also @ TechSpot: Blizzard talks Diablo 3 facts, nerfing and buffs for legendary items

TechSpot

TechSpot News Products Downloads Forums

[Active] Google redirect, hidden files, bluescreen when trying to start normally

Discussion in 'Virus and Malware Removal' started by njfs589, Oct 3, 2011.

Page 1 of 2

njfs589 Newcomer, in training

Hey there,

First off, I just want to say thank you for existing and helping out so many folks. Kind of cool that this even exists. I'm afraid I have the same problem that a whole bunch of other people are having, so I'm sorry to pile on with the same issue, but if anyone could help me out I would really, really appreciate it.

I first noticed something up when whenever I'd open Firefox, an ad page would open alongside my startup page, and every now and again when I'd open a new page while browsing. Then I noticed the google redirect, which happened for a couple weeks, after which time my files started to hide themselves until I couldn't see anything but the recycle bin. The Programs, Documents, Music, etc. folders were all empty. Then a bluescreen would appear whenever I tried to boot normally, so now I can only run in safe mode.

I looked around on other forums (ha before finding this one that tells you not to do what other people were told to do, which is why I finally joined) and found the "unhide" program, so I can see most of my files again, although I still can't see Malwarebytes or Avira (I have to rightclick on something and click "scan with ..." to get either of those programs running). I also downloaded the mbrcheck, which told me I had either something infected or "non-standard," but to be honest I have no idea what any of this means, and I've given up trying to figure this out on my own. I'd appreciate any help so very much! Thank you and take care.

njfs589, Oct 3, 2011

#1
Bobbye Helper on the Fringe
Welcome to TechSpot! I'll be glad to help with the problem.

There are several malwares popular now that do this number on computer users> hide the files, programs, icons, etc., tell you there is a critical error and you must do xxxxxxx, on an on with the problems it created and which are not 'real.' You've already found some of the files. That doesn't remove the malware though.

I also downloaded the mbrcheck, which told me I had either something infected or "non-standard," but to be honest I have no idea what any of this means,

But you need to stop running random programs or following help given to others. While we may run some of the same programs, how, when and what we do with the results is specific for that person.

Please uninstall whatever you've run so far. I'd like you to use the links I give you. If you cannot connect to the internet to download the programs with the problem computer, use a clean computer and a clean flash drive. If you aren't sure the flash drive is clean, do the following:
Disinfect flash drive:
If you have Windows XP or Vista, you can use this:
Please disinfect all movable drives

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings

The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.

Wait until it has finished scanning and then exit the program.

Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
If you have Windows 7, you will need to use this:

Please download Panda USB Vaccine(you must provide valid e-mail and they will send you download link to this e-mail address) to your desktop.

Install and run it.

Plug in USB drive and click on Vaccinate USB and Vaccinate computer.

==========================================
I'd like you to run this after you finish with the flash drive, if needed:

Download the file TDSSKiller.zip and save to the desktop.
(If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)

Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.

Double click on TDSSKiller.exe. to run the scan

When the scan is over, the utility outputs a list of detected objects with description.
The utility automatically selects an action (Cure or Delete) for malicious objects.
The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).

Select the action Quarantine to quarantine detected objects.
The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43

After clicking Next, the utility applies selected actions and outputs the result.

A reboot is required after disinfection.

===================================
Then please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
==================================
My Guidelines: please read and follow:

Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.

Read my instructions carefully. If you don't understand or have a problem, ask me.

If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.

Follow the order of the tasks I give you. Order is crucial in cleaning process.

File sharing programs should be uninstalled or disabled during the cleaning process..

Observe these:
[o] Don't use any other cleaning programs or scans while I'm helping you.
[o] Don't use a Registry cleaner or make any changes in the Registry.
[o] Don't download and install new programs- except those I give you.

Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================
Please paste the log in your next reply:
TDSSKiller
DDS> 2 logs
Malwarebytes
GMER
Bobbye, Oct 3, 2011

#2
njfs589 Newcomer, in training

Wow, well thank you so much for helping me out, seriously. I really appreciate it.

Okay, so here are all of my logs. At first, I thought you only wanted me to run the TDSS Killer if I had issues with a flash drive (which I didn't), and I didn't realize that may not have been the case until after I'd run all the other scans, so it came last chronologically. Does that make a difference? If not, here they all are:

(EDIT: this was too long for one post, so I made it two. On this one are the TDSS and first DDS logs)

TDSS Killer

22:45:17.0302 1976 TDSS rootkit removing tool 2.6.4.0 Oct 3 2011 17:37:01
22:45:17.0587 1976 ============================================================
22:45:17.0588 1976 Current date / time: 2011/10/03 22:45:17.0587
22:45:17.0588 1976 SystemInfo:
22:45:17.0588 1976
22:45:17.0588 1976 OS Version: 6.0.6000 ServicePack: 0.0
22:45:17.0588 1976 Product type: Workstation
22:45:17.0588 1976 ComputerName: BRIDGES
22:45:17.0588 1976 UserName: Owner
22:45:17.0588 1976 Windows directory: C:\Windows
22:45:17.0588 1976 System windows directory: C:\Windows
22:45:17.0588 1976 Processor architecture: Intel x86
22:45:17.0588 1976 Number of processors: 2
22:45:17.0588 1976 Page size: 0x1000
22:45:17.0588 1976 Boot type: Safe boot with network
22:45:17.0588 1976 ============================================================
22:45:17.0901 1976 Initialize success
22:45:21.0003 1420 ============================================================
22:45:21.0003 1420 Scan started
22:45:21.0003 1420 Mode: Manual;
22:45:21.0003 1420 ============================================================
22:45:21.0790 1420 ACPI (84fc6df81212d16be5c4f441682feccc) C:\Windows\system32\drivers\acpi.sys
22:45:21.0798 1420 ACPI - ok
22:45:21.0885 1420 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
22:45:21.0897 1420 adp94xx - ok
22:45:21.0942 1420 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
22:45:21.0949 1420 adpahci - ok
22:45:21.0978 1420 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
22:45:21.0981 1420 adpu160m - ok
22:45:22.0014 1420 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
22:45:22.0018 1420 adpu320 - ok
22:45:22.0072 1420 AFD (5d24caf8efd924a875698ff28384db8b) C:\Windows\system32\drivers\afd.sys
22:45:22.0078 1420 AFD - ok
22:45:22.0189 1420 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
22:45:22.0191 1420 agp440 - ok
22:45:22.0271 1420 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
22:45:22.0273 1420 aic78xx - ok
22:45:22.0314 1420 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
22:45:22.0315 1420 aliide - ok
22:45:22.0343 1420 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
22:45:22.0345 1420 amdagp - ok
22:45:22.0380 1420 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
22:45:22.0381 1420 amdide - ok
22:45:22.0409 1420 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
22:45:22.0410 1420 AmdK7 - ok
22:45:22.0436 1420 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
22:45:22.0438 1420 AmdK8 - ok
22:45:22.0557 1420 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
22:45:22.0560 1420 arc - ok
22:45:22.0632 1420 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
22:45:22.0635 1420 arcsas - ok
22:45:22.0702 1420 AsyncMac (e86cf7ce67d5de898f27ef884dc357d8) C:\Windows\system32\DRIVERS\asyncmac.sys
22:45:22.0703 1420 AsyncMac - ok
22:45:22.0767 1420 atapi (b35cfcef838382ab6490b321c87edf17) C:\Windows\system32\drivers\atapi.sys
22:45:22.0768 1420 atapi - ok
22:45:22.0838 1420 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\Windows\system32\DRIVERS\avgntflt.sys
22:45:22.0841 1420 avgntflt - ok
22:45:22.0993 1420 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\Windows\system32\DRIVERS\avipbb.sys
22:45:22.0997 1420 avipbb - ok
22:45:23.0081 1420 BCM43XV (509f672686af40f95859fde67108449b) C:\Windows\system32\DRIVERS\bcmwl6.sys
22:45:23.0104 1420 BCM43XV - ok
22:45:23.0148 1420 BCM43XX (509f672686af40f95859fde67108449b) C:\Windows\system32\DRIVERS\bcmwl6.sys
22:45:23.0153 1420 BCM43XX - ok
22:45:23.0219 1420 Beep (ac3dd1708b22761ebd7cbe14dcc3b5d7) C:\Windows\system32\drivers\Beep.sys
22:45:23.0220 1420 Beep - ok
22:45:23.0302 1420 blbdrive - ok
22:45:23.0429 1420 bowser (913cd06fbe9105ce6077e90fd4418561) C:\Windows\system32\DRIVERS\bowser.sys
22:45:23.0431 1420 bowser - ok
22:45:23.0467 1420 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
22:45:23.0469 1420 BrFiltLo - ok
22:45:23.0501 1420 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
22:45:23.0503 1420 BrFiltUp - ok
22:45:23.0541 1420 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
22:45:23.0544 1420 Brserid - ok
22:45:23.0576 1420 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
22:45:23.0578 1420 BrSerWdm - ok
22:45:23.0613 1420 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
22:45:23.0615 1420 BrUsbMdm - ok
22:45:23.0633 1420 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
22:45:23.0635 1420 BrUsbSer - ok
22:45:23.0683 1420 BthEnum (a820438255f37ab8baa2bd59753a8d81) C:\Windows\system32\DRIVERS\BthEnum.sys
22:45:23.0685 1420 BthEnum - ok
22:45:23.0750 1420 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
22:45:23.0752 1420 BTHMODEM - ok
22:45:23.0777 1420 BthPan (b8c3d9ddf85fd197c3e5f849fef71144) C:\Windows\system32\DRIVERS\bthpan.sys
22:45:23.0780 1420 BthPan - ok
22:45:23.0882 1420 BTHPORT (4a74bbb2b6761789f42a6613479bdb1d) C:\Windows\system32\Drivers\BTHport.sys
22:45:23.0888 1420 BTHPORT - ok
22:45:23.0923 1420 BTHUSB (1a407f9b707a06f55aa150f9aa072b09) C:\Windows\system32\Drivers\BTHUSB.sys
22:45:23.0925 1420 BTHUSB - ok
22:45:23.0970 1420 cdfs (6c3a437fc873c6f6a4fc620b6888cb86) C:\Windows\system32\DRIVERS\cdfs.sys
22:45:23.0972 1420 cdfs - ok
22:45:24.0023 1420 cdrom (8d1866e61af096ae8b582454f5e4d303) C:\Windows\system32\DRIVERS\cdrom.sys
22:45:24.0026 1420 cdrom - ok
22:45:24.0071 1420 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
22:45:24.0073 1420 circlass - ok
22:45:24.0186 1420 CLFS (1b84fd0937d3b99af9ba38ddff3daf54) C:\Windows\system32\CLFS.sys
22:45:24.0192 1420 CLFS - ok
22:45:24.0306 1420 CmBatt (ed97ad3df1b9005989eaf149bf06c821) C:\Windows\system32\DRIVERS\CmBatt.sys
22:45:24.0308 1420 CmBatt - ok
22:45:24.0341 1420 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
22:45:24.0343 1420 cmdide - ok
22:45:24.0384 1420 Compbatt (722936afb75a7f509662b69b5632f48a) C:\Windows\system32\DRIVERS\compbatt.sys
22:45:24.0386 1420 Compbatt - ok
22:45:24.0413 1420 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
22:45:24.0415 1420 crcdisk - ok
22:45:24.0448 1420 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
22:45:24.0450 1420 Crusoe - ok
22:45:24.0502 1420 DfsC (a7179de59ae269ab70345527894ccd7c) C:\Windows\system32\Drivers\dfsc.sys
22:45:24.0505 1420 DfsC - ok
22:45:24.0640 1420 disk (841af4c4d41d3e3b2f244e976b0f7963) C:\Windows\system32\drivers\disk.sys
22:45:24.0642 1420 disk - ok
22:45:24.0717 1420 Dot4 (57b2d433a08b95e4f1b53a919937f3e5) C:\Windows\system32\DRIVERS\Dot4.sys
22:45:24.0721 1420 Dot4 - ok
22:45:24.0784 1420 Dot4Print (d93fa484bb62fbe7e5ef335c5415d3cf) C:\Windows\system32\DRIVERS\Dot4Prt.sys
22:45:24.0786 1420 Dot4Print - ok
22:45:24.0845 1420 Dot4Scan (8455e3fb3738ef33f0c6073a3efa013e) C:\Windows\system32\DRIVERS\Dot4Scan.sys
22:45:24.0846 1420 Dot4Scan - ok
22:45:24.0900 1420 dot4usb (599742c4260fb3e8edb3be148b8ce856) C:\Windows\system32\DRIVERS\dot4usb.sys
22:45:24.0901 1420 dot4usb - ok
22:45:25.0008 1420 drmkaud (ee472cd2c01f6f8e8aa1fa06ffef61b6) C:\Windows\system32\drivers\drmkaud.sys
22:45:25.0010 1420 drmkaud - ok
22:45:25.0078 1420 DXGKrnl (334988883de69adb27e2cf9f9715bbdb) C:\Windows\System32\drivers\dxgkrnl.sys
22:45:25.0101 1420 DXGKrnl - ok
22:45:25.0147 1420 E100B (c0b00e55cf82d122d25983c7a6a53dea) C:\Windows\system32\DRIVERS\e100b325.sys
22:45:25.0150 1420 E100B - ok
22:45:25.0225 1420 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
22:45:25.0229 1420 E1G60 - ok
22:45:25.0306 1420 eabfiltr (a6476585b4fefee46a9f42e4d2bfdfa4) C:\Windows\system32\DRIVERS\eabfiltr.sys
22:45:25.0307 1420 eabfiltr - ok
22:45:25.0414 1420 Ecache (0efc7531b936ee57fdb4e837664c509f) C:\Windows\system32\drivers\ecache.sys
22:45:25.0418 1420 Ecache - ok
22:45:25.0474 1420 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
22:45:25.0482 1420 elxstor - ok
22:45:25.0550 1420 fastfat (84a317cb0b3954d3768cdcd018dbf670) C:\Windows\system32\drivers\fastfat.sys
22:45:25.0554 1420 fastfat - ok
22:45:25.0584 1420 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
22:45:25.0586 1420 fdc - ok
22:45:25.0641 1420 FileInfo (65773d6115c037ffd7ef8280ae85eb9d) C:\Windows\system32\drivers\fileinfo.sys
22:45:25.0643 1420 FileInfo - ok
22:45:25.0672 1420 Filetrace (c226dd0de060745f3e042f58dcf78402) C:\Windows\system32\drivers\filetrace.sys
22:45:25.0674 1420 Filetrace - ok
22:45:25.0697 1420 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
22:45:25.0699 1420 flpydisk - ok
22:45:25.0717 1420 FltMgr (a6a8da7ae4d53394ab22ac3ab6d3f5d3) C:\Windows\system32\drivers\fltmgr.sys
22:45:25.0722 1420 FltMgr - ok
22:45:25.0771 1420 Fs_Rec (66a078591208baa210c7634b11eb392c) C:\Windows\system32\drivers\Fs_Rec.sys
22:45:25.0772 1420 Fs_Rec - ok
22:45:25.0869 1420 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
22:45:25.0872 1420 gagp30kx - ok
22:45:25.0940 1420 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\Windows\system32\Drivers\GEARAspiWDM.sys
22:45:25.0941 1420 GEARAspiWDM - ok
22:45:26.0050 1420 HBtnKey (de15777902a5d9121857d155873a1d1b) C:\Windows\system32\DRIVERS\cpqbttn.sys
22:45:26.0051 1420 HBtnKey - ok
22:45:26.0152 1420 HdAudAddService (de4020f928a2f8a6327f5687f36d361b) C:\Windows\system32\drivers\CHDART.sys
22:45:26.0156 1420 HdAudAddService - ok
22:45:26.0234 1420 HDAudBus (0db613a7e427b5663563677796fd5258) C:\Windows\system32\DRIVERS\HDAudBus.sys
22:45:26.0235 1420 HDAudBus - ok
22:45:26.0312 1420 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
22:45:26.0314 1420 HidBth - ok
22:45:26.0360 1420 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
22:45:26.0361 1420 HidIr - ok
22:45:26.0430 1420 HidUsb (3c64042b95e583b366ba4e5d2450235e) C:\Windows\system32\DRIVERS\hidusb.sys
22:45:26.0431 1420 HidUsb - ok
22:45:26.0492 1420 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
22:45:26.0494 1420 HpCISSs - ok
22:45:26.0561 1420 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
22:45:26.0566 1420 HSFHWAZL - ok
22:45:26.0674 1420 HSF_DPV (53229dcf431d76434816cd29251168a0) C:\Windows\system32\DRIVERS\HSX_DPV.sys
22:45:26.0708 1420 HSF_DPV - ok
22:45:26.0994 1420 HSXHWAZL (31f949d452201f2f0af0c88d7db512cd) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
22:45:27.0000 1420 HSXHWAZL - ok
22:45:27.0098 1420 HTTP (ea24fe637d974a8a31bc650f478e3533) C:\Windows\system32\drivers\HTTP.sys
22:45:27.0107 1420 HTTP - ok
22:45:27.0165 1420 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
22:45:27.0167 1420 i2omp - ok
22:45:27.0309 1420 i8042prt (1c9ee072baa3abb460b91d7ee9152660) C:\Windows\system32\DRIVERS\i8042prt.sys
22:45:27.0311 1420 i8042prt - ok
22:45:27.0403 1420 ialm (0215e1204d5410e50a5ea9d442fe7da3) C:\Windows\system32\DRIVERS\igdkmd32.sys
22:45:27.0458 1420 ialm - ok
22:45:27.0496 1420 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
22:45:27.0502 1420 iaStorV - ok
22:45:27.0592 1420 igfx (0215e1204d5410e50a5ea9d442fe7da3) C:\Windows\system32\DRIVERS\igdkmd32.sys
22:45:27.0604 1420 igfx - ok
22:45:27.0639 1420 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
22:45:27.0641 1420 iirsp - ok
22:45:27.0777 1420 iLokDrvr (6ab0d1cddf4cdff2ee190a609db669f8) C:\Windows\system32\DRIVERS\iLokDrvr.sys
22:45:27.0779 1420 iLokDrvr - ok
22:45:27.0852 1420 intelide (988981c840084f480ba9e3319cebde1b) C:\Windows\system32\drivers\intelide.sys
22:45:27.0853 1420 intelide - ok
22:45:27.0908 1420 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
22:45:27.0910 1420 intelppm - ok
22:45:27.0978 1420 IpFilterDriver (880c6f86cc3f551b8fea2c11141268c0) C:\Windows\system32\DRIVERS\ipfltdrv.sys
22:45:27.0980 1420 IpFilterDriver - ok
22:45:28.0013 1420 IpInIp - ok
22:45:28.0098 1420 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
22:45:28.0100 1420 IPMIDRV - ok
22:45:28.0193 1420 IPNAT (10077c35845101548037df04fd1a420b) C:\Windows\system32\DRIVERS\ipnat.sys
22:45:28.0196 1420 IPNAT - ok
22:45:28.0225 1420 IRENUM (a82f328f4792304184642d6d397bb1e3) C:\Windows\system32\drivers\irenum.sys
22:45:28.0226 1420 IRENUM - ok
22:45:28.0256 1420 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
22:45:28.0258 1420 isapnp - ok
22:45:28.0295 1420 iScsiPrt (4dca456d4d5723f8fa9c6760d240b0df) C:\Windows\system32\DRIVERS\msiscsi.sys
22:45:28.0297 1420 iScsiPrt - ok
22:45:28.0325 1420 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
22:45:28.0327 1420 iteatapi - ok
22:45:28.0394 1420 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
22:45:28.0396 1420 iteraid - ok
22:45:28.0452 1420 kbdclass (b076b2ab806b3f696dab21375389101c) C:\Windows\system32\DRIVERS\kbdclass.sys
22:45:28.0453 1420 kbdclass - ok
22:45:28.0504 1420 kbdhid (ed61dbc6603f612b7338283edbacbc4b) C:\Windows\system32\DRIVERS\kbdhid.sys
22:45:28.0505 1420 kbdhid - ok
22:45:28.0579 1420 KSecDD (0a829977b078dea11641fc2af87ceade) C:\Windows\system32\Drivers\ksecdd.sys
22:45:28.0589 1420 KSecDD - ok
22:45:28.0677 1420 lltdio (fd015b4f95daa2b712f0e372a116fbad) C:\Windows\system32\DRIVERS\lltdio.sys
22:45:28.0679 1420 lltdio - ok
22:45:28.0741 1420 LLUSBFLT (4ed28529be6266bc3c1eb18be925314a) C:\Windows\system32\drivers\llusbflt.sys
22:45:28.0743 1420 LLUSBFLT - ok
22:45:28.0775 1420 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
22:45:28.0778 1420 LSI_FC - ok
22:45:28.0809 1420 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
22:45:28.0811 1420 LSI_SAS - ok
22:45:28.0863 1420 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
22:45:28.0865 1420 LSI_SCSI - ok
22:45:28.0880 1420 luafv (42885bb44b6e065b8575a8dd6c430c52) C:\Windows\system32\drivers\luafv.sys
22:45:28.0883 1420 luafv - ok
22:45:28.0961 1420 MAUSBJL (9fc4a139b9060d2070305bb6f13bdcf3) C:\Windows\system32\DRIVERS\mausbjl.sys
22:45:28.0965 1420 MAUSBJL - ok
22:45:29.0061 1420 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
22:45:29.0062 1420 mdmxsdk - ok
22:45:29.0141 1420 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
22:45:29.0143 1420 megasas - ok
22:45:29.0193 1420 Modem (21755967298a46fb6adfec9db6012211) C:\Windows\system32\drivers\modem.sys
22:45:29.0195 1420 Modem - ok
22:45:29.0302 1420 monitor (7446e104a5fe5987ca9e4983fbac4f97) C:\Windows\system32\DRIVERS\monitor.sys
22:45:29.0304 1420 monitor - ok
22:45:29.0392 1420 mouclass (5fba13c1a1841b0885d316ed3589489d) C:\Windows\system32\DRIVERS\mouclass.sys
22:45:29.0393 1420 mouclass - ok
22:45:29.0418 1420 mouhid (b569b5c5d3bde545df3a6af512cccdba) C:\Windows\system32\DRIVERS\mouhid.sys
22:45:29.0420 1420 mouhid - ok
22:45:29.0447 1420 MountMgr (01f1e5a3e4877c931cbb31613fec16a6) C:\Windows\system32\drivers\mountmgr.sys
22:45:29.0450 1420 MountMgr - ok
22:45:29.0506 1420 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
22:45:29.0508 1420 mpio - ok
22:45:29.0553 1420 mpsdrv (6e7a7f0c1193ee5648443fe2d4b789ec) C:\Windows\system32\drivers\mpsdrv.sys
22:45:29.0555 1420 mpsdrv - ok
22:45:29.0601 1420 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
22:45:29.0602 1420 Mraid35x - ok
22:45:29.0666 1420 MRxDAV (1d8828b98ee309d65e006f0829e280e5) C:\Windows\system32\drivers\mrxdav.sys
22:45:29.0669 1420 MRxDAV - ok
22:45:29.0734 1420 mrxsmb (8af705ce1bb907932157fab821170f27) C:\Windows\system32\DRIVERS\mrxsmb.sys
22:45:29.0737 1420 mrxsmb - ok
22:45:29.0808 1420 mrxsmb10 (47e13ab23371be3279eef22bbfa2c1be) C:\Windows\system32\DRIVERS\mrxsmb10.sys
22:45:29.0813 1420 mrxsmb10 - ok
22:45:29.0864 1420 mrxsmb20 (90b3fc7bd6b3d7ee7635debba2187f66) C:\Windows\system32\DRIVERS\mrxsmb20.sys
22:45:29.0866 1420 mrxsmb20 - ok
22:45:29.0910 1420 msahci (b2efb263600314babcf9dadb1cbba994) C:\Windows\system32\drivers\msahci.sys
22:45:29.0911 1420 msahci - ok
22:45:29.0958 1420 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
22:45:29.0962 1420 msdsm - ok
22:45:30.0009 1420 Msfs (729eafefd4e7417165f353a18dbe947d) C:\Windows\system32\drivers\Msfs.sys
22:45:30.0010 1420 Msfs - ok
22:45:30.0035 1420 msisadrv (5f454a16a5146cd91a176d70f0cfa3ec) C:\Windows\system32\drivers\msisadrv.sys
22:45:30.0037 1420 msisadrv - ok
22:45:30.0083 1420 MSKSSRV (892cedefa7e0ffe7be8da651b651d047) C:\Windows\system32\drivers\MSKSSRV.sys
22:45:30.0084 1420 MSKSSRV - ok
22:45:30.0112 1420 MSPCLOCK (ae2cb1da69b2676b4cee2a501af5871c) C:\Windows\system32\drivers\MSPCLOCK.sys
22:45:30.0114 1420 MSPCLOCK - ok
22:45:30.0141 1420 MSPQM (f910da84fa90c44a3addb7cd874463fd) C:\Windows\system32\drivers\MSPQM.sys
22:45:30.0143 1420 MSPQM - ok
22:45:30.0219 1420 MsRPC (84571c0ae07647ba38d493f5f0015df7) C:\Windows\system32\drivers\MsRPC.sys
22:45:30.0224 1420 MsRPC - ok
22:45:30.0262 1420 mssmbios (4385c80ede885e25492d408cad91bd6f) C:\Windows\system32\DRIVERS\mssmbios.sys
22:45:30.0263 1420 mssmbios - ok
22:45:30.0348 1420 MSTEE (c826dd1373f38afd9ca46ec3c436a14e) C:\Windows\system32\drivers\MSTEE.sys
22:45:30.0349 1420 MSTEE - ok
22:45:30.0390 1420 Mup (fa7aa70050cf5e2d15de00941e5665e5) C:\Windows\system32\Drivers\mup.sys
22:45:30.0392 1420 Mup - ok
22:45:30.0473 1420 NativeWifiP (6da4a0fc7c0e83df0cb3cfd0a514c3bc) C:\Windows\system32\DRIVERS\nwifi.sys
22:45:30.0477 1420 NativeWifiP - ok
22:45:30.0565 1420 NDIS (227c11e1e7cf6ef8afb2a238d209760c) C:\Windows\system32\drivers\ndis.sys
22:45:30.0587 1420 NDIS - ok
22:45:30.0669 1420 NdisTapi (81659cdcbd0f9a9e07e6878ad8c78d3f) C:\Windows\system32\DRIVERS\ndistapi.sys
22:45:30.0671 1420 NdisTapi - ok
22:45:30.0727 1420 Ndisuio (5de5ee546bf40838ebe0e01cb629df64) C:\Windows\system32\DRIVERS\ndisuio.sys
22:45:30.0729 1420 Ndisuio - ok
22:45:30.0778 1420 NdisWan (397402adcbb8946223a1950101f6cd94) C:\Windows\system32\DRIVERS\ndiswan.sys
22:45:30.0781 1420 NdisWan - ok
22:45:30.0830 1420 NDProxy (1b24fa907af283199a81b3bb37e5e526) C:\Windows\system32\drivers\NDProxy.sys
22:45:30.0831 1420 NDProxy - ok
22:45:30.0890 1420 NetBIOS (356dbb9f98e8dc1028dd3092fceeb877) C:\Windows\system32\DRIVERS\netbios.sys
22:45:30.0892 1420 NetBIOS - ok
22:45:30.0920 1420 netbt (e3a168912e7eefc3bd3b814720d68b41) C:\Windows\system32\DRIVERS\netbt.sys
22:45:30.0924 1420 netbt - ok
22:45:31.0056 1420 NETw3v32 (acc6170d80c69e50145b370023b64ed3) C:\Windows\system32\DRIVERS\NETw3v32.sys
22:45:31.0166 1420 NETw3v32 - ok
22:45:31.0230 1420 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
22:45:31.0232 1420 nfrd960 - ok
22:45:31.0275 1420 Npfs (4f9832beb9fafd8ceb0e541f1323b26e) C:\Windows\system32\drivers\Npfs.sys
22:45:31.0277 1420 Npfs - ok
22:45:31.0300 1420 nsiproxy (b488dfec274de1fc9d653870ef2587be) C:\Windows\system32\drivers\nsiproxy.sys
22:45:31.0301 1420 nsiproxy - ok
22:45:31.0402 1420 Ntfs (37430aa7a66d7a63407adc2c0d05e9f6) C:\Windows\system32\drivers\Ntfs.sys
22:45:31.0446 1420 Ntfs - ok
22:45:31.0518 1420 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
22:45:31.0519 1420 ntrigdigi - ok
22:45:31.0573 1420 Null (ec5efb3c60f1b624648344a328bce596) C:\Windows\system32\drivers\Null.sys
22:45:31.0574 1420 Null - ok
22:45:31.0624 1420 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
22:45:31.0627 1420 nvraid - ok
22:45:31.0685 1420 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
22:45:31.0687 1420 nvstor - ok
22:45:31.0744 1420 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
22:45:31.0747 1420 nv_agp - ok
22:45:31.0779 1420 NwlnkFlt - ok
22:45:31.0813 1420 NwlnkFwd - ok
22:45:31.0900 1420 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\DRIVERS\ohci1394.sys
22:45:31.0901 1420 ohci1394 - ok
22:45:31.0930 1420 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
22:45:31.0932 1420 Parport - ok
22:45:31.0968 1420 partmgr (555a5b2c8022983bc7467bc925b222ee) C:\Windows\system32\drivers\partmgr.sys
22:45:31.0970 1420 partmgr - ok
22:45:32.0011 1420 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
22:45:32.0012 1420 Parvdm - ok
22:45:32.0180 1420 pbfilter (2f6e885c432927a186c2e352c8a1cbf4) C:\Program Files\PeerBlock\pbfilter.sys
22:45:32.0182 1420 pbfilter - ok
22:45:32.0309 1420 pci (1085d75657807e0e8b32f9e19a1647c3) C:\Windows\system32\drivers\pci.sys
22:45:32.0321 1420 pci - ok
22:45:32.0386 1420 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
22:45:32.0393 1420 pciide - ok
22:45:32.0446 1420 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
22:45:32.0451 1420 pcmcia - ok
22:45:32.0526 1420 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
22:45:32.0560 1420 PEAUTH - ok
22:45:32.0636 1420 PLUsbbc2 (deb5a23f8625d7d84daff899478a4893) C:\Windows\system32\Drivers\usbbc2.sys
22:45:32.0638 1420 PLUsbbc2 - ok
22:45:32.0753 1420 PptpMiniport (6c359ac71d7b550a0d41f9db4563ce05) C:\Windows\system32\DRIVERS\raspptp.sys
22:45:32.0755 1420 PptpMiniport - ok
22:45:32.0794 1420 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
22:45:32.0796 1420 Processor - ok
22:45:32.0850 1420 PSched (2c8bae55247c4e09352e870292e4d1ab) C:\Windows\system32\DRIVERS\pacer.sys
22:45:32.0852 1420 PSched - ok
22:45:32.0907 1420 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\Windows\system32\Drivers\PxHelp20.sys
22:45:32.0908 1420 PxHelp20 - ok
22:45:33.0003 1420 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
22:45:33.0047 1420 ql2300 - ok
22:45:33.0123 1420 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
22:45:33.0126 1420 ql40xx - ok
22:45:33.0218 1420 QWAVEdrv (d2b3e2b7426dc23e185fbc73c8936c12) C:\Windows\system32\drivers\qwavedrv.sys
22:45:33.0219 1420 QWAVEdrv - ok
22:45:33.0274 1420 RasAcd (bd7b30f55b3649506dd8b3d38f571d2a) C:\Windows\system32\DRIVERS\rasacd.sys
22:45:33.0275 1420 RasAcd - ok
22:45:33.0327 1420 Rasl2tp (88587dd843e2059848995b407b67f6cf) C:\Windows\system32\DRIVERS\rasl2tp.sys
22:45:33.0329 1420 Rasl2tp - ok
22:45:33.0404 1420 RasPppoe (ccf4e9c6cbbac81437f88cb2ae0b6c96) C:\Windows\system32\DRIVERS\raspppoe.sys
22:45:33.0406 1420 RasPppoe - ok
22:45:33.0450 1420 rdbss (54129c5d9581bbec8bd1ebd3ba813f47) C:\Windows\system32\DRIVERS\rdbss.sys
22:45:33.0455 1420 rdbss - ok
22:45:33.0537 1420 RDPCDD (794585276b5d7fca9f3fc15543f9f0b9) C:\Windows\system32\DRIVERS\RDPCDD.sys
22:45:33.0538 1420 RDPCDD - ok
22:45:33.0610 1420 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
22:45:33.0615 1420 rdpdr - ok
22:45:33.0658 1420 RDPENCDD (980b56e2e273e19d3a9d72d5c420f008) C:\Windows\system32\drivers\rdpencdd.sys
22:45:33.0660 1420 RDPENCDD - ok
22:45:33.0717 1420 RDPWD (8830e790a74a96605faba74f9665bb3c) C:\Windows\system32\drivers\RDPWD.sys
22:45:33.0721 1420 RDPWD - ok
22:45:33.0786 1420 RFCOMM (7ec90c316177ba3f1bce92005264b447) C:\Windows\system32\DRIVERS\rfcomm.sys
22:45:33.0788 1420 RFCOMM - ok
22:45:33.0889 1420 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\Windows\system32\DRIVERS\rimmptsk.sys
22:45:33.0891 1420 rimmptsk - ok
22:45:33.0951 1420 rimsptsk (db8eb01c58c9fada00c70b1775278ae0) C:\Windows\system32\DRIVERS\rimsptsk.sys
22:45:33.0953 1420 rimsptsk - ok
22:45:33.0992 1420 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\Windows\system32\DRIVERS\rixdptsk.sys
22:45:33.0993 1420 rismxdp - ok
22:45:34.0058 1420 rspndr (97e939d2128fec5d5a3e6e79b290a2f4) C:\Windows\system32\DRIVERS\rspndr.sys
22:45:34.0060 1420 rspndr - ok
22:45:34.0136 1420 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
22:45:34.0138 1420 sbp2port - ok
22:45:34.0261 1420 sdbus (7b3973cc28b8aa3e9e2e5d53e720e2c9) C:\Windows\system32\DRIVERS\sdbus.sys
22:45:34.0264 1420 sdbus - ok
22:45:34.0310 1420 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
22:45:34.0312 1420 secdrv - ok
22:45:34.0364 1420 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
22:45:34.0366 1420 Serenum - ok
22:45:34.0430 1420 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
22:45:34.0434 1420 Serial - ok
22:45:34.0510 1420 sermouse (450accd77ec5cea720c1cdb9e26b953b) C:\Windows\system32\drivers\sermouse.sys
22:45:34.0511 1420 sermouse - ok
22:45:34.0561 1420 sffdisk (51cf56aa8bcc241f134b420b8f850406) C:\Windows\system32\DRIVERS\sffdisk.sys
22:45:34.0563 1420 sffdisk - ok
22:45:34.0617 1420 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
22:45:34.0618 1420 sffp_mmc - ok
22:45:34.0672 1420 sffp_sd (8b08cab1267b2c377883fc9e56981f90) C:\Windows\system32\DRIVERS\sffp_sd.sys
22:45:34.0674 1420 sffp_sd - ok
22:45:34.0709 1420 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
22:45:34.0711 1420 sfloppy - ok
22:45:34.0777 1420 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
22:45:34.0779 1420 sisagp - ok
22:45:34.0838 1420 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
22:45:34.0840 1420 SiSRaid2 - ok
22:45:34.0901 1420 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
22:45:34.0904 1420 SiSRaid4 - ok
22:45:34.0971 1420 SMARTMouseFilterx86 - ok
22:45:35.0060 1420 SMARTVHidMini2000x86 - ok
22:45:35.0112 1420 SMARTVTabletPCx86 - ok
22:45:35.0160 1420 Smb (ac0d90738adb51a6fd12ff00874a2162) C:\Windows\system32\DRIVERS\smb.sys
22:45:35.0162 1420 Smb - ok
22:45:35.0259 1420 spldr (426f9b029aa9162ceccf65369457d046) C:\Windows\system32\drivers\spldr.sys
22:45:35.0261 1420 spldr - ok
22:45:35.0347 1420 srv (038579c35f7cad4a4bbf735dbf83277d) C:\Windows\system32\DRIVERS\srv.sys
22:45:35.0355 1420 srv - ok
22:45:35.0463 1420 srv2 (6971a757af8cb5e2cbcbb76cc530db6c) C:\Windows\system32\DRIVERS\srv2.sys
22:45:35.0466 1420 srv2 - ok
22:45:35.0526 1420 srvnet (9e1a4603b874eebce0298113951abefb) C:\Windows\system32\DRIVERS\srvnet.sys
22:45:35.0529 1420 srvnet - ok
22:45:35.0593 1420 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\Windows\system32\DRIVERS\ssmdrv.sys
22:45:35.0595 1420 ssmdrv - ok
22:45:35.0677 1420 swenum (1379bdb336f8158c176a465e30759f57) C:\Windows\system32\DRIVERS\swenum.sys
22:45:35.0678 1420 swenum - ok
22:45:35.0731 1420 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
22:45:35.0733 1420 Symc8xx - ok
22:45:35.0815 1420 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
22:45:35.0817 1420 Sym_hi - ok
22:45:35.0904 1420 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
22:45:35.0906 1420 Sym_u3 - ok
22:45:35.0978 1420 SynTP (81cf7aa63bb3cca31e1d1944c0a45fc7) C:\Windows\system32\DRIVERS\SynTP.sys
22:45:35.0980 1420 SynTP - ok
22:45:36.0071 1420 Tcpip (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\drivers\tcpip.sys
22:45:36.0105 1420 Tcpip - ok
22:45:36.0148 1420 Tcpip6 (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\DRIVERS\tcpip.sys
22:45:36.0156 1420 Tcpip6 - ok
22:45:36.0214 1420 tcpipreg (5ce0c4a7b12d0067dad527d72b68c726) C:\Windows\system32\drivers\tcpipreg.sys
22:45:36.0216 1420 tcpipreg - ok
22:45:36.0311 1420 TDPIPE (964248aef49c31fa6a93201a73ffaf50) C:\Windows\system32\drivers\tdpipe.sys
22:45:36.0313 1420 TDPIPE - ok
22:45:36.0342 1420 TDTCP (7d2c1ae1648a60fce4aa0f7982e419d3) C:\Windows\system32\drivers\tdtcp.sys
22:45:36.0344 1420 TDTCP - ok
22:45:36.0396 1420 tdx (ab4fde8af4a0270a46a001c08cbce1c2) C:\Windows\system32\DRIVERS\tdx.sys
22:45:36.0399 1420 tdx - ok
22:45:36.0439 1420 TermDD (2c549bd9dd091fbfaa0a2a48e82ec2fb) C:\Windows\system32\DRIVERS\termdd.sys
22:45:36.0440 1420 TermDD - ok
22:45:36.0526 1420 TPkd (a00dbb3ccf4e0821dd531db8746a1374) C:\Windows\system32\drivers\TPkd.sys
22:45:36.0529 1420 TPkd - ok
22:45:36.0598 1420 tssecsrv (29f0eca726f0d51f7e048bdb0b372f29) C:\Windows\system32\DRIVERS\tssecsrv.sys
22:45:36.0599 1420 tssecsrv - ok
22:45:36.0714 1420 tunmp (65e953bc0084d44498b51f59784d2a82) C:\Windows\system32\DRIVERS\tunmp.sys
22:45:36.0716 1420 tunmp - ok
22:45:36.0754 1420 tunnel (4a39bda5e0fd30bdf4884f9d33ae6105) C:\Windows\system32\DRIVERS\tunnel.sys
22:45:36.0756 1420 tunnel - ok
22:45:36.0802 1420 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
22:45:36.0804 1420 uagp35 - ok
22:45:36.0836 1420 udfs (6348da98707ceda8a0dfb05820e17732) C:\Windows\system32\DRIVERS\udfs.sys
22:45:36.0842 1420 udfs - ok
22:45:36.0947 1420 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
22:45:36.0950 1420 uliagpkx - ok
22:45:37.0063 1420 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
22:45:37.0068 1420 uliahci - ok
22:45:37.0126 1420 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
22:45:37.0129 1420 UlSata - ok
22:45:37.0192 1420 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
22:45:37.0196 1420 ulsata2 - ok
22:45:37.0247 1420 umbus (3fb78f1d1dd86d87bececd9dffa24dd9) C:\Windows\system32\DRIVERS\umbus.sys
22:45:37.0249 1420 umbus - ok
22:45:37.0354 1420 US122 (f0022b4a8c803d668dc80251214513af) C:\Windows\system32\Drivers\US122.sys
22:45:37.0358 1420 US122 - ok
22:45:37.0436 1420 US122DL (1d56be893dea1ff488de1495a59f71d5) C:\Windows\system32\Drivers\US122DL.sys
22:45:37.0438 1420 US122DL - ok
22:45:37.0499 1420 Us122WdmService (560763d08a54a981a63f7bb6a27ab7b4) C:\Windows\system32\Drivers\US122Wdm.sys
22:45:37.0501 1420 Us122WdmService - ok
22:45:37.0572 1420 usbaudio (f6bf998ae33e3fb6c7d27f0560f1173f) C:\Windows\system32\drivers\usbaudio.sys
22:45:37.0575 1420 usbaudio - ok
22:45:37.0629 1420 usbccgp (b0ba9caffe9b0555ec0317f30cb79cd2) C:\Windows\system32\DRIVERS\usbccgp.sys
22:45:37.0631 1420 usbccgp - ok
22:45:37.0686 1420 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
22:45:37.0689 1420 usbcir - ok
22:45:37.0772 1420 usbehci (c9fcd05b0a80ea08c2768e5a279b14de) C:\Windows\system32\DRIVERS\usbehci.sys
22:45:37.0775 1420 usbehci - ok
22:45:37.0910 1420 usbfilter (80cfe695c3a32e846d3e79694ac528d1) C:\Windows\system32\DRIVERS\usbfilter.sys
22:45:37.0911 1420 usbfilter - ok
22:45:37.0965 1420 usbhub (5e44f7d957f7560da06bfe6b84b58a35) C:\Windows\system32\DRIVERS\usbhub.sys
22:45:37.0970 1420 usbhub - ok
22:45:38.0016 1420 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
22:45:38.0018 1420 usbohci - ok
22:45:38.0076 1420 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\DRIVERS\usbprint.sys
22:45:38.0078 1420 usbprint - ok
22:45:38.0163 1420 USBSTOR (7887ce56934e7f104e98c975f47353c5) C:\Windows\system32\DRIVERS\USBSTOR.SYS
22:45:38.0165 1420 USBSTOR - ok
22:45:38.0203 1420 usbuhci (d864735b0bfcb65440960a0b7cc1a38d) C:\Windows\system32\DRIVERS\usbuhci.sys
22:45:38.0205 1420 usbuhci - ok
22:45:38.0278 1420 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
22:45:38.0280 1420 vga - ok
22:45:38.0315 1420 VgaSave (17a8f877314e4067f8c8172cc6d9101c) C:\Windows\System32\drivers\vga.sys
22:45:38.0317 1420 VgaSave - ok
22:45:38.0352 1420 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
22:45:38.0354 1420 viaagp - ok
22:45:38.0385 1420 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
22:45:38.0387 1420 ViaC7 - ok
22:45:38.0436 1420 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
22:45:38.0438 1420 viaide - ok
22:45:38.0513 1420 volmgr (103e84c95832d0ed93507997cc7b54e8) C:\Windows\system32\drivers\volmgr.sys
22:45:38.0516 1420 volmgr - ok
22:45:38.0569 1420 volmgrx (294da8d3f965f6a8db934a83c7b461ff) C:\Windows\system32\drivers\volmgrx.sys
22:45:38.0577 1420 volmgrx - ok
22:45:38.0652 1420 volsnap (80dc0c9bcb579ed9815001a4d37cbfd5) C:\Windows\system32\drivers\volsnap.sys
22:45:38.0657 1420 volsnap - ok
22:45:38.0726 1420 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
22:45:38.0729 1420 vsmraid - ok
22:45:38.0804 1420 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
22:45:38.0806 1420 WacomPen - ok
22:45:38.0862 1420 Wanarp (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys
22:45:38.0865 1420 Wanarp - ok
22:45:38.0882 1420 Wanarpv6 (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys
22:45:38.0883 1420 Wanarpv6 - ok
22:45:38.0953 1420 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
22:45:38.0954 1420 Wd - ok
22:45:39.0036 1420 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\Windows\system32\DRIVERS\wdcsam.sys
22:45:39.0037 1420 WDC_SAM - ok
22:45:39.0096 1420 Wdf01000 (7b5f66e4a2219c7d9daf9e738480e534) C:\Windows\system32\drivers\Wdf01000.sys
22:45:39.0119 1420 Wdf01000 - ok
22:45:39.0256 1420 winachsf (6d2350bb6e77e800fc4be4e5b7a2e89a) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
22:45:39.0290 1420 winachsf - ok
22:45:39.0359 1420 WmiAcpi (17eac0d023a65fa9b02114cc2baacad5) C:\Windows\system32\DRIVERS\wmiacpi.sys
22:45:39.0360 1420 WmiAcpi - ok
22:45:39.0481 1420 WpdUsb (2d27171b16a577ef14c1273668753485) C:\Windows\system32\DRIVERS\wpdusb.sys
22:45:39.0483 1420 WpdUsb - ok
22:45:39.0549 1420 ws2ifsl (84620aecdcfd2a7a14e6263927d8c0ed) C:\Windows\system32\drivers\ws2ifsl.sys
22:45:39.0551 1420 ws2ifsl - ok
22:45:39.0615 1420 WUDFRd (a2aafcc8a204736296d937c7c545b53f) C:\Windows\system32\DRIVERS\WUDFRd.sys
22:45:39.0618 1420 WUDFRd - ok
22:45:39.0657 1420 XAudio (5a7ff9a18ff6d7e0527fe3abf9204ef8) C:\Windows\system32\DRIVERS\xaudio.sys
22:45:39.0659 1420 XAudio - ok
22:45:39.0696 1420 MBR (0x1B8) (1a1a06f62e891045814007163c1c76c3) \Device\Harddisk0\DR0
22:45:39.0732 1420 \Device\Harddisk0\DR0 - ok
22:45:39.0736 1420 Boot (0x1200) (e209622fd7b46fbbee590070d828befd) \Device\Harddisk0\DR0\Partition0
22:45:39.0738 1420 \Device\Harddisk0\DR0\Partition0 - ok
22:45:39.0745 1420 Boot (0x1200) (90ee287c5d9cbd9370f5b1d8e1724630) \Device\Harddisk0\DR0\Partition1
22:45:39.0746 1420 \Device\Harddisk0\DR0\Partition1 - ok
22:45:39.0747 1420 ============================================================
22:45:39.0747 1420 Scan finished
22:45:39.0747 1420 ============================================================
22:45:39.0763 0332 Detected object count: 0
22:45:39.0763 0332 Actual detected object count: 0

DDS

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.6000.17037
Run by Owner at 22:38:30 on 2011-10-03
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1013.481 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Users\Owner\Desktop\z4spnrqj.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.allmusic.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [RunSpySweeperScheduleAtStartup] "c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe" /ScheduleSweep=HPCeeScheduleForOwner
uRun: [Google Update] "c:\users\owner\appdata\local\google\update\GoogleUpdate.exe" /c
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10p_Plugin.exe -update plugin
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QlbCtrl] "c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe" /Start
mRun: [HP Health Check Scheduler] "c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe"
mRun: [WAWifiMessage] "c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe"
mRun: [hpWirelessAssistant] "c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [DigidesignMMERefresh] "c:\program files\digidesign\drivers\MMERefresh.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes anti-malware\mbam.exe" /runcleanupscript
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [OpenCloud Security] c:\windows\system32\config\systemprofile\appdata\roaming\opencloud security\OpenCloud Security.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
dRun: [UjhQbNTJwO.exe] c:\programdata\UjhQbNTJwO.exe
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: DhcpNameServer = 68.64.126.240 69.60.160.196
TCP: Interfaces\{3FF3BBE2-486F-4C4D-BA82-376F2B16C76E} : DhcpNameServer = 10.5.1.3
TCP: Interfaces\{738D09C6-F3B9-4EF4-9A69-9AF57149B7F7} : DhcpNameServer = 68.64.126.240 69.60.160.196
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\2dd8tblk.default\
FF - prefs.js: browser.startup.homepage - hxxp://dictionary.reference.com/wordoftheday/
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\owner\appdata\local\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071705000014.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\owner\appdata\roaming\Move Networks
FF - Ext: XULRunner: {D7076421-191D-444F-AFFA-6041A8A1052A} - c:\users\owner\appdata\local\{D7076421-191D-444F-AFFA-6041A8A1052A}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2010-11-1 22072]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-18 136360]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-18 269480]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-18 66616]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-10 135664]
S2 MAudioJamLabService;M-Audio JamLab Installer;c:\program files\m-audio\jamlab\jamlabinst.exe --> c:\program files\m-audio\jamlab\JamLabInst.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-10 135664]
S3 iLokDrvr;iLok;c:\windows\system32\drivers\ilokdrvr.sys [2007-9-5 54256]
S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2006-5-3 4736]
S3 MAUSBJL;Service for M-Audio JamLab Driver (WDM);c:\windows\system32\drivers\mausbjl.sys [2009-9-18 131072]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2011-8-27 20080]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2006-5-3 8960]
S3 US122;US122 Driver;c:\windows\system32\drivers\us122.sys [2008-1-4 131968]
S3 US122DL;US122 Firmware Downloader;c:\windows\system32\drivers\us122dl.sys [2008-1-4 18304]
S3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\drivers\us122wdm.sys [2008-1-4 39168]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2011-10-04 01:42:02 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{534144cf-3516-46f6-981d-81b659f9ed7e}\offreg.dll
2011-10-04 01:40:53 54016 ----a-w- c:\windows\system32\drivers\newfdun.sys
2011-10-04 01:32:34 709968 ----a-w- c:\windows\is-IB8IA.exe
2011-09-24 04:29:28 2461696 ----a-w- c:\programdata\UjhQbNTJwO.exe
2011-09-23 22:53:21 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{534144cf-3516-46f6-981d-81b659f9ed7e}\mpengine.dll
2011-09-22 21:50:47 -------- d-----w- C:\OpenCloud Security
2011-09-20 01:37:35 0 ----a-w- c:\windows\system32\0.7035102354645513.exe
2011-09-18 22:11:49 0 ----a-w- c:\windows\system32\0.5173177838687654.exe
2011-09-11 23:31:30 0 ----a-w- c:\users\owner\appdata\local\Ffeloyo.bin
2011-09-11 23:31:28 -------- d-----w- c:\users\owner\appdata\local\{D7076421-191D-444F-AFFA-6041A8A1052A}
.
==================== Find3M ====================
.
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-14 00:55:31 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.
============= FINISH: 22:39:19.13 ===============

njfs589, Oct 3, 2011

#3
njfs589 Newcomer, in training

(and here are the other two, the DDS "Attach" and the GMER)

DDS Attach

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 3/11/2007 11:23:02 AM
System Uptime: 10/3/2011 9:41:22 PM (1 hours ago)
.
Motherboard: Quanta | | 30BB
Processor: Genuine Intel(R) CPU T2060 @ 1.60GHz | U2E1 | 1596/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 105 GiB total, 11.213 GiB free.
D: is FIXED (NTFS) - 7 GiB total, 0.67 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
µTorrent
3ivx MPEG-4 5.0.3 (remove only)
7-Zip 9.20
Acoustica Effects Pack
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8
Adobe Shockwave Player
ASL_HS_Installer32
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
Civilization III
Conexant HD Audio
Digidesign Free Bomb Factory Plug-Ins 7.4
Digidesign Pro Tools M-Powered 7.4
Digidesign Shared Plug-Ins 7.4
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Setup
Finale 2007 Demo
Finale NotePad 2010
Free M4a to MP3 Converter 6.1
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Connections (remove only)
HP Customer Experience Enhancements
HP Easy Setup - Core
HP Easy Setup - Frontend
HP Help and Support
HP Quick Launch Buttons 6.10 B9
HP QuickPlay 3.0
HP Total Care Advisor
HP Update
HP User Guide 0048
HP Wireless Assistant
HPNetworkAssistant
Intel(R) Graphics Media Accelerator Driver
Interlok driver setup x32
iTunes
JamLab
Java Auto Updater
Java(TM) 6 Update 18
Java(TM) SE Runtime Environment 6
LightScribe 1.4.124.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Microsoft Works 2004 Setup Launcher
Move Media Player
Mozilla Firefox (3.6.23)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 5.0
muvee Plugin 1.0
My HP Games
OpenOffice.org 3.2
PCmover
PeerBlock 1.1 (r518)
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Rhapsody Player Engine
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553074)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB2553073)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Soft Data Fax Modem with SmartCP
Sonic Activation Module
Steinberg Cubase LE
StreamTorrent 1.0
Synaptics Pointing Device Driver
TablEdit 2.65
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
US-122
US122 Driver 3.40
VC80CRTRedist - 8.0.50727.4053
Viewpoint Media Player
VLC media player 1.1.4
.
==== End Of File ===========================

GMER

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-10-03 22:29:20
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 FUJITSU_MHV2120BH_PL rev.892C
Running: z4spnrqj.exe; Driver: C:\Users\Owner\AppData\Local\Temp\fwddqpob.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

njfs589, Oct 3, 2011

#4
njfs589 Newcomer, in training

PS All of this was done in Safe Mode, if that makes a difference. Thanks again, and so much!

njfs589, Oct 3, 2011

#5
njfs589 Newcomer, in training

PPS Forgot the Malwarebytes log. Here it is:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 6.0.6000 (Safe Mode)
Internet Explorer 7.0.6000.17037

10/3/2011 9:39:42 PM
mbam-log-2011-10-03 (21-39-42).txt

Scan type: Quick scan
Objects scanned: 190448
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Temp\gdfstr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Owner\pizda_bkurl.dat (Malware.Trace) -> Quarantined and deleted successfully.

njfs589, Oct 3, 2011

#6
Bobbye Helper on the Fringe
Edit: Forgot to ask you to take Spysweeper off of Startup. Here is the entry- it looks like you have it through HP:
uRun: [RunSpySweeperScheduleAtStartup] "c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe" /ScheduleSweep=HPCeeScheduleForOwner
=====================================
Okay, here's your really bad guy:
1. OpenCloud Security is a computer infection from the Rogue.WinAVPro family.It uses false security alerts and fake scan results to try and trick you into thinking that your computer is infected so that you will then purchase it.
2. Once started it will do a fake scan on your computer that will state that there are numerous infections present. It is scripted to show fake scan results regardless of the computer you are on and how clean it is. There is a long list of fake 'security' or system' messages you may receive- Don't act on any of them.:
3. You may have seen a screen like this::
HERE of what you may have seen.
---------------------------
This infection changes your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software This was seen in the Mbam scan
====================================
If you are in just plain Safe Mode, you need to reboot into Safe Mode with Networking

Restart your computer and start pressing the F8 key on your keyboard.

Select Safe Mode with Networking when the Windows Advanced Options menu appears, and then press ENTER.

--------------------------------------
We will first stop the proxy:
Internet Explorer
1. Under "Tools" in the browser tool bar select "Internet Options".
2. In the "Internet Options" window that pops up, click the "Connections" tab at the top.
3. Click "LAN Settings" near the bottom of the "Connections" section.
4. If the "Proxy server" checkbox is marked with a check, click it to deselect/uncheck it.
5. Click "OK" to close the "Local Area Network (LAN) Settings" window.
6. Click "OK" to close the "Internet Options" window.
7. You have completed removing the proxy settings for Internet Explorer.
Firefox
1. Under "Tools" in the browser tool bar select "Options".
2. In the "Options" window that pops up, click the "Advanced" tab at the top.
3. Click the "Network" subtab, and then click the "Settings" button in the "Connections" area.
4. If "No proxy" isn't selected, click it to mark "No proxy" as your preference
==========================================
Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 3 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com

Rkill.scr

Rkill.exe

Double-click on the Rkill desktop icon to run the tool.

For Vista, right-click on it and choose Run As Administrator.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

If not, delete the file, then download and use the one provided in Link 2.

If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.

Do not reboot until instructed.

If the tool does not run from any of the links provided, please let me know.

=====================================

Double-click on mbam-setup.exe again on your desktop.

Update and select Perform Full Scan option
[*] Click on the Scan button.
When scan has finished, you will see this image:

Click on OK to close box and continue.

Click on the Show Results button.

Click on the Remove Selected button to remove all the listed malware.

At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.

==================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

Click START> then RUN

Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Download Combofix from HERE or HERE and save to the desktop

Double click combofix.exe & follow the prompts.

ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.

.Click on Yes, to continue scanning for malware

.If Combofix asks you to update the program, allow

.Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

.Close any open browsers.

.Double click combofix.exe & follow the prompts to run.

When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

Please leave the RKill, new MBAM and Combofix logs in your next reply.
Bobbye, Oct 6, 2011

#7
njfs589 Newcomer, in training

Hey there,

Thanks so much for your reply. I ran everything, with a couple caveats--I could not get into spysweeper to turn it off (i tried entering that text into the command prompt but it started me out in c:\Users\Owner, and I couldn't get it to do anything), and I could not get into avira to turn it off either before I ran everything (avira is still hidden, too). Also, rkill never asked me to reboot. Finally, just for the hell of it, I tried booting up normally again (after I'd done all of these processes and rebooted in safe mode), but I still got a bluescreen as windows was trying to load. Anyhow, thank you so very much again!

Here are my logs:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 10/09/2011 at 15:45:09.
Operating System: Windows Vista (TM) Home Premium

Processes terminated by Rkill or while it was running:

Rkill completed on 10/09/2011 at 15:45:12.

----------------------------------------
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 6.0.6000 (Safe Mode)
Internet Explorer 7.0.6000.17037

10/9/2011 5:09:51 PM
mbam-log-2011-10-09 (17-09-51).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 415658
Time elapsed: 1 hour(s), 20 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\3MDJQ4UO\ex[6].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\6ENDNQ7X\ex[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\WDF997CU\ex[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.

----------------------------------------------
ComboFix 11-10-09.01 - Owner 10/09/2011 17:31:58.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1013.393 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\UjhQbNTJwO.exe
c:\users\Owner\AppData\Local\{D7076421-191D-444F-AFFA-6041A8A1052A}
c:\users\Owner\AppData\Local\{D7076421-191D-444F-AFFA-6041A8A1052A}\chrome.manifest
c:\users\Owner\AppData\Local\{D7076421-191D-444F-AFFA-6041A8A1052A}\chrome\content\_cfg.js
c:\users\Owner\AppData\Local\{D7076421-191D-444F-AFFA-6041A8A1052A}\chrome\content\overlay.xul
c:\users\Owner\AppData\Local\{D7076421-191D-444F-AFFA-6041A8A1052A}\install.rdf
c:\windows\HPCPCUninstaller-6.3.2.139-6811507.exe
c:\windows\system32\0.5173177838687654.exe
c:\windows\system32\0.7035102354645513.exe
c:\windows\system32\comct332.ocx
.
.
((((((((((((((((((((((((( Files Created from 2011-09-09 to 2011-10-09 )))))))))))))))))))))))))))))))
.
.
2011-10-09 21:11 . 2011-10-09 21:11 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{534144CF-3516-46F6-981D-81B659F9ED7E}\offreg.dll
2011-10-09 21:10 . 2011-10-09 21:10 54016 ----a-w- c:\windows\system32\drivers\lmuy.sys
2011-10-04 01:40 . 2011-10-04 01:40 54016 ----a-w- c:\windows\system32\drivers\newfdun.sys
2011-10-04 01:32 . 2011-10-04 01:32 709968 ----a-w- c:\windows\is-IB8IA.exe
2011-10-03 20:39 . 2011-10-03 20:39 -------- d-----w- c:\users\goober
2011-09-23 22:53 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{534144CF-3516-46F6-981D-81B659F9ED7E}\mpengine.dll
2011-09-22 21:50 . 2011-09-22 21:51 -------- d-----w- C:\OpenCloud Security
2011-09-13 03:00 . 2011-09-13 03:00 -------- d-----w- c:\windows\Sun
2011-09-11 23:31 . 2011-09-15 14:29 0 ----a-w- c:\users\Owner\AppData\Local\Ffeloyo.bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 21:00 . 2010-09-18 19:38 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-14 00:55 . 2010-09-18 20:34 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-07-14 00:55 . 2010-09-18 20:34 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RunSpySweeperScheduleAtStartup"="c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe" [2006-10-31 86016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-06 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-06 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 46704]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-05 281768]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes Anti-Malware\mbam.exe" [2011-08-31 1047208]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2010-12-25 274608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
.
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 07:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-03-14 23:05 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2006-11-24 23:33 167936 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-02-16 14:54 282624 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-05-02 136360]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
R2 MAudioJamLabService;M-Audio JamLab Installer;c:\program files\M-Audio\JamLab\JamLabInst.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
R3 iLokDrvr;iLok;c:\windows\system32\DRIVERS\iLokDrvr.sys [2007-09-05 54256]
R3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2006-05-03 4736]
R3 MAUSBJL;Service for M-Audio JamLab Driver (WDM);c:\windows\system32\DRIVERS\mausbjl.sys [2007-08-02 131072]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-07 20080]
R3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc2.sys [2006-05-03 8960]
R3 SMARTMouseFilterx86;HID-compliant mouse;c:\windows\system32\DRIVERS\SMARTMouseFilterx86.sys [x]
R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [x]
R3 SMARTVTabletPCx86;SMART Virtual TabletPC;c:\windows\system32\DRIVERS\SMARTVTabletPCx86.sys [x]
R3 US122;US122 Driver;c:\windows\system32\Drivers\US122.sys [2007-08-29 131968]
R3 US122DL;US122 Firmware Downloader;c:\windows\system32\Drivers\US122DL.sys [2007-08-29 18304]
R3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\Drivers\US122Wdm.sys [2007-08-29 39168]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2010-11-02 22072]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21]
.
2011-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21]
.
2011-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27]
.
2011-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000UA.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27]
.
2011-09-03 c:\windows\Tasks\HPCeeScheduleForOwner.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2006-12-18 00:08]
.
2011-10-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-616632193-1259257616-3665374468-1000.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.allmusic.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.64.126.240 69.60.160.196
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\2dd8tblk.default\
FF - prefs.js: browser.startup.homepage - hxxp://dictionary.reference.com/wordoftheday/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Owner\AppData\Roaming\Move Networks
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-M-Audio Taskbar Icon - c:\windows\System32\M-AudioTaskBarIcon.exe
HKU-Default-Run-UjhQbNTJwO.exe - c:\programdata\UjhQbNTJwO.exe
MSConfigStartUp-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
AddRemove-7-Zip - c:\program files\7-Zip\Uninstall.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe
AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\program files\DivX\DivXConverterUninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - c:\program files\DivX\DivXPlayerUninstall.exe
AddRemove-{B13A7C41581B411290FBC0395694E2A9} - c:\program files\DivX\DivXConverterUninstall.exe
AddRemove-{D050D7362D214723AD585B541FFB6C11} - c:\program files\DivX\DivXContentUploaderUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-09 17:41
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-09 17:44:44
ComboFix-quarantined-files.txt 2011-10-09 21:44
.
Pre-Run: 11,996,598,272 bytes free
Post-Run: 11,982,880,768 bytes free
.
- - End Of File - - 58F8C3C44184AAAF4491C6F8F77D4CA9

njfs589, Oct 9, 2011

#8

Bobbye Helper on the Fringe

Okay, let see if you can get this through:
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
Code:
File::
C:\Users\Owner\Desktop\z4spnrqj.exe
c:\programdata\UjhQbNTJwO.exe
c:\users\owner\appdata\local\Ffeloyo.bin
Folder::C:\OpenCloud Security
c:\windows\system32\0.7035102354645513.exe
c:\windows\system32\0.5173177838687654.exe
c:\users\owner\appdata\local\{D7076421-191D-444F-AFFA-6041A8A1052A}
DDS::
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [OpenCloud Security] c:\windows\system32\config\systemprofile\appdata\roaming\opencloud security\OpenCloud Security.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
dRun: [UjhQbNTJwO.exe] c:\programdata\UjhQbNTJwO.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RunSpySweeperScheduleAtStartup"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
======================================
Follow with download of maxhandle.exe by noahdfear to your desktop.

Double click maxhandle.exeand run the application

An active internet connection is required so that maxhandle.exe may download a tool from SysInternals

If Max++ is present the log will open automatically.

If Max++ is not found Nothing found! is echoed to the screen - no log is produced.

Log is saved to c:\maxhandle.txt

Please post both of the logs in your next reply.

Bobbye, Oct 10, 2011

#9

njfs589 Newcomer, in training

Hey there,

Sorry it took me all week to get back to you. The screen on my laptop (infected computer) is cracked (huge black blotches on it), so I can only work on it when I'm able to bring a monitor home from my work computer, and I wasn't able to do that 'till this weekend. Anyhow, thank you again for your help.

Here's my combofix log. I ran maxhandle but it said "nothing found!" so there's no log for that one. Thanks again and so much!

ComboFix 11-10-16.02 - Owner 10/16/2011 16:58:19.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1013.509 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
Command switches used :: c:\users\Owner\Desktop\CFScript.txt
* Created a new restore point
.
FILE ::
"c:\programdata\UjhQbNTJwO.exe"
"c:\users\owner\appdata\local\Ffeloyo.bin"
"c:\users\Owner\Desktop\z4spnrqj.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\owner\appdata\local\Ffeloyo.bin
c:\users\Owner\Desktop\z4spnrqj.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-09-16 to 2011-10-16 )))))))))))))))))))))))))))))))
.
.
2011-10-16 21:07 . 2011-10-16 21:07 -------- d-----w- c:\users\Owner\AppData\Local\temp
2011-10-16 21:07 . 2011-10-16 21:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-09 21:10 . 2011-10-09 21:10 54016 ----a-w- c:\windows\system32\drivers\lmuy.sys
2011-10-04 01:40 . 2011-10-04 01:40 54016 ----a-w- c:\windows\system32\drivers\newfdun.sys
2011-10-04 01:32 . 2011-10-04 01:32 709968 ----a-w- c:\windows\is-IB8IA.exe
2011-10-03 20:39 . 2011-10-03 20:39 -------- d-----w- c:\users\goober
2011-09-23 22:53 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{534144CF-3516-46F6-981D-81B659F9ED7E}\mpengine.dll
2011-09-22 21:50 . 2011-09-22 21:51 -------- d-----w- C:\OpenCloud Security
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 21:00 . 2010-09-18 19:38 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-06 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-06 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 46704]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [BU]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-05 281768]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes Anti-Malware\mbam.exe" [2011-08-31 1047208]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2010-12-25 274608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"UjhQbNTJwO.exe"="c:\programdata\UjhQbNTJwO.exe" [BU]
.
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
c:\program files\DivX\DivX Update\DivXUpdate.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 07:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-03-14 23:05 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2006-11-24 23:33 167936 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-02-16 14:54 282624 ----a-w- c:\program files\QuickTime\qttask.exe
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-05-02 136360]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
R2 MAudioJamLabService;M-Audio JamLab Installer;c:\program files\M-Audio\JamLab\JamLabInst.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
R3 iLokDrvr;iLok;c:\windows\system32\DRIVERS\iLokDrvr.sys [2007-09-05 54256]
R3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2006-05-03 4736]
R3 MAUSBJL;Service for M-Audio JamLab Driver (WDM);c:\windows\system32\DRIVERS\mausbjl.sys [2007-08-02 131072]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-07 20080]
R3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc2.sys [2006-05-03 8960]
R3 SMARTMouseFilterx86;HID-compliant mouse;c:\windows\system32\DRIVERS\SMARTMouseFilterx86.sys [x]
R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [x]
R3 SMARTVTabletPCx86;SMART Virtual TabletPC;c:\windows\system32\DRIVERS\SMARTVTabletPCx86.sys [x]
R3 US122;US122 Driver;c:\windows\system32\Drivers\US122.sys [2007-08-29 131968]
R3 US122DL;US122 Firmware Downloader;c:\windows\system32\Drivers\US122DL.sys [2007-08-29 18304]
R3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\Drivers\US122Wdm.sys [2007-08-29 39168]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2010-11-02 22072]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21]
.
2011-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21]
.
2011-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27]
.
2011-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000UA.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27]
.
2011-09-03 c:\windows\Tasks\HPCeeScheduleForOwner.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2006-12-18 00:08]
.
2011-10-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-616632193-1259257616-3665374468-1000.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.allmusic.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\2dd8tblk.default\
FF - prefs.js: browser.startup.homepage - hxxp://dictionary.reference.com/wordoftheday/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Owner\AppData\Roaming\Move Networks
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-16 17:07
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-16 17:11:05
ComboFix-quarantined-files.txt 2011-10-16 21:10
ComboFix2.txt 2011-10-09 21:44
.
Pre-Run: 12,056,375,296 bytes free
Post-Run: 12,027,953,152 bytes free
.
- - End Of File - - D5310843438F6C172535C07533EBF576

njfs589, Oct 16, 2011

#10
Bobbye Helper on the Fringe

Can you tell me anything about these files?

2011-10-09 21:10 54016 ----a-w- c:\windows\system32\drivers\lmuy.sys
2011-10-04 01:40 . 2011-10-04 01:40 54016 ----a-w- c:\windows\system32\drivers\newfdun.sys
2011-10-04 01:32 . 2011-10-04 01:32 709968 ----a-w- c:\windows\is-IB8IA.exe
2011-10-03 20:39 . 2011-10-03 20:39 -------- d-----w- c:\users\goober

And did you include this in the script I had you run through Combofix?
2011-09-22 21:51 -------- d-----w- C:\OpenCloud Security
.

Bobbye, Oct 18, 2011

#11
njfs589 Newcomer, in training

Hello again, and thank you again for your help.

The only one I can tell you about is:
2011-10-03 20:39 . 2011-10-03 20:39 -------- d-----w- c:\users\goober

At one point (I suppose on October 3), I tried creating a new user account to see if I'd be able to boot my computer normally (aka not in safe mode), and called the new user "goober." It didn't work. The other lines I don't know anything about.

And as for this,

And did you include this in the script I had you run through Combofix?
2011-09-22 21:51 -------- d-----w- C:\OpenCloud Security

I'm fairly certain I just copied and pasted the script that you gave me, the script appears to be gone from my computer so I can't verify this 100%, but I can't imagine myself having done anything else. I certainly didn't alter the script in any way.

Thank you again for all your help in this, most seriously. If you ever find yourself in eastern ky. there's a beer with your name on it. Have a great weekend.

njfs589, Oct 21, 2011

#12
Bobbye Helper on the Fringe
You're welcome and thanks for the offer! Just a few more:

Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.

Code:

File:: c:\windows\is-IB8IA.exe c:\windows\system32\drivers\lmuy.sys Folder:: C:\OpenCloud Security c:\users\Owner\AppData\Local\temp c:\users\Default\AppData\Local\temp Registry:: [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "UjhQbNTJwO.exe"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
=============================================
Please use Windows Explorer> Right click on Start> Explore> My Computer> double click on Local Drove (C)> do a right click> Delete on OpenCloud Security

Also while in WE, go to Programs. If there is a folder for OpenCloud Security> do a right click> Delete.

Now look in Add/Remove Programs> If OpenCloud Security is there, uninstall it.

If you do not see the C:\OpenCloud Security directory: After bringing up Windows Explorer: Tools> Folder Options> View tab> Check 'show hidden files and folders'> uncheck 'hide protected system files and folders (Recommended)> Confirm Yes to message> Apply> OK

Then go ahead with the directions
====================================
How is the system working now?
Bobbye, Oct 23, 2011

#13
njfs589 Newcomer, in training

Okay, I ran the script into Combofix and have attached my log.

I then deleted the shortcut to OpenCloud Security from C:\. I couldn't find the folder under Program Files or Program Data, and nothing OpenCloud Security-related was visible in Add/remove programs. I then unhid all folders, as instructed, but still couldn't find any in Program Files. So I searched my system for "opencloud," and got two copies of the same folder (and their path said they were both in some kind of "quarantine") and a VIR file. I deleted the folder. When I tried to delete the VIR file it told me I'd have to create a folder for it first, so I held off. I then deleted all from the Recycle Bin, and when I searched again, nothing "opencloud"-related came up.

So I then restarted to make sure everything stuck, and then I restarted again and tried rebooting my computer normally, but the same thing happened again that's been happening--it tries to load the desktop but before anything appears on the screen (besides my background color), it flashes a bluescreen and shuts off the computer. So once again, I'm rolling in Safe Mode.

Thanks again for the help. Here's the Combofix Log:

ComboFix 11-10-23.03 - Owner 10/23/2011 23:42:32.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1013.511 [GMT -4:00]
Running from: C:\Users\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Users\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\windows\is-IB8IA.exe"
"c:\windows\system32\drivers\lmuy.sys"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\OpenCloud Security
C:\OpenCloud Security\OpenCloud Security.lnk
c:\users\Default\AppData\Local\temp
c:\users\Owner\AppData\Local\temp
c:\users\Owner\AppData\Local\temp\RarSFX0\hand.bat
c:\users\Owner\AppData\Local\temp\RarSFX0\sed.exe
c:\users\Owner\AppData\Local\temp\RarSFX0\swreg.exe
c:\users\Owner\AppData\Local\temp\RarSFX0\temp0
c:\users\Owner\AppData\Local\temp\RarSFX0\temp3
c:\users\Owner\AppData\Local\temp\RarSFX0\unzip.exe
c:\users\Owner\AppData\Local\temp\RarSFX0\WGET.EXE
c:\windows\is-IB8IA.exe
c:\windows\system32\drivers\lmuy.sys

((((((((((((((((((((((((( Files Created from 2011-09-24 to 2011-10-24 )))))))))))))))))))))))))))))))

2011-10-16 23:53:27 . 2011-10-23 21:50:30 56200 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{534144CF-3516-46F6-981D-81B659F9ED7E}\offreg.dll
2011-10-16 22:46:49 . 2011-07-07 17:28:24 520496 ----a-w- C:\Windows\Listdlls.exe
2011-10-16 22:46:40 . 2011-05-17 16:48:50 423288 ----a-w- C:\Windows\handle.exe
2011-10-04 01:40:53 . 2011-10-04 01:40:53 54016 ----a-w- C:\Windows\system32\drivers\newfdun.sys
2011-10-03 20:39:50 . 2011-10-03 20:39:51 -------- d-----w- C:\Users\goober
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-09-12 23:14:12 . 2011-09-23 22:53:21 7269712 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{534144CF-3516-46F6-981D-81B659F9ED7E}\mpengine.dll
2011-08-31 21:00:50 . 2010-09-18 19:38:02 22216 ----a-w- C:\Windows\system32\drivers\mbam.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 05:02:46 815104]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2006-11-06 09:02:32 98304]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2006-11-06 09:05:32 106496]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2006-11-06 09:02:18 81920]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 18:58:18 159744]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 23:42:42 46704]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 17:56:54 317152]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 17:32:36 472800]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 20:21:52 246504]
"M-Audio Taskbar Icon"="C:\Windows\System32\M-AudioTaskBarIcon.exe" [BU]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 03:35:10 77824]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-05 16:48:14 281768]
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes Anti-Malware\mbam.exe" [2011-08-31 21:00:48 1047208]
"TkBellExe"="C:\Program Files\Real\RealPlayer\Update\realsched.exe" [2010-12-25 03:07:02 274608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="C:\Windows\SMINST\launcher.exe" [2006-11-08 01:39:18 44128]

C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
C:\Program Files\DivX\DivX Update\DivXUpdate.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 07:11:42 49152 ----a-w- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-03-14 23:05:48 257088 ----a-w- C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2006-11-24 23:33:52 167936 ----a-w- C:\Program Files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-02-16 14:54:04 282624 ----a-w- C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [2011-05-02 01:01:47 136360]
R2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21:57 135664]
R2 MAudioJamLabService;M-Audio JamLab Installer;C:\Program Files\M-Audio\JamLab\JamLabInst.exe [x]
R3 gupdatem;Google Update Service (gupdatem);C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21:57 135664]
R3 iLokDrvr;iLok;C:\Windows\system32\DRIVERS\iLokDrvr.sys [2007-09-05 16:05:02 54256]
R3 LLUSBFLT;LLUSBFLT;C:\Windows\system32\drivers\llusbflt.sys [2006-05-03 13:19:36 4736]
R3 MAUSBJL;Service for M-Audio JamLab Driver (WDM);C:\Windows\system32\DRIVERS\mausbjl.sys [2007-08-02 18:50:00 131072]
R3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2010-11-07 02:24:32 20080]
R3 PLUsbbc2;High-Speed USB Bridge Cable Driver;C:\Windows\system32\Drivers\usbbc2.sys [2006-05-03 13:19:36 8960]
R3 SMARTMouseFilterx86;HID-compliant mouse;C:\Windows\system32\DRIVERS\SMARTMouseFilterx86.sys [x]
R3 SMARTVHidMini2000x86;SMART HID Device;C:\Windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [x]
R3 SMARTVTabletPCx86;SMART Virtual TabletPC;C:\Windows\system32\DRIVERS\SMARTVTabletPCx86.sys [x]
R3 US122;US122 Driver;C:\Windows\system32\Drivers\US122.sys [2007-08-29 10:20:02 131968]
R3 US122DL;US122 Firmware Downloader;C:\Windows\system32\Drivers\US122DL.sys [2007-08-29 10:20:34 18304]
R3 Us122WdmService;US122 Wdm Audio;C:\Windows\system32\Drivers\US122Wdm.sys [2007-08-29 10:20:48 39168]
R3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam.sys [2008-05-06 22:06:00 11520]
S3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys [2010-11-02 03:33:19 22072]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

Contents of the 'Scheduled Tasks' folder

2011-10-16 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-10 06:22:14 . 2010-01-10 06:21:57]

2011-09-24 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-10 06:22:14 . 2010-01-10 06:21:57]

2011-09-19 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000Core.job
- C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27:55 . 2011-07-13 12:27:51]

2011-09-24 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000UA.job
- C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27:55 . 2011-07-13 12:27:51]

2011-09-03 C:\Windows\Tasks\HPCeeScheduleForOwner.job
- C:\Program Files\hewlett-packard\sdp\ceement\HPCEE.exe [2006-12-18 04:26:38 . 2006-10-31 00:08:36]

2011-10-24 C:\Windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-616632193-1259257616-3665374468-1000.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33:50 . 2010-11-05 17:33:50]

------- Supplementary Scan -------

uStart Page = hxxp://www.allmusic.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\2dd8tblk.default\
FF - prefs.js: browser.startup.homepage - hxxp://dictionary.reference.com/wordoftheday/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Move Media Player: moveplayer@movenetworks.com - C:\Users\Owner\AppData\Roaming\Move Networks
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-23 23:51:22
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

Completion time: 2011-10-23 23:54:31
ComboFix-quarantined-files.txt 2011-10-24 03:54:14
ComboFix2.txt 2011-10-16 21:11:05
ComboFix3.txt 2011-10-09 21:44:44

Pre-Run: 11,948,613,632 bytes free
Post-Run: 11,919,065,088 bytes free

- - End Of File - - E0AAF4DCF6A7E45092C78BA23C20B10D

njfs589, Oct 24, 2011

#14
Bobbye Helper on the Fringe
Okay, looks like you got Open Cloud off the system! Just a few entries to remove:

Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.

Code:

File:: Registry:: [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=- [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=- [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
About the BSOD on boot into Normal:
We need to look and see if there is an error corresponding to the time this happens. Errors are time-coded, so you have to check the time on the computer clock when this happens. Force it if necessary, and note the time. Then do the following:

Please download VEW and save it to your Desktop:

Setting up the program

Double-click VEW.exe to run.

Select log to query, select

Application

System

Under Select type to list, select:

Critical (Vista only)

Error

Click the radio button for Number of events

Type 20 in the 1 to 20 box

Then click the Run button.

Notepad will open with the output log.

Load the log

In Notepad, click Edit> Select all

Then press Edit > Copy

Press Ctrl+V on your keyboard to paste the log to your next reply.

(Courtesy rev-Olie)
=======================================
There should be a consistent error occurring at the failed boot time. But you will get errors about some processes and groups of processes not starting>> that will be due to the fact that you're running in Safe Mode and some processes don't start in Safe Mode. I will sort those out and ignore them.

The important thing is that the scan covers at lease one of the times you try to boot into normal mode and get the BSOD- so noting the time is important.
Bobbye, Oct 24, 2011

#15
njfs589 Newcomer, in training

Allright, so below I've posted the Combofix Log, but before that I've posted what VEW gave me, which seems to be nothing. I intentionally tried booting normally and forced a bluescreen and shutdown at 8:44 p.m., yet nothing here. Do you know any reason why this may be? Thanks so much.

Vino's Event Viewer v01c run on Windows Vista in English
Report run at 24/10/2011 8:50:26 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

----------------------------------------

ComboFix 11-10-24.04 - Owner 10/24/2011 20:26:35.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1013.523 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
Command switches used :: c:\users\Owner\Desktop\CFScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-09-25 to 2011-10-25 )))))))))))))))))))))))))))))))
.
.
2011-10-25 00:36 . 2011-10-25 00:36 -------- d-----w- c:\users\Owner\AppData\Local\temp
2011-10-25 00:36 . 2011-10-25 00:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-24 04:20 . 2011-10-25 00:01 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{534144CF-3516-46F6-981D-81B659F9ED7E}\offreg.dll
2011-10-16 22:46 . 2011-07-07 17:28 520496 ----a-w- c:\windows\Listdlls.exe
2011-10-16 22:46 . 2011-05-17 16:48 423288 ----a-w- c:\windows\handle.exe
2011-10-04 01:40 . 2011-10-04 01:40 54016 ----a-w- c:\windows\system32\drivers\newfdun.sys
2011-10-03 20:39 . 2011-10-03 20:39 -------- d-----w- c:\users\goober
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-12 23:14 . 2011-09-23 22:53 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{534144CF-3516-46F6-981D-81B659F9ED7E}\mpengine.dll
2011-08-31 21:00 . 2010-09-18 19:38 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-06 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-06 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 46704]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [BU]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-05 281768]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes Anti-Malware\mbam.exe" [2011-08-31 1047208]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2010-12-25 274608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"UjhQbNTJwO.exe"="c:\programdata\UjhQbNTJwO.exe" [BU]
.
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
c:\program files\DivX\DivX Update\DivXUpdate.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 07:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-03-14 23:05 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2006-11-24 23:33 167936 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-02-16 14:54 282624 ----a-w- c:\program files\QuickTime\qttask.exe
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-05-02 136360]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
R2 MAudioJamLabService;M-Audio JamLab Installer;c:\program files\M-Audio\JamLab\JamLabInst.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
R3 iLokDrvr;iLok;c:\windows\system32\DRIVERS\iLokDrvr.sys [2007-09-05 54256]
R3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2006-05-03 4736]
R3 MAUSBJL;Service for M-Audio JamLab Driver (WDM);c:\windows\system32\DRIVERS\mausbjl.sys [2007-08-02 131072]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-07 20080]
R3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc2.sys [2006-05-03 8960]
R3 SMARTMouseFilterx86;HID-compliant mouse;c:\windows\system32\DRIVERS\SMARTMouseFilterx86.sys [x]
R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [x]
R3 SMARTVTabletPCx86;SMART Virtual TabletPC;c:\windows\system32\DRIVERS\SMARTVTabletPCx86.sys [x]
R3 US122;US122 Driver;c:\windows\system32\Drivers\US122.sys [2007-08-29 131968]
R3 US122DL;US122 Firmware Downloader;c:\windows\system32\Drivers\US122DL.sys [2007-08-29 18304]
R3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\Drivers\US122Wdm.sys [2007-08-29 39168]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2010-11-02 22072]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21]
.
2011-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21]
.
2011-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27]
.
2011-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000UA.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27]
.
2011-09-03 c:\windows\Tasks\HPCeeScheduleForOwner.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2006-12-18 00:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.allmusic.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\2dd8tblk.default\
FF - prefs.js: browser.startup.homepage - hxxp://dictionary.reference.com/wordoftheday/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Owner\AppData\Roaming\Move Networks
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-24 20:36
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-24 20:38:44
ComboFix-quarantined-files.txt 2011-10-25 00:38
ComboFix2.txt 2011-10-24 03:54
ComboFix3.txt 2011-10-16 21:11
ComboFix4.txt 2011-10-09 21:44
.
Pre-Run: 11,994,951,680 bytes free
Post-Run: 11,958,034,432 bytes free
.
- - End Of File - - 8B80279199069238BFD5EA71CCFAAAD7

njfs589, Oct 24, 2011

#16
Bobbye Helper on the Fringe
The Event Viewer results could be: 1. There were no errors at all (I've never seen a log with none!) or 2. that for some reason, the scan didn't work.

Have a look manually:

Start> Run> type in eventvwr

Do this on each the System and the Applications logs:
[1]. Click to open the log>
[2]. Look for the Error>
[3] .Right click on the Error> Properties>
[4]. Click on Copy button, top right, below the down arrow >
[5]. Paste here (Ctrl V)
[6].NOTES

You can ignore Warnings and Information Events.

If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.

You don't need to include the lines of code in the box below the Description, if any.

Please do not copy the entire Event log.

================================
Let' go ahead and check this. In an earlier post you mentioned you had something 'non-standard'
Bootkit Remover:

Download bootkitremover.rar and save to your desktop.

Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program, )

Double-click on the remover.exe file to run the program.
(Vista/7 users,right click on remover.exe and click Run As Administrator.)

You will see a black screen with data

Right click on the screen and click Select All.

Press CTRL+C

Open a Notepad and press CTRL+V

Paste the output in your next reply.

=====================================
Don't act on this- the following is FYI only:
Results should be one of the following:

OK (DOS/Win32 Boot code found)
- MBR boot code is clean.

Unknown boot code
- MBR boot code is modified. This practically corresponds to either
an active bootkit infection, or a custom boot manager installed (such
as GRUB).

Controlled by rootkit!
- a bootkit with self-hiding capabilities is detected.

==============================================
Bobbye, Oct 26, 2011

#17
njfs589 Newcomer, in training

Hey there,

So no events showed up on the event viewer either. When you click "Application" under Windows Logs, it says "Event Viewer cannot open the event log or custom view. Verify that Event Log service is running." I then went to "Log Properties-Application" and clicked the "subscribe" tab, where a box popped up that told me "To work with subscriptions, the Windows Event Collector Service must be running and configured. Do you want to start the service...?" I clicked "yes," but it said "Unable to start service. Cannot start service wecsvc on computer." So maybe that's why no logs showed up in VEW either? Do viruses / rootkits / whatever I've got ever attack Event Viewing functionality? Seems pretty sinister.

And as for the bootkitremover.rar, when I left-clicked on it, it said "file not found!". I right clicked on it and saved the target to the desktop, where "bootkit_remover.rar" now sits, but I can't extract anything from it using 7-zip; it doesn't work, saying "Cannot open the file as archive."

Thanks again and as always for your help.

njfs589, Oct 26, 2011

#18
Bobbye Helper on the Fringe
You're welcome. I've been meaning to ask you> what cause the damage to the laptop monitor?

I'm not sure this is a software problem. but there is one file that keeps reappearing. It's described as Company: NetPlay Software
Description: Instant Demo Application that need to be identified:
The file is c:\programdata\UjhQbNTJwO.exe

It has a free trial and after that, the price starts at $200.00 and goes up according to the version.
It does not show in the installed programs and is being started from the Registry.

Please go to VirSCAN.org FREE on-line scan service:
If busy, you can use one of the following: ( you only need one)
VirusTotal
Jotti

[1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

Code:

c:\programdata\UjhQbNTJwO.exe

[2]. At the upload site, click once inside the window next to Browse.
[3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
[4]. Click on the Upload button.
This will perform a scan across multiple different virus scanning engines.
Your file will possibly be entered into a queue which normally takes less than a minute to clear.
Important: Wait for all of the scanning engines to complete.
[5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
[6]. Paste the contents of the Clipboard in your next reply.

======================================
I'd like you to try the Bootkit scan again: I'm not sure this was done correctly. Remove the download you have now first:

And as for the bootkitremover.rar, when I left-clicked on it, it said "file not found!". I right clicked on it and saved the target to the desktop, where "bootkit_remover.rar" now sits, but I can't extract anything from it using 7-zip; it doesn't work, saying "Cannot open the file as archive."

This wording might be a bit easier:

Download bootkitremover.rar and save to your desktop.

NOTE: This is a file compressed with Winrar. If you do not have the means to unpack it, you can download and install 7-zip .

[*] Double-click on the remover.exe file to run the program.
(Vista users,right click on remover.exe and click Run As Administrator.)

* Unpack remover.exe from the bootkit_remover.rar archive and save it to your Desktop
* Doubleclick remover.exe to run the tool
* A DOS window will open with the results of the scan
* Rightclick that window and choose Select all
* Simultaneously press [CTRL] + C (copy) and paste the text in your next reply.
Bobbye, Oct 28, 2011

#19
njfs589 Newcomer, in training

Apologies for my delay, I was out of town all week and as this computer is barely even functional anymore, I left it behind. I'm still not exactly certain what damaged the screen; all I know is I was crashing at a friend's house and left it there in the morning, and when I came back in the evening it was like this, with huge black splotches obscuring much of the screen. Somebody must have stepped on it or something.

I feel really silly that I can't perform the simple tasks you're asking of me. I tried inputting "c:\programdata\UjhQbNTJwO.exe" into any of those 3 sites, but each of them said that path wasn't correct, "File Not Found."

And I don't know what I'm doing wrong with the bootkitremover.rar. I downloaded it to the desktop, like you said. I right-clicked in an effort to Run As Administrator (because I am using Vista) but that wasn't an option given to me on the right-click menu. I also went under the 7-zip heading that pops up when you right click it and tried to extract it, but 7-zip said the same thing it did last time-- "0 Can not open file 'C:\Users\Owner\Desktop\bootkit_remover.rar' as archive."

Do you think I'm at the point with this where I just ought to back up my info, wipe windows, and start over? I somehow ended up with some more google redirecting issues (only with firefox, though), and I'm not sure if this thing is ever going to end. I don't have my installation disk (lost it years ago) so I'd have to fudge something I guess, but it seems like this thing may just be shot, and it'd be super nice to be able to have audio again, and to not see everything in this crappy blown-up-way-too-big resolution that safe mode runs.

Thank you again and so much for all your help. Have a great night.

njfs589, Nov 6, 2011

#20

(You must log in or sign up to reply here.)

Page 1 of 2

TechSpot | Technology News and Analysis
Copyright © 1998-2012, TechSpot, Inc.
Forum software by XenForo™
TechSpot is a registered trademark
All Rights Reserved