TechSpot

Nasty virus on computer

By AliciaArkansas
Apr 26, 2012
  1. Hi, my name is Alicia. I'm so glad I found your website and some people who could possibly help me, because my computer has some nasty viruses and I'm not sure what to do next. I've followed all your instructions in the sticky post on the forum and ran the 3 logs for Malwarebytes, GMER, and DDS (see logs below). I'm an intelligent person, but I do not know much about computers other than where the on button is, because I'm a single mom and don't have much time to mess with the PC.

    Basically, here are my problems... The other day I thought I'd be cool and clean my computer up, because I'm tired of all the programs that have accumulated in the startup, and my program list is so long that it covered my entire screen. So I started deleting and uninstalling old things I didn't use and ran some sort of cleaner called CCleaner, I believe, cleared out my temp files and all that good stuff. Then I downloaded a program called Steam so I could buy games for my kids.

    1. Next thing I know, when I go to certain websites, like my university e-mail which uses Google email, I get an error and can't open the page (I use Chrome), but it works with Internet Explorer, which I hate. The error says "The site's security certificate is signed using a weak signature algorithm!"

    2. Random pages pop up in another tab for crap like women's health and other ads, frequently.

    3. Half the time when I click on a link to go to a page, it takes me to a totally different website with ads and such.

    First thing I did was run Malwarebytes, which says I have a rootkit, but it can't be deleted: when I select Delete Quarantined Items it then asks me to restart to delete it. So I do that and I still have the problem. I ran another scan, same thing. Did it 3 times. So I ran AVG, which found nothing. Next thing I did was dance around my computer with a dead chicken... Not really, but you get the point! Please see logs in next post.
     
  2. AliciaArkansas

    AliciaArkansas TS Rookie Topic Starter

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 912042601

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    4/25/2012 11:27:10 PM
    mbam-log-2012-04-25 (23-27-10).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 164374
    Time elapsed: 57 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\WINDOWS\system32\fsma.dll (RootKit.0Access.H) -> Delete on reboot.

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\fsma.dll (RootKit.0Access.H) -> Delete on reboot.
    c:\documents and settings\administrator\application data\Sun\Java\deployment\cache\6.0\36\165b0664-2c1907a5 (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
    c:\documents and settings\administrator\application data\Sun\Java\deployment\cache\6.0\56\78ea68f8-217e19ca (Trojan.FakeAlert.VGen) -> Quarantined and deleted successfully.
     
  3. AliciaArkansas

    AliciaArkansas TS Rookie Topic Starter

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-04-26 02:00:12
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-22LSA0 rev.06.01D06
    Running: j6zknpbt.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdrpog.sys
    ---- System - GMER 1.0.15 ----
    SSDT sppk.sys ZwEnumerateKey [0xB7EC5CA4]
    SSDT sppk.sys ZwEnumerateValueKey [0xB7EC6032]
    ---- Devices - GMER 1.0.15 ----
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1b [B7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 [B7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [B7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort2 [B7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort3 [B7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\VClone \Device\Scsi\VClone1 89C461F8
    Device \Driver\a1m7b30v \Device\Scsi\a1m7b30v1Port5Path0Target0Lun0 89BAB500
    Device \Driver\a1m7b30v \Device\Scsi\a1m7b30v1 89BAB500
    Device \Driver\VClone \Device\Scsi\VClone1Port4Path0Target0Lun0 89C461F8
    Device \FileSystem\Ntfs \Ntfs 89E521F8
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    ---- Processes - GMER 1.0.15 ----
    Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 3788
    ---- EOF - GMER 1.0.15 ----
     
  4. AliciaArkansas

    AliciaArkansas TS Rookie Topic Starter

    DDS.txt
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
    Run by Administrator at 2:13:58 on 2012-04-26
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1241 [GMT -5:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Pando Networks\Media Booster\PMB.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: Search the Web - c:\program files\sweetim\toolbars\internet explorer\resources\menuext.html
    IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
    IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: mswsock.dll
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: Interfaces\{C6DA8D22-8FB1-49C6-8F14-BEAF68B8EC05} : NameServer = 68.94.156.1,68.94.157.1
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ov3wgo5u.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: browser.search.selectedEngine - SweetIM Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071504000001.dll
    FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071505000011.dll
    FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ov3wgo5u.default\extensions\reader_plugin@ebrary.com\plugins\NPinfotl.dll
    FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
    FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\administrator\application data\Move Networks
    FF - Ext: Poster: {d48a39ba-8f80-4fce-8ee1-bc710561c55d} - %profile%\extensions\{d48a39ba-8f80-4fce-8ee1-bc710561c55d}
    FF - Ext: EBrary Reader Plugin: reader_plugin@ebrary.com - %profile%\extensions\reader_plugin@ebrary.com
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    ============= SERVICES / DRIVERS ===============
    .
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-17 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-17 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-17 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-17 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-17 297752]
    R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-2-28 1373576]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-6-29 366152]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-29 22216]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate1c9e3f9fd9ba96e;Google Update Service (gupdate1c9e3f9fd9ba96e);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\wusb54gscv2.sys --> c:\windows\system32\drivers\WUSB54GSCV2.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-04-25 04:01:54  --------  d-----w-  c:\program files\common files\Steam
    2012-04-24 22:34:40  0  --sha-w-  c:\windows\system32\dds_trash_log.cmd
    2012-04-13 19:12:39  --------  d-----w-  c:\program files\common files\Symantec Shared
    2012-04-13 19:12:31  --------  d-----w-  c:\documents and settings\all users\application data\Norton
    2012-04-13 19:12:28  --------  d-----w-  c:\documents and settings\all users\application data\NortonInstaller
    .
    ==================== Find3M ====================
    .
    2009-06-05 17:09:38  774144  ----a-w-  c:\program files\RngInterstitial.dll
    .
    ============= FINISH: 2:14:40.04 ===============
     
  5. AliciaArkansas

    AliciaArkansas TS Rookie Topic Starter

    attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/17/2009 9:31:41 PM
    System Uptime: 4/26/2012 2:01:25 AM (0 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA74GM-S2
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5000+ | Socket M2 | 2611/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 75 GiB total, 12.605 GiB free.
    D: is FIXED (NTFS) - 98 GiB total, 60.894 GiB free.
    E: is FIXED (NTFS) - 135 GiB total, 24.824 GiB free.
    F: is CDROM (UDF)
    G: is CDROM ()
    H: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP941: 1/27/2012 9:20:08 AM - System Checkpoint
    RP942: 1/28/2012 10:10:17 AM - System Checkpoint
    RP943: 1/29/2012 3:41:00 PM - System Checkpoint
    RP944: 1/30/2012 4:07:54 PM - System Checkpoint
    RP945: 1/31/2012 5:07:54 PM - System Checkpoint
    RP946: 2/1/2012 9:27:17 PM - System Checkpoint
    RP947: 2/2/2012 9:50:24 PM - System Checkpoint
    RP948: 2/3/2012 10:36:37 PM - System Checkpoint
    RP949: 2/4/2012 11:50:26 PM - System Checkpoint
    RP950: 2/6/2012 12:06:28 AM - System Checkpoint
    RP951: 2/7/2012 1:06:28 AM - System Checkpoint
    RP952: 2/8/2012 2:06:28 AM - System Checkpoint
    RP953: 2/9/2012 3:04:23 AM - System Checkpoint
    RP954: 2/10/2012 3:57:44 AM - System Checkpoint
    RP955: 2/11/2012 4:53:37 AM - System Checkpoint
    RP956: 2/12/2012 5:53:34 AM - System Checkpoint
    RP957: 2/13/2012 6:53:34 AM - System Checkpoint
    RP958: 2/14/2012 6:59:11 AM - System Checkpoint
    RP959: 2/15/2012 7:04:16 AM - System Checkpoint
    RP960: 2/16/2012 7:52:30 AM - System Checkpoint
    RP961: 2/17/2012 8:52:30 AM - System Checkpoint
    RP962: 2/18/2012 9:52:30 AM - System Checkpoint
    RP963: 2/19/2012 12:59:25 PM - System Checkpoint
    RP964: 2/20/2012 1:00:56 PM - System Checkpoint
    RP965: 2/21/2012 1:52:04 PM - System Checkpoint
    RP966: 2/22/2012 3:32:51 PM - System Checkpoint
    RP967: 2/23/2012 3:48:52 PM - System Checkpoint
    RP968: 2/24/2012 3:52:14 PM - System Checkpoint
    RP969: 2/25/2012 9:35:03 PM - System Checkpoint
    RP970: 2/27/2012 12:23:34 AM - System Checkpoint
    RP971: 2/28/2012 12:46:50 AM - System Checkpoint
    RP972: 2/29/2012 1:39:30 AM - System Checkpoint
    RP973: 3/1/2012 2:35:03 AM - System Checkpoint
    RP974: 3/2/2012 3:33:54 AM - System Checkpoint
    RP975: 3/3/2012 4:33:54 AM - System Checkpoint
    RP976: 4/4/2012 10:50:43 AM - System Checkpoint
    RP977: 3/4/2012 3:50:20 PM - System Checkpoint
    RP978: 3/5/2012 5:06:15 PM - System Checkpoint
    RP979: 3/6/2012 5:37:57 PM - System Checkpoint
    RP980: 3/7/2012 6:01:11 PM - System Checkpoint
    RP981: 3/8/2012 8:29:23 PM - System Checkpoint
    RP982: 3/9/2012 8:32:46 PM - System Checkpoint
    RP983: 3/10/2012 9:32:46 PM - System Checkpoint
    RP984: 3/11/2012 10:12:04 PM - System Checkpoint
    RP985: 3/12/2012 10:31:40 PM - System Checkpoint
    RP986: 3/13/2012 10:48:01 PM - System Checkpoint
    RP987: 3/14/2012 11:55:41 PM - System Checkpoint
    RP988: 3/16/2012 11:35:52 AM - System Checkpoint
    RP989: 3/17/2012 11:08:24 PM - System Checkpoint
    RP990: 3/18/2012 11:11:04 PM - System Checkpoint
    RP991: 3/20/2012 12:57:57 PM - System Checkpoint
    RP992: 3/21/2012 1:23:04 PM - System Checkpoint
    RP993: 3/22/2012 4:11:38 PM - System Checkpoint
    RP994: 3/23/2012 5:25:57 PM - System Checkpoint
    RP995: 3/24/2012 5:44:29 PM - System Checkpoint
    RP996: 3/25/2012 5:59:07 PM - System Checkpoint
    RP997: 3/27/2012 12:11:02 AM - System Checkpoint
    RP998: 3/28/2012 12:54:10 AM - System Checkpoint
    RP999: 3/29/2012 2:45:02 AM - System Checkpoint
    RP1000: 3/30/2012 3:32:34 AM - System Checkpoint
    RP1001: 3/31/2012 3:55:51 AM - System Checkpoint
    RP1002: 4/1/2012 4:54:52 AM - System Checkpoint
    RP1003: 4/2/2012 5:52:45 AM - System Checkpoint
    RP1004: 4/3/2012 6:51:49 AM - System Checkpoint
    RP1005: 4/4/2012 7:56:05 AM - System Checkpoint
    RP1006: 4/5/2012 8:51:49 AM - System Checkpoint
    RP1007: 4/6/2012 9:50:41 AM - System Checkpoint
    RP1008: 4/7/2012 10:50:41 AM - System Checkpoint
    RP1009: 4/8/2012 1:48:00 PM - System Checkpoint
    RP1010: 4/9/2012 1:59:36 PM - System Checkpoint
    RP1011: 4/10/2012 2:48:31 PM - System Checkpoint
    RP1012: 4/11/2012 2:52:35 PM - System Checkpoint
    RP1013: 4/12/2012 2:59:15 PM - System Checkpoint
    RP1014: 4/13/2012 3:01:55 PM - System Checkpoint
    RP1015: 4/14/2012 3:42:49 PM - System Checkpoint
    RP1016: 4/15/2012 5:31:46 PM - System Checkpoint
    RP1017: 4/16/2012 5:34:24 PM - System Checkpoint
    RP1018: 4/17/2012 5:35:59 PM - System Checkpoint
    RP1019: 4/18/2012 9:31:58 PM - System Checkpoint
    RP1020: 4/20/2012 10:42:33 AM - System Checkpoint
    RP1021: 4/21/2012 11:18:08 AM - System Checkpoint
    RP1022: 4/22/2012 1:13:35 PM - System Checkpoint
    RP1023: 4/23/2012 1:59:18 PM - System Checkpoint
    RP1024: 4/24/2012 2:18:23 PM - System Checkpoint
    RP1025: 4/24/2012 11:01:52 PM - Installed Steam
    RP1026: 4/24/2012 11:48:35 PM - Removed 1701 A.D. Demo
    RP1027: 4/24/2012 11:57:58 PM - Removed Eu3 - DEMO
    RP1028: 4/25/2012 12:30:37 AM - Removed Windows Live Upload Tool
    RP1029: 4/26/2012 12:33:12 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Photoshop 7.0
    Adobe Reader 9.1
    Adobe Shockwave Player 11.5
    AiO_Scan_CDA
    AMD Processor Driver
    AT&T U-verse Setup
    AVG Free 8.5
    Black & White® 2
    Browser Configuration Utility
    CCleaner
    Compatibility Pack for the 2007 Office system
    Conquest 4.0
    Dawn of Discovery
    Diner Dash - Hometown Hero
    Download Updater (AOL LLC)
    DVDFab Ghosthunter release 6.0.1.0
    Europa Universalis III
    Facebook Plug-In
    Family Tree Maker
    Farm Frenzy: Ancient Rome
    Farm Frenzy: Gone Fishing
    Free Video to Flash Converter version 4.1
    Google Chrome
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB958655-v2)
    HOTLLAMA Media Player
    HP Deskjet 3050A J611 series Basic Device Software
    HP Deskjet 3050A J611 series Help
    HP Photo Creations
    HP PSC & OfficeJet 6.1.A
    HP Update
    ImgBurn
    InterActual Player
    InterVideo WinDVD 7
    Java Auto Updater
    Java(TM) 6 Update 20
    Junk Mail filter update
    K-Lite Codec Pack 3.1.5 Full
    Little Shop of Treasures
    LogMeIn Hamachi
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft .NET Framework 3.0 Service Pack 1
    Microsoft .NET Framework 3.5
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft .NET Framework 4 Multi-Targeting Pack
    Microsoft Age of Empires II
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Help Viewer 1.0
    Microsoft Office Word Viewer 2003
    Microsoft Office XP Professional with FrontPage
    Microsoft Silverlight
    Microsoft SQL Server Compact 3.5 SP2 ENU
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Visual C++ 2010 Express - ENU
    Microsoft WSE 3.0 Runtime
    Microsoft XML Parser
    Move Media Player
    Mozilla Firefox (3.6.20)
    MSVCRT
    MSXML 4.0 SP2 Parser and SDK
    NVIDIA Drivers
    NVIDIA PhysX
    Pando Media Booster
    Pinnacle VideoSpin
    QFolder
    QuickTime
    RealArcade
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    Roads of Rome 3
    RollerCoaster Tycoon 3 Platinum
    Scan
    Segoe UI
    SkyGazer 4
    Skype™ 5.5
    Solid YouTube Downloader and Converter FileBulldog Toolbar
    Sothink SWF Quicker
    Starcraft
    StarCraft II
    Steam
    Stronghold 2
    The Sims Medieval
    TheSkyX First Light Edition
    VirtualCloneDrive
    VLC media player 0.9.9
    Web Games Player Plugin
    WebFldrs XP
    Wedding Dash
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Movie Maker 2.0
    WinRAR 4.01 (32-bit)
    Wireless USB Card
    World of Warcraft
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/25/2012 7:48:33 PM, error: Print [19] - Sharing printer failed + 1722, Printer HPDeskjet F300 series share name Printer.
    4/25/2012 12:05:37 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    4/25/2012 11:30:35 PM, error: Service Control Manager [7023] - The Digisptiservice service terminated with the following error: The specified module could not be found.
    4/25/2012 10:05:52 PM, error: Service Control Manager [7023] - The Sntnlusb service terminated with the following error: The specified module could not be found.
    4/25/2012 10:04:25 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    4/19/2012 7:56:28 PM, error: Service Control Manager [7034] - The LogMeIn Hamachi Tunneling Engine service terminated unexpectedly. It has done this 1 time(s).
    4/19/2012 7:56:03 PM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================
     
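    Editor's note, added to this thread and not part of any poster's reply: the three logs above carry the findings that matter, and they are easy to miss in the noise. Post #2 shows Malwarebytes could only schedule c:\WINDOWS\system32\fsma.dll (RootKit.0Access.H) for "Delete on reboot" because the DLL was loaded as a module, which is consistent with the removal not sticking across reboots. Post #3 shows two SSDT hooks (ZwEnumerateKey and ZwEnumerateValueKey, the calls a rootkit hooks to hide registry keys) pointing into sppk.sys, a driver that appears nowhere in the DDS services list; the atapi.sys dispatch routine resolved to an "[unknown section]" of its own image, meaning the handler was patched; and a hidden ping.exe process. Post #4 shows orphaned BHO/toolbar CLSIDs ("No File") and loaded browser hooks (Somoto Toolbar, SweetIM, dvmurl.dll) that should be vetted against what the user knowingly installed. The script below applies those triage rules to excerpts copied from the posts; the rules are my own heuristics, not logic from Malwarebytes, GMER or DDS, and a hit is a lead for the helper to chase, not a verdict.

```python
"""Triage heuristics for the three logs posted in this thread (MBAM, GMER, DDS).

Added example for the thread: the sample lines below are constructed from the
posts above (trimmed), and the rules are the editor's own heuristics, not logic
from Malwarebytes, GMER or DDS. A hit is a lead to investigate, not a verdict.
"""
import re

# Constructed excerpts of the logs posted above (posts #2, #3 and #4).
MBAM_LOG = r"""
Memory Modules Infected:
c:\WINDOWS\system32\fsma.dll (RootKit.0Access.H) -> Delete on reboot.
Files Infected:
c:\WINDOWS\system32\fsma.dll (RootKit.0Access.H) -> Delete on reboot.
c:\documents and settings\administrator\application data\Sun\Java\deployment\cache\6.0\36\165b0664-2c1907a5 (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
"""

GMER_LOG = r"""
SSDT sppk.sys ZwEnumerateKey [0xB7EC5CA4]
SSDT sppk.sys ZwEnumerateValueKey [0xB7EC6032]
Device \Driver\atapi \Device\Ide\IdePort0 [B7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]}
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 3788
"""

DDS_LOG = r"""
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
LSP: mswsock.dll
"""

MBAM_ITEM = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
SSDT_HOOK = re.compile(r"^SSDT (?P<driver>\S+) (?P<function>\w+) \[0x[0-9A-Fa-f]+\]$")
HIDDEN_PROC = re.compile(r"^Process (?P<image>.+?) \(\*\*\* hidden \*\*\* ?\) (?P<pid>\d+)$")
HJT_ENTRY = re.compile(
    r"^(?P<kind>BHO|TB|uURLSearchHooks): (?:(?P<name>.+?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.+)$"
)

# SSDT entries that resolve into the kernel image itself are normal; anything else is a hook.
KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"}


def mbam_unresolved(text):
    """Paths MBAM could only schedule for 'Delete on reboot': the file was in use
    (here loaded as a module), so the removal depends on a reboot the rootkit
    still controls. Deduplicated and lower-cased, because MBAM lists a loaded
    module both under Memory Modules and under Files."""
    hits = set()
    for line in text.splitlines():
        m = MBAM_ITEM.match(line.strip())
        if m and m.group("action").startswith("Delete on reboot"):
            hits.add(m.group("path").lower())
    return sorted(hits)


def gmer_findings(text):
    """Three GMER patterns worth chasing: an SSDT entry pointing into a driver
    other than the kernel image, a device dispatch routine that resolves to an
    '[unknown section]' of its own driver (patched handler), and a process GMER
    can see but the process list hides. Benign filter drivers (AttachedDevice)
    are deliberately not flagged."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_HOOK.match(line)
        if m and m.group("driver").lower() not in KERNEL_IMAGES:
            findings.append(("ssdt_hook", m.group("driver"), m.group("function")))
            continue
        if line.startswith("Device ") and "[unknown section]" in line:
            parts = line.split()
            findings.append(("device_hook", parts[1], parts[2]))
            continue
        m = HIDDEN_PROC.match(line)
        if m:
            findings.append(("hidden_process", m.group("image"), int(m.group("pid"))))
    return findings


def hjt_findings(text):
    """Browser hooks from the DDS 'Pseudo HJT' section. Orphaned CLSIDs ('No File')
    are leftovers to clean; every other BHO/toolbar/URL search hook is returned
    so its name and DLL path can be checked against what the user installed."""
    orphans, loaded = [], []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if not m:
            continue
        entry = (m.group("kind"), m.group("name") or "<unnamed>", m.group("target"))
        (orphans if m.group("target") == "No File" else loaded).append(entry)
    return {"orphans": orphans, "loaded": loaded}


if __name__ == "__main__":
    print("MBAM could not remove while loaded:", mbam_unresolved(MBAM_LOG))
    for kind, a, b in gmer_findings(GMER_LOG):
        print(f"GMER {kind}: {a} {b}")
    hjt = hjt_findings(DDS_LOG)
    print("orphaned browser hooks:", hjt["orphans"])
    print("loaded browser hooks to vet:", hjt["loaded"])
```

    The functions take the raw log text, so the full logs from posts #2 to #4 can be pasted in place of the excerpts; the regexes only depend on the line formats those tools emit.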
  6. Bobbye

    Bobbye Helper on the Fringe

    Good morning, Alicia. I'll be glad to help with the malware. You have a rootkit that will take some going to find all entries to remove. You are also infected with a Backdoor. We can't guarantee that a system hasn't already been compromised, but let's check out a few things:

    First, you ran an outdated version of Malwarebytes. I'd like you to remove that and download it again from this link. There are some changes, so please read my instructions carefully.

    Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware from HERE
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      [o] Update Malwarebytes' Anti-Malware
      [o] and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Full Scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply.
      Note: on opening Notepad, click on Format> make sure Word Wrap is unchecked.
      [o] If you accidentally close it, the log file is saved here and will be named like this:
      [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ========================
    I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A selection screen will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Microsoft Security Essentials
    Comodo AV
    Avast! Free Antivirus
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install; just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ===================================
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
    • If malicious objects are found, they will show in the Scan results and offer three (3) options.
    • Select the action Cure to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • Click Continue.
    • Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
    ==========================================================
    Please leave the logs for the new Malwarebytes, Combofix and TDSSKiller in your next reply. Be sure to let me know if you experience any problems with the scan or new problems with the system.
    =========================================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      • Don't follow directions given to someone else
      • Don't use any other cleaning programs or scans while I'm helping you.
      • Don't use a Registry cleaner or make any changes in the Registry.
      • Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
     
  7. AliciaArkansas

    AliciaArkansas TS Rookie Topic Starter

    Thank you for your quick response. I have downloaded the new version of Malwarebytes and below is my new log. I have to go to class for the next 5 hours and will get the rest done tonight after class or in the morning. Also, after downloading the new Malwarebytes it's going nuts. Every 2 or 3 seconds for the last 2 hours while I've been doing homework, a note will pop up from my system tray saying it successfully blocked access to a potentially malicious website, then has a number like 83.133.122.75 Type: outgoing. Didn't know if you needed to know that! Also, every 15 minutes or so the entire Malwarebytes program pops up asking me if I want to Quarantine rootkit and I always click yes.
    ======================================
    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.04.26.03

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 6.0.2900.5512
    Administrator :: ALICIA [administrator]

    Protection: Disabled

    4/26/2012 11:40:05 AM
    mbam-log-2012-04-26 (11-40-05).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 443302
    Time elapsed: 2 hour(s), 14 minute(s), 57 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 1
    C:\WINDOWS\system32\SGIR.dll (RootKit.0Access.H) -> Delete on reboot.

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\WINDOWS\system32\SGIR.dll (RootKit.0Access.H) -> Delete on reboot.
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1027\A0090800.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1027\A0090801.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

    (end)
     
  8. AliciaArkansas

    AliciaArkansas TS Rookie Topic Starter

    Bobbye,
    I've followed your instructions in the order you gave them. In the previous reply is my new Malwarebytes log and below is my Combofix and TDSSKiller log. I did run into a problem when trying to run Combofix. Your directions said to disable all antivirus programs, but every time I turned off Malwarebytes my computer seemed to be getting attacked worse and I couldn't do anything, such as starting the CF program, even when I tried to turn the internet off. After about 4 attempts of doing this and having to do a hard reboot, I ran Combofix with Malwarebytes on.

    After following your directions, the note boxes from the Malwarebytes icon in the system tray which say "successfully blocked access to a potential malicious website" every 2 or 3 seconds have stopped. My computer is faster and I can access my university email without getting blocked, and the red crossed-out https:// in the search box is gone. Does this mean that my computer is healed?

    ================================================
    CF Log

    ComboFix 12-04-26.01 - Administrator 04/26/2012 21:30:59.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1728 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\Application Data\fegnqddd.exe
    c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ov3wgo5u.default\searchplugins\bing-zugo.xml
    c:\documents and settings\Administrator\WINDOWS
    c:\documents and settings\All Users\Application Data\TEMP
    c:\program files\somototoolbar\vmNTemplatex.dll
    c:\windows\$NtUninstallKB30749$
    c:\windows\$NtUninstallKB30749$\11903000
    c:\windows\$NtUninstallKB30749$\1757417693\@
    c:\windows\$NtUninstallKB30749$\1757417693\cfg.ini
    c:\windows\$NtUninstallKB30749$\1757417693\Desktop.ini
    c:\windows\$NtUninstallKB30749$\1757417693\L\hxiaemkh
    c:\windows\$NtUninstallKB30749$\1757417693\oemid
    c:\windows\$NtUninstallKB30749$\1757417693\U\00000001.@
    c:\windows\$NtUninstallKB30749$\1757417693\U\00000002.@
    c:\windows\$NtUninstallKB30749$\1757417693\U\00000004.@
    c:\windows\$NtUninstallKB30749$\1757417693\U\80000000.@
    c:\windows\$NtUninstallKB30749$\1757417693\U\80000004.@
    c:\windows\$NtUninstallKB30749$\1757417693\U\80000032.@
    c:\windows\$NtUninstallKB30749$\1757417693\version
    c:\windows\system32\dds_trash_log.cmd
    c:\windows\system32\urttemp
    c:\windows\system32\urttemp\fusion.dll
    c:\windows\system32\urttemp\mscoree.dll
    c:\windows\system32\urttemp\mscoree.dll.local
    c:\windows\system32\urttemp\mscorsn.dll
    c:\windows\system32\urttemp\mscorwks.dll
    c:\windows\system32\urttemp\msvcr71.dll
    c:\windows\system32\urttemp\regtlib.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-27 02:43 . 2012-04-27 02:43  40776  ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
    2012-04-26 16:38 . 2012-04-04 20:56  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-04-25 04:01 . 2012-04-25 04:01  --------  d-----w-  c:\program files\Common Files\Steam
    2012-04-24 22:57 . 2012-04-24 22:57  --------  d-s---w-  c:\documents and settings\NetworkService\UserData
    2012-04-13 19:12 . 2012-04-25 04:46  --------  d-----w-  c:\program files\Common Files\Symantec Shared
    2012-04-13 19:12 . 2012-04-25 04:46  --------  d-----w-  c:\documents and settings\All Users\Application Data\Norton
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-05 17:09 . 2009-06-05 17:09  774144  ----a-w-  c:\program files\RngInterstitial.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-18 39408]
    "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-10-29 3077528]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-01-29 52392]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-17 113664]
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-7-5 278528]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
    2012-02-28 23:38  1987976  ----a-w-  c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2009-05-01 05:31  1657376  ----a-w-  c:\windows\system32\nwiz.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2011-10-13 14:27  17351304  ----a-r-  c:\program files\Skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2012-04-25 04:02  1242448  ----a-w-  d:\steam games\Steam.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
    "c:\\Program Files\\Starcraft\\StarCraft.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
    "c:\\Program Files\\Ubisoft\\Related Designs\\Dawn of Discovery\\tools\\Anno4Web.exe"=
    "c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "57924:TCP"= 57924:TCP:pando Media Booster
    "57924:UDP"= 57924:UDP:pando Media Booster
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/15/2009 6:36 PM 721904]
    R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2/28/2012 6:38 PM 1373576]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/26/2012 11:38 AM 654408]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/26/2012 11:38 AM 22344]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/26/2012 9:43 PM 40776]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate1c9e3f9fd9ba96e;Google Update Service (gupdate1c9e3f9fd9ba96e);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2009 10:18 PM 133104]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2009 10:18 PM 133104]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\DRIVERS\WUSB54GSCV2.sys --> c:\windows\system32\DRIVERS\WUSB54GSCV2.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMSWISSARMY
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Intels51
    NETw3x32
    3dkeybd
    StkAMini
    fcprintservice
    hsf_dpv
    icdsptsv
    mmc_2K
    wampmysqld
    rdnaoflsvc
    vvoice
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 03:18]
    .
    2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 03:18]
    .
    2012-04-27 c:\windows\Tasks\HP Photo Creations Messager.job
    - c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{C6DA8D22-8FB1-49C6-8F14-BEAF68B8EC05}: NameServer = 68.94.156.1,68.94.157.1
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ov3wgo5u.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: browser.search.selectedEngine - SweetIM Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Administrator\Application Data\Move Networks
    FF - Ext: Poster: {d48a39ba-8f80-4fce-8ee1-bc710561c55d} - %profile%\extensions\{d48a39ba-8f80-4fce-8ee1-bc710561c55d}
    FF - Ext: EBrary Reader Plugin: reader_plugin@ebrary.com - %profile%\extensions\reader_plugin@ebrary.com
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
    Notify-avgrsstarter - (no file)
    MSConfigStartUp-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
    MSConfigStartUp-uTorrent - c:\documents and settings\Administrator\My Documents\Downloads\utorrent.exe
    AddRemove-VLC media player - c:\program files\VideoLAN\VLC\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-26 21:43
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2976)
    c:\windows\system32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\system32\wscntfy.exe
    c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-04-26 21:47:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-27 02:46
    .
    Pre-Run: 13,430,509,568 bytes free
    Post-Run: 15,459,385,344 bytes free
    .
    - - End Of File - - 2462689C9DB34D3EF810CD0CEDCC9361

     
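    As an added example (this editor's code, not from the thread or from ComboFix, Malwarebytes or TDSSKiller), a small Python triage script that reads a ComboFix-style log and flags the Security Center override and firewall-policy values exactly as they appear in the log above, plus the `$NtUninstallKB…$` paths with `@` files and `U\`/`L\` subfolders that ComboFix removed. The excerpt it runs on is constructed to mirror the posted log; the choice of patterns and the "weak setting" list are this editor's assumptions.

    ```python
    import re

    # Constructed excerpt modelled on the ComboFix log posted in this thread
    # (not a file taken from the thread); the values are as they appear there.
    SAMPLE_LOG = r"""
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Administrator\Application Data\fegnqddd.exe
    c:\windows\$NtUninstallKB30749$\1757417693\@
    c:\windows\$NtUninstallKB30749$\1757417693\U\00000001.@
    c:\windows\$NtUninstallKB30749$\1757417693\L\hxiaemkh
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    """

    KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')          # [HKEY...\path]
    VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+)$')  # "Name"=value

    # A genuine hotfix uninstall folder does not contain a numeric subfolder
    # holding '@' files and 'U'/'L' directories; that layout is what the
    # posted log shows ComboFix removing, so it is flagged (editor's assumption).
    FAKE_HOTFIX_RE = re.compile(r'\\\$ntuninstallkb\d+\$\\\d+\\(u\\|l\\|@)', re.IGNORECASE)

    # (registry-key suffix, value name) -> the value that silences a defence.
    WEAK_SETTINGS = {
        ('security center', 'antivirusoverride'): 1,   # hides "no AV" warnings
        ('security center', 'firewalloverride'): 1,    # hides "no firewall" warnings
        (r'firewallpolicy\standardprofile', 'enablefirewall'): 0,
        (r'firewallpolicy\standardprofile', 'disablenotifications'): 1,
    }


    def parse_value(raw):
        """Turn 'dword:00000001' or '0 (0x0)' into an int; None if not numeric."""
        raw = raw.strip()
        if raw.lower().startswith('dword:'):
            return int(raw[6:], 16)
        m = re.match(r'-?\d+', raw)
        return int(m.group()) if m else None


    def triage(log_text):
        """Return (category, detail) findings for a ComboFix-style log."""
        findings = []
        current_key = ''
        for line in log_text.splitlines():
            line = line.strip()
            if FAKE_HOTFIX_RE.search(line):
                findings.append(('suspicious-path', line))
                continue
            m = KEY_RE.match(line)
            if m:
                current_key = m.group('key').lower()
                continue
            m = VALUE_RE.match(line)
            if not m or not current_key:
                continue
            name = m.group('name').lower()
            value = parse_value(m.group('raw'))
            for (key_suffix, setting), bad in WEAK_SETTINGS.items():
                if current_key.endswith(key_suffix) and name == setting and value == bad:
                    findings.append(('weak-setting', f'{current_key}\\{name}={value}'))
        return findings


    if __name__ == '__main__':
        for category, detail in triage(SAMPLE_LOG):
            print(f'{category:16} {detail}')
    ```
    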
  9. AliciaArkansas

    AliciaArkansas TS Rookie Topic Starter

    TDSSKiller Log


    21:48:40.0703 2832 TDSS rootkit removing tool 2.7.33.0 Apr 24 2012 18:43:43
    21:48:41.0203 2832 ============================================================
    21:48:41.0203 2832 Current date / time: 2012/04/26 21:48:41.0203
    21:48:41.0203 2832 SystemInfo:
    21:48:41.0203 2832
    21:48:41.0203 2832 OS Version: 5.1.2600 ServicePack: 3.0
    21:48:41.0203 2832 Product type: Workstation
    21:48:41.0203 2832 ComputerName: ALICIA
    21:48:41.0203 2832 UserName: Administrator
    21:48:41.0203 2832 Windows directory: C:\WINDOWS
    21:48:41.0203 2832 System windows directory: C:\WINDOWS
    21:48:41.0203 2832 Processor architecture: Intel x86
    21:48:41.0203 2832 Number of processors: 2
    21:48:41.0203 2832 Page size: 0x1000
    21:48:41.0203 2832 Boot type: Normal boot
    21:48:41.0203 2832 ============================================================
    21:48:42.0359 2832 Drive \Device\Harddisk0\DR0 - Size: 0x12A1E0DE00 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    21:48:42.0375 2832 Drive \Device\Harddisk1\DR1 - Size: 0x3A35294400 (232.83 Gb), SectorSize: 0x200, Cylinders: 0x76BA, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    21:48:42.0375 2832 ============================================================
    21:48:42.0375 2832 \Device\Harddisk0\DR0:
    21:48:42.0375 2832 MBR partitions:
    21:48:42.0375 2832 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950E482
    21:48:42.0375 2832 \Device\Harddisk1\DR1:
    21:48:42.0375 2832 MBR partitions:
    21:48:42.0375 2832 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xC34F28D
    21:48:42.0406 2832 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0xC34F30B, BlocksNum 0x10E55C6E
    21:48:42.0406 2832 ============================================================
    21:48:42.0421 2832 C: <-> \Device\Harddisk0\DR0\Partition0
    21:48:42.0468 2832 D: <-> \Device\Harddisk1\DR1\Partition0
    21:48:42.0484 2832 E: <-> \Device\Harddisk1\DR1\Partition1
    21:48:42.0484 2832 ============================================================
    21:48:42.0484 2832 Initialize success
    21:48:42.0484 2832 ============================================================
    21:48:48.0734 3804 ============================================================
    21:48:48.0734 3804 Scan started
    21:48:48.0734 3804 Mode: Manual;
    21:48:48.0734 3804 ============================================================
    21:48:52.0312 3804IpFilterDriver - ok
    21:48:52.0343 3804IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    21:48:52.0343 3804IpInIp - ok
    21:48:52.0359 3804IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    21:48:52.0359 3804IpNat - ok
    21:48:52.0390 3804IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    21:48:52.0390 3804IPSec - ok
    21:48:52.0421 3804IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    21:48:52.0421 3804IRENUM - ok
    21:48:52.0453 3804isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    21:48:52.0453 3804isapnp - ok
    21:48:52.0546 3804JavaQuickStarterService (1834c96fb1f9280bcf6ddfa6de8338bf) C:\Program Files\Java\jre6\bin\jqs.exe
    21:48:52.0546 3804JavaQuickStarterService - ok
    21:48:52.0562 3804Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    21:48:52.0562 3804Kbdclass - ok
    21:48:52.0593 3804kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    21:48:52.0593 3804kbdhid - ok
    21:48:52.0609 3804kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    21:48:52.0609 3804kmixer - ok
    21:48:52.0656 3804KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
    21:48:52.0656 3804KSecDD - ok
    21:48:52.0671 3804LanmanServer (f385f4b02c535bffe1d70cab80838123) C:\WINDOWS\System32\srvsvc.dll
    21:48:52.0687 3804LanmanServer - ok
    21:48:52.0718 3804lanmanworkstation (1b67b632786fef1c1bbaef46c2f3f2e6) C:\WINDOWS\System32\wkssvc.dll
    21:48:52.0718 3804lanmanworkstation - ok
    21:48:52.0718 3804lbrtfdc - ok
    21:48:52.0765 3804lirsgt (f8a7212d0864ef5e9185fb95e6623f4d) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
    21:48:52.0765 3804lirsgt - ok
    21:48:52.0781 3804LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
    21:48:52.0781 3804LmHosts - ok
    21:48:52.0812 3804MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys
    21:48:52.0812 3804MBAMProtector - ok
    21:48:52.0875 3804MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    21:48:52.0875 3804MBAMService - ok
    21:48:52.0968 3804McciCMService (f8b823414a22dbf3bec10dcaa5f93cd8) C:\Program Files\Common Files\Motive\McciCMService.exe
    21:48:52.0984 3804McciCMService - ok
    21:48:53.0000 3804Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
    21:48:53.0000 3804Messenger - ok
    21:48:53.0000 3804mmc_2K - ok
    21:48:53.0015 3804mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    21:48:53.0015 3804mnmdd - ok
    21:48:53.0031 3804mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
    21:48:53.0031 3804mnmsrvc - ok
    21:48:53.0062 3804Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    21:48:53.0062 3804Modem - ok
    21:48:53.0093 3804Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    21:48:53.0093 3804Mouclass - ok
    21:48:53.0125 3804mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    21:48:53.0140 3804mouhid - ok
    21:48:53.0140 3804MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    21:48:53.0140 3804MountMgr - ok
    21:48:53.0140 3804mraid35x - ok
    21:48:53.0187 3804MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
    21:48:53.0187 3804MREMP50 - ok
    21:48:53.0187 3804MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
    21:48:53.0203 3804MRESP50 - ok
    21:48:53.0218 3804MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    21:48:53.0218 3804MRxDAV - ok
    21:48:53.0250 3804MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    21:48:53.0265 3804MRxSmb - ok
    21:48:53.0296 3804MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
    21:48:53.0296 3804MSDTC - ok
    21:48:53.0312 3804Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    21:48:53.0312 3804Msfs - ok
    21:48:53.0312 3804MSIServer - ok
    21:48:53.0359 3804MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    21:48:53.0359 3804MSKSSRV - ok
    21:48:53.0375 3804MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    21:48:53.0375 3804MSPCLOCK - ok
    21:48:53.0375 3804MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    21:48:53.0390 3804MSPQM - ok
    21:48:53.0406 3804mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    21:48:53.0406 3804mssmbios - ok
    21:48:53.0406 3804Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    21:48:53.0421 3804Mup - ok
    21:48:53.0453 3804napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
    21:48:53.0468 3804napagent - ok
    21:48:53.0484 3804NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    21:48:53.0484 3804NDIS - ok
    21:48:53.0515 3804NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    21:48:53.0515 3804NdisTapi - ok
    21:48:53.0546 3804Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    21:48:53.0546 3804Ndisuio - ok
    21:48:53.0562 3804NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    21:48:53.0562 3804NdisWan - ok
    21:48:53.0578 3804NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    21:48:53.0578 3804NDProxy - ok
    21:48:53.0593 3804NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    21:48:53.0593 3804NetBIOS - ok
    21:48:53.0609 3804NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    21:48:53.0625 3804NetBT - ok
    21:48:53.0656 3804NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
    21:48:53.0656 3804NetDDE - ok
    21:48:53.0656 3804NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
    21:48:53.0656 3804NetDDEdsdm - ok
    21:48:53.0687 3804Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    21:48:53.0687 3804Netlogon - ok
    21:48:53.0734 3804Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
    21:48:53.0734 3804Netman - ok
    21:48:53.0890 3804NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
    21:48:53.0890 3804NetTcpPortSharing - ok
    21:48:53.0890 3804NETw3x32 - ok
    21:48:53.0937 3804Nla (b4138e99236f0f57d4cf49bae98a0746) C:\WINDOWS\System32\mswsock.dll
    21:48:53.0937 3804Nla - ok
    21:48:53.0937 3804Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    21:48:53.0937 3804Npfs - ok
    21:48:53.0984 3804Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    21:48:53.0984 3804Ntfs - ok
    21:48:53.0984 3804NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    21:48:53.0984 3804NtLmSsp - ok
    21:48:54.0031 3804NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
    21:48:54.0031 3804NtmsSvc - ok
    21:48:54.0046 3804Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    21:48:54.0046 3804Null - ok
    21:48:54.0359 3804nv (406ddab2b05d94d4818e97ff050d1bc6) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    21:48:54.0562 3804nv - ok
    21:48:54.0640 3804nvsvc (b3adef87ee4eca88380d730b92bdb231) C:\WINDOWS\system32\nvsvc32.exe
    21:48:54.0640 3804nvsvc - ok
    21:48:54.0703 3804NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    21:48:54.0703 3804NwlnkFlt - ok
    21:48:54.0718 3804NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    21:48:54.0718 3804NwlnkFwd - ok
    21:48:54.0812 3804ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    21:48:54.0812 3804ose - ok
    21:48:54.0859 3804Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    21:48:54.0859 3804Parport - ok
    21:48:54.0875 3804PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    21:48:54.0875 3804PartMgr - ok
    21:48:54.0890 3804ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    21:48:54.0890 3804ParVdm - ok
    21:48:54.0906 3804PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    21:48:54.0906 3804PCI - ok
    21:48:54.0906 3804PCIDump - ok
    21:48:54.0921 3804PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    21:48:54.0921 3804PCIIde - ok
    21:48:54.0937 3804Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    21:48:54.0953 3804Pcmcia - ok
    21:48:54.0953 3804PDCOMP - ok
    21:48:54.0953 3804PDFRAME - ok
    21:48:54.0968 3804PDRELI - ok
    21:48:54.0968 3804PDRFRAME - ok
    21:48:54.0968 3804perc2 - ok
    21:48:54.0984 3804perc2hib - ok
    21:48:55.0015 3804PlugPlay (0e776ed5f7cc9f94299e70461b7b8185) C:\WINDOWS\system32\services.exe
    21:48:55.0015 3804PlugPlay - ok
    21:48:55.0046 3804Pml Driver HPZ12 (a38b3ce68e7f126190cde4aa3fdf050f) C:\WINDOWS\system32\HPZipm12.exe
    21:48:55.0046 3804Pml Driver HPZ12 - ok
    21:48:55.0062 3804PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    21:48:55.0062 3804PolicyAgent - ok
    21:48:55.0062 3804PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    21:48:55.0062 3804PptpMiniport - ok
    21:48:55.0093 3804Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    21:48:55.0093 3804Processor - ok
    21:48:55.0093 3804ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    21:48:55.0093 3804ProtectedStorage - ok
    21:48:55.0109 3804PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    21:48:55.0125 3804PSched - ok
    21:48:55.0140 3804Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    21:48:55.0140 3804Ptilink - ok
    21:48:55.0140 3804ql1080 - ok
    21:48:55.0156 3804Ql10wnt - ok
    21:48:55.0156 3804ql12160 - ok
    21:48:55.0171 3804ql1240 - ok
    21:48:55.0171 3804ql1280 - ok
    21:48:55.0203 3804RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    21:48:55.0203 3804RasAcd - ok
    21:48:55.0234 3804RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
    21:48:55.0234 3804RasAuto - ok
    21:48:55.0265 3804Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    21:48:55.0265 3804Rasl2tp - ok
    21:48:55.0281 3804RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
    21:48:55.0281 3804RasMan - ok
    21:48:55.0296 3804RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    21:48:55.0296 3804RasPppoe - ok
    21:48:55.0296 3804Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    21:48:55.0296 3804Raspti - ok
    21:48:55.0312 3804Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    21:48:55.0328 3804Rdbss - ok
    21:48:55.0328 3804rdnaoflsvc - ok
    21:48:55.0343 3804RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    21:48:55.0343 3804RDPCDD - ok
    21:48:55.0390 3804rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    21:48:55.0390 3804rdpdr - ok
    21:48:55.0671 3804RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    21:48:55.0671 3804RDPWD - ok
    21:48:55.0703 3804RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
    21:48:55.0718 3804RDSessMgr - ok
    21:48:55.0750 3804redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    21:48:55.0750 3804redbook - ok
    21:48:55.0781 3804RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
    21:48:55.0781 3804RemoteAccess - ok
    21:48:55.0812 3804RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
    21:48:55.0812 3804RemoteRegistry - ok
    21:48:55.0843 3804RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
    21:48:55.0843 3804RpcLocator - ok
    21:48:55.0906 3804RpcSs (2589fe6015a316c0f5d5112b4da7b509) C:\WINDOWS\System32\rpcss.dll
    21:48:55.0906 3804RpcSs - ok
    21:48:55.0937 3804RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
    21:48:55.0937 3804RSVP - ok
    21:48:55.0984 3804RT73 (da4980fad2b7d86d6ed8e35e3874f65e) C:\WINDOWS\system32\DRIVERS\rt73.sys
    21:48:56.0000 3804RT73 - ok
    21:48:56.0031 3804RTLE8023xp (839141088ad7ee90f5b441b2d1afd22c) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
    21:48:56.0031 3804RTLE8023xp - ok
    21:48:56.0062 3804SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    21:48:56.0062 3804SamSs - ok
    21:48:56.0093 3804SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
    21:48:56.0109 3804SCardSvr - ok
    21:48:56.0140 3804Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
    21:48:56.0140 3804Schedule - ok
    21:48:56.0156 3804Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    21:48:56.0156 3804Secdrv - ok
    21:48:56.0187 3804seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
    21:48:56.0187 3804seclogon - ok
    21:48:56.0203 3804SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
    21:48:56.0203 3804SENS - ok
    21:48:56.0234 3804Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    21:48:56.0234 3804Serial - ok
    21:48:56.0296 3804Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    21:48:56.0296 3804Sfloppy - ok
    21:48:56.0328 3804SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
    21:48:56.0343 3804SharedAccess - ok
    21:48:56.0375 3804ShellHWDetection (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
    21:48:56.0375 3804ShellHWDetection - ok
    21:48:56.0375 3804Simbad - ok
    21:48:56.0390 3804Sparrow - ok
    21:48:56.0421 3804splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    21:48:56.0421 3804splitter - ok
    21:48:56.0437 3804Spooler (d8e14a61acc1d4a6cd0d38aebac7fa3b) C:\WINDOWS\system32\spoolsv.exe
    21:48:56.0437 3804Spooler - ok
    21:48:56.0500 3804sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
    21:48:56.0500 3804Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
    21:48:56.0500 3804sptd ( LockedFile.Multi.Generic ) - warning
    21:48:56.0500 3804sptd - detected LockedFile.Multi.Generic (1)
    21:48:56.0531 3804sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    21:48:56.0546 3804sr - ok
    21:48:56.0562 3804srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
    21:48:56.0562 3804srservice - ok
    21:48:56.0593 3804Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
    21:48:56.0593 3804Srv - ok
    21:48:56.0625 3804SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
    21:48:56.0625 3804SSDPSRV - ok
    21:48:56.0687 3804Steam Client Service - ok
    21:48:56.0734 3804stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
    21:48:56.0750 3804stisvc - ok
    21:48:56.0750 3804StkAMini - ok
    21:48:56.0765 3804swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    21:48:56.0765 3804swenum - ok
    21:48:56.0796 3804swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    21:48:56.0796 3804swmidi - ok
    21:48:56.0796 3804SwPrv - ok
    21:48:56.0796 3804symc810 - ok
    21:48:56.0812 3804symc8xx - ok
    21:48:56.0812 3804sym_hi - ok
    21:48:56.0812 3804sym_u3 - ok
    21:48:56.0843 3804sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    21:48:56.0843 3804sysaudio - ok
    21:48:56.0875 3804SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
    21:48:56.0875 3804SysmonLog - ok
    21:48:56.0890 3804TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
    21:48:56.0890 3804TapiSrv - ok
    21:48:56.0921 3804Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    21:48:56.0921 3804Tcpip - ok
    21:48:56.0953 3804TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    21:48:56.0953 3804TDPIPE - ok
    21:48:56.0953 3804TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    21:48:56.0953 3804TDTCP - ok
    21:48:56.0984 3804TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    21:48:56.0984 3804TermDD - ok
    21:48:57.0031 3804TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
    21:48:57.0031 3804TermService - ok
    21:48:57.0046 3804Themes (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
    21:48:57.0046 3804Themes - ok
    21:48:57.0078 3804TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
    21:48:57.0078 3804TlntSvr - ok
    21:48:57.0093 3804TosIde - ok
    21:48:57.0125 3804TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
    21:48:57.0125 3804TrkWks - ok
    21:48:57.0140 3804Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    21:48:57.0156 3804Udfs - ok
    21:48:57.0156 3804ultra - ok
    21:48:57.0218 3804Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    21:48:57.0218 3804Update - ok
    21:48:57.0250 3804upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
    21:48:57.0250 3804upnphost - ok
    21:48:57.0250 3804UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
    21:48:57.0250 3804UPS - ok
    21:48:57.0296 3804usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    21:48:57.0296 3804usbccgp - ok
    21:48:57.0312 3804usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    21:48:57.0312 3804usbehci - ok
    21:48:57.0312 3804usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    21:48:57.0312 3804usbhub - ok
    21:48:57.0328 3804usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    21:48:57.0328 3804usbohci - ok
    21:48:57.0375 3804usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    21:48:57.0375 3804usbprint - ok
    21:48:57.0406 3804usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    21:48:57.0406 3804usbscan - ok
    21:48:57.0453 3804USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    21:48:57.0453 3804USBSTOR - ok
    21:48:57.0468 3804VClone (2cc2660b3ec3434c88d2c808dd7937d4) C:\WINDOWS\system32\DRIVERS\VClone.sys
    21:48:57.0468 3804VClone - ok
    21:48:57.0484 3804VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    21:48:57.0484 3804VgaSave - ok
    21:48:57.0500 3804ViaIde - ok
    21:48:57.0515 3804VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    21:48:57.0515 3804VolSnap - ok
    21:48:57.0562 3804VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
    21:48:57.0562 3804VSS - ok
    21:48:57.0578 3804vvoice - ok
    21:48:57.0609 3804W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
    21:48:57.0609 3804W32Time - ok
    21:48:57.0625 3804wampmysqld - ok
    21:48:57.0656 3804Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    21:48:57.0656 3804Wanarp - ok
    21:48:57.0656 3804WDICA - ok
    21:48:57.0687 3804wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    21:48:57.0703 3804wdmaud - ok
    21:48:57.0734 3804WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
    21:48:57.0734 3804WebClient - ok
    21:48:57.0812 3804winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
    21:48:57.0812 3804winmgmt - ok
    21:48:57.0843 3804WmdmPmSN (f4db1f1417ff329e8ff217d5c474d5d7) C:\WINDOWS\system32\MsPMSNSv.dll
    21:48:57.0843 3804WmdmPmSN - ok
    21:48:57.0890 3804Wmi (bab489a5fe26f2d0c910cf7af7e4cf92) C:\WINDOWS\System32\advapi32.dll
    21:48:57.0890 3804Wmi - ok
    21:48:57.0921 3804WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
    21:48:57.0937 3804WmiApSrv - ok
    21:48:58.0093 3804WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
    21:48:58.0125 3804WPFFontCache_v0400 - ok
    21:48:58.0171 3804WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    21:48:58.0171 3804WS2IFSL - ok
    21:48:58.0187 3804wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
    21:48:58.0203 3804wscsvc - ok
    21:48:58.0234 3804wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
    21:48:58.0234 3804wuauserv - ok
    21:48:58.0234 3804WUSB54GSCV2 - ok
    21:48:58.0265 3804WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
    21:48:58.0281 3804WZCSVC - ok
    21:48:58.0312 3804xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
    21:48:58.0312 3804xmlprov - ok
    21:48:58.0328 3804MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    21:48:58.0437 3804\Device\Harddisk0\DR0 - ok
    21:48:58.0437 3804MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
    21:48:58.0546 3804\Device\Harddisk1\DR1 - ok
    21:48:58.0546 3804Boot (0x1200) (6c4d039391b5a85019a75bf46acbf1c0) \Device\Harddisk0\DR0\Partition0
    21:48:58.0546 3804\Device\Harddisk0\DR0\Partition0 - ok
    21:48:58.0562 3804Boot (0x1200) (e0ae1736a69a6b479669278dc93d61f6) \Device\Harddisk1\DR1\Partition0
    21:48:58.0562 3804\Device\Harddisk1\DR1\Partition0 - ok
    21:48:58.0562 3804Boot (0x1200) (b4993675494671af9a46a7dbc1218bd7) \Device\Harddisk1\DR1\Partition1
    21:48:58.0578 3804\Device\Harddisk1\DR1\Partition1 - ok
    21:48:58.0578 3804============================================================
    21:48:58.0578 3804Scan finished
    21:48:58.0578 3804============================================================
    21:48:58.0578 3388Detected object count: 1
    21:48:58.0578 3388Actual detected object count: 1
    21:49:53.0156 3388C:\WINDOWS\system32\Drivers\sptd.sys - copied to quarantine
    21:49:53.0156 3388sptd ( LockedFile.Multi.Generic ) - User select action: Quarantine
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Things to know:
    1. The Alerts from Mbam blocking outgoing access are from the malware. It is trying to remotely connect to a server. The IP you gave is a site in Germany. While the popups may be annoying, as the malware is removed, they should stop. It is a good thing that the access is being blocked.
    2. I have removed processes for AVG Secure Search. It is NOT doing its job. I highly recommend the Web of Trust (WOT) add-on; it is a safe surfing tool for your browser. It rates sites in 4 areas and will prevent sites with poor reputations from loading.
    3. The Somoto Toolbar is bundled with other 3rd party programs and should not be on the system.
    4. The plugin SweetIM in Firefox should be removed.
    5. Virtual Clone Drive, part of the CloneCD CD/DVD copying software, has been discontinued and should be removed. Note: located in c:\program files\Elaborate Bytes\VirtualCloneDrive

    Please uninstall #3, 4 and 5. Then use Windows Explorer to access Computer> Local Drive(C)> Programs> Do a right click> Delete on each program folder you uninstalled.
    -----------------------------------------------
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\dds_trash_log.cmd
    DDS::
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
    TB: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
    TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
    Extra::
    Firefox:: 
    Firefox-: - Profile- c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ov3wgo5u.default\
    Firefox-: prefs.js- Search.DeafaultURL
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VirtualCloneDrive"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    
    Clearjavacache::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
    ====================
    Please update the following:
    Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
    Adobe Reader > Current is vX(10.xx)> Adobe Reader Update
    Java(TM) > Current is v6u31> Java Updates .
    Uninstall any earlier versions of both, as they are vulnerabilities for the system.
    ====================
    I need to replace a file so we need to look for a clean file:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      sptd.sys
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
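The TDSSKiller log in the previous post and the SystemLook :filefind step above are the two things a practitioner would want to automate: pull every entry the scanner did not mark "ok" out of the log, and find every other copy of the flagged file on disk so the hashes can be compared before one is used as a replacement. The script below is an added example written for this page; it is not TDSSKiller, SystemLook or ComboFix code, the log excerpt is constructed from the lines posted above, and the directory tree it searches is a throwaway temp folder (on the real machine you would point find_copies at C:\). Two caveats the page itself supports: LockedFile.Multi.Generic is the verdict TDSSKiller gives a file it cannot open (see the "Suspicious file (NoAccess)" line), not a signature match, and sptd.sys is the SCSI pass-through driver installed by DAEMON Tools Lite (listed in the HKCU Run key of the ComboFix log later on this page), which is known for blocking reads by anti-rootkit tools; so finding the same hash in every copy is not by itself evidence of infection. The MBR check is included because TDSSKiller hashes only the 0x1B8 bytes of bootstrap code, which stop before the disk signature and partition table, so two disks with the same Windows MBR code sharing a hash is the expected, unremarkable result.

```python
"""Triage a TDSSKiller log, then look for other copies of the flagged driver by hash.
Added example, not from the thread. SAMPLE_LOG is a constructed excerpt of the log
posted above, keeping the PID fused onto the next field as in the forum paste, so LINE
tolerates a missing tab there (a service name starting with a digit would mis-split)."""
import hashlib
import os
import re
import tempfile

SAMPLE_LOG = """\
21:48:52.0812 3804MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\\WINDOWS\\system32\\drivers\\mbam.sys
21:48:52.0812 3804MBAMProtector - ok
21:48:56.0500 3804sptd (d15da1ba189770d93eea2d7e18f95af9) C:\\WINDOWS\\system32\\Drivers\\sptd.sys
21:48:56.0500 3804Suspicious file (NoAccess): C:\\WINDOWS\\system32\\Drivers\\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
21:48:56.0500 3804sptd ( LockedFile.Multi.Generic ) - warning
21:48:56.0500 3804sptd - detected LockedFile.Multi.Generic (1)
21:48:58.0328 3804MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \\Device\\Harddisk0\\DR0
21:48:58.0437 3804\\Device\\Harddisk0\\DR0 - ok
21:48:58.0437 3804MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \\Device\\Harddisk1\\DR1
21:48:58.0546 3804\\Device\\Harddisk1\\DR1 - ok
21:49:53.0156 3388C:\\WINDOWS\\system32\\Drivers\\sptd.sys - copied to quarantine
21:49:53.0156 3388sptd ( LockedFile.Multi.Generic ) - User select action: Quarantine
"""

LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s*(?P<body>.*)$")
ENTRY = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
NOACCESS = re.compile(r"^Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+)\. md5: [0-9a-f]{32}$")
VERDICT = re.compile(r"^(?P<name>.+?) \( (?P<verdict>[^)]+) \) - (?P<outcome>.+)$")
DETECTED = re.compile(r"^(?P<name>.+?) - detected (?P<verdict>\S+) \(\d+\)$")
QUARANTINED = re.compile(r"^(?P<path>.+) - copied to quarantine$")
OK = re.compile(r"^(?P<name>.+) - ok$")

def _key(name, path):
    # Every MBR/boot-sector line shares one name, so key those records by device.
    return path if name.split(" ")[0] in ("MBR", "Boot") else name

def parse_tdsskiller(text):
    """Return {key: record}; status is 'ok', 'warning', 'detected' or None."""
    recs, by_path = {}, {}
    def rec(key):
        return recs.setdefault(key, dict(name=key, path=None, md5=None, status=None,
                                         verdict=None, reason=None, action=None, quarantined=False))
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        body = m["body"].strip() if m else ""
        if (e := ENTRY.match(body)):
            key = _key(e["name"], e["path"])
            rec(key).update(name=e["name"], md5=e["md5"], path=e["path"])
            by_path[e["path"]] = key
        elif (n := NOACCESS.match(body)):          # scanner could not read the file
            rec(by_path.get(n["path"], n["path"]))["reason"] = n["reason"]
        elif (v := VERDICT.match(body)):
            r = rec(v["name"])
            r["verdict"] = v["verdict"]
            if v["outcome"].startswith("User select action: "):
                r["action"] = v["outcome"].split(": ", 1)[1]
            else:
                r["status"] = v["outcome"]           # 'warning'
        elif (d := DETECTED.match(body)):
            rec(d["name"]).update(status="detected", verdict=d["verdict"])
        elif (q := QUARANTINED.match(body)):
            rec(by_path.get(q["path"], q["path"]))["quarantined"] = True
        elif (o := OK.match(body)):
            rec(by_path.get(o["name"], o["name"]))["status"] = "ok"
    return recs

def findings(recs):
    """Everything the scan did not wave through as 'ok'."""
    return {k: r for k, r in recs.items() if r["status"] != "ok"}

def mbr_hashes(recs):
    """MD5 per disk of the 0x1B8 bytes of bootstrap code; the hash stops before the
    disk signature and partition table, so disks with the same Windows MBR code match."""
    return {r["path"]: r["md5"] for r in recs.values() if r["name"].startswith("MBR")}

def find_copies(root, filename):
    """SystemLook-style :filefind: every file named `filename` under root, with its MD5."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower() == filename.lower():
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:              # driver files are small; one read
                    digest = hashlib.md5(fh.read()).hexdigest()
                hits.append((os.path.relpath(full, root).replace(os.sep, "/"), digest))
    return sorted(hits)

def demo_filefind():
    """Search a constructed tree; returns (copies identical to the flagged file,
    copies with another hash, i.e. the candidates worth checking as a replacement)."""
    tree = {"WINDOWS/system32/Drivers/sptd.sys": b"quarantined driver image",
            "WINDOWS/system32/dllcache/sptd.sys": b"quarantined driver image",
            "Downloads/sptd-setup/sptd.sys": b"different build of the driver"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in tree.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        hits = find_copies(root, "sptd.sys")
    flagged = dict(hits)["WINDOWS/system32/Drivers/sptd.sys"]
    return [p for p, h in hits if h == flagged], [p for p, h in hits if h != flagged]
```

Running parse_tdsskiller over the full log posted above gives one entry in findings() (sptd, status "detected", reason "NoAccess", action "Quarantine") and identical MBR hashes for both disks. A copy of sptd.sys whose hash differs from the quarantined one is only a candidate: check its version resource and Authenticode signature, or reinstall the product that owns it, rather than trusting the hash difference alone.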
  11. AliciaArkansas

    AliciaArkansas TS Rookie Topic Starter

    Completed!

    CFlog
    ========
    ComboFix 12-04-26.01 - Administrator 04/27/2012 13:22:46.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1367 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    .
    FILE ::
    "c:\windows\system32\dds_trash_log.cmd"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-27 02:49 . 2012-04-27 02:49--------d-----w-C:\TDSSKiller_Quarantine
    2012-04-26 16:38 . 2012-04-04 20:5622344----a-w-c:\windows\system32\drivers\mbam.sys
    2012-04-25 04:01 . 2012-04-25 04:01--------d-----w-c:\program files\Common Files\Steam
    2012-04-24 22:57 . 2012-04-24 22:57--------d-s---w-c:\documents and settings\NetworkService\UserData
    2012-04-13 19:12 . 2012-04-25 04:46--------d-----w-c:\program files\Common Files\Symantec Shared
    2012-04-13 19:12 . 2012-04-25 04:46--------d-----w-c:\documents and settings\All Users\Application Data\Norton
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-05 17:09 . 2009-06-05 17:09774144----a-w-c:\program files\RngInterstitial.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-04-27_02.43.20 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-04-27 02:53 . 2012-04-27 02:5316384 c:\windows\Temp\Perflib_Perfdata_620.dat
    + 2001-08-23 12:00 . 2012-04-27 02:4787674 c:\windows\system32\perfc009.dat
    - 2001-08-23 12:00 . 2012-04-18 19:0687674 c:\windows\system32\perfc009.dat
    + 2001-08-23 12:00 . 2012-04-27 02:47502402 c:\windows\system32\perfh009.dat
    - 2001-08-23 12:00 . 2012-04-18 19:06502402 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-18 39408]
    "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-10-29 3077528]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-17 113664]
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-7-5 278528]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
    2012-02-28 23:38 1987976 ----a-w- c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2009-05-01 05:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2012-04-25 04:02 1242448 ----a-w- d:\steam games\Steam.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
    "c:\\Program Files\\Starcraft\\StarCraft.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
    "c:\\Program Files\\Ubisoft\\Related Designs\\Dawn of Discovery\\tools\\Anno4Web.exe"=
    "c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "57924:TCP"= 57924:TCP:pando Media Booster
    "57924:UDP"= 57924:UDP:pando Media Booster
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/15/2009 6:36 PM 721904]
    R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2/28/2012 6:38 PM 1373576]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/26/2012 11:38 AM 654408]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/26/2012 11:38 AM 22344]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate1c9e3f9fd9ba96e;Google Update Service (gupdate1c9e3f9fd9ba96e);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2009 10:18 PM 133104]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2009 10:18 PM 133104]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\DRIVERS\WUSB54GSCV2.sys --> c:\windows\system32\DRIVERS\WUSB54GSCV2.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - ElbyCDIO
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Intels51
    NETw3x32
    3dkeybd
    StkAMini
    fcprintservice
    hsf_dpv
    icdsptsv
    mmc_2K
    wampmysqld
    rdnaoflsvc
    vvoice
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 03:18]
    .
    2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 03:18]
    .
    2012-04-27 c:\windows\Tasks\HP Photo Creations Messager.job
    - c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{C6DA8D22-8FB1-49C6-8F14-BEAF68B8EC05}: NameServer = 68.94.156.1,68.94.157.1
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ov3wgo5u.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Administrator\Application Data\Move Networks
    FF - Ext: Poster: {d48a39ba-8f80-4fce-8ee1-bc710561c55d} - %profile%\extensions\{d48a39ba-8f80-4fce-8ee1-bc710561c55d}
    FF - Ext: EBrary Reader Plugin: reader_plugin@ebrary.com - %profile%\extensions\reader_plugin@ebrary.com
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-27 13:30
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3620)
    c:\windows\system32\msi.dll
    .
    Completion time: 2012-04-27 13:31:49
    ComboFix-quarantined-files.txt 2012-04-27 18:31
    ComboFix2.txt 2012-04-27 02:47
    .
    Pre-Run: 15,510,802,432 bytes free
    Post-Run: 15,506,968,576 bytes free
    .
    - - End Of File - - 6245B3D69548AD9BEE05AB3043452F78
    ===============================================
    System Look
    SystemLook 30.07.11 by jpshortstuff
    Log created at 14:02 on 27/04/2012 by Administrator
    Administrator - Elevation successful
    ========== filefind ==========
    Searching for "sptd.sys"
    C:\WINDOWS\system32\drivers\sptd.sys --a---- 721904 bytes [23:36 15/07/2009] [23:36 15/07/2009] (Unable to calculate MD5)
    -= EOF =-
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This is looking good! What problems remain, if any?

    Regarding this:
    Remind me to help you with this when we finish. I'll give you instructions on the right way to do it and what you need and don't need to start and run in the background. I'll suggest safe "cleaners", tell you why you shouldn't use a Registry Cleaner, how to uninstall a program and remove the program folder, what you don't need on the Startup Menu and the few processes you do need and why you can't just delete one entry to remove in some cases.
    ===========================================
    We need to get one setting fixed:
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Extra::
    Firefox::
    Firefox-: - Profile- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ov3wgo5u.default\
    Firefox-: - prefs.js- Search.DefaultURL
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe
    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    I'd like to run an online virus scan:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    Please leave the log in your next reply.
     
  13. AliciaArkansas

    AliciaArkansas TS Rookie Topic Starter

    Bobbye,
    It seems that no problems remain and the computer is running much smoother now with no unusual behavior. But, ESETOnline found some things. See below.

    New CF Log

    ComboFix 12-04-26.01 - Administrator 04/28/2012 16:21:52.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1348 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-28 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-27 19:01 . 2012-04-27 19:01 -------- d-----w- c:\program files\Common Files\Java
    2012-04-27 19:01 . 2012-04-27 19:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-04-27 02:49 . 2012-04-27 02:49 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-04-26 16:38 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-25 04:01 . 2012-04-25 04:01 -------- d-----w- c:\program files\Common Files\Steam
    2012-04-24 22:57 . 2012-04-24 22:57 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2012-04-13 19:12 . 2012-04-25 04:46 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2012-04-13 19:12 . 2012-04-25 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-27 19:01 . 2010-04-15 20:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2009-06-05 17:09 . 2009-06-05 17:09 774144 ----a-w- c:\program files\RngInterstitial.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-04-27_02.43.20 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-04-27 19:01 . 2012-04-27 19:01 16384 c:\windows\Temp\Perflib_Perfdata_570.dat
    + 2001-08-23 12:00 . 2012-04-27 02:47 87674 c:\windows\system32\perfc009.dat
    - 2001-08-23 12:00 . 2012-04-18 19:06 87674 c:\windows\system32\perfc009.dat
    + 2011-06-06 17:55 . 2011-06-06 17:55 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\ViewerPS.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe
    + 2011-06-06 17:55 . 2011-06-06 17:55 88992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlr.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\eula.exe
    + 2011-06-06 17:55 . 2011-06-06 17:55 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrotextextractor.exe
    + 2011-06-06 17:55 . 2011-06-06 17:55 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32Info.exe
    + 2011-06-06 17:55 . 2011-06-06 17:55 63912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acroiehelpershim.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroIEHelper.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\Acrofx32.dll
    + 2001-08-23 12:00 . 2012-04-27 02:47 502402 c:\windows\system32\perfh009.dat
    - 2001-08-23 12:00 . 2012-04-18 19:06 502402 c:\windows\system32\perfh009.dat
    + 2012-04-27 19:01 . 2012-04-27 19:01 157472 c:\windows\system32\javaws.exe
    + 2012-04-27 19:01 . 2012-04-27 19:01 149280 c:\windows\system32\javaw.exe
    + 2012-04-27 19:01 . 2012-04-27 19:01 149280 c:\windows\system32\java.exe
    + 2012-04-27 19:01 . 2012-04-27 19:01 203776 c:\windows\Installer\365a484.msi
    + 2012-04-27 19:01 . 2012-04-27 19:01 901120 c:\windows\Installer\365a47d.msi
    + 2011-06-06 17:55 . 2011-06-06 17:55 249232 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\sqlite.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 394136 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\pdfshell.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 103848 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlrShim.exe
    + 2011-06-06 17:55 . 2011-06-06 17:55 183696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\nppdf32.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AiodLite.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 937920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\adobearm.exe
    + 2011-06-06 17:55 . 2011-06-06 17:55 102808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRdIF.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 755088 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroPDF.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 296344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrobroker.exe
    + 2011-06-06 17:55 . 2011-06-06 17:55 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\a3dutils.dll
    + 2012-04-27 18:59 . 2012-04-27 18:59 2295808 c:\windows\Installer\365a477.msi
    + 2011-06-06 17:55 . 2011-06-06 17:55 2215312 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\rt3d.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 1189004 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JSByteCodeWin.bin
    + 2011-06-06 17:55 . 2011-06-06 17:55 6543768 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\authplay.dll
    + 2011-06-06 17:55 . 2011-06-06 17:55 1240992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AdobeCollabSync.exe
    + 2011-06-06 17:55 . 2011-06-06 17:55 1480600 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.exe
    + 2012-04-04 11:17 . 2012-04-04 11:17 16613376 c:\windows\Installer\365a478.msp
    + 2011-06-06 17:55 . 2011-06-06 17:55 24731544 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-18 39408]
    "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-10-29 3077528]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-17 113664]
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-7-5 278528]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
    2012-02-28 23:38 1987976 ----a-w- c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2009-05-01 05:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2012-04-25 04:02 1242448 ----a-w- d:\steam games\Steam.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
    "c:\\Program Files\\Starcraft\\StarCraft.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
    "c:\\Program Files\\Ubisoft\\Related Designs\\Dawn of Discovery\\tools\\Anno4Web.exe"=
    "c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "57924:TCP"= 57924:TCP:pando Media Booster
    "57924:UDP"= 57924:UDP:pando Media Booster
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/15/2009 6:36 PM 721904]
    R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2/28/2012 6:38 PM 1373576]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/26/2012 11:38 AM 654408]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/26/2012 11:38 AM 22344]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate1c9e3f9fd9ba96e;Google Update Service (gupdate1c9e3f9fd9ba96e);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2009 10:18 PM 133104]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2009 10:18 PM 133104]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\DRIVERS\WUSB54GSCV2.sys --> c:\windows\system32\DRIVERS\WUSB54GSCV2.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - JAVAQUICKSTARTERSERVICE
    *Deregistered* - ElbyCDIO
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Intels51
    NETw3x32
    3dkeybd
    StkAMini
    fcprintservice
    hsf_dpv
    icdsptsv
    mmc_2K
    wampmysqld
    rdnaoflsvc
    vvoice
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 03:18]
    .
    2012-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 03:18]
    .
    2012-04-28 c:\windows\Tasks\HP Photo Creations Messager.job
    - c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{C6DA8D22-8FB1-49C6-8F14-BEAF68B8EC05}: NameServer = 68.94.156.1,68.94.157.1
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ov3wgo5u.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Administrator\Application Data\Move Networks
    FF - Ext: Poster: {d48a39ba-8f80-4fce-8ee1-bc710561c55d} - %profile%\extensions\{d48a39ba-8f80-4fce-8ee1-bc710561c55d}
    FF - Ext: EBrary Reader Plugin: reader_plugin@ebrary.com - %profile%\extensions\reader_plugin@ebrary.com
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-28 16:26
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3888)
    c:\windows\system32\msi.dll
    .
    Completion time: 2012-04-28 16:27:57
    ComboFix-quarantined-files.txt 2012-04-28 21:27
    ComboFix2.txt 2012-04-27 18:31
    ComboFix3.txt 2012-04-27 02:47
    .
    Pre-Run: 14,815,543,296 bytes free
    Post-Run: 14,803,599,360 bytes free
    .
    - - End Of File - - 3C6511DE4E1FB3A589C3970118610D99
    ESETOnline LOG
    C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\fegnqddd.exe.vir Win32/Agent.PAZ trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1027\A0090685.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1027\A0090699.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1027\A0090757.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1027\A0090770.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1027\A0090783.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1028\A0090964.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1028\A0090976.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1028\A0090988.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1028\A0091002.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0091022.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0091041.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0091058.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0091082.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0091111.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0091135.sys Win32/Sirefef.DA trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0091343.exe Win32/Agent.PAZ trojan
    C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0094461.exe Win32/Agent.PAZ trojan
     
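    The ESET log above lists every detection by path only, and the helper's reply makes the point that a scanner does not distinguish a file sitting in ComboFix's quarantine or in an old restore point from one that is still live. As an added example that is not part of the thread, here is a small Python triage script that sorts such findings by location: ComboFix quarantine, System Restore point, or anything else (treated as still active on disk). It assumes ComboFix keeps its quarantine under C:\Qoobox\Quarantine and Windows XP keeps restore points under System Volume Information\_restore{GUID}\RPnnn, both as the paths in the log show; the sample input is constructed from three of the log's own lines plus one placeholder line standing in for a live detection.

```python
"""Triage an ESET Online Scanner log by location (added example, not the thread's code)."""
import re
from collections import Counter

# Location rules. Assumption: ComboFix quarantine lives under <drive>:\Qoobox\Quarantine
# and XP restore points under <drive>:\System Volume Information\_restore{GUID}\RPnnn.
QUARANTINE_RE = re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.IGNORECASE)
RESTORE_POINT_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\rp(\d+)\\",
    re.IGNORECASE,
)
# Heuristic fallback for lines whose tab between path and detection was lost when
# the log was pasted into a forum: the detection name starts with a platform prefix.
FLATTENED_RE = re.compile(r"^(?P<path>.+?)(?P<detection>(?:Win32|Win64|JS|VBS|HTML)/\S.*)$")


def classify_path(path):
    """Return ('quarantine', None), ('restore_point', rp_number) or ('active', None)."""
    if QUARANTINE_RE.match(path):
        return "quarantine", None
    m = RESTORE_POINT_RE.match(path)
    if m:
        return "restore_point", int(m.group(1))
    return "active", None


def parse_eset_log(text):
    """Parse '<path>\\t<detection>' lines into dicts; blank or unparseable lines are skipped."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "\t" in line:
            path, detection = (s.strip() for s in line.split("\t", 1))
        else:
            m = FLATTENED_RE.match(line)
            if not m:
                continue
            path, detection = m.group("path").strip(), m.group("detection").strip()
        location, rp = classify_path(path)
        hits.append({
            "path": path,
            "detection": detection,
            "family": detection.split()[0],  # e.g. "Win32/Sirefef.DA"
            "location": location,
            "restore_point": rp,
        })
    return hits


def triage(text):
    """Summarise a log: counts per location, live paths, families seen, RPs to purge."""
    hits = parse_eset_log(text)
    return {
        "hits": hits,
        "by_location": dict(Counter(h["location"] for h in hits)),
        "active": [h["path"] for h in hits if h["location"] == "active"],
        "families": sorted({h["family"] for h in hits}),
        # Restore points that carry a detection; the helper's advice is to create a
        # fresh clean point and drop these old ones.
        "restore_points_to_purge": sorted(
            {h["restore_point"] for h in hits if h["restore_point"] is not None}
        ),
    }


# Constructed sample: three lines from the thread's log (tab restored on two of them,
# the third left flattened to exercise the fallback) plus one placeholder live hit.
SAMPLE_LOG = (
    "C:\\Qoobox\\Quarantine\\C\\Documents and Settings\\Administrator\\Application Data\\fegnqddd.exe.vir\tWin32/Agent.PAZ trojan\n"
    "C:\\System Volume Information\\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\\RP1027\\A0090685.sys\tWin32/Sirefef.DA trojan\n"
    "C:\\System Volume Information\\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\\RP1029\\A0091343.exeWin32/Agent.PAZ trojan\n"
    "C:\\Documents and Settings\\Administrator\\Application Data\\PLACEHOLDER_live_sample.exe\tWin32/Example.XX trojan\n"
)

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("by location:", result["by_location"])
    print("still live on disk:", result["active"])
    print("families:", result["families"])
    print("restore points to purge:", result["restore_points_to_purge"])
```

    On the sample this reports one quarantined file, two restore-point files (RP1027 and RP1029) and one live hit, which is the only line that would need action beyond uninstalling ComboFix and flushing old restore points.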
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Glad to hear the problems have been resolved.

    There are no new entries in the Eset scan. The Qoobox is where Combofix puts the files it quarantined. They are no longer active and will be removed when Combofix is uninstalled. System Volume is where restore points are kept. The malware in the restore point is not active on the system unless you do a system restore and happen to pick one of those infected restore points. Because of that, at the end of cleaning, I will have you set a new, clean restore point and drop the old ones. Unfortunately, virus scanners can't read 'location.'

    *NewlyCreated* - JAVAQUICKSTARTERSERVICE> Unfortunately, when you update Java, Sun throws this in. It doesn't need to run:
    Click on Start> Run> type in services.msc> Enter> Double click on Java Quick Start> Change the Startup type to Disabled> Stop the Service.
    Exit Services.
    ================================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.
    Empty the Recycle Bin
    ==============================================
    You may find the following helpful: (Links are Bold Blue)
    Tips for added security and safer browsing:
    1. Browser Security
      [o] Making Internet Explorer Safer
      [o] Use a Site Advisor..
    2. Have layered Security:
      [o] Antivirus Software (only one):
      [o] Firewall (only one)
    3. Antispyware/Security: I recommend all of the following:
      [o] Spywareblaster: Protects against bad ActiveX.
      [o] IE/Spyad: Restricts bad domains.
      [o] MVPS Hosts file: Directs HOSTS file to 127.0.0.1, which is your local computer.
    4. Stay current on updates:
      [o] Windows Updates. You should get All updates marked Critical and the current SP updates.
      [o] Adobe Reade. Uninstall old.
      [o]Java Uninstall old.
    5. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
      (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    6. Do regular Maintenance
      [o] To include Disk Cleanup, Defrag and Error Check.
      [o] Remove Temporary Internet Files regularly: TFC
    7. Understand Restore Points: System Restore Guide
    8. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account on free web-based mail.
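The HOSTS file deserves a closer look on a machine that shows redirect symptoms, because the same mechanism a blocklist such as the MVPS HOSTS file uses (pointing names at 127.0.0.1 or 0.0.0.0 so they resolve to nowhere) can be used against you: a hijacker can point a real site's name at an address of its choosing. The following is an added example, not code from the original post or from TechSpot, and the MVPS project does not ship it. It parses HOSTS syntax, separates block entries (names sent to a local sink address) from entries that redirect a name to any other address, and reports the latter for review. The sample HOSTS content is constructed; `read_system_hosts` assumes the standard Windows location `%SystemRoot%\System32\drivers\etc\hosts`. A redirection is not automatically malicious (an internal host entry looks the same), so the script reports rather than deletes.

```python
"""Audit a Windows HOSTS file: separate blocklist-style entries (names sent to
the local machine) from redirections that point a name somewhere else."""
import ipaddress
import os
from typing import Dict, List, NamedTuple, Set, Tuple

# Addresses that make a name resolve to the local machine or to nothing at all;
# entries using them are what a blocklist such as the MVPS HOSTS file installs.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Names the stock Windows HOSTS file legitimately maps to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample input (not a real HOSTS file). 198.51.100.0/24 is a
# documentation range, used here to stand in for an attacker-controlled address.
SAMPLE_HOSTS = """\
# Constructed sample, not a real HOSTS file.
127.0.0.1       localhost
::1             localhost
# Blocklist-style entries: ad/tracker hosts sent to the local machine
0.0.0.0 ads.example-tracker.net
127.0.0.1 banners.example-ads.com  # trailing comment
# A redirection of the kind a hijacker plants: a real name sent to a foreign address
198.51.100.23 www.example-bank.com example-bank.com
garbage line without an address
"""


class HostsEntry(NamedTuple):
    ip: str
    names: Tuple[str, ...]
    line_no: int


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse HOSTS syntax: '<address> <name> [<name> ...]', '#' starts a comment."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names maps nothing
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an address; the resolver ignores it too
        names = tuple(name.lower() for name in fields[1:])
        entries.append(HostsEntry(fields[0], names, line_no))
    return entries


def audit_hosts(text: str) -> Dict[str, object]:
    """Return the names blocked via a sink address and the entries that redirect
    a name to any other address (these are the ones to review by hand)."""
    blocked: Set[str] = set()
    redirected: List[HostsEntry] = []
    for entry in parse_hosts(text):
        if entry.ip in LOCAL_SINKS:
            blocked.update(n for n in entry.names if n not in LOOPBACK_NAMES)
        else:
            redirected.append(entry)
    return {"blocked": blocked, "redirected": redirected}


def read_system_hosts() -> str:
    """Read the live Windows HOSTS file (assumed standard path; needs read access)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    path = os.path.join(root, "System32", "drivers", "etc", "hosts")
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        return handle.read()


def print_report(report: Dict[str, object]) -> None:
    blocked = report["blocked"]
    redirected = report["redirected"]
    print(f"{len(blocked)} name(s) blocked via a local sink address")
    if not redirected:
        print("no redirections found")
    for entry in redirected:
        print(f"line {entry.line_no}: {', '.join(entry.names)} -> {entry.ip}  (review: not a block entry)")


if __name__ == "__main__":
    # Run against the constructed sample; swap in read_system_hosts() on the real machine.
    print_report(audit_hosts(SAMPLE_HOSTS))
```

On the sample the two ad hosts are reported as blocked and the bank name is reported as a redirection to 198.51.100.23. On a real machine, run it as Administrator after the cleanup above and compare any redirected entries against what you know you put there.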
     
Topic Status:
Not open for further replies.
