 23
    RP136: 1/18/2011 6:25:17 AM - Windows Update
    RP137: 1/21/2011 3:15:54 PM - Windows Update
    RP138: 1/25/2011 4:26:06 PM - Windows Update
    RP139: 1/26/2011 10:00:40 PM - Windows Update
    RP140: 1/28/2011 2:37:55 PM - Windows Update
    RP141: 1/30/2011 6:15:11 PM - Installed GeSWall 2.9.1 Freeware
    RP142: 2/1/2011 6:17:21 AM - Windows Update

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Acrobat.com
    Activation Assistant for the 2007 Microsoft Office suites
    ActiveCheck component for HP Active Support Library
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.1
    Adobe Shockwave Player
    Adobe Shockwave Player 11.5
    AIM 7
    AIO_Scan
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Atheros Driver Installation Program
    Avira AntiVir Personal - Free Antivirus
    AVS Update Manager 1.0
    AVS Video Converter 7
    AVS4YOU Software Navigator 1.4
    Bonjour
    BufferChm
    C5200
    C5200_Help
    Compatibility Pack for the 2007 Office system
    Conexant HD Audio
    Content Transfer
    Copy
    CustomerResearchQFolder
    CyberLink DVD Suite
    CyberLink YouCam
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    Download Updater (AOL LLC)
    ESU for Microsoft Vista
    eSupportQFolder
    Fax
    GeSWall 2.9.1 Freeware
    Google Earth Plug-in
    Google Talk Plugin
    Google Update Helper
    GPBaseService
    HDAUDIO Soft Data Fax Modem with SmartCP
    HP Active Support Library
    HP Customer Experience Enhancements
    HP Customer Participation Program 10.0
    HP Doc Viewer
    HP Driver Diagnostics
    HP DVD Play 3.7
    HP Help and Support
    HP Imaging Device Functions 10.0
    HP Photosmart All-In-One Driver Software 10.0 Rel .2
    HP Quick Launch Buttons 6.40 H2
    HP Solution Center 10.0
    HP Total Care Advisor
    HP Total Care Setup
    HP Update
    HP User Guides 0118
    HP Wireless Assistant
    HPAsset component for HP Active Support Library
    HPNetworkAssistant
    HPProductAssistant
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 23
    Java(TM) 6 Update 7
    LabelPrint
    LightScribe System Software 1.14.17.1
    Malwarebytes' Anti-Malware
    MarketResearch
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Move Media Player
    Mozilla Firefox (3.6.10)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    muvee Reveal
    NetWaiting
    Norton Internet Security
    Norton Security Scan
    OCR Software by I.R.I.S. 10.0
    OGA Notifier 2.0.0048.0
    PanoStandAlone
    PhotoScape
    Power2Go
    PowerDirector
    PS_AIO_02_ProductContext
    PS_AIO_02_Software
    PS_AIO_02_Software_Min
    QuickTime
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek USB 2.0 Card Reader
    Scan
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype Toolbars
    Skype™ 5.1
    SolutionCenter
    Status
    SUPERAntiSpyware
    Synaptics Pointing Device Driver
    Toolbox
    TrayApp
    Unity Web Player
    UnloadSupport
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    WebReg

    ==== Event Viewer Messages From Past Week ========

    2/1/2011 6:40:16 PM, Error: Microsoft-Windows-WMPNSS-Service [14353] - A media delivery engine with ID '0' was not initialized due to error '0x800700b7' when adding the URL 'http://+:10243/WMPNSSv4/3714764274/'. Restart your computer, and then restart the WMPNetworkSvc service. If the problem persists, reinstall Windows Media Player if possible.
    2/1/2011 6:40:16 PM, Error: Microsoft-Windows-WMPNSS-Service [14349] - A new media server was not initialized because the Windows Media Delivery Engine did not initialize due to error '0x800700b7'. Restart your computer, and then restart the WMPNetworkSvc service. If the problem persists, reinstall Windows Media Player if possible.
    2/1/2011 6:39:48 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
    2/1/2011 6:39:46 PM, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
    2/1/2011 4:06:31 PM, Error: Service Control Manager [7034] - The GeSWall service service terminated unexpectedly. It has done this 1 time(s).
    1/31/2011 4:15:04 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    1/31/2011 4:15:04 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    1/31/2011 4:15:04 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    1/31/2011 4:15:03 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    1/31/2011 4:15:03 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    1/31/2011 4:15:02 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/31/2011 4:14:56 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    1/31/2011 4:14:39 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avipbb DfsC discache NetBIOS NetBT nsiproxy Psched rdbss SASDIFSV SASKUTIL spldr ssmdrv tdx vwififlt Wanarpv6 WfpLwf
    1/31/2011 4:14:37 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/31/2011 4:14:37 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    1/31/2011 4:14:37 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    1/31/2011 4:14:37 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    1/31/2011 4:14:37 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    1/31/2011 4:14:37 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    1/31/2011 4:14:37 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/31/2011 4:14:37 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/31/2011 4:14:37 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/31/2011 4:14:37 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    1/31/2011 4:05:44 PM, Error: Service Control Manager [7038] - The WdiServiceHost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    1/31/2011 4:05:44 PM, Error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error %%-2147024846.
    1/31/2011 4:05:44 PM, Error: Service Control Manager [7000] - The Portable Device Enumerator Service service failed to start due to the following error: A system shutdown is in progress.
    1/31/2011 4:05:44 PM, Error: Service Control Manager [7000] - The hpqwmiex service failed to start due to the following error: The pipe has been ended.
    1/31/2011 4:05:44 PM, Error: Service Control Manager [7000] - The Diagnostic Service Host service failed to start due to the following error: The service did not start due to a logon failure.
    1/31/2011 4:05:44 PM, Error: Microsoft-Windows-Bits-Client [16392] - The BITS service failed to start. Error 0x80070032.
    1/31/2011 4:05:43 PM, Error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The pipe has been ended.
    1/31/2011 4:05:42 PM, Error: Service Control Manager [7023] - The hpqcxs08 service terminated with the following error: %%-2147467243
    1/31/2011 4:05:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1069" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    1/31/2011 4:05:41 PM, Error: Service Control Manager [7038] - The WSearch service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    1/31/2011 4:05:41 PM, Error: Service Control Manager [7038] - The WdiServiceHost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    1/31/2011 4:05:41 PM, Error: Service Control Manager [7038] - The netprofm service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    1/31/2011 4:05:41 PM, Error: Service Control Manager [7038] - The FontCache3.0.0.0 service was unable to log on as NT Authority\LocalService with the currently configured password due to the following error: The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    1/31/2011 4:05:41 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not start due to a logon failure.
    1/31/2011 4:05:41 PM, Error: Service Control Manager [7000] - The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error: The service did not start due to a logon failure.
    1/31/2011 4:05:41 PM, Error: Service Control Manager [7000] - The Network List Service service failed to start due to the following error: The service did not start due to a logon failure.
    1/31/2011 4:05:41 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1069" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    1/30/2011 6:34:14 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    1/30/2011 6:28:00 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Presentation Foundation Font Cache 3.0.0.0 service to connect.
    1/30/2011 6:28:00 PM, Error: Service Control Manager [7000] - The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/30/2011 6:03:08 PM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
    1/28/2011 5:43:46 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer MANDYMOY-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{A0D47FC9-8808-4ECD-835C-5CDAEA. The master browser is stopping or an election is being forced.
    1/27/2011 12:39:44 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {B77C4C36-0154-4C52-AB49-FAA03837E47F} and APPID {EA022610-0748-4C24-B229-6C507EBDFDBB} to the user Moy\Wendy SID (S-1-5-21-2239686510-729420797-886957577-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    1/26/2011 9:09:49 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    1/26/2011 12:19:32 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820} and APPID {8BC3F05E-D86B-11D0-A075-00C04FB68820} to the user Moy\Guest SID (S-1-5-21-2239686510-729420797-886957577-501) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

    ==== End Of File ===========================
     
  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    =====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.

    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. wwm1129

    wwm1129 TS Rookie Topic Starter

    MBRcheck log

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Home Premium Edition
    Windows Information: (build 7600), 32-bit
    Base Board Manufacturer: Wistron
    BIOS Manufacturer: Hewlett-Packard
    System Manufacturer: Hewlett-Packard
    System Product Name: HP G60 Notebook PC
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 197):
    0x82C02000 \SystemRoot\system32\ntkrnlpa.exe
    0x83012000 \SystemRoot\system32\halmacpi.dll
    0x80BD2000 \SystemRoot\system32\kdcom.dll
    0x8323F000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x832B7000 \SystemRoot\system32\PSHED.dll
    0x832C8000 \SystemRoot\system32\BOOTVID.dll
    0x832D0000 \SystemRoot\system32\CLFS.SYS
    0x83312000 \SystemRoot\system32\CI.dll
    0x8AE1E000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8AE8F000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x8AE9D000 \SystemRoot\system32\DRIVERS\ACPI.sys
    0x8AEE5000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
    0x8AEEE000 \SystemRoot\system32\DRIVERS\msisadrv.sys
    0x8AEF6000 \SystemRoot\system32\DRIVERS\pci.sys
    0x8AF20000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
    0x8AF2B000 \SystemRoot\System32\drivers\partmgr.sys
    0x8AF3C000 \SystemRoot\system32\DRIVERS\volmgr.sys
    0x8AF4C000 \SystemRoot\System32\drivers\volmgrx.sys
    0x8AF97000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x8AF9F000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x8AFAA000 \SystemRoot\System32\drivers\mountmgr.sys
    0x8AFC0000 \SystemRoot\system32\DRIVERS\atapi.sys
    0x8AFC9000 \SystemRoot\system32\DRIVERS\ataport.SYS
    0x8AFEC000 \SystemRoot\system32\DRIVERS\msahci.sys
    0x8AE00000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
    0x8AE0E000 \SystemRoot\system32\DRIVERS\amdxata.sys
    0x833BD000 \SystemRoot\system32\drivers\fltmgr.sys
    0x83200000 \SystemRoot\system32\drivers\fileinfo.sys
    0x8B00A000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8B139000 \SystemRoot\System32\Drivers\msrpc.sys
    0x8B164000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x8B177000 \SystemRoot\System32\Drivers\cng.sys
    0x8B1D4000 \SystemRoot\System32\drivers\pcw.sys
    0x8B1E2000 \SystemRoot\System32\Drivers\Fs_Rec.sys
    0x8B201000 \SystemRoot\system32\drivers\ndis.sys
    0x8B2B8000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8B2F6000 \SystemRoot\System32\Drivers\ksecpkg.sys
    0x8B40A000 \SystemRoot\System32\drivers\tcpip.sys
    0x8B553000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8B584000 \SystemRoot\system32\DRIVERS\volsnap.sys
    0x8B5C3000 \SystemRoot\System32\Drivers\spldr.sys
    0x8B5CB000 \SystemRoot\System32\drivers\rdyboost.sys
    0x8B31B000 \SystemRoot\System32\Drivers\mup.sys
    0x8B5F8000 \SystemRoot\System32\drivers\hwpolicy.sys
    0x8B32B000 \SystemRoot\System32\Drivers\GeSWall.sys
    0x8B352000 \SystemRoot\System32\Drivers\TDI.SYS
    0x8B35D000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x8B38F000 \SystemRoot\system32\DRIVERS\disk.sys
    0x8B3A0000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    0x83211000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8B3EE000 \SystemRoot\System32\Drivers\Null.SYS
    0x8B3F5000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8B1EB000 \SystemRoot\System32\drivers\vga.sys
    0x8FA1D000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8FA3E000 \SystemRoot\System32\drivers\watchdog.sys
    0x8FA4B000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8FA53000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8FA5B000 \SystemRoot\system32\drivers\rdprefmp.sys
    0x8FA63000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8FA6E000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8FA7C000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8FA93000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8FAC5000 \SystemRoot\system32\drivers\afd.sys
    0x8FB1F000 \SystemRoot\system32\DRIVERS\wfplwf.sys
    0x8FB26000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8FB45000 \SystemRoot\system32\DRIVERS\vwififlt.sys
    0x8FB56000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8FB64000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8FB77000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8FB87000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0x8FB8D000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8FBCE000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8FBD8000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8FBE2000 \SystemRoot\System32\drivers\discache.sys
    0x8FA00000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8FBEE000 \SystemRoot\system32\DRIVERS\blbdrive.sys
    0x90819000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0x9083F000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x90860000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x90872000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x91415000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
    0x91912000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x9087B000 \SystemRoot\System32\drivers\dxgmms1.sys
    0x919C9000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x908B4000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x919D4000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x908FF000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x9091E000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
    0x90A0B000 \SystemRoot\system32\DRIVERS\athr.sys
    0x90B1B000 \SystemRoot\system32\DRIVERS\vwifibus.sys
    0x90B25000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x90B3D000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
    0x90B42000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x90B4F000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x90B7F000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x90B81000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x90B8E000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x90B92000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0x90B98000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
    0x90BA5000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
    0x90BB7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x90BCF000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x90BDA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x919E3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x90940000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x90957000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x90BFC000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x9096E000 \SystemRoot\system32\DRIVERS\ks.sys
    0x91400000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x909A2000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x909E6000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x93839000 \SystemRoot\system32\drivers\CHDRT32.sys
    0x93874000 \SystemRoot\system32\drivers\portcls.sys
    0x938A3000 \SystemRoot\system32\drivers\drmk.sys
    0x938BC000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
    0x938FA000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
    0x90E21000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
    0x90ED6000 \SystemRoot\system32\drivers\modem.sys
    0x90EE3000 \SystemRoot\system32\drivers\IntcHdmi.sys
    0x90F04000 \SystemRoot\System32\Drivers\RtsUStor.sys
    0x90F30000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x97E16000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
    0x98169000 \SystemRoot\system32\DRIVERS\STREAM.SYS
    0x98177000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
    0x99F60000 \SystemRoot\System32\win32k.sys
    0x9817E000 \SystemRoot\System32\drivers\Dxapi.sys
    0x98188000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x98195000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x981A0000 \SystemRoot\System32\Drivers\dump_msahci.sys
    0x981AA000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
    0x981BB000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x9A1C0000 \SystemRoot\System32\TSDDD.dll
    0x99E00000 \SystemRoot\System32\cdd.dll
    0x99E20000 \SystemRoot\System32\ATMFD.DLL
    0x981C6000 \SystemRoot\system32\drivers\luafv.sys
    0x981E1000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0x90F47000 \SystemRoot\system32\drivers\WudfPf.sys
    0x97E00000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x90F61000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x90FA7000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x90FB7000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x981F6000 \SystemRoot\system32\DRIVERS\vwifimp.sys
    0x9B434000 \SystemRoot\system32\drivers\HTTP.sys
    0x9B4B9000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x9B4D2000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x9B4E4000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x9B507000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x9B542000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x9B575000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xAC418000 \SystemRoot\system32\drivers\peauth.sys
    0xAC4AF000 \SystemRoot\System32\Drivers\secdrv.SYS
    0xAC4B9000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0xAC4DA000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xAC4E7000 \SystemRoot\system32\DRIVERS\xaudio.sys
    0xAC4EF000 \SystemRoot\System32\DRIVERS\srv2.sys
    0xAC53E000 \SystemRoot\System32\DRIVERS\srv.sys
    0xAC400000 \SystemRoot\system32\DRIVERS\asyncmac.sys
    0xAC409000 \??\C:\Users\Wendy\AppData\Local\Temp\mbr.sys
    0x776F0000 \Windows\System32\ntdll.dll
    0x47CB0000 \Windows\System32\smss.exe
    0x77930000 \Windows\System32\apisetschema.dll
    0x00880000 \Windows\System32\autochk.exe
    0x778C0000 \Windows\System32\difxapi.dll
    0x775F0000 \Windows\System32\wininet.dll
    0x77860000 \Windows\System32\shlwapi.dll
    0x77550000 \Windows\System32\usp10.dll
    0x77410000 \Windows\System32\urlmon.dll
    0x77360000 \Windows\System32\rpcrt4.dll
    0x772B0000 \Windows\System32\msvcrt.dll
    0x77840000 \Windows\System32\imm32.dll
    0x77290000 \Windows\System32\sechost.dll
    0x77200000 \Windows\System32\oleaut32.dll
    0x77130000 \Windows\System32\user32.dll
    0x764E0000 \Windows\System32\shell32.dll
    0x76340000 \Windows\System32\setupapi.dll
    0x76270000 \Windows\System32\msctf.dll
    0x761F0000 \Windows\System32\comdlg32.dll
    0x761A0000 \Windows\System32\gdi32.dll
    0x76040000 \Windows\System32\ole32.dll
    0x77830000 \Windows\System32\nsi.dll
    0x75FF0000 \Windows\System32\Wldap32.dll
    0x75F60000 \Windows\System32\clbcatq.dll
    0x75F50000 \Windows\System32\psapi.dll
    0x75D50000 \Windows\System32\iertutil.dll
    0x75C70000 \Windows\System32\kernel32.dll
    0x75C60000 \Windows\System32\lpk.dll
    0x75C50000 \Windows\System32\normaliz.dll
    0x75BB0000 \Windows\System32\advapi32.dll
    0x75B70000 \Windows\System32\ws2_32.dll
    0x75B40000 \Windows\System32\imagehlp.dll
    0x75A20000 \Windows\System32\crypt32.dll
    0x759F0000 \Windows\System32\wintrust.dll
    0x759D0000 \Windows\System32\devobj.dll
    0x75980000 \Windows\System32\KernelBase.dll
    0x75950000 \Windows\System32\cfgmgr32.dll
    0x758C0000 \Windows\System32\comctl32.dll
    0x758B0000 \Windows\System32\msasn1.dll

    Processes (total 79):
    0 System Idle Process
    4 System
    284 C:\Windows\System32\smss.exe
    416 csrss.exe
    468 C:\Windows\System32\wininit.exe
    476 csrss.exe
    524 C:\Windows\System32\services.exe
    556 C:\Windows\System32\lsass.exe
    564 C:\Windows\System32\winlogon.exe
    576 C:\Windows\System32\lsm.exe
    692 C:\Windows\System32\svchost.exe
    792 C:\Windows\System32\svchost.exe
    844 C:\Program Files\geswall\gswserv.exe
    988 C:\Windows\System32\svchost.exe
    1036 C:\Windows\System32\svchost.exe
    1068 C:\Windows\System32\svchost.exe
    1172 C:\Windows\System32\svchost.exe
    1260 C:\Windows\System32\svchost.exe
    1420 C:\Windows\System32\spoolsv.exe
    1468 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1488 C:\Windows\System32\svchost.exe
    1596 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1628 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1652 C:\Program Files\Bonjour\mDNSResponder.exe
    1700 C:\Windows\System32\svchost.exe
    1740 C:\Windows\System32\svchost.exe
    1768 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    1844 C:\Windows\System32\svchost.exe
    1876 C:\Windows\System32\svchost.exe
    1960 C:\Program Files\SMINST\BLService.exe
    1984 C:\Program Files\CyberLink\Shared files\RichVideo.exe
    1992 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    2000 C:\Windows\System32\conhost.exe
    424 C:\Windows\System32\drivers\XAudio.exe
    2168 C:\Program Files\geswall\gswui.exe
    2176 C:\Windows\System32\dwm.exe
    2244 C:\Windows\System32\taskhost.exe
    2260 C:\Windows\explorer.exe
    2644 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    2652 C:\Windows\vsnp2uvc.exe
    2660 C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
    2736 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    2748 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    2760 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    2772 C:\Program Files\HP\QuickPlay\QPService.exe
    2860 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    2920 C:\Program Files\iTunes\iTunesHelper.exe
    2928 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    3056 C:\Windows\ehome\ehmsas.exe
    3168 C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    3204 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    3220 C:\Program Files\Windows Sidebar\sidebar.exe
    3456 C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    4016 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    2216 C:\Windows\System32\SearchIndexer.exe
    2556 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    3188 C:\Program Files\iPod\bin\iPodService.exe
    3404 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    3720 WmiPrvSE.exe
    532 C:\Windows\System32\svchost.exe
    4244 C:\Program Files\Windows Media Player\wmpnetwk.exe
    4376 C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    4384 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    5836 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
    5964 C:\Windows\System32\svchost.exe
    2112 C:\Windows\System32\svchost.exe
    2968 C:\Program Files\AIM\aim.exe
    4536 C:\Program Files\Mozilla Firefox\firefox.exe
    1440 C:\Program Files\Mozilla Firefox\plugin-container.exe
    4396 C:\Program Files\iTunes\iTunes.exe
    5548 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
    5404 C:\Windows\System32\conhost.exe
    5208 C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
    3648 C:\Windows\System32\conhost.exe
    5204 C:\Windows\System32\audiodg.exe
    3160 C:\Windows\System32\SearchProtocolHost.exe
    4640 C:\Users\Wendy\Downloads\MBRCheck.exe
    3408 C:\Windows\System32\conhost.exe
    2368 C:\Windows\System32\dllhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000047`cab00000 (NTFS)

    PhysicalDrive0 Model Number: ST9320320AS, Rev: HP07

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
    SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


    Done!
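The "Windows 7 MBR code detected" line above is MBRCheck matching the boot sector against a list of known loader hashes: a bootkit that rewrote sector 0 would produce a hash not on the list. The following is an added example of that check, not MBRCheck's code. It builds a synthetic 512-byte MBR (placeholder boot code, a constructed disk signature, a made-up size for D:) whose partition offsets copy the ones printed above, parses the partition table, hashes the boot-code region and compares it to an allowlist. The assumption that the hash covers the first 440 bytes is mine; MBRCheck's exact hashed region is not stated in the log, so the SHA1 here will not equal the one above. The allowlist is constructed for the example; a real one holds the hashes of the stock Windows loaders.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439 boot code; 440..443 disk signature; 446..509 partition table
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xAA"       # bytes 510..511
NTFS = 0x07


def build_sample_mbr() -> bytes:
    """Construct a synthetic MBR (not the poster's real sector). The boot code is a
    placeholder; the partition table copies the geometry MBRCheck printed:
    C: at byte offset 0x100000, D: at 0x47CAB00000, both NTFS. D:'s size is made up."""
    code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)
    disk_sig = struct.pack("<IH", 0x12345678, 0)            # constructed disk signature + 2 reserved bytes
    layout = [
        # (boot flag, type, start LBA, sector count)
        (0x80, NTFS, 0x100000 // SECTOR, (0x47CAB00000 - 0x100000) // SECTOR),   # C:
        (0x00, NTFS, 0x47CAB00000 // SECTOR, 0x01400000),                        # D:
    ]
    table = b"".join(
        struct.pack("<B3sB3sII", flag, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", lba, count)
        for flag, ptype, lba, count in layout
    )
    table += b"\x00" * (PART_ENTRY_LEN * 2)                  # two unused slots
    mbr = code + disk_sig + table + BOOT_SIG
    assert len(mbr) == SECTOR
    return mbr


def parse_mbr(mbr: bytes) -> dict:
    """Validate the boot signature, read the four partition slots, hash the boot code."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + slot * PART_ENTRY_LEN
        flag, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + PART_ENTRY_LEN])
        if ptype == 0:
            continue                                         # empty slot
        partitions.append({
            "slot": slot,
            "bootable": flag == 0x80,
            "type": ptype,
            "offset": lba * SECTOR,                          # byte offset, the form MBRCheck reports
            "size": count * SECTOR,
        })
    return {
        "code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", mbr, BOOT_CODE_LEN)[0],
        "partitions": partitions,
    }


def classify_mbr(mbr: bytes, known_good: dict) -> str:
    """Compare the boot-code hash against an allowlist of known loaders. An unknown
    hash means 'inspect it', not 'bootkit': OEM recovery tools and third-party boot
    managers legitimately replace the loader as well."""
    info = parse_mbr(mbr)
    label = known_good.get(info["code_sha1"])
    if label:
        return f"known: {label}"
    return f"unknown: boot code SHA1 {info['code_sha1']} not in allowlist"


def read_mbr(device_path: str) -> bytes:
    r"""Read sector 0 of a raw device or disk image, e.g. r'\\.\PhysicalDrive0'
    (administrator rights needed on Windows) or '/dev/sda' on Linux."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR)


if __name__ == "__main__":
    sample = build_sample_mbr()
    allow = {parse_mbr(sample)["code_sha1"]: "sample boot code (constructed)"}
    print(classify_mbr(sample, allow))
    for p in parse_mbr(sample)["partitions"]:
        print(f"slot {p['slot']}: type 0x{p['type']:02X} offset 0x{p['offset']:X} bootable={p['bootable']}")
    tampered = bytearray(sample)
    tampered[0] ^= 0xFF                                      # a single changed byte of boot code
    print(classify_mbr(bytes(tampered), allow))
```

The partition table is parsed as well as hashed on purpose: a loader that matches the allowlist but whose first partition no longer starts where Windows put it (1 MiB on this disk) is still worth a second look, and the disk signature is what Windows' BCD uses to find the boot volume.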
     
  8. wwm1129

    wwm1129 TS Rookie Topic Starter

    Combofix log

    ComboFix 11-01-31.02 - Wendy 02/01/2011 21:01:48.1.2 - x86
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3003.2075 [GMT -5:00]
    Running from: c:\users\Wendy\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2011-01-02 to 2011-02-02 )))))))))))))))))))))))))))))))
    .

    2011-02-02 02:08 . 2011-02-02 02:08 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2011-02-02 02:08 . 2011-02-02 02:08 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-02-01 11:17 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EF4AD6C4-7B8B-4536-88AA-F4332BB5BF1F}\mpengine.dll
    2011-01-30 23:39 . 2011-01-30 23:39 -------- d-----w- c:\users\Wendy\AppData\Roaming\Malwarebytes
    2011-01-30 23:37 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-30 23:37 . 2011-01-30 23:37 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-30 23:37 . 2011-01-31 03:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-30 23:37 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-30 23:16 . 2011-01-30 23:16 -------- d-----w- c:\windows\geswall
    2011-01-30 23:15 . 2011-01-30 23:27 -------- d-----w- c:\program files\geswall
    2011-01-30 23:04 . 2011-01-30 23:04 -------- d-----w- c:\users\Wendy\AppData\Roaming\Avira
    2011-01-30 23:02 . 2010-12-13 13:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-01-30 23:02 . 2010-12-13 13:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-01-30 23:02 . 2011-01-30 23:02 -------- d-----w- c:\programdata\Avira
    2011-01-30 23:02 . 2011-01-30 23:02 -------- d-----w- c:\program files\Avira
    2011-01-30 22:10 . 2011-01-30 22:10 -------- d-----w- c:\users\Wendy\AppData\Roaming\SUPERAntiSpyware.com
    2011-01-30 22:10 . 2011-01-30 22:10 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-01-23 02:23 . 2011-01-23 15:32 -------- d-----w- c:\users\Wendy\AppData\Roaming\skypePM
    2011-01-23 02:20 . 2011-01-23 02:20 -------- d-----w- c:\program files\Common Files\Skype
    2011-01-23 02:20 . 2011-01-23 02:20 -------- d-----r- c:\program files\Skype
    2011-01-23 02:20 . 2011-01-23 16:32 -------- d-----w- c:\users\Wendy\AppData\Roaming\Skype
    2011-01-23 02:20 . 2011-01-23 02:20 -------- d-----w- c:\programdata\Skype
    2011-01-16 14:28 . 2011-01-16 14:28 -------- d-----w- c:\users\Wendy\AppData\Roaming\acccore
    2011-01-16 14:28 . 2011-01-16 14:28 -------- d-----w- c:\users\Wendy\AppData\Local\AOL
    2011-01-16 14:28 . 2011-01-16 14:28 -------- d-----w- c:\users\Wendy\AppData\Local\AIM
    2011-01-16 14:28 . 2011-01-16 14:28 -------- d-----w- c:\programdata\AIM
    2011-01-16 14:27 . 2011-01-16 14:28 -------- d-----w- c:\program files\AIM
    2011-01-16 14:27 . 2011-01-16 14:27 -------- d-----w- c:\program files\Common Files\Software Update Utility
    2011-01-16 14:27 . 2011-01-16 14:27 -------- d-----w- c:\program files\Common Files\AOL
    2011-01-15 18:06 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-01-11 21:16 . 2010-11-02 04:35 161792 ----a-w- c:\windows\system32\d3d10_1.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-06 15:01 . 2010-12-06 15:01 675840 ----a-w- c:\windows\system32\gswgp.dll
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-12 23:53 . 2010-07-31 10:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-04 05:52 . 2010-12-15 10:39 978944 ----a-w- c:\windows\system32\wininet.dll
    2010-11-04 05:48 . 2010-12-15 10:39 44544 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-04 04:41 . 2010-12-15 10:39 386048 ----a-w- c:\windows\system32\html.iec
    2010-11-04 04:08 . 2010-12-15 10:39 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GeSWall]
    @="{F6ACC71C-420B-4a95-905C-C7534706813C}"
    [HKEY_CLASSES_ROOT\CLSID\{F6ACC71C-420B-4a95-905C-C7534706813C}]
    2010-12-07 18:36 737280 ----a-w- c:\program files\geswall\gswshext.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
    "Google Update"="c:\users\Wendy\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-11 133104]
    "HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
    "Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
    "snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
    "ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
    "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

    c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{F6ACC71C-420B-4a95-905C-C7534706813C}"= "c:\program files\geswall\gswshext.dll" [2010-12-07 737280]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 136176]
    R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-15 1343400]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
    S0 GeSWall;GeSWall; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-12-13 135336]
    S2 gswserv;GeSWall service;c:\program files\geswall\gswserv.exe [2010-12-06 970752]
    S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
    S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-04 166912]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - AvgTdiX

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 22:50]

    2011-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 22:50]

    2011-02-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2239686510-729420797-886957577-1000Core.job
    - c:\users\Wendy\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-11 14:16]

    2011-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2239686510-729420797-886957577-1000UA.job
    - c:\users\Wendy\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-11 14:16]

    2011-01-23 c:\windows\Tasks\HPCeeScheduleForWendy.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 18:34]

    2011-01-28 c:\windows\Tasks\Norton Security Scan for Wendy.job
    - c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-11-21 19:44]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    uInternet Settings,ProxyOverride = *.local
    IE: Download All By FlashGet3 - c:\users\Wendy\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
    IE: Download By FlashGet3 - c:\users\Wendy\AppData\Roaming\FlashGetBHO\GetUrl.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: juno.com
    Name-Space Handler: http\https - {C3238BEC-FEFC-46B7-9C86-0CD8200B4496} - c:\windows\System32\RichTX32.dll
    FF - ProfilePath - c:\users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\n3t6fd8l.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Wendy\AppData\Roaming\Move Networks
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{0832FF2C-0867-48AC-A446-3EC50FB4CC3A} - c:\bbplayer\BobaBHO.dll
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    AddRemove-CNXT_AUDIO_HDA - c:\program files\CONEXANT\CNXT_AUDIO_HDA\UIU32a.exe
    AddRemove-{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA} - c:\program files\SUPERAntiSpyware\Uninstall.exe


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(5400)
    c:\program files\geswall\gswshext.dll
    .
    Completion time: 2011-02-01 21:12:41
    ComboFix-quarantined-files.txt 2011-02-02 02:12

    Pre-Run: 224,395,694,080 bytes free
    Post-Run: 224,221,274,112 bytes free

    - - End Of File - - E6914FD0837016C373D21053EB116F4A
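Reading a ComboFix log by eye comes down to one question per autorun entry: where does the file live, and is that somewhere a standard user could have written it? The following is an added example of that triage, not ComboFix's own logic. It parses the Run-key and "ORPHANS REMOVED" lines excerpted from the log above and assigns each entry a verdict; the location heuristics are mine. A "review" verdict means look the file up, not that it is malicious: in this log the three entries it flags are the per-user Google Update installer (registered under HKCU by design), a vendor utility preloaded in the Windows root, and a BHO whose orphaned registration ComboFix has already removed, which is consistent with the verdict given in the reply below.

```python
import re

# Excerpt of the ComboFix output posted above (only the line types this example parses).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Wendy\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-11 133104]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

- - - - ORPHANS REMOVED - - - -

BHO-{0832FF2C-0867-48AC-A446-3EC50FB4CC3A} - c:\bbplayer\BobaBHO.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""

SECTION_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
ORPHAN_RE = re.compile(r'^(?P<kind>[A-Za-z]+)-(?P<id>.+?) - (?P<path>.+)$')


def parse_entries(log_text: str) -> list:
    """Turn Run-key lines and ORPHANS REMOVED lines into records, remembering
    which registry hive/key a Run entry was listed under."""
    entries, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append({"source": section, "name": m.group("name"), "path": m.group("path"),
                            "date": m.group("date"), "size": int(m.group("size"))})
            continue
        m = ORPHAN_RE.match(line)
        if m:
            entries.append({"source": "orphan", "name": f"{m.group('kind')}-{m.group('id')}",
                            "path": m.group("path"), "date": None, "size": None})
    return entries


def triage(path: str) -> tuple:
    """Location heuristics (this editor's, not ComboFix's). 'review' = look it up."""
    p = path.lower()
    if p == "(no file)":
        return "info", "dangling entry; the target is already gone"
    if p.startswith("c:\\users\\") and "\\appdata\\" in p:
        return "review", "runs from a user-writable profile directory"
    if p.startswith("c:\\programdata\\"):
        return "review", "runs from ProgramData, writable by standard users"
    if re.fullmatch(r"c:\\windows\\[^\\]+", p):
        return "review", "executable placed directly in the Windows root"
    if p.startswith("c:\\windows\\") or p.startswith("c:\\program files"):
        return "expected", "standard system or program location"
    return "review", "non-standard top-level directory"


def triage_log(log_text: str) -> list:
    """Parse a ComboFix log excerpt and attach a verdict and reason to every entry."""
    rows = []
    for entry in parse_entries(log_text):
        verdict, reason = triage(entry["path"])
        rows.append({**entry, "verdict": verdict, "reason": reason})
    return rows


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"{r['verdict']:8} {r['name']:45} {r['path']}  ({r['reason']})")
```

The file size and date ComboFix prints next to each Run entry are kept in the record so a reviewer can compare them against the vendor's published values; that comparison, and a signature check on the file itself, is what turns a "review" into a decision.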
     
  9. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    I don't see anything malicious in your logs.
     
  10. wwm1129

    wwm1129 TS Rookie Topic Starter

    Thank you so much for your help! It is very much appreciated.

    I still have a question for you though. My email and my father's email accounts have had their passwords reset without our knowledge. If nothing is malicious on my computer, what other possible explanations are there?
     
  11. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    What email programs are those?
     
  12. wwm1129

    wwm1129 TS Rookie Topic Starter

    Yahoo and Verizon
     
  13. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Not clear there.
    Yahoo for you, Verizon for your dad, or....?
    Both web based mail?
     
  14. wwm1129

    wwm1129 TS Rookie Topic Starter

    Sorry about that.

    Yahoo for me, and Verizon for my dad. They are both web-based email accounts.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Webmail can be hacked without necessarily having something bad on your computer.
    Webmail can be hacked from the outside.
    As I said, I don't see anything malicious on your computer.
     
  16. wwm1129

    wwm1129 TS Rookie Topic Starter

    Alright then. Again, thank you so much for your help!! I really appreciate it! Have a great day!
     
  17. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Same to you :)
     
Topic Status:
Not open for further replies.
