[Solved] Progressively slower internet on Clean(?) computer


MicroShader

I was wondering if someone here could help, or point me in the right direction/forum.

Here's the situation: Over the last few months we (family and myself) have been noticing that the internet has progressively been getting slower and slower. (No, we haven't run afoul of any caps or anything like that. The connection speed hasn't been fast enough to allow us to get that much data!) Being somewhat techno-savvy I've run S&D Spybot Scanner and Malwarebytes on our various computers and they have all come up clean, but I'm not 100% sure. I know that they miss one or two things beyond my expertise level, hence the post here.

The net connection comes into an ADSL modem, hits a switch/router and then is split between 5 computers. We used to get about 50 kB/s, now we're struggling to get 5-10 kB/s, regardless of which computers are on or the time of day.

Before we go complain to the ISP, I'd like to eliminate the computers as a possible source. I've made sure that all computers have anti-virus (avast!) and firewalls of various flavors.

My computer is running Windows 7 Pro, and Online Armor. I've noticed that my computer does occasionally shoot off weird requests that appear on the firewall, but I've been putting that down to Windows 7 Update. I haven't knowingly installed any Browser Helpers or anything like that... none that I can recall at the moment.

Please find the various logs from the 8-step process for my computer. Do I need to run HiJackThis?

---- Malwarebytes Anti-Malware log----

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6113

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

21/03/2011 2:17:48 PM
mbam-log-2011-03-21 (14-17-48).txt

Scan type: Quick scan
Objects scanned: 151269
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

----GMER log ----

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-03-21 14:21:47
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3250318AS rev.CC44
Running: 3x1s5kki.exe; Driver: C:\Users\Michael\AppData\Local\Temp\ugloypob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x90AE582E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 851821F8
Device \Driver\atapi \Device\Ide\IdePort0 851821F8
Device \Driver\atapi \Device\Ide\IdePort1 851821F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 851821F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-2 851821F8
Device \Driver\a17te2sg \Device\Scsi\a17te2sg1Port2Path0Target0Lun0 864DD320
Device \Driver\a17te2sg \Device\Scsi\a17te2sg1 864DD320
Device \FileSystem\Ntfs \Ntfs 851841F8
Device \FileSystem\fastfat \Fat 873CE1F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\tdx \Device\Ip OAmon.sys
Device \Driver\tdx \Device\Tcp OAmon.sys
Device \Driver\tdx \Device\Udp OAmon.sys
Device \Driver\tdx \Device\RawIp OAmon.sys

---- EOF - GMER 1.0.15 ----


---- DDS log: DDS.txt----

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Michael at 14:23:16.46 on Mon 21/03/2011
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_24
Microsoft Windows 7 Professional 6.1.7601.1.1252.61.1033.18.3070.2005 [GMT 10:00]
.
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Online Armor Firewall *Enabled* {5841EF60-F43F-AE8D-642F-D79F12883626}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
D:\Program Files\Online Armor\OAcat.exe
D:\Program Files\Online Armor\oasrv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
D:\Program Files\Ashampoo Magical Defrag 3\defragtaskbar.exe
D:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
D:\Program Files\Online Armor\oaui.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Windows\System32\StikyNot.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\Online Armor\OAhlp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
D:\Program Files\Ashampoo Core Tuner\ACTHelperService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
D:\Program Files\Ashampoo Magical Defrag 3\defragservice.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
D:\Program Files\Ashampoo Magical Defrag 3\defragmonitorservice.exe
D:\Program Files\Ashampoo Magical Defrag 3\defragActivityMonitor.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\taskeng.exe
C:\Users\Michael\Downloads\dds.scr
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\jr6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo!7 Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: @c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [PlayNC Launcher]
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [DefragTaskBar] "d:\program files\ashampoo magical defrag 3\defragtaskbar.exe"
mRun: [Ashampoo Core Tuner] d:\program files\ashampoo core tuner\autostarter.exe
mRun: [WordWeb] "d:\program files\wordweb\wweb32.exe" -startup
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [@OnlineArmor GUI] "d:\program files\online armor\OAui.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download with GetRight - d:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - d:\program files\getright\GRbrowse.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: {EB9D824D-F1DB-491F-A89D-B32705065FB3} = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - d:\progra~1\online~1\oaevent.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\michael\appdata\roaming\mozilla\firefox\profiles\2tnep8uy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\jr6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\program files\jr6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Amazon Toolbar: amznUWL@amazon.com - %profile%\extensions\amznUWL@amazon.com
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-14 294608]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-11-4 202064]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2010-9-2 38856]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-11-4 25000]
R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2010/01/13 23:32:39];c:\program files\cyberlink\powerdvd dx\000.fcl [2010-1-13 87536]
R2 acthelper;Ashampoo CoreTuner Helper Service;d:\program files\ashampoo core tuner\ACTHelperService.exe [2010-1-18 902488]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-4-7 176128]
R2 Ashampoo Defrag Service;Ashampoo Defrag Service;d:\program files\ashampoo magical defrag 3\defragservice.exe [2010-1-18 890208]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-14 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-1-14 51280]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-20 40384]
R2 OAcat;Online Armor Helper Service;d:\program files\online armor\oacat.exe [2010-11-4 380784]
R2 SBSDWSCService;SBSD Security Center Service;d:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-18 1153368]
R2 SvcOnlineArmor;Online Armor;d:\program files\online armor\oasrv.exe [2010-11-4 3653208]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-1-26 7566848]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-1-26 238592]
R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-7-14 229888]
R3 OAnet;OnlineArmor Service;c:\windows\system32\drivers\OAnet.sys [2010-11-4 29120]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 DfSdkS;Defragmentation-Service;d:\program files\ashampoo winoptimizer 6\DfSdkS.exe [2010-1-18 406016]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-21 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-1 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-27 1343400]
.
=============== Created Last 30 ================
.
2011-03-09 23:39:06 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-03-09 23:39:06 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-03-09 23:39:06 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-03-09 23:39:02 850944 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 23:39:02 642048 ----a-w- c:\windows\system32\CPFilters.dll
2011-03-09 23:39:02 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 23:39:02 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-03 23:31:43 -------- d-----w- c:\users\michael\appdata\local\assembly
2011-03-01 00:05:45 -------- d-----w- c:\windows\system32\SPReview
2011-03-01 00:04:55 -------- d-----w- c:\windows\system32\EventProviders
2011-03-01 00:01:04 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-02-28 23:59:59 933376 ----a-w- c:\windows\system32\Vault.dll
2011-02-28 23:58:53 780288 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2011-02-28 23:58:53 363008 ----a-w- c:\windows\system32\wbemcomn.dll
2011-02-28 23:58:52 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll
2011-02-28 23:58:52 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-02-28 23:58:35 697344 ----a-w- c:\windows\system32\SmiEngine.dll
2011-02-28 23:58:26 209920 ----a-w- c:\windows\system32\PkgMgr.exe
2011-02-28 23:58:26 189952 ----a-w- c:\windows\system32\wdscore.dll
2011-02-28 23:57:58 323072 ----a-w- c:\windows\system32\drvstore.dll
2011-02-28 23:57:58 257024 ----a-w- c:\windows\system32\dpx.dll
2011-02-28 23:16:58 870912 ----a-w- c:\windows\system32\XpsPrint.dll
2011-02-28 23:16:58 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-28 23:16:32 219136 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-02-28 23:16:32 161792 ----a-w- c:\windows\system32\d3d10_1.dll
.
==================== Find3M ====================
.
2011-03-01 00:32:36 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-02-02 11:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-26 13:00:46 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2011-01-26 13:00:32 596480 ----a-w- c:\windows\system32\aticfx32.dll
2011-01-26 12:59:48 17204736 ----a-w- c:\windows\system32\atioglxx.dll
2011-01-26 12:56:30 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-01-26 12:55:56 393216 ----a-w- c:\windows\system32\atieclxx.exe
2011-01-26 12:55:26 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2011-01-26 12:54:12 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2011-01-26 12:53:56 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2011-01-26 12:53:44 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2011-01-26 12:53:36 15872 ----a-w- c:\windows\system32\atimuixx.dll
2011-01-26 12:53:28 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-01-26 12:49:46 4105728 ----a-w- c:\windows\system32\atidxx32.dll
2011-01-26 12:32:14 1912832 ----a-w- c:\windows\system32\atiumdmv.dll
2011-01-26 12:28:54 4170752 ----a-w- c:\windows\system32\atiumdag.dll
2011-01-26 12:27:52 46080 ----a-w- c:\windows\system32\aticalrt.dll
2011-01-26 12:27:42 44032 ----a-w- c:\windows\system32\aticalcl.dll
2011-01-26 12:25:52 5580800 ----a-w- c:\windows\system32\aticaldd.dll
2011-01-26 12:24:20 3463680 ----a-w- c:\windows\system32\atiumdva.dll
2011-01-26 12:20:46 52736 ----a-w- c:\windows\system32\coinst.dll
2011-01-26 12:14:08 249856 ----a-w- c:\windows\system32\atiadlxx.dll
2011-01-26 12:13:54 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2011-01-26 12:13:44 32768 ----a-w- c:\windows\system32\atigktxx.dll
2011-01-26 12:12:42 30720 ----a-w- c:\windows\system32\atiuxpag.dll
2011-01-26 12:12:26 28672 ----a-w- c:\windows\system32\atiu9pag.dll
2011-01-26 12:12:00 23040 ----a-w- c:\windows\system32\atitmpxx.dll
2011-01-26 12:08:42 52736 ----a-w- c:\windows\system32\atimpc32.dll
2011-01-26 12:08:42 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
2011-01-07 07:45:57 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 06:01:22 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-01-07 05:43:36 294400 ----a-w- c:\windows\system32\atmfd.dll
2011-01-05 05:55:55 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-01-05 03:51:01 2330624 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 14:26:19.87 ===============

---- DDS log: Attach.txt ----

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 14/01/2010 1:16:07 AM
System Uptime: 21/03/2011 2:02:32 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0T656F
Processor: Intel(R) Core(TM)2 Duo CPU E7400 @ 2.80GHz | CPU | 2793/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 125 GiB total, 78.456 GiB free.
D: is FIXED (NTFS) - 50 GiB total, 39.067 GiB free.
E: is FIXED (NTFS) - 58 GiB total, 33.263 GiB free.
F: is FIXED (NTFS) - 50 GiB total, 29.761 GiB free.
G: is FIXED (NTFS) - 50 GiB total, 4.222 GiB free.
H: is FIXED (NTFS) - 50 GiB total, 24.88 GiB free.
I: is FIXED (NTFS) - 50 GiB total, 22.662 GiB free.
J: is FIXED (NTFS) - 50 GiB total, 24.348 GiB free.
K: is FIXED (NTFS) - 50 GiB total, 25.22 GiB free.
L: is FIXED (NTFS) - 50 GiB total, 16.657 GiB free.
M: is FIXED (NTFS) - 75 GiB total, 0.166 GiB free.
N: is CDROM (CDFS)
O: is Removable
P: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP325: 6/03/2011 9:59:23 PM - Windows Backup
RP326: 7/03/2011 2:16:57 PM - Installed Java(TM) 6 Update 24
RP327: 10/03/2011 9:39:59 AM - Windows Update
RP328: 13/03/2011 7:40:31 PM - Windows Backup
RP329: 20/03/2011 7:00:22 PM - Windows Backup
RP331: 20/03/2011 7:24:49 PM - Windows Backup
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.2
Adobe Shockwave Player 11.5
AMD Drag and Drop Transcoding
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ashampoo Burning Studio 9.21
Ashampoo Core Tuner 1.20
Ashampoo Magical Defrag 3
Ashampoo WinOptimizer 6.50
ATI Catalyst Install Manager
µTorrent
avast! Free Antivirus
Bing Bar
Bing Bar Platform
Bonjour
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
ccc-core-static
ccc-utility
CCC Help English
ConvertHelper 2.2
Crazy Machines
Crazy Machines 1.5 Inventors Training Camp
Crazy Machines 1.5 New from the Lab
Crazy Machines 2
D3DX10
e-tax 2010
Evil Genius
GetRight
GIMP 2.6.8
Hospital Tycoon
Intel(R) Graphics Media Accelerator Driver
Intel(R) TV Wizard
iTunes
Jade Empire: Special Edition
Java Auto Updater
Java(TM) 6 Update 24
Junk Mail filter update
Just Great Software EditPad Lite 6.6.0
K-Lite Mega Codec Pack 3.8.0
Malwarebytes' Anti-Malware
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Basic 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Add-in 1.5
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mids' Hero/Villain Designer
MozBackup 1.4.10
Mozilla Firefox (3.6.13)
Mozilla Thunderbird (3.1.9)
MSVCRT
NCsoft Launcher
NVIDIA PhysX v8.09.04
Online Armor 4.0
OpenAL
Portal
PowerDVD DX
QuickTime
Safecracker: The Ultimate Puzzle Adventure
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Spybot - Search & Destroy
Steam
The Lord of the Rings FREE Trial
Twin Sector
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2508979)
V*****Maps Map Overlay
Warhammer 40,000: Dawn Of War - Gold Edition
Watchtower Library 2010 - English
WavePad Sound Editor
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR archiver
WordWeb
Yahoo! Software Update
Yahoo!7 Messenger
Yahoo!7 Toolbar
.
==== Event Viewer Messages From Past Week ========
.
21/03/2011 2:02:09 PM, Error: Service Control Manager [7023] - The Windows Update service terminated with the following error: %%-2147467243
21/03/2011 1:54:28 PM, Error: Service Control Manager [7034] - The AMD External Events Utility service terminated unexpectedly. It has done this 1 time(s).
20/03/2011 7:31:42 PM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: 490@01010004
20/03/2011 7:25:50 PM, Error: volsnap [35] - The shadow copies of volume M: were aborted because the shadow copy storage failed to grow.
20/03/2011 7:24:42 PM, Error: volsnap [9] - The flush and hold writes operation on volume C: timed out while waiting for file system cleanup.
20/03/2011 7:18:36 PM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: D@01010004
18/03/2011 9:56:07 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
15/03/2011 9:40:56 AM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.0.151. The computer with the IP address 192.168.0.147 did not allow the name to be claimed by this computer.
14/03/2011 9:58:52 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
.
==== End Of File ===========================
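As an added example (not part of this thread, and not code from the DDS tool), a small Python triage pass over a constructed excerpt in the DDS log format posted above: it splits the log into its sections, flags processes running from user-writable directories, and flags orphaned or empty autorun and browser add-on entries in the Pseudo HJT report. The section names come from the log; the heuristics, the sample lines and the `updater_example.exe` entry are the example's own assumptions, and a hit is a prompt to look closer, not a verdict (the scanner itself, dds.scr in Downloads, is flagged for exactly that reason).

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (log line, reason it was flagged)

# Constructed excerpt in the DDS log format (hypothetical sample, not the
# original log); the Temp\updater_example.exe line is added for the demo.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
D:\Program Files\Online Armor\oasrv.exe
C:\Users\Michael\Downloads\dds.scr
C:\Users\Michael\AppData\Local\Temp\updater_example.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [PlayNC Launcher]
Hosts: 127.0.0.1 www.spywareinfo.com
.
"""

# DDS marks a section with a row of '=' on both sides of its name.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# Directories a standard user can write to without elevation; services
# and long-lived processes rarely have a legitimate reason to run from them.
USER_WRITABLE = (r"\appdata\local\temp", r"\downloads", r"\windows\temp", r"\users\public")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines of a DDS log under their section headers."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
            continue
        if current is None or line in ("", "."):  # DDS pads sections with "."
            continue
        sections[current].append(line)
    return sections


def flag_processes(lines: List[str]) -> List[Finding]:
    """Flag running processes whose image lives in a user-writable directory."""
    findings: List[Finding] = []
    for line in lines:
        path = line.split(" -k ")[0].strip().lower()  # drop svchost group args
        for marker in USER_WRITABLE:
            if marker in path:
                findings.append((line, f"runs from user-writable location ({marker})"))
                break
    return findings


def flag_hjt(lines: List[str]) -> List[Finding]:
    """Flag Pseudo HJT entries a reviewer would normally look at first."""
    findings: List[Finding] = []
    for line in lines:
        if line.endswith("- No File"):
            findings.append((line, "orphaned entry: registered component whose file is missing"))
        elif re.match(r"^[um]Run: \[[^\]]+\]\s*$", line):
            findings.append((line, "autorun entry with empty command"))
        elif line.startswith("Hosts:"):
            findings.append((line, "hosts-file override; confirm it is intended"))
        elif line.startswith(("BHO:", "TB:")):
            findings.append((line, "browser add-on loaded into IE; review if unrecognised"))
    return findings


def triage(text: str) -> Dict[str, List[Finding]]:
    """Run both passes over a DDS log and return the findings per area."""
    sections = split_sections(text)
    return {
        "processes": flag_processes(sections.get("Running Processes", [])),
        "hjt": flag_hjt(sections.get("Pseudo HJT Report", [])),
    }


if __name__ == "__main__":
    for area, findings in triage(SAMPLE_DDS).items():
        print(f"== {area} ==")
        for line, reason in findings:
            print(f"  {reason}\n    {line}")
```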
 
Welcome back! I'll be glad to check the logs for malware. But your description sounds more like you will need to make that call to the ISP.

I don't see any signs of a rootkit at this point. While I finish reviewing these logs, please run the following:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard" (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
====================================
Download Combofix from HERE or HERE: http://www.forospyware.com/sUBs/ComboFix.exe and save to your desktop.
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
Thanks for the assistance.

I followed your instructions to the letter, however there were a few points that you may need to know about as a result.

The Eset Anti-virus noted that I wasn't using IE (I use Firefox as a rule) and, when it ran, proceeded to scan nothing. I have not run IE8 on this machine and have no real desire to.

It didn't copy anything to the clipboard so I went and found the logfile (log.txt) and included it below.

As per your directions I then downloaded ComboFix and ran it. It did protest (as in a warning window appeared) about running on the incorrect version of Windows. (I'm running Windows 7 Professional SP1 32-bit.) However, said window disappeared when I agreed to a terms of usage window. The log it produced is included below.

It produced a Restore Point, but made no mention about the Recovery Console.

Hope this helps.

---- Eset NOD32 log.txt ----

ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=0
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=439f54bb52b7f14c8e8e5e4d6e28b505
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-22 02:37:42
# local_time=2011-03-22 12:37:42 (+1000, E. Australia Standard Time)
# country="Australia"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=768 16777215 100 0 33317009 33317009 0 0
# compatibility_mode=5893 16776574 100 94 986335 52392653 0 0
# compatibility_mode=6401 16777213 66 100 445224 11088736 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=0
# found=0
# cleaned=0
# scan_time=0

---- ComboFix.txt ----

ComboFix 11-03-21.01 - Michael 22/03/2011 13:09:21.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.61.1033.18.3070.2322 [GMT 10:00]
Running from: c:\users\Michael\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
FW: Online Armor Firewall *Disabled* {5841EF60-F43F-AE8D-642F-D79F12883626}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-02-22 to 2011-03-22 )))))))))))))))))))))))))))))))
.
.
2011-03-22 03:15 . 2011-03-22 03:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-22 02:34 . 2011-03-22 02:34 -------- d-----w- c:\program files\ESET
2011-03-09 23:39 . 2011-02-19 06:30 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-03-09 23:39 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-03-09 23:39 . 2011-02-19 06:30 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-03-09 23:39 . 2010-12-23 05:54 850944 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 23:39 . 2010-12-23 05:54 642048 ----a-w- c:\windows\system32\CPFilters.dll
2011-03-09 23:39 . 2010-12-23 05:54 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 23:39 . 2010-12-23 05:50 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-07 04:18 . 2011-03-07 04:18 -------- d-----w- c:\program files\Common Files\Java
2011-03-07 04:16 . 2011-03-07 04:16 -------- d-----w- c:\programdata\McAfee
2011-03-03 23:31 . 2011-03-03 23:31 -------- d-----w- c:\users\Michael\AppData\Local\assembly
2011-03-01 00:05 . 2011-03-01 00:05 -------- d-----w- c:\windows\system32\SPReview
2011-03-01 00:04 . 2011-03-01 00:04 -------- d-----w- c:\windows\system32\EventProviders
2011-03-01 00:01 . 2010-11-05 01:58 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-02-28 23:59 . 2010-11-20 12:29 132992 ----a-w- c:\windows\system32\drivers\ataport.sys
2011-02-28 23:58 . 2010-11-20 12:21 780288 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2011-02-28 23:58 . 2010-11-20 12:21 363008 ----a-w- c:\windows\system32\wbemcomn.dll
2011-02-28 23:58 . 2010-11-20 12:21 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-02-28 23:58 . 2010-11-20 12:19 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll
2011-02-28 23:58 . 2010-11-20 12:21 697344 ----a-w- c:\windows\system32\SmiEngine.dll
2011-02-28 23:58 . 2010-11-20 12:21 189952 ----a-w- c:\windows\system32\wdscore.dll
2011-02-28 23:58 . 2010-11-20 12:17 209920 ----a-w- c:\windows\system32\PkgMgr.exe
2011-02-28 23:57 . 2010-11-20 12:18 323072 ----a-w- c:\windows\system32\drvstore.dll
2011-02-28 23:57 . 2010-11-20 12:18 257024 ----a-w- c:\windows\system32\dpx.dll
2011-02-28 23:16 . 2011-01-07 07:46 870912 ----a-w- c:\windows\system32\XpsPrint.dll
2011-02-28 23:16 . 2011-01-07 07:46 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-28 23:16 . 2011-01-17 05:47 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-02-28 23:16 . 2010-11-20 12:18 219136 ----a-w- c:\windows\system32\d3d10_1core.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-21 04:00 . 2010-06-24 01:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-01 00:32 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-02-03 05:54 . 2011-02-09 06:09 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-02-02 11:40 . 2010-04-20 22:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-26 13:36 . 2011-01-26 13:36 7566848 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-01-26 13:00 . 2011-01-26 13:00 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2011-01-26 13:00 . 2010-03-03 04:16 596480 ----a-w- c:\windows\system32\aticfx32.dll
2011-01-26 12:59 . 2011-01-26 12:59 17204736 ----a-w- c:\windows\system32\atioglxx.dll
2011-01-26 12:56 . 2010-04-07 02:13 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-01-26 12:55 . 2010-04-07 02:12 393216 ----a-w- c:\windows\system32\atieclxx.exe
2011-01-26 12:55 . 2010-04-07 02:12 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2011-01-26 12:54 . 2011-01-26 12:54 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2011-01-26 12:53 . 2010-04-07 02:10 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2011-01-26 12:53 . 2011-01-26 12:53 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2011-01-26 12:53 . 2011-01-26 12:53 15872 ----a-w- c:\windows\system32\atimuixx.dll
2011-01-26 12:53 . 2011-01-26 12:53 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-01-26 12:49 . 2010-03-03 04:06 4105728 ----a-w- c:\windows\system32\atidxx32.dll
2011-01-26 12:32 . 2011-01-26 12:32 1912832 ----a-w- c:\windows\system32\atiumdmv.dll
2011-01-26 12:28 . 2010-03-03 03:46 4170752 ----a-w- c:\windows\system32\atiumdag.dll
2011-01-26 12:27 . 2011-01-26 12:27 46080 ----a-w- c:\windows\system32\aticalrt.dll
2011-01-26 12:27 . 2011-01-26 12:27 44032 ----a-w- c:\windows\system32\aticalcl.dll
2011-01-26 12:25 . 2011-01-26 12:25 5580800 ----a-w- c:\windows\system32\aticaldd.dll
2011-01-26 12:24 . 2010-03-03 03:24 3463680 ----a-w- c:\windows\system32\atiumdva.dll
2011-01-26 12:20 . 2010-03-03 03:23 52736 ----a-w- c:\windows\system32\coinst.dll
2011-01-26 12:14 . 2010-04-07 01:23 249856 ----a-w- c:\windows\system32\atiadlxx.dll
2011-01-26 12:13 . 2011-01-26 12:13 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2011-01-26 12:13 . 2011-01-26 12:13 32768 ----a-w- c:\windows\system32\atigktxx.dll
2011-01-26 12:13 . 2011-01-26 12:13 238592 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-01-26 12:12 . 2010-03-03 03:06 30720 ----a-w- c:\windows\system32\atiuxpag.dll
2011-01-26 12:12 . 2010-03-03 03:06 28672 ----a-w- c:\windows\system32\atiu9pag.dll
2011-01-26 12:12 . 2011-01-26 12:12 23040 ----a-w- c:\windows\system32\atitmpxx.dll
2011-01-26 12:11 . 2011-01-26 12:11 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-01-26 12:08 . 2011-01-26 12:08 52736 ----a-w- c:\windows\system32\atimpc32.dll
2011-01-26 12:08 . 2011-01-26 12:08 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2011-01-13 09:41 . 2010-01-26 22:01 5890896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-01-13 08:47 . 2010-06-29 11:25 38848 ----a-w- c:\windows\avastSS.scr
2011-01-13 08:47 . 2010-01-13 14:30 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-13 08:41 . 2010-01-13 14:31 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-13 08:40 . 2010-01-13 14:31 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-13 08:37 . 2010-01-13 14:31 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-13 08:37 . 2010-01-13 14:30 51280 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-01-13 08:37 . 2010-01-13 14:31 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-01-07 07:45 . 2011-02-09 06:10 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 06:01 . 2011-02-09 06:13 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-01-07 05:43 . 2011-02-09 06:10 294400 ----a-w- c:\windows\system32\atmfd.dll
2011-01-05 05:55 . 2011-02-09 06:10 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-01-05 03:51 . 2011-02-09 06:10 2330624 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SharingPrivate]
@="{08244EE6-92F0-47f2-9FC9-929BAA2E7235}"
[HKEY_CLASSES_ROOT\CLSID\{08244EE6-92F0-47f2-9FC9-929BAA2E7235}]
2010-11-20 12:20 442880 ----a-w- c:\windows\System32\ntshrui.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-24 140520]
"DefragTaskBar"="d:\program files\Ashampoo Magical Defrag 3\defragtaskbar.exe" [2009-12-16 927072]
"Ashampoo Core Tuner"="d:\program files\Ashampoo Core Tuner\autostarter.exe" [2009-09-25 428376]
"WordWeb"="d:\program files\WordWeb\wweb32.exe" [2009-11-08 65216]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-06 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"@OnlineArmor GUI"="d:\program files\Online Armor\OAui.exe" [2010-11-04 2345000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "d:\progra~1\ONLINE~1\oaevent.dll" [2010-11-04 353992]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EFS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Power]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcEptMapper]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
.
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2010-10-30 38856]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 MMCSS;Multimedia Class Scheduler;c:\windows\system32\svchost.exe [2009-07-14 20992]
R2 sppsvc;Software Protection;c:\windows\system32\sppsvc.exe [2010-11-20 3179520]
R2 SvcOnlineArmor;Online Armor;d:\program files\Online Armor\oasrv.exe [2010-11-04 3653208]
R3 1394ohci;1394 OHCI Compliant Host Controller;c:\windows\system32\drivers\1394ohci.sys [2010-11-20 164864]
R3 AcpiPmi;ACPI Power Meter Driver;c:\windows\system32\drivers\acpipmi.sys [2010-11-20 10240]
R3 adp94xx;adp94xx;c:\windows\system32\DRIVERS\adp94xx.sys [2009-07-14 422976]
R3 adpahci;adpahci;c:\windows\system32\DRIVERS\adpahci.sys [2009-07-14 297552]
R3 amdsata;amdsata;c:\windows\system32\drivers\amdsata.sys [2010-11-20 80256]
R3 amdsbs;amdsbs;c:\windows\system32\DRIVERS\amdsbs.sys [2009-07-14 159312]
R3 AppID;AppID Driver;c:\windows\system32\drivers\appid.sys [2010-11-20 50176]
R3 AppIDSvc;Application Identity;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 arcsas;arcsas;c:\windows\system32\DRIVERS\arcsas.sys [2009-07-14 86608]
R3 b06bdrv;Broadcom NetXtreme II VBD;c:\windows\system32\DRIVERS\bxvbdx.sys [2009-07-13 430080]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2009-07-13 229888]
R3 BDESVC;BitLocker Drive Encryption Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;c:\windows\system32\DRIVERS\BrFiltLo.sys [2009-07-13 13568]
R3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;c:\windows\system32\DRIVERS\BrFiltUp.sys [2009-07-13 5248]
R3 Brserid;Brother MFC Serial Port Interface Driver (WDM);c:\windows\System32\Drivers\Brserid.sys [2009-07-14 272128]
R3 BrSerWdm;Brother WDM Serial driver;c:\windows\System32\Drivers\BrSerWdm.sys [2009-07-13 62336]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\System32\Drivers\BrUsbMdm.sys [2009-07-13 12160]
R3 CertPropSvc;Certificate Propagation;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 circlass;Consumer IR Devices;c:\windows\system32\DRIVERS\circlass.sys [2009-07-13 37888]
R3 defragsvc;Disk Defragmenter;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 DfSdkS;Defragmentation-Service;d:\program files\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016]
R3 ebdrv;Broadcom NetXtreme II 10 GigE VBD;c:\windows\system32\DRIVERS\evbdx.sys [2009-07-13 3100160]
R3 elxstor;elxstor;c:\windows\system32\DRIVERS\elxstor.sys [2009-07-14 453712]
R3 Filetrace;Filetrace;c:\windows\system32\drivers\filetrace.sys [2009-07-13 28160]
R3 FsDepends;File System Dependency Minifilter;c:\windows\system32\drivers\FsDepends.sys [2009-07-14 46160]
R3 hcw85cir;Hauppauge Consumer Infrared Receiver;c:\windows\system32\drivers\hcw85cir.sys [2009-07-13 26624]
R3 HpSAMD;HpSAMD;c:\windows\system32\drivers\HpSAMD.sys [2009-07-14 67152]
R3 iaStorV;Intel RAID Controller Windows 7;c:\windows\system32\drivers\iaStorV.sys [2010-11-20 332160]
R3 IPBusEnum;PnP-X IP Bus Enumerator;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 IPMIDRV;IPMIDRV;c:\windows\system32\drivers\IPMIDrv.sys [2010-11-20 65536]
R3 iScsiPrt;iScsiPort Driver;c:\windows\system32\drivers\msiscsi.sys [2010-11-20 233344]
R3 KtmRm;KtmRm for Distributed Transaction Coordinator;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 lltdsvc;Link-Layer Topology Discovery Mapper;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 LSI_FC;LSI_FC;c:\windows\system32\DRIVERS\lsi_fc.sys [2009-07-14 95824]
R3 LSI_SAS;LSI_SAS;c:\windows\system32\DRIVERS\lsi_sas.sys [2009-07-14 89168]
R3 LSI_SAS2;LSI_SAS2;c:\windows\system32\DRIVERS\lsi_sas2.sys [2009-07-14 54864]
R3 LSI_SCSI;LSI_SCSI;c:\windows\system32\DRIVERS\lsi_scsi.sys [2009-07-14 96848]
R3 megasas;megasas;c:\windows\system32\DRIVERS\megasas.sys [2009-07-14 30800]
R3 mpio;Microsoft Multi-Path Bus Driver;c:\windows\system32\drivers\mpio.sys [2010-11-20 130432]
R3 msahci;msahci;c:\windows\system32\drivers\msahci.sys [2010-11-20 28032]
R3 msdsm;Microsoft Multi-Path Device Specific Module;c:\windows\system32\drivers\msdsm.sys [2010-11-20 116096]
R3 mshidkmdf;Pass-through HID to KMDF Filter Driver;c:\windows\System32\drivers\mshidkmdf.sys [2009-07-13 4096]
R3 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 MsRPC;MsRPC; [x]
R3 MTConfig;Microsoft Input Configuration Driver;c:\windows\system32\DRIVERS\MTConfig.sys [2009-07-13 12288]
R3 NativeWifiP;NativeWiFi Filter;c:\windows\system32\DRIVERS\nwifi.sys [2009-07-13 267264]
R3 NdisCap;NDIS Capture LightWeight Filter;c:\windows\system32\DRIVERS\ndiscap.sys [2009-07-13 27136]
R3 nfrd960;nfrd960;c:\windows\system32\DRIVERS\nfrd960.sys [2009-07-14 44624]
R3 nvstor;nvstor;c:\windows\system32\drivers\nvstor.sys [2010-11-20 143744]
R3 PeerDistSvc;BranchCache;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 pla;Performance Logs & Alerts;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 PNRPAutoReg;PNRP Machine Name Publication Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 ql2300;ql2300;c:\windows\system32\DRIVERS\ql2300.sys [2009-07-14 1383488]
R3 ql40xx;ql40xx;c:\windows\system32\DRIVERS\ql40xx.sys [2009-07-14 106064]
R3 s3cap;s3cap;c:\windows\system32\drivers\vms3cap.sys [2010-11-20 5632]
R3 scfilter;Smart card PnP Class Filter Driver;c:\windows\system32\DRIVERS\scfilter.sys [2010-11-20 26624]
R3 SCPolicySvc;Smart Card Removal Policy;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 SensrSvc;Adaptive Brightness;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 SessionEnv;Remote Desktop Configuration;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 sffp_mmc;SFF Storage Protocol Driver for MMC;c:\windows\system32\drivers\sffp_mmc.sys [2009-07-13 12288]
R3 SiSRaid4;SiSRaid4;c:\windows\system32\DRIVERS\sisraid4.sys [2009-07-14 77888]
R3 Smb;Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session);c:\windows\system32\DRIVERS\smb.sys [2009-07-13 71168]
R3 sppuinotify;SPP Notification Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 stexstor;stexstor;c:\windows\system32\DRIVERS\stexstor.sys [2009-07-14 21072]
R3 StorSvc;Storage Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 storvsc;storvsc;c:\windows\system32\drivers\storvsc.sys [2010-11-20 28032]
R3 TBS;TPM Base Services;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 THREADORDER;Thread Ordering Server;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 TrustedInstaller;Windows Modules Installer;c:\windows\servicing\TrustedInstaller.exe [2010-11-20 204800]
R3 tssecsrv;Remote Desktop Services Security Filter Driver;c:\windows\system32\DRIVERS\tssecsrv.sys [2010-11-20 31232]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 UI0Detect;Interactive Services Detection;c:\windows\system32\UI0Detect.exe [2009-07-14 35840]
R3 uliagpkx;Uli AGP Bus Filter;c:\windows\system32\drivers\uliagpkx.sys [2009-07-14 57424]
R3 UmRdpService;Remote Desktop Services UserMode Port Redirector;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 usbcir;eHome Infrared Receiver (USBCIR);c:\windows\system32\drivers\usbcir.sys [2009-07-13 86016]
R3 VaultSvc;Credential Manager;c:\windows\system32\lsass.exe [2009-07-14 22528]
R3 vhdmp;vhdmp;c:\windows\system32\drivers\vhdmp.sys [2010-11-20 160128]
R3 ViaC7;VIA C7 Processor Driver;c:\windows\system32\DRIVERS\viac7.sys [2009-07-13 52736]
R3 VMBusHID;VMBusHID;c:\windows\system32\drivers\VMBusHID.sys [2010-11-20 17920]
R3 vsmraid;vsmraid;c:\windows\system32\DRIVERS\vsmraid.sys [2009-07-14 141904]
R3 vwifibus;Virtual WiFi Bus Driver;c:\windows\System32\drivers\vwifibus.sys [2009-07-13 19968]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\DRIVERS\wacompen.sys [2009-07-13 21632]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-27 1343400]
R3 wbengine;Block Level Backup Engine Service;c:\windows\system32\wbengine.exe [2010-11-20 1203200]
R3 WbioSrvc;Windows Biometric Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 WcsPlugInService;Windows Color System;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 Wd;Wd;c:\windows\system32\DRIVERS\wd.sys [2009-07-14 19024]
R3 WdiSystemHost;Diagnostic System Host;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 Wecsvc;Windows Event Collector;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 wercplsupport;Problem Reports and Solutions Control Panel Support;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WerSvc;Windows Error Reporting Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WIMMount;WIMMount;c:\windows\system32\drivers\wimmount.sys [2009-07-14 19008]
R3 WinDefend;Windows Defender;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 Wlansvc;WLAN AutoConfig;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 WPCSvc;Parental Controls;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 WwanSvc;WWAN AutoConfig;c:\windows\system32\svchost.exe [2009-07-14 20992]
R4 Mcx2Svc;Media Center Extender Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R4 TabletInputService;Tablet PC Input Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
R4 WPDBusEnum;Portable Device Enumerator Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
S0 amdxata;amdxata;c:\windows\system32\drivers\amdxata.sys [2010-11-20 22400]
S0 CLFS;Common Log (CLFS);c:\windows\System32\CLFS.sys [2009-07-14 249408]
S0 CNG;CNG;c:\windows\System32\Drivers\cng.sys [2009-07-14 369568]
S0 FileInfo;File Information FS MiniFilter;c:\windows\system32\drivers\fileinfo.sys [2009-07-14 58448]
S0 fvevol;Bitlocker Drive Encryption Filter Driver;c:\windows\System32\DRIVERS\fvevol.sys [2010-11-20 194800]
S0 hwpolicy;Hardware Policy Driver;c:\windows\System32\drivers\hwpolicy.sys [2010-11-20 14208]
S0 KSecPkg;KSecPkg;c:\windows\System32\Drivers\ksecpkg.sys [2009-07-14 133200]
S0 msisadrv;msisadrv;c:\windows\system32\drivers\msisadrv.sys [2009-07-14 13888]
S0 pcw;Performance Counters for Windows Driver;c:\windows\System32\drivers\pcw.sys [2009-07-14 43088]
S0 rdyboost;ReadyBoost;c:\windows\System32\drivers\rdyboost.sys [2010-11-20 173440]
S0 spldr;Security Processor Loader Driver; [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-17 691696]
S0 storflt;Disk Virtual Machine Bus Acceleration Filter Driver;c:\windows\system32\drivers\vmstorfl.sys [2010-11-20 40704]
S0 vdrvroot;Microsoft Virtual Drive Enumerator Driver;c:\windows\system32\drivers\vdrvroot.sys [2009-07-14 32832]
S0 vmbus;Virtual Machine Bus;c:\windows\system32\drivers\vmbus.sys [2010-11-20 175360]
S0 volmgr;Volume Manager Driver;c:\windows\system32\drivers\volmgr.sys [2010-11-20 53120]
S0 volmgrx;Dynamic Volume Manager;c:\windows\System32\drivers\volmgrx.sys [2009-07-14 297040]
S1 aswSP;aswSP; [x]
S1 blbdrive;blbdrive;c:\windows\system32\DRIVERS\blbdrive.sys [2009-07-13 35328]
S1 CSC;Offline Files Driver;c:\windows\system32\drivers\csc.sys [2010-11-20 388096]
S1 DfsC;DFS Namespace Client Driver;c:\windows\system32\Drivers\dfsc.sys [2010-11-20 78336]
S1 discache;System Attribute Cache;c:\windows\system32\drivers\discache.sys [2009-07-13 32256]
S1 nsiproxy;NSI proxy service driver.;c:\windows\system32\drivers\nsiproxy.sys [2009-07-13 16896]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-11-04 202064]
S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-11-04 25000]
S1 RDPENCDD;RDP Encoder Mirror Driver;c:\windows\system32\drivers\rdpencdd.sys [2009-07-14 6656]
S1 RDPREFMP;Reflector Display Driver used to gain access to graphics data;c:\windows\system32\drivers\rdprefmp.sys [2009-07-14 7168]
S1 tdx;NetIO Legacy TDI Support Driver;c:\windows\system32\DRIVERS\tdx.sys [2010-11-20 74752]
S1 Wanarpv6;Remote Access IPv6 ARP Driver;c:\windows\system32\DRIVERS\wanarp.sys [2010-11-20 63488]
S1 WfpLwf;WFP Lightweight Filter;c:\windows\system32\DRIVERS\wfplwf.sys [2009-07-13 9728]
S2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2010/01/13 23:32];c:\program files\CyberLink\PowerDVD DX\000.fcl [2009-06-24 10:19 87536]
S2 acthelper;Ashampoo CoreTuner Helper Service;d:\program files\Ashampoo Core Tuner\ACTHelperService.exe [2009-09-25 902488]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-01-26 176128]
S2 Ashampoo Defrag Service;Ashampoo Defrag Service;d:\program files\Ashampoo Magical Defrag 3\defragservice.exe [2009-12-16 890208]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
S2 AudioEndpointBuilder;Windows Audio Endpoint Builder;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 BFE;Base Filtering Engine;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 CscService;Offline Files;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 DPS;Diagnostic Policy Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 FDResPub;Function Discovery Resource Publication;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 gpsvc;Group Policy Client;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 IKEEXT;IKE and AuthIP IPsec Keying Modules;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 iphlpsvc;IP Helper;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 lltdio;Link-Layer Topology Discovery Mapper I/O Driver;c:\windows\system32\DRIVERS\lltdio.sys [2009-07-13 48128]
S2 luafv;UAC File Virtualization;c:\windows\system32\drivers\luafv.sys [2009-07-13 86528]
S2 MpsSvc;Windows Firewall;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 NlaSvc;Network Location Awareness;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 nsi;Network Store Interface Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 OAcat;Online Armor Helper Service;d:\program files\Online Armor\OAcat.exe [2010-11-04 380784]
S2 PEAUTH;PEAUTH;c:\windows\system32\drivers\peauth.sys [2009-07-14 586752]
S2 Power;Power;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 ProfSvc;User Profile Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 RpcEptMapper;RPC Endpoint Mapper;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 SBSDWSCService;SBSD Security Center Service;d:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SysMain;Superfetch;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 tcpipreg;TCP/IP Registry Compatibility;c:\windows\system32\drivers\tcpipreg.sys [2010-11-20 35328]
S2 UxSms;Desktop Window Manager Session Manager;c:\windows\System32\svchost.exe [2009-07-14 20992]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-01-26 7566848]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-01-26 238592]
S3 Appinfo;Application Information;c:\windows\system32\svchost.exe [2009-07-14 20992]
S3 bowser;Browser Support Driver;c:\windows\system32\DRIVERS\bowser.sys [2009-07-13 69632]
S3 CompositeBus;Composite Bus Enumerator Driver;c:\windows\system32\drivers\CompositeBus.sys [2010-11-20 31232]
S3 DXGKrnl;LDDM Graphics Subsystem;c:\windows\System32\drivers\dxgkrnl.sys [2010-11-20 728448]
S3 fdPHost;Function Discovery Provider Host;c:\windows\system32\svchost.exe [2009-07-14 20992]
S3 HomeGroupListener;HomeGroup Listener;c:\windows\System32\svchost.exe [2009-07-14 20992]
S3 HomeGroupProvider;HomeGroup Provider;c:\windows\System32\svchost.exe [2009-07-14 20992]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-07-13 229888]
S3 KeyIso;CNG Key Isolation;c:\windows\system32\lsass.exe [2009-07-14 22528]
S3 monitor;Microsoft Monitor Class Function Driver Service;c:\windows\system32\DRIVERS\monitor.sys [2009-07-13 23552]
S3 mpsdrv;Windows Firewall Authorization Driver;c:\windows\system32\drivers\mpsdrv.sys [2009-07-13 60416]
S3 mrxsmb10;SMB 1.x MiniRedirector;c:\windows\system32\DRIVERS\mrxsmb10.sys [2010-11-20 223232]
S3 mrxsmb20;SMB 2.0 MiniRedirector;c:\windows\system32\DRIVERS\mrxsmb20.sys [2010-11-20 96768]
S3 netprofm;Network List Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
S3 OAnet;OnlineArmor Service;c:\windows\system32\DRIVERS\oanet.sys [2010-11-04 29120]
S3 PcaSvc;Program Compatibility Assistant Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
S3 RasAgileVpn;WAN Miniport (IKEv2);c:\windows\system32\DRIVERS\AgileVpn.sys [2009-07-13 49152]
S3 rdpbus;Remote Desktop Device Redirector Bus Driver;c:\windows\system32\DRIVERS\rdpbus.sys [2009-07-14 18944]
S3 SDRSVC;Windows Backup;c:\windows\system32\svchost.exe [2009-07-14 20992]
S3 srv2;Server SMB 2.xxx Driver;c:\windows\system32\DRIVERS\srv2.sys [2010-11-20 309248]
S3 srvnet;srvnet;c:\windows\system32\DRIVERS\srvnet.sys [2010-11-20 114176]
S3 tunnel;Microsoft Tunnel Miniport Adapter Driver;c:\windows\system32\DRIVERS\tunnel.sys [2010-11-20 108544]
S3 umbus;UMBus Enumerator Driver;c:\windows\system32\drivers\umbus.sys [2010-11-20 39936]
S3 wcncsvc;Windows Connect Now - Config Registrar;c:\windows\System32\svchost.exe [2009-07-14 20992]
S3 WdiServiceHost;Diagnostic Service Host;c:\windows\System32\svchost.exe [2009-07-14 20992]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - UGLOYPOB
*Deregistered* - ugloypob
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
RPCSS REG_MULTI_SZ RpcEptMapper RpcSs
defragsvc REG_MULTI_SZ defragsvc
WerSvcGroup REG_MULTI_SZ wersvc
LocalServiceNoNetwork REG_MULTI_SZ DPS PLA BFE mpssvc WwanSvc
swprv REG_MULTI_SZ swprv
LocalServicePeerNet REG_MULTI_SZ PNRPSvc p2pimsvc p2psvc PnrpAutoReg
NetworkServiceAndNoImpersonation REG_MULTI_SZ KtmRm
regsvc REG_MULTI_SZ RemoteRegistry
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
DcomLaunch REG_MULTI_SZ Power PlugPlay DcomLaunch
NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent
sdrsvc REG_MULTI_SZ sdrsvc
WbioSvcGroup REG_MULTI_SZ WbioSrvc
wcssvc REG_MULTI_SZ WcsPlugInService
AxInstSVGroup REG_MULTI_SZ AxInstSV
secsvcs REG_MULTI_SZ WinDefend
PeerDist REG_MULTI_SZ PeerDistSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Nla
NWCWorkstation
SRService
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
wercplsupport
EapHost
ProfSvc
schedule
hkmsvc
SessionEnv
winmgmt
browser
Themes
BDESVC
AppMgmt
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalSystemNetworkRestricted
homegrouplistener
StorSvc
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
WdiServiceHost
sppuinotify
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetworkService
lanmanworkstation
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceNetworkRestricted
BthHFSrv
homegroupprovider
.
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-15 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-12-12 07:01]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Download with GetRight - d:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - d:\program files\GetRight\GRbrowse.htm
TCP: {EB9D824D-F1DB-491F-A89D-B32705065FB3} = 192.168.0.1
FF - ProfilePath - c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\2tnep8uy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Amazon Toolbar: amznUWL@amazon.com - %profile%\extensions\amznUWL@amazon.com
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-PlayNC Launcher - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
SafeBoot-sacsvr
SafeBoot-vmms
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 13:15
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 13:15
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 13:15
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 13:15
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 13:15
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 13:15
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 13:15
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 13:15
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 13:15
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 13:15
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 13:15
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD DX\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-03-22 13:17:08
ComboFix-quarantined-files.txt 2011-03-22 03:17
.
Pre-Run: 83,672,412,160 bytes free
Post-Run: 83,299,766,272 bytes free
.
- - End Of File - - 10271A54B2CD5A5699E4BCF35E3099E1
 
Regarding the message in Eset:
ESET Online Scanner is implemented as an ActiveX control and requires Internet Explorer 5.0 or later. Compatibility with other browsers (Firefox, Opera, Netscape, etc.) was added. The only thing you have to do is to agree to the installation of ESET Smart Installer, an application which will install and launch ESET Online Scanner in a new browser window.

A note about the 'speed': part of the problem is that you have a splitter servicing 5 computers. The signal will not be as strong, most likely on most or all of the systems.

We need to check for a rootkit first: Broni put this together for us:

Download aswMBR to your desktop.
  • Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan:
  • On completion of the scan click "Save log", save it to your desktop
  • Post in your next reply:

================================================
After we finish the scans for malware, I'm going to refer you to a site that will explain what the Services do and what you can move down from Automatic Startup type to Manual, or in some cases, Disable. You have a huge number of Services/drivers running, even for Windows 7. You need to review what the Service does, if it needs to automatically start when you boot and what its Dependencies are. Black Viper wrote the book on this and you won't find any better place for your Services than this site:
http://www.blackviper.com/2010/12/17/black-vipers-windows-7-service-pack-1-service-configurations/

Take your time! I find booting into Safe Mode easier when working with the Services because some Services need other Services running in order for them to run.
 
Do I really need to run IE8 to run ESET?

When I first got the computer about a year ago I did go into the Services area and turn off a few things like Remote Desktop and some wireless stuff as this computer doesn't have any connected. I haven't thought about it since.

Here's the log you requested.

--------

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-24 11:07:49
-----------------------------
11:07:49.060 OS Version: Windows 6.1.7601 Service Pack 1
11:07:49.060 Number of processors: 2 586 0x170A
11:07:49.060 ComputerName: MICRO-PC UserName: Michael
11:08:17.298 Initialize success
11:08:40.652 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
11:08:40.653 Disk 0 Vendor: ST3250318AS CC44 Size: 238418MB BusType: 3
11:08:40.656 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1
11:08:40.657 Disk 1 Vendor: SAMSUNG_HD501LJ CR100-10 Size: 476940MB BusType: 3
11:08:42.808 Disk 0 MBR read successfully
11:08:42.811 Disk 0 MBR scan
11:08:44.819 Disk 0 scanning sectors +488278016
11:08:44.849 Disk 0 scanning C:\Windows\system32\drivers
11:08:55.273 Service scanning
11:08:57.198 Disk 0 trace - called modules:
11:08:57.227 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x851821f8]<<
11:08:57.230 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8600d5c8]
11:08:57.233 3 CLASSPNP.SYS[8b5ab59e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85f1c908]
11:08:57.237 \Driver\atapi[0x85ec2798] -> IRP_MJ_CREATE -> 0x851821f8
11:08:57.765 Scan finished successfully
 
Please do this:
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:

    Code:
    @ECHO OFF
    REM Runs Bootkit Remover's fix on the first physical disk.
    REM remover.exe must be in the same folder as this file, and the file must be run as Administrator.
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
  • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
  • Then in the FILE NAME box type fix.bat.
  • Save fix.bat to your Desktop.

Run fix.bat by double clicking. You may see a black box appear; this is normal.
  • Click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
When done, run remover.exe again and post its output.

Do NOT reboot computer!
 
Remover.exe? Sorry Bobbye you've never sent me the link for that particular program.

I ran fix.bat and a black box flashed on the screen (as in was visible for less then one second) and then I was left with a cmd.exe window.

And just to confirm, after the cleaning is done, I go fiddling with the services.

Here's the output:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Michael\Desktop>remover.exe
'remover.exe' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Michael\Desktop>
 
I am so sorry! And my internet was down for a day and a half (#*$&#!@)! The program I had you run is fairly new, but my instruction was for another program. Please run the following, which is the source for the remover.exe file- and again my apology for the confusion:

Bootkit Remover:

Download bootkitremover.rar and save to your desktop.
  1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program.)
  2. Double-click on the remover.exe file to run the program.
    NOTE: The tool should be run from a command line with Administrator privileges.
  3. Scanning should be completed quickly
  4. Paste the output in your next reply.
remover.jpg

=====================================
 
Thanks very much for your help Bobbye. I know all too well the problems that surround trying to maintain regular access to the internet.

Please see the output below of the program. As the directions originally said not to reboot the computer, I'm currently sleeping the computer when I need to turn it off.

------

C:\Users\Michael\Downloads\bootkit_remover>remover
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...

C:\Users\Michael\Downloads\bootkit_remover>

-----------------

Ok. I'm now annoyed at whoever put the rootkit on my computer.

Question: Should I use the dump facility to check what rootkit it is? How contagious could it be? (I swear, I studied this (computer security) but my brain's drawing a blank at the moment)
Question: What impact would it have on the operation of the computer?
Question: Should I run Remover on the other computers on the network here?
 
Okay, now you need to run this: (it's not often I send out a 'fix' before I know the problem!)
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:

Code:
@ECHO OFF
REM Runs Bootkit Remover's fix on the first physical disk.
REM remover.exe must be in the same folder as this file, and the file must be run as Administrator.
START remover.exe fix \\.\PhysicalDrive0
EXIT
  • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
  • Then in the FILE NAME box type fix.bat.
  • Save fix.bat to your Desktop.
  • Double click fix.bat to run.
    You may see a black box appear; this is normal.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

When done, run remover.exe again and post its output.

Do NOT reboot computer!
==============================================
I had you do the bootkit check because of this section of Combofix:
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
and it repeated 11 times- exactly the same result. I think that was most likely a glitch in Combofix- not the finding itself, but the same repetition.
=================================================
It may have contributed to the slowness of the computer. But you should also check with the ISP to see if they have made any changes that would account for the slowness. (Just keep in mind that no ISP likes to admit anything is wrong with what they are doing!)

Question: Should I use the dump facility to check what rootkit it is? How contagious could it be? (I swear, I studied this (computer security) but my brain's drawing a blank at the moment)
Let it go for now.
Question: Should I run Remover on the other computers on the network here?
I suggest you run catchme first on each of the other systems: catchme is the rootkit/stealth malware scanner that scans for:
  • hidden processes
  • hidden registry keys
  • hidden services
  • hidden files
catchme can also delete, destroy and collect malicious files.

Download catchme.exe ( 137KB ) and save to your desktop.
  • Double click the catchme.exe to run it
  • Click the "Scan" button to start scan
  • Open catchme.log to see results

Copy the log to Notepad, making sure that 'Word Wrap' is unchecked in Format.
You can paste those results, but make very sure that both you and I know which result belongs to which computer- if the results are different.

If you have used a flash drive between the 5 systems, let me know and I'll give you information to disinfect it also.
 
I did as you asked. Here is the error message bootkit remover produces.

---------
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

System volume is \\.\C:
main(): CreateFile() ERROR 5
ERROR: Can't open volume device \\.\C:

Done;
Press any key to quit...
-------------------

I tried switching the batch file to Administrator mode and pointing it to where the remover.exe was but the output remained the same. I didn't know if it was permissible to do the commands manually, so I decided to wait for further advice. [Edit: I just found a file: bootkit_remover_debug_log.txt on my desktop. Do you want me to post it?]

And here is the output of the program now. (Run in Administrator mode from command line):
----

C:\Users\Michael\Downloads\bootkit_remover>remover
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

C:\Users\Michael\Downloads\bootkit_remover>

--------------------

We do use flash drives between the five systems so a way to disinfect them would be appreciated. I'll have the clearly marked Catchme logs available as the computers wake up today.
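What Bootkit Remover is reporting for \\.\PhysicalDrive0 above (the partition offset after "->", the "Boot sector MD5", and whether the sector holds standard DOS/Win32 boot code) can be reproduced on a raw dump of the first sector. The block below is an added example written for this thread, not Bootkit Remover's or eSage Lab's code. It assumes the input is a raw 512-byte sector image (for instance a file written with the tool's dump command, assuming that dump is raw bytes) and treats the first 440 bytes as the boot code to hash, which is an assumption about what the tool's MD5 covers. The sample image is constructed inside the block; its partition starts at LBA 81920, which is the byte offset 0x02800000 printed in the logs above (81920 × 512).

```python
"""Check a 512-byte MBR image: boot signature, partition table and a boot-code hash.

Added example for this thread, not Bootkit Remover's code. Assumes the input is a
raw 512-byte sector image and that "boot code" means bytes 0..439 (an assumption
about what the tool's "Boot sector MD5" covers).
"""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap area hashed for the tamper check (assumption, see above)
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE_OFF = 510      # bytes 0x55 0xAA mark a valid MBR
SECTOR = 512


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        """Byte offset of the partition on disk, the figure remover.exe prints after '->'."""
        return self.lba_start * SECTOR


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty entries of the MBR partition table."""
    parts = []
    for i in range(4):
        status, type_id, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if type_id == 0:
            continue  # empty slot
        parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def boot_code_md5(mbr: bytes) -> str:
    """MD5 of the bootstrap area only; the partition table is excluded on purpose
    so legitimate repartitioning does not change the hash."""
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_md5: str = None) -> dict:
    """Classify an MBR image. With a baseline hash taken from the same machine while it
    was known clean this becomes a tamper check rather than a structural sanity check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (MBR_SIZE, len(mbr)))
    signature_ok = mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA"
    digest = boot_code_md5(mbr)
    if not signature_ok:
        status = "INVALID: missing 0x55AA boot signature"
    elif baseline_md5 is not None and digest != baseline_md5:
        status = "MODIFIED: boot code differs from baseline"
    else:
        status = "OK"
    return {"signature_ok": signature_ok, "md5": digest,
            "partitions": parse_partitions(mbr), "status": status}


def _build_sample_mbr() -> bytes:
    """Constructed sample, not read from any real disk: a dummy bootstrap area, one
    bootable type-0x07 partition starting at LBA 81920 (byte offset 0x02800000, the
    offset in the logs above) and the 0x55AA signature."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x00")
    disk_id = b"\x12\x34\x56\x78" + b"\x00\x00"   # 4-byte disk signature + 2 reserved bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 81920, 487000000)
    table = entry + b"\x00" * 48                   # three empty slots
    return boot_code + disk_id + table + b"\x55\xAA"


SAMPLE_MBR = _build_sample_mbr()
# Constructed "after tampering" image: an arbitrary two-byte change inside the bootstrap area.
TAMPERED_MBR = b"\xEB\x3C" + SAMPLE_MBR[2:]

if __name__ == "__main__":
    baseline = boot_code_md5(SAMPLE_MBR)
    for label, image in (("sample", SAMPLE_MBR), ("tampered", TAMPERED_MBR)):
        report = check_mbr(image, baseline_md5=baseline)
        print(label, report["status"], report["md5"])
        for p in report["partitions"]:
            print("  partition %d type 0x%02X at LBA %d (offset 0x%08X)%s"
                  % (p.index, p.type_id, p.lba_start, p.byte_offset, " bootable" if p.bootable else ""))
```

Without a baseline the check can only say whether the sector is structurally valid; the useful comparison is against a hash taken from the same machine when it was known clean (or right after a successful fix), which is what the "Boot sector MD5" line in the output above gives you to keep. To run it on a dump file, pass `open(path, "rb").read(512)` to `check_mbr`.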
 
I'll use this post for the results of the Catchme program. All times it is in Administrator mode.

Running the catchme program on MY computer, produces the following:

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 1895833125, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error


Running the catchme program on the INTERNET computer produces the following log:

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-28 09:04:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0011b107a393]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0011b107a393]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0011b107a393]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Running the catchme program on Sarah's computer, produces the following: (We downloaded a fresh copy)

detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error

Running the catchme program on David's computer, produces the following log: (Used a disinfected flash drive from my computer)

detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != -1736256597, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != -1736191833, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error

One computer to go which we think is the source of the infection (it has had a problem in the past with VirtueMonde)

[Edit for last computer]---

Here's the last log:

Running the catchme program on Ken's computer, produces the following: (We downloaded a fresh copy)

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-31 10:21:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
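The five catchme results above come in two shapes: a full log ending in hidden processes/services/files counts, and the short "detected NTDLL code modification ... Initialization error" output, after which catchme has not scanned anything, so that run says nothing about hidden objects either way. The block below is an added example, not part of catchme or of this thread, that parses both shapes so logs from several machines can be triaged side by side. The sample logs are constructed to match those two shapes rather than copied from any machine here; host names and the registry key in them are placeholders.

```python
"""Triage catchme logs from several machines at once.

Added example, not part of catchme or of this thread. It understands the two output
shapes seen above: a full log ending in "hidden processes/services/files: N" lines,
and the short "detected NTDLL code modification ... Initialization error" output,
after which no scan ran. The sample logs are constructed to match those shapes;
host names and the registry key in them are placeholders.
"""
import re
from dataclasses import dataclass


@dataclass
class CatchmeResult:
    host: str
    completed: bool        # "scan completed successfully" seen
    init_error: bool       # catchme bailed out before scanning
    ntdll_entries: list    # (function, reported value) pairs from the NTDLL line
    counts: dict           # hidden processes / services / files
    listed_keys: list      # registry paths printed during the hidden-services pass
    verdict: str


COUNT_RE = re.compile(r"^hidden (processes|services|files):\s*(\d+)\s*$", re.M)
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$", re.M)
NTDLL_RE = re.compile(r"(Zw\w+) 0 != (-?\d+)")


def parse_catchme(host: str, text: str) -> CatchmeResult:
    """Parse one catchme log (or its error output) into a result with a verdict."""
    completed = "scan completed successfully" in text
    init_error = "detected NTDLL code modification" in text or "Initialization error" in text
    ntdll_entries = [(name, int(value)) for name, value in NTDLL_RE.findall(text)]
    counts = {name: int(n) for name, n in COUNT_RE.findall(text)}
    listed_keys = KEY_RE.findall(text)
    if init_error:
        verdict = ("INCONCLUSIVE: catchme reported an Initialization error, so nothing was scanned; "
                   "rerun it (Safe Mode, Administrator) or use an offline scanner")
    elif not completed:
        verdict = "INCOMPLETE: no completion line, scan was interrupted"
    elif any(counts.values()):
        verdict = "REVIEW: hidden objects counted %s" % counts
    elif listed_keys:
        # Keys printed here are listed for review; they are not automatically malicious.
        verdict = "REVIEW: %d registry key(s) listed in the hidden-services pass" % len(listed_keys)
    else:
        verdict = "CLEAN: nothing hidden reported"
    return CatchmeResult(host, completed, init_error, ntdll_entries, counts, listed_keys, verdict)


def triage(logs: dict) -> dict:
    """host -> verdict, for comparing several machines' logs at a glance."""
    return {host: parse_catchme(host, text).verdict for host, text in logs.items()}


# Constructed sample logs in the two shapes seen in the thread (placeholders, not real machines).
SAMPLE_LOGS = {
    "host-a": (
        "catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net\n"
        "Rootkit scan 2011-04-01 10:00:00\n"
        "Windows 5.1.2600 Service Pack 3 NTFS\n"
        "\nscanning hidden processes ...\n"
        "\nscanning hidden services & system hive ...\n"
        "\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EXAMPLE\\Parameters\\Keys\\000000000000]\n"
        "\nscanning hidden registry entries ...\n"
        "\nscanning hidden files ...\n"
        "\nscan completed successfully\n"
        "hidden processes: 0\nhidden services: 0\nhidden files: 0\n"
    ),
    "host-b": (
        "detected NTDLL code modification:\n"
        "ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwClose 0 != -12345Initialization error\n"
    ),
    "host-c": (
        "scan completed successfully\n"
        "hidden processes: 1\nhidden services: 0\nhidden files: 2\n"
    ),
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOGS).items():
        print("%-8s %s" % (host, verdict))
```

The point of keeping the NTDLL entries and the listed keys on the result, rather than only a verdict, is that when results differ between machines (as they do above) you can see which machine produced which finding without re-reading five logs.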
 
Okay, for the flash drive: These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

Please disinfect all movable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
And thank you- you did fine with fix.bat!
 
We were posting at the same time!

1. For MY Computer:
Bootkit Remover:

Download bootkitremover.rar and save to your desktop.
  1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program.)
  2. Double-click on the remover.exe file to run the program.
    NOTE: The tool should be run from a command line with Administrator privileges.
  3. Scanning should be completed quickly
  4. Paste the output in your next reply.
=====================================
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:

Code:
@ECHO OFF
REM Runs Bootkit Remover's fix on the first physical disk.
REM remover.exe must be in the same folder as this file, and the file must be run as Administrator.
START remover.exe fix \\.\PhysicalDrive0
EXIT
  • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
  • Then in the FILE NAME box type fix.bat.
  • Save fix.bat to your Desktop.
  • Double click fix.bat to run.
    You may see a black box appear; this is normal.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

When done, run remover.exe again and post its output.

Do NOT reboot computer!
====================================
2. For INTERNET Computer
NO action needed.
 
For MY computer:

Downloaded the new version of bootkit remover and tried to run it from the command line with Admin privileges, like you said. No dice. Same error message: ERROR: Can't open volume device \\.\C:

So I opened up explorer and right clicked it and selected "run as administrator" and got this output:

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...


----
Next step was to twist Windows 7 to run the batch commands... so I made a shortcut to point to the remover.exe and made sure everything was in Administrator mode, and that the correct flags (fix \\.\PhysicalDrive0) were passed along.

As you said not to reboot, when the box came up asking about it, I selected NO.

Here is the output:

----
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000
Restoring boot code at \\.\PhysicalDrive0...
ERROR: No standard boot code found for your OS.
You can restore boot code only for Windows XP, Server 2003, Vista, Server 2008 a
nd Windows 7

Done;
Press any key to quit...
----

And just to check... running the program again without flags in Admin mode produces:

---
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
----
I hope to have the rest of the computers on the network shortly.
 
For Windows 7 Computer:

About the bootkit program:
Requires Administrator privileges to run.

  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:

Code:
@ECHO OFF
REM Runs Bootkit Remover's fix on the first physical disk.
REM remover.exe must be in the same folder as this file, and the file must be run as Administrator.
START remover.exe fix \\.\PhysicalDrive0
EXIT
  • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
  • Then in the FILE NAME box type fix.bat.
  • Save fix.bat to your Desktop.
  • Double click fix.bat to run.
    You may see a black box appear; this is normal.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

When done, run remover.exe again and post its output.

Do NOT reboot computer!

So we have done:
1. MY Computer
2. Internet Computer
3. Windows 7 Computer
4. Clean Computer> this was the first we ran> is this list correct?
 
Sorry for the delay in getting back to you Bob, got called into work and then tied up by it.

And sorry for any confusion regarding our network, I should have been clearer.

The computers we have done are as follows:

1. My computer: was presumed clean, running Windows 7 Pro, 32 Bit, Service Pack 1 (tests now show rootkit and excess services running)
2. INTERNET computer: Windows XP
3. Sarah's Computer: Windows XP Pro x64
4. David's Computer: Windows 7 Ultimate x64
5. Ken's Computer: Windows XP Home

The reason my computer was presumed clean was I don't share flash drives on my computer and I'm fairly paranoid about the sites I visit.

Here's the results of the bootkit remover. I did what you asked. Downloaded a fresh copy. Unpacked it to desktop. Altered the Properties to run in Administrator mode. And then added the lines in Fix.bat to point to the desktop. It said that it would require a reboot but since you said not to, I hit no. Should I have clicked Yes? Or maybe run it without Online Armor running?

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
Okay, let's fix this:

  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:

Code:
@ECHO OFF
REM Runs Bootkit Remover's fix on the first physical disk.
REM remover.exe must be in the same folder as this file, and the file must be run as Administrator.
START remover.exe fix \\.\PhysicalDrive0
EXIT
  • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
  • Then in the FILE NAME box type fix.bat.
  • Save fix.bat to your Desktop.
  • Double click fix.bat to run.
    You may see a black box appear; this is normal.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

When done, run remover.exe again and post its output.

Do NOT reboot computer!

There is no problem at all with your delay. For various reasons, I am behind and trying to catch up.
 
Here you go. Since my previous post of 3 days ago , my computer rebooted. Hope this isn't an issue.

I've also double checked with the others here and while they have noticed a slow-down over the recent months, nothing to the degree that I'm experiencing. I am having difficulty loading pages now and barely hit 1-5 Kb/s.

----
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000
Restoring boot code at \\.\PhysicalDrive0...
ERROR: No standard boot code found for your OS.
You can restore boot code only for Windows XP, Server 2003, Vista, Server 2008 a
nd Windows 7

Done;
Press any key to quit...


Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:

Code:
@ECHO OFF
REM Runs Bootkit Remover's fix on the first physical disk.
REM remover.exe must be in the same folder as this file, and the file must be run as Administrator.
START remover.exe fix \\.\PhysicalDrive0
EXIT
  • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
  • Then in the FILE NAME box type fix.bat.
  • Save fix.bat to your Desktop.
  • Double click fix.bat to run.
    You may see a black box appear; this is normal.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

When done, run remover.exe again and post its output.

Do NOT reboot computer!

This must be Dave's Computer since it has Win 7.
=============================================
Are you using a flash drive between the computers? IF yes, that may be how it spread and should also be disinfected.
Flash Disinfector for the Windows XP System:
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

Please disinfect all movable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
The above won't run on Win 7, so use this:
  • Please download Panda USB Vaccine (you must provide a valid e-mail address and they will send the download link to it) to your desktop.
  • Install and run it.
  • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.
 
I went to do David's computer and he told me he had made his computer a dual boot computer. I just love my brother at times. Windows 7 is now on the second hard disk. Linux is his other OS.

I managed to run Remover once before he realized it was going for the boot sector and before I knew what he had done to his computer. It came up with an error about unable to access the sector. I couldn't capture the output before he made a fuss and banished me from his computer.


I've installed Panda USB Vaccine on my computer and tried to vaccinate all my flash drives. All cleared except one, which it couldn't vaccinate due to "Error reading Volume", yet Windows has no trouble reading the drive.
 
All cleared except one, which it couldn't vaccinate due to "Error reading Volume", yet Windows has no trouble reading the drive.

Maybe you could run the Error Check on this? Check both the scan and fix boxes, reboot and let it run. It will reboot when through.
 
I ran error check on the USB stick in question. And it passed no problems. I rebooted and checked both the scan and fix boxes and again it passed with no problems.

The only thing that gets me is that according to the scan there are 9 hidden files on the USB device and Windows can only see 7.

So the easiest solution is to not use that USB stick any more, since Panda USB Vaccine still can't vaccinate it.

My computer still is having great difficulty accessing the internet in general. Should I try running Remover from safe mode? Does Remover work with Service Pack 1?
 
The first system you ran had 11 fixed drives. There are 11 of these messages: detected NTDLL code modification: I should have put that together sooner- sorry, brain drain.

I told you in the beginning that what you describe is mainly a problem from the ISP. But I would definitely suggest that you not use the flash drive among all of the systems.

Are we actually dealing with 5 separate computers here? Or does each user have one of the fixed drives?
 
There are five separate computers here on our network. Each user uses their own computer. My computer is the one I have easy access to.

To make my computer more manageable I split the two physical hard disks into 11 partitions: C - M. Each has a different purpose. (C is root, D is Data, G is Games, I is Internet saves, M is Windows Backup).

A quick update. As I'm still at a virtual standstill when it comes to connecting to the internet via Firefox, I've been paying heightened attention to my firewall, CPU usage, connections to my computer, and other vital stats.

At one point I was at upwards of 150 connections and spiked momentarily to over 350 attempted connections. So I know something is going on... This could be part of normal activity or something out of the ordinary. At the time I was trying without success to load the Google search page and this page.

I was looking at the Resource Monitor yesterday and I noticed that my computer was trying to connect to www.007guard.com even after we had turned the network and the modem off. (At night, when we go to bed we turn the modem and other network hardware off at the wall to save power)

Curious, I had a look at my hosts file, as I didn't instantly recognise the address but it rang a bell. Here are the first few lines of the hosts file.

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
Does this help at all?

Additionally I had a look at the allowed websites on my firewall. There are lots of sites I don't recall ever visiting. Should I clear that list or is that a later step? Would you like a copy to see if there are any obvious malware sites that have slipped through? I couldn't see any.

Also, I've been reliably informed that there are new versions of Firefox, Online Armor (my firewall), and Internet Explorer out. Should I hold off installing them for now?

Edit to add:
I had a look at C: and there are 3 directories that appear to be random strings.

One of them, "C:\32788R22FWJFW\EN-US", contains a file called "cmd.cfxxe.mui".
Another directory is called "C:\3e8b52db515ea600e5cab11fd31dcf" and contains 320 files. They look like various drivers and .dll files. There are several exe files: migautoplay.exe, mighost.exe, spuninst.exe, spupdsvc.exe and tcinst.exe. The remaining files have the .man extension or the .dll extension. What surprised me is that when I noticed this directory and went to check it out, I was told I didn't have permission to access it. However, I was using the Administrator account at the time (it's the only account on the system - bad security, I know).
The final directory, "C:\db63cd887ce5b0607c1ad4d3", is the same as the 320-file directory above except it is locked - it has a little padlock beside it.
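As an added illustration of what the hosts-file lines quoted above mean (example code, not from anyone in this thread): a `127.0.0.1 www.007guard.com` entry inside the Spybot block is a blocklist entry, so any lookup of that name gets the loopback address and the "connection" seen in Resource Monitor never leaves the machine. The sample hosts content is constructed to mirror the excerpt; the `# End of entries inserted by Spybot` marker and the `updates.example` redirect line are assumptions added to show the other case.

```python
SINKHOLE_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}
SPYBOT_START = "# Start of entries inserted by Spybot"
SPYBOT_END = "# End of entries inserted by Spybot"   # assumed closing marker

# Constructed sample mirroring the thread's excerpt, plus one non-loopback
# redirect (TEST-NET address) that is NOT a Spybot entry, for contrast.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1\twww.007guard.com
127.0.0.1\t007guard.com
127.0.0.1\t008i.com
# End of entries inserted by Spybot - Search & Destroy
203.0.113.5\tupdates.example   # constructed: not a Spybot entry
"""

def parse_hosts(text):
    """Return {hostname: (address, inside_spybot_block)}; the first entry
    for a name wins, matching how the resolver reads the file top down."""
    entries, in_spybot = {}, False
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith(SPYBOT_START):
            in_spybot = True
            continue
        if stripped.startswith(SPYBOT_END):
            in_spybot = False
            continue
        fields = stripped.split("#", 1)[0].split()   # drop inline comments
        if len(fields) < 2:
            continue                                  # blank or comment line
        addr, *names = fields
        for name in names:
            entries.setdefault(name.lower(), (addr, in_spybot))
    return entries

def classify(entries):
    """Names sinkholed to loopback versus names redirected somewhere real."""
    sinkholed = sorted(n for n, (a, _) in entries.items() if a in SINKHOLE_ADDRS)
    redirected = sorted(n for n, (a, _) in entries.items() if a not in SINKHOLE_ADDRS)
    return sinkholed, redirected

def explain(name, entries):
    """One-line verdict on what a lookup of `name` does on this machine."""
    hit = entries.get(name.lower())
    if hit is None:
        return f"{name}: not in hosts file, normal DNS lookup"
    addr, spybot = hit
    origin = "Spybot blocklist" if spybot else "entry of unknown origin"
    if addr in SINKHOLE_ADDRS:
        return f"{name}: resolves to {addr} ({origin}); connection stays on this machine"
    return f"{name}: redirected to {addr} ({origin}); check who added this"
```

Running `explain("www.007guard.com", parse_hosts(SAMPLE_HOSTS))` reports the name as sinkholed by the Spybot blocklist; a name that lands in the redirected list with an address you did not add is the one worth investigating.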
 