TechSpot

Google redirect, hidden files, bluescreen when trying to start normally

By njfs589
Oct 3, 2011
  1. Hey there,

    First off, I just want to say thank you for existing and helping out so many folks. Kind of cool that this even exists. I'm afraid I have the same problem that a whole bunch of other people are having, so I'm sorry to pile on with the same issue, but if anyone could help me out I would really, really appreciate it.

    I first noticed something up when whenever I'd open Firefox, an ad page would open alongside my startup page, and every now and again when I'd open a new page while browsing. Then I noticed the google redirect, which happened for a couple weeks, after which time my files started to hide themselves until I couldn't see anything but the recycle bin. The Programs, Documents, Music, etc. folders were all empty. Then a bluescreen would appear whenever I tried to boot normally, so now I can only run in safe mode.

    I looked around on other forums (ha before finding this one that tells you not to do what other people were told to do, which is why I finally joined) and found the "unhide" program, so I can see most of my files again, although I still can't see Malwarebytes or Avira (I have to right-click on something and click "scan with ..." to get either of those programs running). I also downloaded the mbrcheck, which told me I had either something infected or "non-standard," but to be honest I have no idea what any of this means, and I've given up trying to figure this out on my own. I'd appreciate any help so very much! Thank you and take care.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll be glad to help with the problem.

    There are several malwares popular now that do this number on computer users> hide the files, programs, icons, etc., tell you there is a critical error and you must do xxxxxxx, on and on with the problems it created and which are not 'real.' You've already found some of the files. That doesn't remove the malware though.

    But you need to stop running random programs or following help given to others. While we may run some of the same programs, how, when and what we do with the results is specific for that person.

    Please uninstall whatever you've run so far. I'd like you to use the links I give you. If you cannot connect to the internet to download the programs with the problem computer, use a clean computer and a clean flash drive. If you aren't sure the flash drive is clean, do the following:
    Disinfect flash drive:
    If you have Windows XP or Vista, you can use this:
    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    If you have Windows 7, you will need to use this:
    • Please download Panda USB Vaccine (you must provide a valid e-mail and they will send you a download link to this e-mail address) to your desktop.
    • Install and run it.
    • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.
    ==========================================
    I'd like you to run this after you finish with the flash drive, if needed:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double-click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ===================================
    Then please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ==================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    Please paste the log in your next reply:
    TDSSKiller
    DDS> 2 logs
    Malwarebytes
    GMER
     
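Bobbye's reply asks for the TDSSKiller log to be pasted for review. As an added illustration (my own script, not code from TechSpot, from Bobbye, or from Kaspersky's tool), the Python below parses a log in the format that TDSSKiller 2.6 prints, as visible in the next reply, and groups the entries the way a helper reads them: verdicts other than "ok", drivers loaded from outside C:\Windows, service entries with no file on disk, and one file registered under several service names. The sample log is a constructed excerpt: its first lines are copied from the log posted in this thread, while the final "exampledrv" entry, its all-zero hash and its "suspicious" verdict are made up to exercise the non-ok path. TDSSKiller's real wording for detections is not shown on this page, so the triage simply treats anything other than "ok" as needing a look.

```python
"""Summarise a TDSSKiller scan log (added example; not part of the thread).

Format as seen in the posted log: an object line
    HH:MM:SS.mmmm  <thread>  <name> (<md5>) <path>
is followed by a verdict line
    HH:MM:SS.mmmm  <thread>  <name> - <verdict>
Objects with no file on disk (e.g. "blbdrive") get only a verdict line.
"""
import re
from collections import defaultdict

OBJECT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{4})\s+(?P<tid>\d+)\s+(?P<name>\S+)"
    r"(?:\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*?))?\s*$"
)
VERDICT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{4})\s+(?P<tid>\d+)\s+(?P<name>\S+)\s+-\s+(?P<verdict>\S.*?)\s*$"
)

# Anything TDSSKiller loads from under the Windows directory is treated as "expected location";
# everything else is listed for a manual look (it may well be a legitimate third-party driver).
WINDOWS_DIR_PREFIX = "c:\\windows\\"


def parse_tdsskiller(text):
    """Return one dict (name, md5, path, verdict) per verdict line in the log."""
    pending = {}   # name -> (md5, path) from an object line, awaiting its verdict line
    entries = []
    for line in text.splitlines():
        m = VERDICT_RE.match(line)
        if m:
            md5, path = pending.pop(m["name"], (None, None))
            entries.append({"name": m["name"], "md5": md5, "path": path,
                            "verdict": m["verdict"]})
            continue
        m = OBJECT_RE.match(line)
        if m and m["md5"]:          # banner and status lines have no (md5) and are ignored
            pending[m["name"]] = (m["md5"], m["path"])
    return entries


def triage(entries):
    """Bucket entries the way a helper reads a TDSSKiller log."""
    by_hash = defaultdict(list)
    for e in entries:
        if e["md5"]:
            by_hash[e["md5"]].append(e["name"])
    return {
        "total": len(entries),
        "not_ok": [e for e in entries if e["verdict"].lower() != "ok"],
        "outside_windows": [e for e in entries if e["path"]
                            and not e["path"].lower().startswith(WINDOWS_DIR_PREFIX)],
        "no_file": [e["name"] for e in entries if e["md5"] is None],
        "shared_hash": {h: names for h, names in by_hash.items() if len(names) > 1},
    }


# Constructed sample: lines 1-12 are copied from the log posted in this thread;
# the "exampledrv" lines (zero hash, "suspicious" verdict) are made up for the demo.
SAMPLE_LOG = r"""
22:45:21.0003 1420 ============================================================
22:45:21.0003 1420 Scan started
22:45:21.0003 1420 Mode: Manual;
22:45:21.0790 1420 ACPI (84fc6df81212d16be5c4f441682feccc) C:\Windows\system32\drivers\acpi.sys
22:45:21.0798 1420 ACPI - ok
22:45:23.0081 1420 BCM43XV (509f672686af40f95859fde67108449b) C:\Windows\system32\DRIVERS\bcmwl6.sys
22:45:23.0104 1420 BCM43XV - ok
22:45:23.0148 1420 BCM43XX (509f672686af40f95859fde67108449b) C:\Windows\system32\DRIVERS\bcmwl6.sys
22:45:23.0153 1420 BCM43XX - ok
22:45:23.0302 1420 blbdrive - ok
22:45:32.0180 1420 pbfilter (2f6e885c432927a186c2e352c8a1cbf4) C:\Program Files\PeerBlock\pbfilter.sys
22:45:32.0182 1420 pbfilter - ok
22:45:40.0000 1420 exampledrv (00000000000000000000000000000000) C:\Windows\system32\drivers\exampledrv.sys
22:45:40.0001 1420 exampledrv - suspicious (constructed sample, not from the posted log)
"""

if __name__ == "__main__":
    report = triage(parse_tdsskiller(SAMPLE_LOG))
    print(f"{report['total']} objects scanned")
    for e in report["not_ok"]:
        print(f"NOT OK   {e['name']}: {e['verdict']}  {e['path']}")
    for e in report["outside_windows"]:
        print(f"LOOK AT  {e['name']} loads from {e['path']}")
    for name in report["no_file"]:
        print(f"NO FILE  {name} (service entry without a file on disk)")
    for h, names in report["shared_hash"].items():
        print(f"SHARED   {h} registered as {', '.join(names)}")
```

Run it with the pasted log saved to a file (read the file and pass its text to parse_tdsskiller instead of SAMPLE_LOG). Two service names sharing one hash, as BCM43XV and BCM43XX do here, is normal for a vendor driver installed under more than one name; the bucket exists so a reviewer sees it at a glance rather than hunting through hundreds of lines.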
  3. njfs589

    njfs589 TS Rookie Topic Starter

    Wow, well thank you so much for helping me out, seriously. I really appreciate it.

    Okay, so here are all of my logs. At first, I thought you only wanted me to run the TDSS Killer if I had issues with a flash drive (which I didn't), and I didn't realize that may not have been the case until after I'd run all the other scans, so it came last chronologically. Does that make a difference? If not, here they all are:

    (EDIT: this was too long for one post, so I made it two. On this one are the TDSS and first DDS logs)

    TDSS Killer

    22:45:17.0302 1976 TDSS rootkit removing tool 2.6.4.0 Oct 3 2011 17:37:01
    22:45:17.0587 1976 ============================================================
    22:45:17.0588 1976 Current date / time: 2011/10/03 22:45:17.0587
    22:45:17.0588 1976 SystemInfo:
    22:45:17.0588 1976
    22:45:17.0588 1976 OS Version: 6.0.6000 ServicePack: 0.0
    22:45:17.0588 1976 Product type: Workstation
    22:45:17.0588 1976 ComputerName: BRIDGES
    22:45:17.0588 1976 UserName: Owner
    22:45:17.0588 1976 Windows directory: C:\Windows
    22:45:17.0588 1976 System windows directory: C:\Windows
    22:45:17.0588 1976 Processor architecture: Intel x86
    22:45:17.0588 1976 Number of processors: 2
    22:45:17.0588 1976 Page size: 0x1000
    22:45:17.0588 1976 Boot type: Safe boot with network
    22:45:17.0588 1976 ============================================================
    22:45:17.0901 1976 Initialize success
    22:45:21.0003 1420 ============================================================
    22:45:21.0003 1420 Scan started
    22:45:21.0003 1420 Mode: Manual;
    22:45:21.0003 1420 ============================================================
    22:45:21.0790 1420 ACPI (84fc6df81212d16be5c4f441682feccc) C:\Windows\system32\drivers\acpi.sys
    22:45:21.0798 1420 ACPI - ok
    22:45:21.0885 1420 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
    22:45:21.0897 1420 adp94xx - ok
    22:45:21.0942 1420 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
    22:45:21.0949 1420 adpahci - ok
    22:45:21.0978 1420 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
    22:45:21.0981 1420 adpu160m - ok
    22:45:22.0014 1420 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
    22:45:22.0018 1420 adpu320 - ok
    22:45:22.0072 1420 AFD (5d24caf8efd924a875698ff28384db8b) C:\Windows\system32\drivers\afd.sys
    22:45:22.0078 1420 AFD - ok
    22:45:22.0189 1420 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
    22:45:22.0191 1420 agp440 - ok
    22:45:22.0271 1420 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
    22:45:22.0273 1420 aic78xx - ok
    22:45:22.0314 1420 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
    22:45:22.0315 1420 aliide - ok
    22:45:22.0343 1420 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
    22:45:22.0345 1420 amdagp - ok
    22:45:22.0380 1420 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
    22:45:22.0381 1420 amdide - ok
    22:45:22.0409 1420 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
    22:45:22.0410 1420 AmdK7 - ok
    22:45:22.0436 1420 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
    22:45:22.0438 1420 AmdK8 - ok
    22:45:22.0557 1420 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
    22:45:22.0560 1420 arc - ok
    22:45:22.0632 1420 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
    22:45:22.0635 1420 arcsas - ok
    22:45:22.0702 1420 AsyncMac (e86cf7ce67d5de898f27ef884dc357d8) C:\Windows\system32\DRIVERS\asyncmac.sys
    22:45:22.0703 1420 AsyncMac - ok
    22:45:22.0767 1420 atapi (b35cfcef838382ab6490b321c87edf17) C:\Windows\system32\drivers\atapi.sys
    22:45:22.0768 1420 atapi - ok
    22:45:22.0838 1420 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\Windows\system32\DRIVERS\avgntflt.sys
    22:45:22.0841 1420 avgntflt - ok
    22:45:22.0993 1420 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\Windows\system32\DRIVERS\avipbb.sys
    22:45:22.0997 1420 avipbb - ok
    22:45:23.0081 1420 BCM43XV (509f672686af40f95859fde67108449b) C:\Windows\system32\DRIVERS\bcmwl6.sys
    22:45:23.0104 1420 BCM43XV - ok
    22:45:23.0148 1420 BCM43XX (509f672686af40f95859fde67108449b) C:\Windows\system32\DRIVERS\bcmwl6.sys
    22:45:23.0153 1420 BCM43XX - ok
    22:45:23.0219 1420 Beep (ac3dd1708b22761ebd7cbe14dcc3b5d7) C:\Windows\system32\drivers\Beep.sys
    22:45:23.0220 1420 Beep - ok
    22:45:23.0302 1420 blbdrive - ok
    22:45:23.0429 1420 bowser (913cd06fbe9105ce6077e90fd4418561) C:\Windows\system32\DRIVERS\bowser.sys
    22:45:23.0431 1420 bowser - ok
    22:45:23.0467 1420 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
    22:45:23.0469 1420 BrFiltLo - ok
    22:45:23.0501 1420 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
    22:45:23.0503 1420 BrFiltUp - ok
    22:45:23.0541 1420 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
    22:45:23.0544 1420 Brserid - ok
    22:45:23.0576 1420 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
    22:45:23.0578 1420 BrSerWdm - ok
    22:45:23.0613 1420 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
    22:45:23.0615 1420 BrUsbMdm - ok
    22:45:23.0633 1420 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
    22:45:23.0635 1420 BrUsbSer - ok
    22:45:23.0683 1420 BthEnum (a820438255f37ab8baa2bd59753a8d81) C:\Windows\system32\DRIVERS\BthEnum.sys
    22:45:23.0685 1420 BthEnum - ok
    22:45:23.0750 1420 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
    22:45:23.0752 1420 BTHMODEM - ok
    22:45:23.0777 1420 BthPan (b8c3d9ddf85fd197c3e5f849fef71144) C:\Windows\system32\DRIVERS\bthpan.sys
    22:45:23.0780 1420 BthPan - ok
    22:45:23.0882 1420 BTHPORT (4a74bbb2b6761789f42a6613479bdb1d) C:\Windows\system32\Drivers\BTHport.sys
    22:45:23.0888 1420 BTHPORT - ok
    22:45:23.0923 1420 BTHUSB (1a407f9b707a06f55aa150f9aa072b09) C:\Windows\system32\Drivers\BTHUSB.sys
    22:45:23.0925 1420 BTHUSB - ok
    22:45:23.0970 1420 cdfs (6c3a437fc873c6f6a4fc620b6888cb86) C:\Windows\system32\DRIVERS\cdfs.sys
    22:45:23.0972 1420 cdfs - ok
    22:45:24.0023 1420 cdrom (8d1866e61af096ae8b582454f5e4d303) C:\Windows\system32\DRIVERS\cdrom.sys
    22:45:24.0026 1420 cdrom - ok
    22:45:24.0071 1420 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
    22:45:24.0073 1420 circlass - ok
    22:45:24.0186 1420 CLFS (1b84fd0937d3b99af9ba38ddff3daf54) C:\Windows\system32\CLFS.sys
    22:45:24.0192 1420 CLFS - ok
    22:45:24.0306 1420 CmBatt (ed97ad3df1b9005989eaf149bf06c821) C:\Windows\system32\DRIVERS\CmBatt.sys
    22:45:24.0308 1420 CmBatt - ok
    22:45:24.0341 1420 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
    22:45:24.0343 1420 cmdide - ok
    22:45:24.0384 1420 Compbatt (722936afb75a7f509662b69b5632f48a) C:\Windows\system32\DRIVERS\compbatt.sys
    22:45:24.0386 1420 Compbatt - ok
    22:45:24.0413 1420 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
    22:45:24.0415 1420 crcdisk - ok
    22:45:24.0448 1420 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
    22:45:24.0450 1420 Crusoe - ok
    22:45:24.0502 1420 DfsC (a7179de59ae269ab70345527894ccd7c) C:\Windows\system32\Drivers\dfsc.sys
    22:45:24.0505 1420 DfsC - ok
    22:45:24.0640 1420 disk (841af4c4d41d3e3b2f244e976b0f7963) C:\Windows\system32\drivers\disk.sys
    22:45:24.0642 1420 disk - ok
    22:45:24.0717 1420 Dot4 (57b2d433a08b95e4f1b53a919937f3e5) C:\Windows\system32\DRIVERS\Dot4.sys
    22:45:24.0721 1420 Dot4 - ok
    22:45:24.0784 1420 Dot4Print (d93fa484bb62fbe7e5ef335c5415d3cf) C:\Windows\system32\DRIVERS\Dot4Prt.sys
    22:45:24.0786 1420 Dot4Print - ok
    22:45:24.0845 1420 Dot4Scan (8455e3fb3738ef33f0c6073a3efa013e) C:\Windows\system32\DRIVERS\Dot4Scan.sys
    22:45:24.0846 1420 Dot4Scan - ok
    22:45:24.0900 1420 dot4usb (599742c4260fb3e8edb3be148b8ce856) C:\Windows\system32\DRIVERS\dot4usb.sys
    22:45:24.0901 1420 dot4usb - ok
    22:45:25.0008 1420 drmkaud (ee472cd2c01f6f8e8aa1fa06ffef61b6) C:\Windows\system32\drivers\drmkaud.sys
    22:45:25.0010 1420 drmkaud - ok
    22:45:25.0078 1420 DXGKrnl (334988883de69adb27e2cf9f9715bbdb) C:\Windows\System32\drivers\dxgkrnl.sys
    22:45:25.0101 1420 DXGKrnl - ok
    22:45:25.0147 1420 E100B (c0b00e55cf82d122d25983c7a6a53dea) C:\Windows\system32\DRIVERS\e100b325.sys
    22:45:25.0150 1420 E100B - ok
    22:45:25.0225 1420 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
    22:45:25.0229 1420 E1G60 - ok
    22:45:25.0306 1420 eabfiltr (a6476585b4fefee46a9f42e4d2bfdfa4) C:\Windows\system32\DRIVERS\eabfiltr.sys
    22:45:25.0307 1420 eabfiltr - ok
    22:45:25.0414 1420 Ecache (0efc7531b936ee57fdb4e837664c509f) C:\Windows\system32\drivers\ecache.sys
    22:45:25.0418 1420 Ecache - ok
    22:45:25.0474 1420 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
    22:45:25.0482 1420 elxstor - ok
    22:45:25.0550 1420 fastfat (84a317cb0b3954d3768cdcd018dbf670) C:\Windows\system32\drivers\fastfat.sys
    22:45:25.0554 1420 fastfat - ok
    22:45:25.0584 1420 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
    22:45:25.0586 1420 fdc - ok
    22:45:25.0641 1420 FileInfo (65773d6115c037ffd7ef8280ae85eb9d) C:\Windows\system32\drivers\fileinfo.sys
    22:45:25.0643 1420 FileInfo - ok
    22:45:25.0672 1420 Filetrace (c226dd0de060745f3e042f58dcf78402) C:\Windows\system32\drivers\filetrace.sys
    22:45:25.0674 1420 Filetrace - ok
    22:45:25.0697 1420 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
    22:45:25.0699 1420 flpydisk - ok
    22:45:25.0717 1420 FltMgr (a6a8da7ae4d53394ab22ac3ab6d3f5d3) C:\Windows\system32\drivers\fltmgr.sys
    22:45:25.0722 1420 FltMgr - ok
    22:45:25.0771 1420 Fs_Rec (66a078591208baa210c7634b11eb392c) C:\Windows\system32\drivers\Fs_Rec.sys
    22:45:25.0772 1420 Fs_Rec - ok
    22:45:25.0869 1420 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
    22:45:25.0872 1420 gagp30kx - ok
    22:45:25.0940 1420 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\Windows\system32\Drivers\GEARAspiWDM.sys
    22:45:25.0941 1420 GEARAspiWDM - ok
    22:45:26.0050 1420 HBtnKey (de15777902a5d9121857d155873a1d1b) C:\Windows\system32\DRIVERS\cpqbttn.sys
    22:45:26.0051 1420 HBtnKey - ok
    22:45:26.0152 1420 HdAudAddService (de4020f928a2f8a6327f5687f36d361b) C:\Windows\system32\drivers\CHDART.sys
    22:45:26.0156 1420 HdAudAddService - ok
    22:45:26.0234 1420 HDAudBus (0db613a7e427b5663563677796fd5258) C:\Windows\system32\DRIVERS\HDAudBus.sys
    22:45:26.0235 1420 HDAudBus - ok
    22:45:26.0312 1420 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
    22:45:26.0314 1420 HidBth - ok
    22:45:26.0360 1420 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
    22:45:26.0361 1420 HidIr - ok
    22:45:26.0430 1420 HidUsb (3c64042b95e583b366ba4e5d2450235e) C:\Windows\system32\DRIVERS\hidusb.sys
    22:45:26.0431 1420 HidUsb - ok
    22:45:26.0492 1420 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
    22:45:26.0494 1420 HpCISSs - ok
    22:45:26.0561 1420 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
    22:45:26.0566 1420 HSFHWAZL - ok
    22:45:26.0674 1420 HSF_DPV (53229dcf431d76434816cd29251168a0) C:\Windows\system32\DRIVERS\HSX_DPV.sys
    22:45:26.0708 1420 HSF_DPV - ok
    22:45:26.0994 1420 HSXHWAZL (31f949d452201f2f0af0c88d7db512cd) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
    22:45:27.0000 1420 HSXHWAZL - ok
    22:45:27.0098 1420 HTTP (ea24fe637d974a8a31bc650f478e3533) C:\Windows\system32\drivers\HTTP.sys
    22:45:27.0107 1420 HTTP - ok
    22:45:27.0165 1420 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
    22:45:27.0167 1420 i2omp - ok
    22:45:27.0309 1420 i8042prt (1c9ee072baa3abb460b91d7ee9152660) C:\Windows\system32\DRIVERS\i8042prt.sys
    22:45:27.0311 1420 i8042prt - ok
    22:45:27.0403 1420 ialm (0215e1204d5410e50a5ea9d442fe7da3) C:\Windows\system32\DRIVERS\igdkmd32.sys
    22:45:27.0458 1420 ialm - ok
    22:45:27.0496 1420 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
    22:45:27.0502 1420 iaStorV - ok
    22:45:27.0592 1420 igfx (0215e1204d5410e50a5ea9d442fe7da3) C:\Windows\system32\DRIVERS\igdkmd32.sys
    22:45:27.0604 1420 igfx - ok
    22:45:27.0639 1420 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
    22:45:27.0641 1420 iirsp - ok
    22:45:27.0777 1420 iLokDrvr (6ab0d1cddf4cdff2ee190a609db669f8) C:\Windows\system32\DRIVERS\iLokDrvr.sys
    22:45:27.0779 1420 iLokDrvr - ok
    22:45:27.0852 1420 intelide (988981c840084f480ba9e3319cebde1b) C:\Windows\system32\drivers\intelide.sys
    22:45:27.0853 1420 intelide - ok
    22:45:27.0908 1420 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
    22:45:27.0910 1420 intelppm - ok
    22:45:27.0978 1420 IpFilterDriver (880c6f86cc3f551b8fea2c11141268c0) C:\Windows\system32\DRIVERS\ipfltdrv.sys
    22:45:27.0980 1420 IpFilterDriver - ok
    22:45:28.0013 1420 IpInIp - ok
    22:45:28.0098 1420 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
    22:45:28.0100 1420 IPMIDRV - ok
    22:45:28.0193 1420 IPNAT (10077c35845101548037df04fd1a420b) C:\Windows\system32\DRIVERS\ipnat.sys
    22:45:28.0196 1420 IPNAT - ok
    22:45:28.0225 1420 IRENUM (a82f328f4792304184642d6d397bb1e3) C:\Windows\system32\drivers\irenum.sys
    22:45:28.0226 1420 IRENUM - ok
    22:45:28.0256 1420 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
    22:45:28.0258 1420 isapnp - ok
    22:45:28.0295 1420 iScsiPrt (4dca456d4d5723f8fa9c6760d240b0df) C:\Windows\system32\DRIVERS\msiscsi.sys
    22:45:28.0297 1420 iScsiPrt - ok
    22:45:28.0325 1420 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
    22:45:28.0327 1420 iteatapi - ok
    22:45:28.0394 1420 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
    22:45:28.0396 1420 iteraid - ok
    22:45:28.0452 1420 kbdclass (b076b2ab806b3f696dab21375389101c) C:\Windows\system32\DRIVERS\kbdclass.sys
    22:45:28.0453 1420 kbdclass - ok
    22:45:28.0504 1420 kbdhid (ed61dbc6603f612b7338283edbacbc4b) C:\Windows\system32\DRIVERS\kbdhid.sys
    22:45:28.0505 1420 kbdhid - ok
    22:45:28.0579 1420 KSecDD (0a829977b078dea11641fc2af87ceade) C:\Windows\system32\Drivers\ksecdd.sys
    22:45:28.0589 1420 KSecDD - ok
    22:45:28.0677 1420 lltdio (fd015b4f95daa2b712f0e372a116fbad) C:\Windows\system32\DRIVERS\lltdio.sys
    22:45:28.0679 1420 lltdio - ok
    22:45:28.0741 1420 LLUSBFLT (4ed28529be6266bc3c1eb18be925314a) C:\Windows\system32\drivers\llusbflt.sys
    22:45:28.0743 1420 LLUSBFLT - ok
    22:45:28.0775 1420 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
    22:45:28.0778 1420 LSI_FC - ok
    22:45:28.0809 1420 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
    22:45:28.0811 1420 LSI_SAS - ok
    22:45:28.0863 1420 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
    22:45:28.0865 1420 LSI_SCSI - ok
    22:45:28.0880 1420 luafv (42885bb44b6e065b8575a8dd6c430c52) C:\Windows\system32\drivers\luafv.sys
    22:45:28.0883 1420 luafv - ok
    22:45:28.0961 1420 MAUSBJL (9fc4a139b9060d2070305bb6f13bdcf3) C:\Windows\system32\DRIVERS\mausbjl.sys
    22:45:28.0965 1420 MAUSBJL - ok
    22:45:29.0061 1420 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
    22:45:29.0062 1420 mdmxsdk - ok
    22:45:29.0141 1420 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
    22:45:29.0143 1420 megasas - ok
    22:45:29.0193 1420 Modem (21755967298a46fb6adfec9db6012211) C:\Windows\system32\drivers\modem.sys
    22:45:29.0195 1420 Modem - ok
    22:45:29.0302 1420 monitor (7446e104a5fe5987ca9e4983fbac4f97) C:\Windows\system32\DRIVERS\monitor.sys
    22:45:29.0304 1420 monitor - ok
    22:45:29.0392 1420 mouclass (5fba13c1a1841b0885d316ed3589489d) C:\Windows\system32\DRIVERS\mouclass.sys
    22:45:29.0393 1420 mouclass - ok
    22:45:29.0418 1420 mouhid (b569b5c5d3bde545df3a6af512cccdba) C:\Windows\system32\DRIVERS\mouhid.sys
    22:45:29.0420 1420 mouhid - ok
    22:45:29.0447 1420 MountMgr (01f1e5a3e4877c931cbb31613fec16a6) C:\Windows\system32\drivers\mountmgr.sys
    22:45:29.0450 1420 MountMgr - ok
    22:45:29.0506 1420 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
    22:45:29.0508 1420 mpio - ok
    22:45:29.0553 1420 mpsdrv (6e7a7f0c1193ee5648443fe2d4b789ec) C:\Windows\system32\drivers\mpsdrv.sys
    22:45:29.0555 1420 mpsdrv - ok
    22:45:29.0601 1420 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
    22:45:29.0602 1420 Mraid35x - ok
    22:45:29.0666 1420 MRxDAV (1d8828b98ee309d65e006f0829e280e5) C:\Windows\system32\drivers\mrxdav.sys
    22:45:29.0669 1420 MRxDAV - ok
    22:45:29.0734 1420 mrxsmb (8af705ce1bb907932157fab821170f27) C:\Windows\system32\DRIVERS\mrxsmb.sys
    22:45:29.0737 1420 mrxsmb - ok
    22:45:29.0808 1420 mrxsmb10 (47e13ab23371be3279eef22bbfa2c1be) C:\Windows\system32\DRIVERS\mrxsmb10.sys
    22:45:29.0813 1420 mrxsmb10 - ok
    22:45:29.0864 1420 mrxsmb20 (90b3fc7bd6b3d7ee7635debba2187f66) C:\Windows\system32\DRIVERS\mrxsmb20.sys
    22:45:29.0866 1420 mrxsmb20 - ok
    22:45:29.0910 1420 msahci (b2efb263600314babcf9dadb1cbba994) C:\Windows\system32\drivers\msahci.sys
    22:45:29.0911 1420 msahci - ok
    22:45:29.0958 1420 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
    22:45:29.0962 1420 msdsm - ok
    22:45:30.0009 1420 Msfs (729eafefd4e7417165f353a18dbe947d) C:\Windows\system32\drivers\Msfs.sys
    22:45:30.0010 1420 Msfs - ok
    22:45:30.0035 1420 msisadrv (5f454a16a5146cd91a176d70f0cfa3ec) C:\Windows\system32\drivers\msisadrv.sys
    22:45:30.0037 1420 msisadrv - ok
    22:45:30.0083 1420 MSKSSRV (892cedefa7e0ffe7be8da651b651d047) C:\Windows\system32\drivers\MSKSSRV.sys
    22:45:30.0084 1420 MSKSSRV - ok
    22:45:30.0112 1420 MSPCLOCK (ae2cb1da69b2676b4cee2a501af5871c) C:\Windows\system32\drivers\MSPCLOCK.sys
    22:45:30.0114 1420 MSPCLOCK - ok
    22:45:30.0141 1420 MSPQM (f910da84fa90c44a3addb7cd874463fd) C:\Windows\system32\drivers\MSPQM.sys
    22:45:30.0143 1420 MSPQM - ok
    22:45:30.0219 1420 MsRPC (84571c0ae07647ba38d493f5f0015df7) C:\Windows\system32\drivers\MsRPC.sys
    22:45:30.0224 1420 MsRPC - ok
    22:45:30.0262 1420 mssmbios (4385c80ede885e25492d408cad91bd6f) C:\Windows\system32\DRIVERS\mssmbios.sys
    22:45:30.0263 1420 mssmbios - ok
    22:45:30.0348 1420 MSTEE (c826dd1373f38afd9ca46ec3c436a14e) C:\Windows\system32\drivers\MSTEE.sys
    22:45:30.0349 1420 MSTEE - ok
    22:45:30.0390 1420 Mup (fa7aa70050cf5e2d15de00941e5665e5) C:\Windows\system32\Drivers\mup.sys
    22:45:30.0392 1420 Mup - ok
    22:45:30.0473 1420 NativeWifiP (6da4a0fc7c0e83df0cb3cfd0a514c3bc) C:\Windows\system32\DRIVERS\nwifi.sys
    22:45:30.0477 1420 NativeWifiP - ok
    22:45:30.0565 1420 NDIS (227c11e1e7cf6ef8afb2a238d209760c) C:\Windows\system32\drivers\ndis.sys
    22:45:30.0587 1420 NDIS - ok
    22:45:30.0669 1420 NdisTapi (81659cdcbd0f9a9e07e6878ad8c78d3f) C:\Windows\system32\DRIVERS\ndistapi.sys
    22:45:30.0671 1420 NdisTapi - ok
    22:45:30.0727 1420 Ndisuio (5de5ee546bf40838ebe0e01cb629df64) C:\Windows\system32\DRIVERS\ndisuio.sys
    22:45:30.0729 1420 Ndisuio - ok
    22:45:30.0778 1420 NdisWan (397402adcbb8946223a1950101f6cd94) C:\Windows\system32\DRIVERS\ndiswan.sys
    22:45:30.0781 1420 NdisWan - ok
    22:45:30.0830 1420 NDProxy (1b24fa907af283199a81b3bb37e5e526) C:\Windows\system32\drivers\NDProxy.sys
    22:45:30.0831 1420 NDProxy - ok
    22:45:30.0890 1420 NetBIOS (356dbb9f98e8dc1028dd3092fceeb877) C:\Windows\system32\DRIVERS\netbios.sys
    22:45:30.0892 1420 NetBIOS - ok
    22:45:30.0920 1420 netbt (e3a168912e7eefc3bd3b814720d68b41) C:\Windows\system32\DRIVERS\netbt.sys
    22:45:30.0924 1420 netbt - ok
    22:45:31.0056 1420 NETw3v32 (acc6170d80c69e50145b370023b64ed3) C:\Windows\system32\DRIVERS\NETw3v32.sys
    22:45:31.0166 1420 NETw3v32 - ok
    22:45:31.0230 1420 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
    22:45:31.0232 1420 nfrd960 - ok
    22:45:31.0275 1420 Npfs (4f9832beb9fafd8ceb0e541f1323b26e) C:\Windows\system32\drivers\Npfs.sys
    22:45:31.0277 1420 Npfs - ok
    22:45:31.0300 1420 nsiproxy (b488dfec274de1fc9d653870ef2587be) C:\Windows\system32\drivers\nsiproxy.sys
    22:45:31.0301 1420 nsiproxy - ok
    22:45:31.0402 1420 Ntfs (37430aa7a66d7a63407adc2c0d05e9f6) C:\Windows\system32\drivers\Ntfs.sys
    22:45:31.0446 1420 Ntfs - ok
    22:45:31.0518 1420 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
    22:45:31.0519 1420 ntrigdigi - ok
    22:45:31.0573 1420 Null (ec5efb3c60f1b624648344a328bce596) C:\Windows\system32\drivers\Null.sys
    22:45:31.0574 1420 Null - ok
    22:45:31.0624 1420 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
    22:45:31.0627 1420 nvraid - ok
    22:45:31.0685 1420 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
    22:45:31.0687 1420 nvstor - ok
    22:45:31.0744 1420 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
    22:45:31.0747 1420 nv_agp - ok
    22:45:31.0779 1420 NwlnkFlt - ok
    22:45:31.0813 1420 NwlnkFwd - ok
    22:45:31.0900 1420 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\DRIVERS\ohci1394.sys
    22:45:31.0901 1420 ohci1394 - ok
    22:45:31.0930 1420 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
    22:45:31.0932 1420 Parport - ok
    22:45:31.0968 1420 partmgr (555a5b2c8022983bc7467bc925b222ee) C:\Windows\system32\drivers\partmgr.sys
    22:45:31.0970 1420 partmgr - ok
    22:45:32.0011 1420 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
    22:45:32.0012 1420 Parvdm - ok
    22:45:32.0180 1420 pbfilter (2f6e885c432927a186c2e352c8a1cbf4) C:\Program Files\PeerBlock\pbfilter.sys
    22:45:32.0182 1420 pbfilter - ok
    22:45:32.0309 1420 pci (1085d75657807e0e8b32f9e19a1647c3) C:\Windows\system32\drivers\pci.sys
    22:45:32.0321 1420 pci - ok
    22:45:39.0696 1420 MBR (0x1B8) (1a1a06f62e891045814007163c1c76c3) \Device\Harddisk0\DR0
    22:45:39.0732 1420 \Device\Harddisk0\DR0 - ok
    22:45:39.0736 1420 Boot (0x1200) (e209622fd7b46fbbee590070d828befd) \Device\Harddisk0\DR0\Partition0
    22:45:39.0738 1420 \Device\Harddisk0\DR0\Partition0 - ok
    22:45:39.0745 1420 Boot (0x1200) (90ee287c5d9cbd9370f5b1d8e1724630) \Device\Harddisk0\DR0\Partition1
    22:45:39.0746 1420 \Device\Harddisk0\DR0\Partition1 - ok
    22:45:39.0747 1420 ============================================================
    22:45:39.0747 1420 Scan finished
    22:45:39.0747 1420 ============================================================
    22:45:39.0763 0332 Detected object count: 0
    22:45:39.0763 0332 Actual detected object count: 0

    DDS

    .
    DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
    Internet Explorer: 7.0.6000.17037
    Run by Owner at 22:38:30 on 2011-10-03
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1013.481 [GMT -4:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\Explorer.EXE
    C:\Windows\system32\igfxsrvc.exe
    C:\Users\Owner\Desktop\z4spnrqj.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.allmusic.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    uRun: [RunSpySweeperScheduleAtStartup] "c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe" /ScheduleSweep=HPCeeScheduleForOwner
    uRun: [Google Update] "c:\users\owner\appdata\local\google\update\GoogleUpdate.exe" /c
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10p_Plugin.exe -update plugin
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [QlbCtrl] "c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe" /Start
    mRun: [HP Health Check Scheduler] "c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe"
    mRun: [WAWifiMessage] "c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe"
    mRun: [hpWirelessAssistant] "c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
    mRun: [DigidesignMMERefresh] "c:\program files\digidesign\drivers\MMERefresh.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes anti-malware\mbam.exe" /runcleanupscript
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [OpenCloud Security] c:\windows\system32\config\systemprofile\appdata\roaming\opencloud security\OpenCloud Security.exe
    mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    dRun: [UjhQbNTJwO.exe] c:\programdata\UjhQbNTJwO.exe
    StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    mPolicies-system: DisableTaskMgr = 1 (0x1)
    dPolicies-system: DisableTaskMgr = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    TCP: DhcpNameServer = 68.64.126.240 69.60.160.196
    TCP: Interfaces\{3FF3BBE2-486F-4C4D-BA82-376F2B16C76E} : DhcpNameServer = 10.5.1.3
    TCP: Interfaces\{738D09C6-F3B9-4EF4-9A69-9AF57149B7F7} : DhcpNameServer = 68.64.126.240 69.60.160.196
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\2dd8tblk.default\
    FF - prefs.js: browser.startup.homepage - hxxp://dictionary.reference.com/wordoftheday/
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\users\owner\appdata\local\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071705000014.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\owner\appdata\roaming\Move Networks
    FF - Ext: XULRunner: {D7076421-191D-444F-AFFA-6041A8A1052A} - c:\users\owner\appdata\local\{D7076421-191D-444F-AFFA-6041A8A1052A}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2010-11-1 22072]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-18 136360]
    S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-18 269480]
    S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-18 66616]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-10 135664]
    S2 MAudioJamLabService;M-Audio JamLab Installer;c:\program files\m-audio\jamlab\jamlabinst.exe --> c:\program files\m-audio\jamlab\JamLabInst.exe [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-10 135664]
    S3 iLokDrvr;iLok;c:\windows\system32\drivers\ilokdrvr.sys [2007-9-5 54256]
    S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2006-5-3 4736]
    S3 MAUSBJL;Service for M-Audio JamLab Driver (WDM);c:\windows\system32\drivers\mausbjl.sys [2009-9-18 131072]
    S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2011-8-27 20080]
    S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2006-5-3 8960]
    S3 US122;US122 Driver;c:\windows\system32\drivers\us122.sys [2008-1-4 131968]
    S3 US122DL;US122 Firmware Downloader;c:\windows\system32\drivers\us122dl.sys [2008-1-4 18304]
    S3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\drivers\us122wdm.sys [2008-1-4 39168]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
    .
    =============== Created Last 30 ================
    .
    2011-10-04 01:42:02 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{534144cf-3516-46f6-981d-81b659f9ed7e}\offreg.dll
    2011-10-04 01:40:53 54016 ----a-w- c:\windows\system32\drivers\newfdun.sys
    2011-10-04 01:32:34 709968 ----a-w- c:\windows\is-IB8IA.exe
    2011-09-24 04:29:28 2461696 ----a-w- c:\programdata\UjhQbNTJwO.exe
    2011-09-23 22:53:21 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{534144cf-3516-46f6-981d-81b659f9ed7e}\mpengine.dll
    2011-09-22 21:50:47 -------- d-----w- C:\OpenCloud Security
    2011-09-20 01:37:35 0 ----a-w- c:\windows\system32\0.7035102354645513.exe
    2011-09-18 22:11:49 0 ----a-w- c:\windows\system32\0.5173177838687654.exe
    2011-09-11 23:31:30 0 ----a-w- c:\users\owner\appdata\local\Ffeloyo.bin
    2011-09-11 23:31:28 -------- d-----w- c:\users\owner\appdata\local\{D7076421-191D-444F-AFFA-6041A8A1052A}
    .
    ==================== Find3M ====================
    .
    2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-14 00:55:31 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    .
    ============= FINISH: 22:39:19.13 ===============
     
  4. njfs589

    njfs589 TS Rookie Topic Starter

    (and here are the other two, the DDS "Attach" and the GMER)

    DDS Attach

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/11/2007 11:23:02 AM
    System Uptime: 10/3/2011 9:41:22 PM (1 hours ago)
    .
    Motherboard: Quanta | | 30BB
    Processor: Genuine Intel(R) CPU T2060 @ 1.60GHz | U2E1 | 1596/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 105 GiB total, 11.213 GiB free.
    D: is FIXED (NTFS) - 7 GiB total, 0.67 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    µTorrent
    3ivx MPEG-4 5.0.3 (remove only)
    7-Zip 9.20
    Acoustica Effects Pack
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8
    Adobe Shockwave Player
    ASL_HS_Installer32
    Audacity 1.2.6
    Avira AntiVir Personal - Free Antivirus
    Civilization III
    Conexant HD Audio
    Digidesign Free Bomb Factory Plug-Ins 7.4
    Digidesign Pro Tools M-Powered 7.4
    Digidesign Shared Plug-Ins 7.4
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Setup
    Finale 2007 Demo
    Finale NotePad 2010
    Free M4a to MP3 Converter 6.1
    Google Chrome
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hewlett-Packard Active Check
    Hewlett-Packard Asset Agent for Health Check
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Connections (remove only)
    HP Customer Experience Enhancements
    HP Easy Setup - Core
    HP Easy Setup - Frontend
    HP Help and Support
    HP Quick Launch Buttons 6.10 B9
    HP QuickPlay 3.0
    HP Total Care Advisor
    HP Update
    HP User Guide 0048
    HP Wireless Assistant
    HPNetworkAssistant
    Intel(R) Graphics Media Accelerator Driver
    Interlok driver setup x32
    iTunes
    JamLab
    Java Auto Updater
    Java(TM) 6 Update 18
    Java(TM) SE Runtime Environment 6
    LightScribe 1.4.124.1
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Microsoft Works 2004 Setup Launcher
    Move Media Player
    Mozilla Firefox (3.6.23)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    muvee autoProducer 5.0
    muvee Plugin 1.0
    My HP Games
    OpenOffice.org 3.2
    PCmover
    PeerBlock 1.1 (r518)
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Rhapsody Player Engine
    Roxio Creator Audio
    Roxio Creator Basic v9
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator EasyArchive
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio MyDVD Basic v9
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553074)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Excel 2007 (KB2553073)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Soft Data Fax Modem with SmartCP
    Sonic Activation Module
    Steinberg Cubase LE
    StreamTorrent 1.0
    Synaptics Pointing Device Driver
    TablEdit 2.65
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    US-122
    US122 Driver 3.40
    VC80CRTRedist - 8.0.50727.4053
    Viewpoint Media Player
    VLC media player 1.1.4
    .
    ==== End Of File ===========================

    GMER

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-10-03 22:29:20
    Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 FUJITSU_MHV2120BH_PL rev.892C
    Running: z4spnrqj.exe; Driver: C:\Users\Owner\AppData\Local\Temp\fwddqpob.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  5. njfs589

    njfs589 TS Rookie Topic Starter

    PS All of this was done in Safe Mode, if that makes a difference. Thanks again, and so much!
     
  6. njfs589

    njfs589 TS Rookie Topic Starter

    PPS Forgot the Malwarebytes log. Here it is:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7622

    Windows 6.0.6000 (Safe Mode)
    Internet Explorer 7.0.6000.17037

    10/3/2011 9:39:42 PM
    mbam-log-2011-10-03 (21-39-42).txt

    Scan type: Quick scan
    Objects scanned: 190448
    Time elapsed: 3 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Windows\Temp\gdfstr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Users\Owner\pizda_bkurl.dat (Malware.Trace) -> Quarantined and deleted successfully.
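The Malwarebytes log above reports a hijacked ProxyServer value and a DisableTaskMgr policy. The following read-only PowerShell audit is an added example, not something posted in this thread; it re-checks those registry locations (plus the companion ProxyEnable value, which Malwarebytes did not list) so a cleanup can be confirmed after reboot.

```powershell
# Added example (not from the thread): audit the registry settings the
# Malwarebytes log flags as hijacked. Read-only: it reports, it changes nothing.

$checks = @(
    # Proxy used by Internet Explorer and anything else built on WinINet.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyServer' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyEnable' },
    # Task Manager lockout, machine-wide and for the current user.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
)

$suspect = 0
foreach ($c in $checks) {
    # Missing key or missing value just yields $null here instead of an error.
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.($c.Name) } else { $null }

    # Absent, empty, or 0 means the setting is not in effect; anything else
    # (a proxy address, or DisableTaskMgr = 1 as in the log) is worth a look.
    $clean  = [string]::IsNullOrEmpty([string]$value) -or ([string]$value -eq '0')
    $status = if ($clean) { 'OK     ' } else { 'SUSPECT' }
    $shown  = if ($null -eq $value) { '<absent>' } else { $value }

    '{0} {1}\{2} = {3}' -f $status, $c.Path, $c.Name, $shown
    if (-not $clean) { $suspect++ }
}

'{0} suspect setting(s) found.' -f $suspect
```

Run it from the same account that showed the symptoms, since the HKCU entries are per-user.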
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Edit: Forgot to ask you to take Spysweeper off of Startup. Here is the entry- it looks like you have it through HP:
    uRun: [RunSpySweeperScheduleAtStartup] "c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe" /ScheduleSweep=HPCeeScheduleForOwner
    =====================================
    Okay, here's your really bad guy:
    1. OpenCloud Security is a computer infection from the Rogue.WinAVPro family. It uses false security alerts and fake scan results to try and trick you into thinking that your computer is infected so that you will then purchase it.
    2. Once started, it will do a fake scan on your computer that will state that there are numerous infections present. It is scripted to show fake scan results regardless of the computer you are on and how clean it is. There is a long list of fake 'security' or 'system' messages you may receive. Don't act on any of them.
    3. You may have seen a screen like this:
    HERE is an example of what you may have seen.
    ---------------------------
    This infection changes your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software. This was seen in the Mbam scan.
    ====================================
    If you are in just plain Safe Mode, you need to reboot into Safe Mode with Networking:
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select Safe Mode with Networking when the Windows Advanced Options menu appears, and then press ENTER.
    --------------------------------------
    We will first stop the proxy:
    Internet Explorer
    1. Under "Tools" in the browser tool bar select "Internet Options".
    2. In the "Internet Options" window that pops up, click the "Connections" tab at the top.
    3. Click "LAN Settings" near the bottom of the "Connections" section.
    4. If the "Proxy server" checkbox is marked with a check, click it to deselect/uncheck it.
    5. Click "OK" to close the "Local Area Network (LAN) Settings" window.
    6. Click "OK" to close the "Internet Options" window.
    7. You have completed removing the proxy settings for Internet Explorer.
    Firefox
    1. Under "Tools" in the browser tool bar select "Options".
    2. In the "Options" window that pops up, click the "Advanced" tab at the top.
    3. Click the "Network" subtab, and then click the "Settings" button in the "Connections" area.
    4. If "No proxy" isn't selected, click it to mark "No proxy" as your preference.
    ==========================================
    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • For Vista, right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    =====================================
    • Double-click on mbam-setup.exe again on your desktop.
    • Update and select Perform Full Scan option
    • Click on the Scan button.

      When the scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ==================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes to continue scanning for malware.
    • If Combofix asks you to update the program, allow it.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.


    Please leave the RKill, new MBAM and Combofix logs in your next reply.
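    As an added example (editor's code, not from the thread, Bobbye or Malwarebytes), here is a small Python parser for the Malwarebytes' Anti-Malware 1.x log format posted above. It extracts every detection, cross-checks MBAM's summary counts against the items actually listed (a quick way to spot a truncated paste), and flags the two PUM settings-tampering hits the helper points to, the ProxyServer value and the DisableTaskMgr policy. The sample log is a trimmed, constructed copy of the Quick scan log from post 6; the PUM interpretation notes and the 'Delete on reboot.' action string are assumptions.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings.
Editor's example for this thread, not a Malwarebytes tool; PUM notes are assumed."""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the Quick scan log posted in this thread
# (the empty Memory/Folders sections were dropped; the parser accepts them too).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300

Database version: 7622

Scan type: Quick scan

Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 2

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\Temp\gdfstr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Owner\pizda_bkurl.dat (Malware.Trace) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")
# LOCATION (THREAT) -> [detail -> ...] ACTION; non-greedy so "(x86)" in a path is safe.
ITEM_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[\w.]+)\) -> (?P<rest>.+)$")
NO_ITEMS = "(No malicious items detected)"
REMOVED = "Quarantined and deleted successfully."

@dataclass
class Finding:
    section: str   # e.g. "Files Infected"
    location: str  # file path or registry path
    threat: str    # detection name, e.g. "PUM.Bad.Proxy"
    detail: str    # middle fields, e.g. "Value: ProxyServer" or "Bad: (1) Good: (0)"
    action: str    # what MBAM did, e.g. REMOVED or (assumed form) "Delete on reboot."

@dataclass
class Report:
    header: dict = field(default_factory=dict)   # "Scan type", "Database version", ...
    summary: dict = field(default_factory=dict)  # section -> count MBAM claims
    findings: list = field(default_factory=list)

def parse_mbam_log(text):
    """Header key/value pairs come first, then the summary counts, then one
    '<Section> Infected:' block per category with one detection per line."""
    report, section = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == NO_ITEMS:
            continue
        if m := SUMMARY_RE.match(line):
            report.summary[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            *detail, action = m["rest"].split(" -> ")
            report.findings.append(Finding(section, m["location"], m["threat"],
                                           " -> ".join(detail), action))
        elif section is None and (m := HEADER_RE.match(line)):
            report.header[m["key"]] = m["value"]
    return report

def check_counts(report):
    """{section: (claimed, listed)} wherever the summary disagrees with the items
    actually listed; empty means the log is self-consistent (not truncated)."""
    listed = {}
    for f in report.findings:
        listed[f.section] = listed.get(f.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in report.summary.items()
            if n != listed.get(s, 0)}

# Assumed interpretation of the two PUM (settings-tampering) hits the helper
# points to: MBAM deletes the value, but the user should still confirm the effect.
PUM_NOTES = {
    "PUM.Bad.Proxy": "browser proxy was set; confirm IE/Firefox now use no proxy",
    "PUM.Hijack.TaskManager": "Task Manager was disabled by policy; confirm it opens",
}

def flag_hijacks(report):
    """(threat, location, note) for every PUM.* detection in the report."""
    return [(f.threat, f.location, PUM_NOTES.get(f.threat, "setting changed by malware"))
            for f in report.findings if f.threat.startswith("PUM.")]

def pending_actions(report):
    """Findings MBAM did not fully remove, i.e. any action other than REMOVED."""
    return [f for f in report.findings if f.action != REMOVED]
```

Run `parse_mbam_log` on the text of a pasted log and then `check_counts`, `flag_hijacks` and `pending_actions` on the result; a non-empty `check_counts` result usually means the paste was cut off (often by Word Wrap, as the helper warns).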
     
  8. njfs589

    njfs589 TS Rookie Topic Starter

    Hey there,

    Thanks so much for your reply. I ran everything, with a couple caveats--I could not get into Spysweeper to turn it off (I tried entering that text into the command prompt but it started me out in c:\Users\Owner, and I couldn't get it to do anything), and I could not get into Avira to turn it off either before I ran everything (Avira is still hidden, too). Also, Rkill never asked me to reboot. Finally, just for the hell of it, I tried booting up normally again (after I'd done all of these processes and rebooted in safe mode), but I still got a bluescreen as Windows was trying to load. Anyhow, thank you so very much again!

    Here are my logs:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 10/09/2011 at 15:45:09.
    Operating System: Windows Vista (TM) Home Premium


    Processes terminated by Rkill or while it was running:



    Rkill completed on 10/09/2011 at 15:45:12.

    ----------------------------------------
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7622

    Windows 6.0.6000 (Safe Mode)
    Internet Explorer 7.0.6000.17037

    10/9/2011 5:09:51 PM
    mbam-log-2011-10-09 (17-09-51).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 415658
    Time elapsed: 1 hour(s), 20 minute(s), 53 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Windows\System32\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\3MDJQ4UO\ex[6].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Windows\System32\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\6ENDNQ7X\ex[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Windows\System32\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\WDF997CU\ex[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.

    ----------------------------------------------
    ComboFix 11-10-09.01 - Owner 10/09/2011 17:31:58.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1013.393 [GMT -4:00]
    Running from: c:\users\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\UjhQbNTJwO.exe
    c:\users\Owner\AppData\Local\{D7076421-191D-444F-AFFA-6041A8A1052A}
    c:\users\Owner\AppData\Local\{D7076421-191D-444F-AFFA-6041A8A1052A}\chrome.manifest
    c:\users\Owner\AppData\Local\{D7076421-191D-444F-AFFA-6041A8A1052A}\chrome\content\_cfg.js
    c:\users\Owner\AppData\Local\{D7076421-191D-444F-AFFA-6041A8A1052A}\chrome\content\overlay.xul
    c:\users\Owner\AppData\Local\{D7076421-191D-444F-AFFA-6041A8A1052A}\install.rdf
    c:\windows\HPCPCUninstaller-6.3.2.139-6811507.exe
    c:\windows\system32\0.5173177838687654.exe
    c:\windows\system32\0.7035102354645513.exe
    c:\windows\system32\comct332.ocx
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-09 to 2011-10-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-09 21:11 . 2011-10-09 21:11 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{534144CF-3516-46F6-981D-81B659F9ED7E}\offreg.dll
    2011-10-09 21:10 . 2011-10-09 21:10 54016 ----a-w- c:\windows\system32\drivers\lmuy.sys
    2011-10-04 01:40 . 2011-10-04 01:40 54016 ----a-w- c:\windows\system32\drivers\newfdun.sys
    2011-10-04 01:32 . 2011-10-04 01:32 709968 ----a-w- c:\windows\is-IB8IA.exe
    2011-10-03 20:39 . 2011-10-03 20:39 -------- d-----w- c:\users\goober
    2011-09-23 22:53 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{534144CF-3516-46F6-981D-81B659F9ED7E}\mpengine.dll
    2011-09-22 21:50 . 2011-09-22 21:51 -------- d-----w- C:\OpenCloud Security
    2011-09-13 03:00 . 2011-09-13 03:00 -------- d-----w- c:\windows\Sun
    2011-09-11 23:31 . 2011-09-15 14:29 0 ----a-w- c:\users\Owner\AppData\Local\Ffeloyo.bin
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-31 21:00 . 2010-09-18 19:38 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-14 00:55 . 2010-09-18 20:34 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-07-14 00:55 . 2010-09-18 20:34 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RunSpySweeperScheduleAtStartup"="c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe" [2006-10-31 86016]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-06 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-06 106496]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-06 81920]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 46704]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-05 281768]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes Anti-Malware\mbam.exe" [2011-08-31 1047208]
    "TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2010-12-25 274608]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
    .
    c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-17 07:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2007-03-14 23:05 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2006-11-24 23:33 167936 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2007-02-16 14:54 282624 ----a-w- c:\program files\QuickTime\qttask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-05-02 136360]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
    R2 MAudioJamLabService;M-Audio JamLab Installer;c:\program files\M-Audio\JamLab\JamLabInst.exe [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
    R3 iLokDrvr;iLok;c:\windows\system32\DRIVERS\iLokDrvr.sys [2007-09-05 54256]
    R3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2006-05-03 4736]
    R3 MAUSBJL;Service for M-Audio JamLab Driver (WDM);c:\windows\system32\DRIVERS\mausbjl.sys [2007-08-02 131072]
    R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-07 20080]
    R3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc2.sys [2006-05-03 8960]
    R3 SMARTMouseFilterx86;HID-compliant mouse;c:\windows\system32\DRIVERS\SMARTMouseFilterx86.sys [x]
    R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [x]
    R3 SMARTVTabletPCx86;SMART Virtual TabletPC;c:\windows\system32\DRIVERS\SMARTVTabletPCx86.sys [x]
    R3 US122;US122 Driver;c:\windows\system32\Drivers\US122.sys [2007-08-29 131968]
    R3 US122DL;US122 Firmware Downloader;c:\windows\system32\Drivers\US122DL.sys [2007-08-29 18304]
    R3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\Drivers\US122Wdm.sys [2007-08-29 39168]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2010-11-02 22072]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ECACHE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21]
    .
    2011-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21]
    .
    2011-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000Core.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27]
    .
    2011-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000UA.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27]
    .
    2011-09-03 c:\windows\Tasks\HPCeeScheduleForOwner.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2006-12-18 00:08]
    .
    2011-10-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-616632193-1259257616-3665374468-1000.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.allmusic.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 68.64.126.240 69.60.160.196
    FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\2dd8tblk.default\
    FF - prefs.js: browser.startup.homepage - hxxp://dictionary.reference.com/wordoftheday/
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Owner\AppData\Roaming\Move Networks
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-M-Audio Taskbar Icon - c:\windows\System32\M-AudioTaskBarIcon.exe
    HKU-Default-Run-UjhQbNTJwO.exe - c:\programdata\UjhQbNTJwO.exe
    MSConfigStartUp-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
    AddRemove-7-Zip - c:\program files\7-Zip\Uninstall.exe
    AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
    AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe
    AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\program files\DivX\DivXConverterUninstall.exe
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
    AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - c:\program files\DivX\DivXPlayerUninstall.exe
    AddRemove-{B13A7C41581B411290FBC0395694E2A9} - c:\program files\DivX\DivXConverterUninstall.exe
    AddRemove-{D050D7362D214723AD585B541FFB6C11} - c:\program files\DivX\DivXContentUploaderUninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-09 17:41
    Windows 6.0.6000 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
    "ImagePath"="%systemroot%\system32\msiexec /V"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-10-09 17:44:44
    ComboFix-quarantined-files.txt 2011-10-09 21:44
    .
    Pre-Run: 11,996,598,272 bytes free
    Post-Run: 11,982,880,768 bytes free
    .
    - - End Of File - - 58F8C3C44184AAAF4491C6F8F77D4CA9
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, let's see if you can get this through:
    Please run this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    C:\Users\Owner\Desktop\z4spnrqj.exe
    c:\programdata\UjhQbNTJwO.exe
    c:\users\owner\appdata\local\Ffeloyo.bin
    Folder::
    C:\OpenCloud Security
    c:\windows\system32\0.7035102354645513.exe
    c:\windows\system32\0.5173177838687654.exe
    c:\users\owner\appdata\local\{D7076421-191D-444F-AFFA-6041A8A1052A}
    DDS::
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
    mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
    mRun: [OpenCloud Security] c:\windows\system32\config\systemprofile\appdata\roaming\opencloud security\OpenCloud Security.exe
    mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    dRun: [UjhQbNTJwO.exe] c:\programdata\UjhQbNTJwO.exe
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RunSpySweeperScheduleAtStartup"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
    ======================================
    Follow with download of maxhandle.exe by noahdfear to your desktop.
    • Double click maxhandle.exe and run the application
    • An active internet connection is required so that maxhandle.exe may download a tool from SysInternals
    • If Max++ is present the log will open automatically.
    • If Max++ is not found, "Nothing found!" is echoed to the screen - no log is produced.
    • Log is saved to c:\maxhandle.txt

    Please post both of the logs in your next reply.
     
  10. njfs589

    njfs589 TS Rookie Topic Starter

    Hey there,

    Sorry it took me all week to get back to you. The screen on my laptop (infected computer) is cracked (huge black blotches on it), so I can only work on it when I'm able to bring a monitor home from my work computer, and I wasn't able to do that till this weekend. Anyhow, thank you again for your help.

    Here's my combofix log. I ran maxhandle but it said "nothing found!" so there's no log for that one. Thanks again and so much!


    ComboFix 11-10-16.02 - Owner 10/16/2011 16:58:19.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1013.509 [GMT -4:00]
    Running from: c:\users\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\users\Owner\Desktop\CFScript.txt
    * Created a new restore point
    .
    FILE ::
    "c:\programdata\UjhQbNTJwO.exe"
    "c:\users\owner\appdata\local\Ffeloyo.bin"
    "c:\users\Owner\Desktop\z4spnrqj.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\owner\appdata\local\Ffeloyo.bin
    c:\users\Owner\Desktop\z4spnrqj.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-16 to 2011-10-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-16 21:07 . 2011-10-16 21:07 -------- d-----w- c:\users\Owner\AppData\Local\temp
    2011-10-16 21:07 . 2011-10-16 21:07 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-10-09 21:10 . 2011-10-09 21:10 54016 ----a-w- c:\windows\system32\drivers\lmuy.sys
    2011-10-04 01:40 . 2011-10-04 01:40 54016 ----a-w- c:\windows\system32\drivers\newfdun.sys
    2011-10-04 01:32 . 2011-10-04 01:32 709968 ----a-w- c:\windows\is-IB8IA.exe
    2011-10-03 20:39 . 2011-10-03 20:39 -------- d-----w- c:\users\goober
    2011-09-23 22:53 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{534144CF-3516-46F6-981D-81B659F9ED7E}\mpengine.dll
    2011-09-22 21:50 . 2011-09-22 21:51 -------- d-----w- C:\OpenCloud Security
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-31 21:00 . 2010-09-18 19:38 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-06 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-06 106496]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-06 81920]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 46704]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [BU]
    "DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-05 281768]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes Anti-Malware\mbam.exe" [2011-08-31 1047208]
    "TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2010-12-25 274608]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "UjhQbNTJwO.exe"="c:\programdata\UjhQbNTJwO.exe" [BU]
    .
    c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    c:\program files\DivX\DivX Update\DivXUpdate.exe [BU]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-17 07:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2007-03-14 23:05 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2006-11-24 23:33 167936 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2007-02-16 14:54 282624 ----a-w- c:\program files\QuickTime\qttask.exe
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-05-02 136360]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
    R2 MAudioJamLabService;M-Audio JamLab Installer;c:\program files\M-Audio\JamLab\JamLabInst.exe [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
    R3 iLokDrvr;iLok;c:\windows\system32\DRIVERS\iLokDrvr.sys [2007-09-05 54256]
    R3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2006-05-03 4736]
    R3 MAUSBJL;Service for M-Audio JamLab Driver (WDM);c:\windows\system32\DRIVERS\mausbjl.sys [2007-08-02 131072]
    R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-07 20080]
    R3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc2.sys [2006-05-03 8960]
    R3 SMARTMouseFilterx86;HID-compliant mouse;c:\windows\system32\DRIVERS\SMARTMouseFilterx86.sys [x]
    R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [x]
    R3 SMARTVTabletPCx86;SMART Virtual TabletPC;c:\windows\system32\DRIVERS\SMARTVTabletPCx86.sys [x]
    R3 US122;US122 Driver;c:\windows\system32\Drivers\US122.sys [2007-08-29 131968]
    R3 US122DL;US122 Firmware Downloader;c:\windows\system32\Drivers\US122DL.sys [2007-08-29 18304]
    R3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\Drivers\US122Wdm.sys [2007-08-29 39168]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2010-11-02 22072]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ECACHE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21]
    .
    2011-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21]
    .
    2011-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000Core.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27]
    .
    2011-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000UA.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27]
    .
    2011-09-03 c:\windows\Tasks\HPCeeScheduleForOwner.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2006-12-18 00:08]
    .
    2011-10-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-616632193-1259257616-3665374468-1000.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.allmusic.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\2dd8tblk.default\
    FF - prefs.js: browser.startup.homepage - hxxp://dictionary.reference.com/wordoftheday/
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Owner\AppData\Roaming\Move Networks
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-16 17:07
    Windows 6.0.6000 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
    "ImagePath"="%systemroot%\system32\msiexec /V"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-10-16 17:11:05
    ComboFix-quarantined-files.txt 2011-10-16 21:10
    ComboFix2.txt 2011-10-09 21:44
    .
    Pre-Run: 12,056,375,296 bytes free
    Post-Run: 12,027,953,152 bytes free
    .
    - - End Of File - - D5310843438F6C172535C07533EBF576
     
  11. Bobbye


    Can you tell me anything about these files?
    And did you include this in the script I had you run through Combofix?
    2011-09-22 21:51 -------- d-----w- C:\OpenCloud Security
    .
     
  12. njfs589


    Hello again, and thank you again for your help.

    The only one I can tell you about is:
    2011-10-03 20:39 . 2011-10-03 20:39 -------- d-----w- c:\users\goober

    At one point (I suppose on October 3), I tried creating a new user account to see if I'd be able to boot my computer normally (aka not in safe mode), and called the new user "goober." It didn't work. The other lines I don't know anything about.

    And as for this,
    I'm fairly certain I just copied and pasted the script that you gave me. The script appears to be gone from my computer, so I can't verify this 100%, but I can't imagine myself having done anything else. I certainly didn't alter the script in any way.

    Thank you again for all your help in this, most seriously. If you ever find yourself in eastern KY, there's a beer with your name on it. Have a great weekend.
     
  13. Bobbye


    You're welcome and thanks for the offer! Just a few more:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\is-IB8IA.exe
    c:\windows\system32\drivers\lmuy.sys
    Folder::
    C:\OpenCloud Security
    c:\users\Owner\AppData\Local\temp
    c:\users\Default\AppData\Local\temp
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "UjhQbNTJwO.exe"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    =============================================
    Please use Windows Explorer> Right click on Start> Explore> My Computer> double click on Local Drive (C:)> do a right click> Delete on OpenCloud Security

    Also while in WE, go to Programs. If there is a folder for OpenCloud Security> do a right click> Delete.

    Now look in Add/Remove Programs> If OpenCloud Security is there, uninstall it.

    If you do not see the C:\OpenCloud Security directory: After bringing up Windows Explorer: Tools> Folder Options> View tab> Check 'show hidden files and folders'> uncheck 'hide protected system files and folders (Recommended)'> Confirm Yes to message> Apply> OK

    Then go ahead with the directions
    ====================================
    How is the system working now?
     
  14. njfs589


    Okay, I ran the script into Combofix and have attached my log.

    I then deleted the shortcut to OpenCloud Security from C:\. I couldn't find the folder under Program Files or Program Data, and nothing OpenCloud Security-related was visible in Add/remove programs. I then unhid all folders, as instructed, but still couldn't find any in Program Files. So I searched my system for "opencloud," and got two copies of the same folder (and their path said they were both in some kind of "quarantine") and a VIR file. I deleted the folder. When I tried to delete the VIR file it told me I'd have to create a folder for it first, so I held off. I then deleted all from the Recycle Bin, and when I searched again, nothing "opencloud"-related came up.

    So I then restarted to make sure everything stuck, and then I restarted again and tried rebooting my computer normally, but the same thing happened again that's been happening--it tries to load the desktop but before anything appears on the screen (besides my background color), it flashes a bluescreen and shuts off the computer. So once again, I'm rolling in Safe Mode.

    Thanks again for the help. Here's the Combofix Log:

    ComboFix 11-10-23.03 - Owner 10/23/2011 23:42:32.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1013.511 [GMT -4:00]
    Running from: C:\Users\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Users\Owner\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    "c:\windows\is-IB8IA.exe"
    "c:\windows\system32\drivers\lmuy.sys"


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\OpenCloud Security
    C:\OpenCloud Security\OpenCloud Security.lnk
    c:\users\Default\AppData\Local\temp
    c:\users\Owner\AppData\Local\temp
    c:\users\Owner\AppData\Local\temp\RarSFX0\hand.bat
    c:\users\Owner\AppData\Local\temp\RarSFX0\sed.exe
    c:\users\Owner\AppData\Local\temp\RarSFX0\swreg.exe
    c:\users\Owner\AppData\Local\temp\RarSFX0\temp0
    c:\users\Owner\AppData\Local\temp\RarSFX0\temp3
    c:\users\Owner\AppData\Local\temp\RarSFX0\unzip.exe
    c:\users\Owner\AppData\Local\temp\RarSFX0\WGET.EXE
    c:\windows\is-IB8IA.exe
    c:\windows\system32\drivers\lmuy.sys


    ((((((((((((((((((((((((( Files Created from 2011-09-24 to 2011-10-24 )))))))))))))))))))))))))))))))


    2011-10-16 23:53:27 . 2011-10-23 21:50:30 56200 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{534144CF-3516-46F6-981D-81B659F9ED7E}\offreg.dll
    2011-10-16 22:46:49 . 2011-07-07 17:28:24 520496 ----a-w- C:\Windows\Listdlls.exe
    2011-10-16 22:46:40 . 2011-05-17 16:48:50 423288 ----a-w- C:\Windows\handle.exe
    2011-10-04 01:40:53 . 2011-10-04 01:40:53 54016 ----a-w- C:\Windows\system32\drivers\newfdun.sys
    2011-10-03 20:39:50 . 2011-10-03 20:39:51 -------- d-----w- C:\Users\goober
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2011-09-12 23:14:12 . 2011-09-23 22:53:21 7269712 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{534144CF-3516-46F6-981D-81B659F9ED7E}\mpengine.dll
    2011-08-31 21:00:50 . 2010-09-18 19:38:02 22216 ----a-w- C:\Windows\system32\drivers\mbam.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 05:02:46 815104]
    "IgfxTray"="C:\Windows\system32\igfxtray.exe" [2006-11-06 09:02:32 98304]
    "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2006-11-06 09:05:32 106496]
    "Persistence"="C:\Windows\system32\igfxpers.exe" [2006-11-06 09:02:18 81920]
    "QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 18:58:18 159744]
    "HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 23:42:42 46704]
    "WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 17:56:54 317152]
    "hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 17:32:36 472800]
    "SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 20:21:52 246504]
    "M-Audio Taskbar Icon"="C:\Windows\System32\M-AudioTaskBarIcon.exe" [BU]
    "DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 03:35:10 77824]
    "avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-05 16:48:14 281768]
    "Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes Anti-Malware\mbam.exe" [2011-08-31 21:00:48 1047208]
    "TkBellExe"="C:\Program Files\Real\RealPlayer\Update\realsched.exe" [2010-12-25 03:07:02 274608]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="C:\Windows\SMINST\launcher.exe" [2006-11-08 01:39:18 44128]

    C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.2.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-17 07:11:42 49152 ----a-w- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2007-03-14 23:05:48 257088 ----a-w- C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2006-11-24 23:33:52 167936 ----a-w- C:\Program Files\HP\QuickPlay\QPService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2007-02-16 14:54:04 282624 ----a-w- C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [2011-05-02 01:01:47 136360]
    R2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21:57 135664]
    R2 MAudioJamLabService;M-Audio JamLab Installer;C:\Program Files\M-Audio\JamLab\JamLabInst.exe [x]
    R3 gupdatem;Google Update Service (gupdatem);C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21:57 135664]
    R3 iLokDrvr;iLok;C:\Windows\system32\DRIVERS\iLokDrvr.sys [2007-09-05 16:05:02 54256]
    R3 LLUSBFLT;LLUSBFLT;C:\Windows\system32\drivers\llusbflt.sys [2006-05-03 13:19:36 4736]
    R3 MAUSBJL;Service for M-Audio JamLab Driver (WDM);C:\Windows\system32\DRIVERS\mausbjl.sys [2007-08-02 18:50:00 131072]
    R3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2010-11-07 02:24:32 20080]
    R3 PLUsbbc2;High-Speed USB Bridge Cable Driver;C:\Windows\system32\Drivers\usbbc2.sys [2006-05-03 13:19:36 8960]
    R3 SMARTMouseFilterx86;HID-compliant mouse;C:\Windows\system32\DRIVERS\SMARTMouseFilterx86.sys [x]
    R3 SMARTVHidMini2000x86;SMART HID Device;C:\Windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [x]
    R3 SMARTVTabletPCx86;SMART Virtual TabletPC;C:\Windows\system32\DRIVERS\SMARTVTabletPCx86.sys [x]
    R3 US122;US122 Driver;C:\Windows\system32\Drivers\US122.sys [2007-08-29 10:20:02 131968]
    R3 US122DL;US122 Firmware Downloader;C:\Windows\system32\Drivers\US122DL.sys [2007-08-29 10:20:34 18304]
    R3 Us122WdmService;US122 Wdm Audio;C:\Windows\system32\Drivers\US122Wdm.sys [2007-08-29 10:20:48 39168]
    R3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam.sys [2008-05-06 22:06:00 11520]
    S3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys [2010-11-02 03:33:19 22072]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ECACHE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ

    Contents of the 'Scheduled Tasks' folder

    2011-10-16 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-10 06:22:14 . 2010-01-10 06:21:57]

    2011-09-24 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-10 06:22:14 . 2010-01-10 06:21:57]

    2011-09-19 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000Core.job
    - C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27:55 . 2011-07-13 12:27:51]

    2011-09-24 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000UA.job
    - C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27:55 . 2011-07-13 12:27:51]

    2011-09-03 C:\Windows\Tasks\HPCeeScheduleForOwner.job
    - C:\Program Files\hewlett-packard\sdp\ceement\HPCEE.exe [2006-12-18 04:26:38 . 2006-10-31 00:08:36]

    2011-10-24 C:\Windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-616632193-1259257616-3665374468-1000.job
    - C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33:50 . 2010-11-05 17:33:50]


    ------- Supplementary Scan -------

    uStart Page = hxxp://www.allmusic.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
    IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\2dd8tblk.default\
    FF - prefs.js: browser.startup.homepage - hxxp://dictionary.reference.com/wordoftheday/
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - C:\Users\Owner\AppData\Roaming\Move Networks
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}


    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-23 23:51:22
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
    "ImagePath"="%systemroot%\system32\msiexec /V"

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    Completion time: 2011-10-23 23:54:31
    ComboFix-quarantined-files.txt 2011-10-24 03:54:14
    ComboFix2.txt 2011-10-16 21:11:05
    ComboFix3.txt 2011-10-09 21:44:44

    Pre-Run: 11,948,613,632 bytes free
    Post-Run: 11,919,065,088 bytes free

    - - End Of File - - E0AAF4DCF6A7E45092C78BA23C20B10D
     
  15. Bobbye


    Okay, looks like you got Open Cloud off the system! Just a few entries to remove:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
    Code:
    File::
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    About the BSOD on boot into Normal:
    We need to look and see if there is an error corresponding to the time this happens. Errors are time-coded, so you have to check the time on the computer clock when this happens. Force it if necessary, and note the time. Then do the following:


    Please download VEW and save it to your Desktop:

    Setting up the program

    Double-click VEW.exe to run.

    • Select log to query, select
    • Application
    • System

      Under Select type to list, select:
    • Critical (Vista only)
    • Error

      Click the radio button for Number of events
    • Type 20 in the 1 to 20 box
    • Then click the Run button.
    • Notepad will open with the output log.

      Load the log
    • In Notepad, click Edit> Select all
    • Then press Edit > Copy
    • Press Ctrl+V on your keyboard to paste the log to your next reply.
    (Courtesy rev-Olie)
    =======================================
    There should be a consistent error occurring at the failed boot time. But you will get errors about some processes and groups of processes not starting>> that will be due to the fact that you're running in Safe Mode and some processes don't start in Safe Mode. I will sort those out and ignore them.

    The important thing is that the scan covers at least one of the times you try to boot into normal mode and get the BSOD- so noting the time is important.
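The two CFScripts above remove an autorun value under HKEY_USERS\.DEFAULT and the three Security Center DisableMonitoring values; both are things the helper spotted by reading the 'Reg Loading Points' section of the posted logs. As an added example (not ComboFix's code and not the helper's), here is a small triage of that section: it flags Run values in the .DEFAULT hive or pointing into drop directories, random-looking executable names, BootExecute entries beyond the stock autochk, and disabled Security Center monitoring. The sample text is a trimmed copy of entries posted in this thread; the heuristics and thresholds are this example's own and mark entries for review, not as confirmed malware.

```python
"""Triage of the 'Reg Loading Points' section of a ComboFix log.

Added example, not ComboFix's own code. The heuristics below are this
example's own and mark entries for review; they do not prove malware.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the autorun entries posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-05 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"UjhQbNTJwO.exe"="c:\programdata\UjhQbNTJwO.exe" [BU]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
BOOTEXEC_RE = re.compile(r"^BootExecute\s+REG_MULTI_SZ\s+(?P<data>.*)$")
STOCK_BOOTEXEC = "autocheck autochk *"


@dataclass
class Finding:
    key: str
    name: str
    reason: str


def _case_transitions(s: str) -> int:
    """Count upper/lower flips; machine-generated names like 'UjhQbNTJwO' flip often."""
    letters = [c for c in s if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def _looks_random(filename: str) -> bool:
    """Heuristic (this example's own): 8+ alphanumerics with four or more case flips."""
    stem = filename.rsplit(".", 1)[0]
    return re.fullmatch(r"[A-Za-z0-9]{8,}", stem) is not None and _case_transitions(stem) >= 4


def _suspect_location(path: str) -> bool:
    """Executables sitting directly in ProgramData, the Windows root or a temp folder."""
    parent = path.lower().rpartition("\\")[0]
    return parent in ("c:\\programdata", "c:\\windows") or parent.endswith("\\appdata\\local\\temp")


def triage_reg_loading_points(text: str) -> list[Finding]:
    """Walk the section line by line, remembering the current registry key."""
    findings: list[Finding] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif m := BOOTEXEC_RE.match(line):
            # ComboFix prints REG_MULTI_SZ elements separated by a literal \0; anything
            # beyond the stock autochk entry runs before the desktop exists.
            for extra in m.group("data").split("\\0"):
                if extra and extra != STOCK_BOOTEXEC:
                    findings.append(Finding(key, "BootExecute", f"extra boot-time program: {extra}"))
        elif m := DWORD_RE.match(line):
            if (m.group("name").lower() == "disablemonitoring"
                    and int(m.group("hex"), 16) == 1
                    and "security center\\monitoring" in key.lower()):
                findings.append(Finding(key, m.group("name"), "Security Center monitoring disabled"))
        elif (m := VALUE_RE.match(line)) and key.lower().endswith("\\currentversion\\run"):
            name, data = m.group("name"), m.group("data")
            reasons = []
            if key.upper().startswith("HKEY_USERS\\.DEFAULT"):
                reasons.append("Run value in the .DEFAULT (system profile) hive, which normal software does not use")
            if _suspect_location(data):
                reasons.append(f"image in a drop location: {data}")
            if _looks_random(data.rpartition("\\")[2]):
                reasons.append("random-looking executable name")
            findings.extend(Finding(key, name, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in triage_reg_loading_points(SAMPLE_LOG):
        print(f"{f.key}\n    {f.name}: {f.reason}")
```

Run against the sample, the only Run value it reports is the .DEFAULT-hive dropper (three reasons), alongside the non-stock BootExecute entry and the two DisableMonitoring values; the vendor entries from Program Files pass untouched. Anything in BootExecute other than autochk is reported for review only, since legitimate disk tools also register there.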
     
  16. njfs589


    All right, so below I've posted the Combofix Log, but before that I've posted what VEW gave me, which seems to be nothing. I intentionally tried booting normally and forced a bluescreen and shutdown at 8:44 p.m., yet nothing here. Do you know any reason why this may be? Thanks so much.

    Vino's Event Viewer v01c run on Windows Vista in English
    Report run at 24/10/2011 8:50:26 PM

    Note: All dates below are in the format dd/mm/yyyy

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Critical Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Critical Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    ----------------------------------------

    ComboFix 11-10-24.04 - Owner 10/24/2011 20:26:35.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1013.523 [GMT -4:00]
    Running from: c:\users\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\users\Owner\Desktop\CFScript.txt
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-25 to 2011-10-25 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-25 00:36 . 2011-10-25 00:36 -------- d-----w- c:\users\Owner\AppData\Local\temp
    2011-10-25 00:36 . 2011-10-25 00:36 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-10-24 04:20 . 2011-10-25 00:01 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{534144CF-3516-46F6-981D-81B659F9ED7E}\offreg.dll
    2011-10-16 22:46 . 2011-07-07 17:28 520496 ----a-w- c:\windows\Listdlls.exe
    2011-10-16 22:46 . 2011-05-17 16:48 423288 ----a-w- c:\windows\handle.exe
    2011-10-04 01:40 . 2011-10-04 01:40 54016 ----a-w- c:\windows\system32\drivers\newfdun.sys
    2011-10-03 20:39 . 2011-10-03 20:39 -------- d-----w- c:\users\goober
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-12 23:14 . 2011-09-23 22:53 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{534144CF-3516-46F6-981D-81B659F9ED7E}\mpengine.dll
    2011-08-31 21:00 . 2010-09-18 19:38 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-06 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-06 106496]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-06 81920]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 46704]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [BU]
    "DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-05 281768]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes Anti-Malware\mbam.exe" [2011-08-31 1047208]
    "TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2010-12-25 274608]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "UjhQbNTJwO.exe"="c:\programdata\UjhQbNTJwO.exe" [BU]
    .
    c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    c:\program files\DivX\DivX Update\DivXUpdate.exe [BU]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-17 07:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2007-03-14 23:05 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2006-11-24 23:33 167936 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2007-02-16 14:54 282624 ----a-w- c:\program files\QuickTime\qttask.exe
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-05-02 136360]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
    R2 MAudioJamLabService;M-Audio JamLab Installer;c:\program files\M-Audio\JamLab\JamLabInst.exe [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
    R3 iLokDrvr;iLok;c:\windows\system32\DRIVERS\iLokDrvr.sys [2007-09-05 54256]
    R3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2006-05-03 4736]
    R3 MAUSBJL;Service for M-Audio JamLab Driver (WDM);c:\windows\system32\DRIVERS\mausbjl.sys [2007-08-02 131072]
    R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-07 20080]
    R3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc2.sys [2006-05-03 8960]
    R3 SMARTMouseFilterx86;HID-compliant mouse;c:\windows\system32\DRIVERS\SMARTMouseFilterx86.sys [x]
    R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [x]
    R3 SMARTVTabletPCx86;SMART Virtual TabletPC;c:\windows\system32\DRIVERS\SMARTVTabletPCx86.sys [x]
    R3 US122;US122 Driver;c:\windows\system32\Drivers\US122.sys [2007-08-29 131968]
    R3 US122DL;US122 Firmware Downloader;c:\windows\system32\Drivers\US122DL.sys [2007-08-29 18304]
    R3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\Drivers\US122Wdm.sys [2007-08-29 39168]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2010-11-02 22072]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ECACHE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21]
    .
    2011-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 06:21]
    .
    2011-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000Core.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27]
    .
    2011-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-616632193-1259257616-3665374468-1000UA.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-13 12:27]
    .
    2011-09-03 c:\windows\Tasks\HPCeeScheduleForOwner.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2006-12-18 00:08]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.allmusic.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\2dd8tblk.default\
    FF - prefs.js: browser.startup.homepage - hxxp://dictionary.reference.com/wordoftheday/
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Owner\AppData\Roaming\Move Networks
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-24 20:36
    Windows 6.0.6000 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
    "ImagePath"="%systemroot%\system32\msiexec /V"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-10-24 20:38:44
    ComboFix-quarantined-files.txt 2011-10-25 00:38
    ComboFix2.txt 2011-10-24 03:54
    ComboFix3.txt 2011-10-16 21:11
    ComboFix4.txt 2011-10-09 21:44
    .
    Pre-Run: 11,994,951,680 bytes free
    Post-Run: 11,958,034,432 bytes free
    .
    - - End Of File - - 8B80279199069238BFD5EA71CCFAAAD7
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The Event Viewer results could be: 1. There were no errors at all (I've never seen a log with none!) or 2. that for some reason, the scan didn't work.

    Have a look manually:

    Start> Run> type in eventvwr

    Do this on each of the System and Application logs:
    [1]. Click to open the log>
    [2]. Look for the Error>
    [3]. Right click on the Error> Properties>
    [4]. Click on Copy button, top right, below the down arrow >
    [5]. Paste here (Ctrl V)
    [6]. NOTES
    • You can ignore Warnings and Information Events.
    • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
    • You don't need to include the lines of code in the box below the Description, if any.
    • Please do not copy the entire Event log.
    ================================
    Let's go ahead and check this. In an earlier post you mentioned you had something 'non-standard'.
    Bootkit Remover:

    Download bootkitremover.rar and save to your desktop.
    1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the remover.exe file to run the program.
      (Vista/7 users, right click on remover.exe and click Run As Administrator.)
    3. You will see a black screen with data
    4. Right click on the screen and click Select All.
    5. Press CTRL+C
    6. Open a Notepad and press CTRL+V
    7. Paste the output in your next reply.
    =====================================
    Don't act on this- the following is FYI only:
    Results should be one of the following:
    • OK (DOS/Win32 Boot code found)
      - MBR boot code is clean.
    • Unknown boot code
      - MBR boot code is modified. This practically corresponds to either
      an active bootkit infection, or a custom boot manager installed (such
      as GRUB).
    • Controlled by rootkit!
      - a bootkit with self-hiding capabilities is detected.
    ==============================================
     
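    The three Bootkit Remover verdicts listed above can be modelled offline. This is an added example, not the tool's own code: the "clean" and "patched" 512-byte sectors, the trusted baseline hash, and the simplification that a self-hiding bootkit shows the OS a different sector 0 than is really on disk are all constructed assumptions.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440         # x86 boot code; the disk signature follows at 0x1B8
PTABLE_OFF = 446           # four 16-byte partition entries, then 0x55AA at 510
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
KNOWN_GOOD_SHA256 = set()  # SHA-256 of boot code you trust; filled from the constructed sample

def build_mbr(bootcode: bytes, entries=()) -> bytes:
    """Constructed 512-byte MBR: boot code, partition table and the 0x55AA signature."""
    sector = bytearray(SECTOR)
    sector[:BOOTCODE_LEN] = bootcode[:BOOTCODE_LEN].ljust(BOOTCODE_LEN, b"\0")
    for i, (active, ptype, lba, count) in enumerate(entries):
        off = PTABLE_OFF + 16 * i
        sector[off:off + 16] = struct.pack(ENTRY_FMT, 0x80 if active else 0, b"\0\0\0",
                                           ptype, b"\0\0\0", lba, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)

def bootcode_hash(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()

def partitions(mbr: bytes) -> list:
    # Decode the non-empty partition entries so an odd layout can be spotted.
    found = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PTABLE_OFF + 16 * i)
        if ptype:
            found.append({"active": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return found

def triage(api_view: bytes, raw_view: bytes) -> str:
    """api_view: sector 0 as the running OS reports it; raw_view: what is really on disk.
    Simplified model (assumption): a self-hiding bootkit makes the two views differ."""
    if len(raw_view) != SECTOR or raw_view[510:512] != b"\x55\xAA":
        return "Invalid MBR (missing 0x55AA signature)"   # verdict added beyond the tool's three
    if api_view != raw_view:
        return "Controlled by rootkit!"
    if bootcode_hash(raw_view) in KNOWN_GOOD_SHA256:
        return "OK (DOS/Win32 Boot code found)"
    return "Unknown boot code"
# Constructed samples: a standard-looking MBR prologue, then a copy with its entry patched.
CLEAN_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8")
CLEAN_MBR = build_mbr(CLEAN_CODE, [(True, 0x07, 2048, 20480)])
KNOWN_GOOD_SHA256.add(bootcode_hash(CLEAN_MBR))          # treat this one as the trusted baseline
MODIFIED_MBR = build_mbr(b"\xEB\x58" + CLEAN_CODE[2:], [(True, 0x07, 2048, 20480)])

if __name__ == "__main__":
    for api, raw in [(CLEAN_MBR, CLEAN_MBR), (MODIFIED_MBR, MODIFIED_MBR), (CLEAN_MBR, MODIFIED_MBR)]:
        print(triage(api, raw))
```

    On a real machine the "raw" view would come from reading sector 0 below the filesystem driver (for example from a clean boot environment), and the baseline set would hold the hashes of the boot code your OS installer actually writes.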
  18. njfs589

    njfs589 TS Rookie Topic Starter

    Hey there,

    So no events showed up on the event viewer either. When you click "Application" under Windows Logs, it says "Event Viewer cannot open the event log or custom view. Verify that Event Log service is running." I then went to "Log Properties-Application" and clicked the "subscribe" tab, where a box popped up that told me "To work with subscriptions, the Windows Event Collector Service must be running and configured. Do you want to start the service...?" I clicked "yes," but it said "Unable to start service. Cannot start service wecsvc on computer." So maybe that's why no logs showed up in VEW either? Do viruses / rootkits / whatever I've got ever attack Event Viewing functionality? Seems pretty sinister.

    And as for the bootkitremover.rar, when I left-clicked on it, it said "file not found!". I right clicked on it and saved the target to the desktop, where "bootkit_remover.rar" now sits, but I can't extract anything from it using 7-zip; it doesn't work, saying "Cannot open the file as archive."

    Thanks again and as always for your help.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. I've been meaning to ask you> what caused the damage to the laptop monitor?

    I'm not sure this is a software problem, but there is one file that keeps reappearing. It's described as Company: NetPlay Software,
    Description: Instant Demo Application, and it needs to be identified:
    The file is c:\programdata\UjhQbNTJwO.exe

    It has a free trial and after that, the price starts at $200.00 and goes up according to the version.
    It does not show in the installed programs and is being started from the Registry.

    Please go to VirSCAN.org FREE on-line scan service:
    If busy, you can use one of the following: ( you only need one)
    VirusTotal
    Jotti

    [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

    Code:
    c:\programdata\UjhQbNTJwO.exe

    [2]. At the upload site, click once inside the window next to Browse.
    [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    [4]. Click on the Upload button.
    This will perform a scan across multiple different virus scanning engines.
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    Important: Wait for all of the scanning engines to complete.
    [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
    [6]. Paste the contents of the Clipboard in your next reply.
    ======================================
    I'd like you to try the Bootkit scan again: I'm not sure this was done correctly. Remove the download you have now first:

    This wording might be a bit easier:

    Download bootkitremover.rar and save to your desktop.

    NOTE: This is a file compressed with Winrar. If you do not have the means to unpack it, you can download and install 7-zip .

    * Double-click on the remover.exe file to run the program.
      (Vista users, right click on remover.exe and click Run As Administrator.)

    * Unpack remover.exe from the bootkit_remover.rar archive and save it to your Desktop
    * Doubleclick remover.exe to run the tool
    * A DOS window will open with the results of the scan
    * Rightclick that window and choose Select all
    * Simultaneously press [CTRL] + C (copy) and paste the text in your next reply.
     
  20. njfs589

    njfs589 TS Rookie Topic Starter

    Apologies for my delay, I was out of town all week and as this computer is barely even functional anymore, I left it behind. I'm still not exactly certain what damaged the screen; all I know is I was crashing at a friend's house and left it there in the morning, and when I came back in the evening it was like this, with huge black splotches obscuring much of the screen. Somebody must have stepped on it or something.

    I feel really silly that I can't perform the simple tasks you're asking of me. I tried inputting "c:\programdata\UjhQbNTJwO.exe" into any of those 3 sites, but each of them said that path wasn't correct, "File Not Found."

    And I don't know what I'm doing wrong with the bootkitremover.rar. I downloaded it to the desktop, like you said. I right-clicked in an effort to Run As Administrator (because I am using Vista) but that wasn't an option given to me on the right-click menu. I also went under the 7-zip heading that pops up when you right click it and tried to extract it, but 7-zip said the same thing it did last time-- "0 Can not open file 'C:\Users\Owner\Desktop\bootkit_remover.rar' as archive."

    Do you think I'm at the point with this where I just ought to back up my info, wipe windows, and start over? I somehow ended up with some more google redirecting issues (only with firefox, though), and I'm not sure if this thing is ever going to end. I don't have my installation disk (lost it years ago) so I'd have to fudge something I guess, but it seems like this thing may just be shot, and it'd be super nice to be able to have audio again, and to not see everything in this crappy blown-up-way-too-big resolution that safe mode runs.

    Thank you again and so much for all your help. Have a great night.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. You have a couple of unusual processes on the system.

    ============================================
    1. The operating system was installed 4 years ago, but I don't see any SP updates or Windows Updates- only some for MS Office.
    2. There are no Restore Points
    3. You are running file sharing programs: µTorrent, StreamTorrent 1.0
    4. These programs are out of date: Adobe Reader 8, Java(TM) 6 Update 18
    5. The presence of the previously mentioned programs, the lack of updates, and the inability to find the path to run programs point me to have you run this:

    Please run the MGA Diagnostics tool
    • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
    • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool>
    • You must choose to Run this tool when prompted.
    • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
    • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
    • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
    • Please return to this thread and Paste the results here for review.
    ------------------------------------------
    Also, look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

    1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    3. Or, does it have the computer manufacturer's name in black lettering?
    4. DO NOT post the Product Key.

    NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
     
