TechSpot

Progressively slower internet on Clean(?) computer

By MicroShader
Mar 21, 2011
  1. I was wondering if someone here could help, or point me in the right direction/forum.

    Here's the situation: Over the last few months we (family and myself) have been noticing that the internet has progressively been getting slower and slower. (No, we haven't run afoul of any caps or anything like that. The connection speed hasn't been fast enough to allow us to get that much data!) Being somewhat techno-savvy I've run S&D Spybot Scanner and Malwarebytes on our various computers and they have all come up clean, but I'm not 100% sure. I know that they miss one or two things beyond my expertise level, hence the post here.

    The net connection comes into an ADSL modem, hits a switch/router and then is split between 5 computers. We used to get about 50kB/s, now we're struggling to get 5-10 kB/s, regardless of which computers are on or the time of day.

    Before we go complain to the ISP, I'd like to eliminate the computers as a possible source. I've made sure that all computers have antivirus software (avast!) and firewalls of various flavors.

    My computer is running Windows 7 Pro, and Online Armor. I've noticed that my computer does occasionally shoot off weird requests that appear on the firewall, but I've been putting that down to Windows 7 Update. I haven't knowingly installed any Browser Helpers or anything like that... none that I can recall at the moment.

    Please find the various logs from the 8-step process for my computer. Do I need to run HiJackThis?

    ---- Malwarebytes Anti-Malware log----

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6113

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 8.0.7601.17514

    21/03/2011 2:17:48 PM
    mbam-log-2011-03-21 (14-17-48).txt

    Scan type: Quick scan
    Objects scanned: 151269
    Time elapsed: 4 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ----GMER log ----

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit quick scan 2011-03-21 14:21:47
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3250318AS rev.CC44
    Running: 3x1s5kki.exe; Driver: C:\Users\Michael\AppData\Local\Temp\ugloypob.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x90AE582E]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 851821F8
    Device \Driver\atapi \Device\Ide\IdePort0 851821F8
    Device \Driver\atapi \Device\Ide\IdePort1 851821F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 851821F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-2 851821F8
    Device \Driver\a17te2sg \Device\Scsi\a17te2sg1Port2Path0Target0Lun0 864DD320
    Device \Driver\a17te2sg \Device\Scsi\a17te2sg1 864DD320
    Device \FileSystem\Ntfs \Ntfs 851841F8
    Device \FileSystem\fastfat \Fat 873CE1F8

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \Driver\tdx \Device\Ip OAmon.sys
    Device \Driver\tdx \Device\Tcp OAmon.sys
    Device \Driver\tdx \Device\Udp OAmon.sys
    Device \Driver\tdx \Device\RawIp OAmon.sys

    ---- EOF - GMER 1.0.15 ----


    ---- DDS log: DDS.txt----

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Michael at 14:23:16.46 on Mon 21/03/2011
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows 7 Professional 6.1.7601.1.1252.61.1033.18.3070.2005 [GMT 10:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
    SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: Online Armor Firewall *Enabled* {5841EF60-F43F-AE8D-642F-D79F12883626}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\atieclxx.exe
    D:\Program Files\Online Armor\OAcat.exe
    D:\Program Files\Online Armor\oasrv.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    D:\Program Files\Ashampoo Magical Defrag 3\defragtaskbar.exe
    D:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    D:\Program Files\Online Armor\oaui.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    D:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\Windows\System32\StikyNot.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    D:\Program Files\Online Armor\OAhlp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    D:\Program Files\Ashampoo Core Tuner\ACTHelperService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    D:\Program Files\Ashampoo Magical Defrag 3\defragservice.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    D:\Program Files\Ashampoo Magical Defrag 3\defragmonitorservice.exe
    D:\Program Files\Ashampoo Magical Defrag 3\defragActivityMonitor.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\system32\taskeng.exe
    C:\Users\Michael\Downloads\dds.scr
    C:\Windows\system32\conhost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\jr6\bin\jp2ssv.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: Yahoo!7 Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: @c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
    uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
    uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [PlayNC Launcher]
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [DefragTaskBar] "d:\program files\ashampoo magical defrag 3\defragtaskbar.exe"
    mRun: [Ashampoo Core Tuner] d:\program files\ashampoo core tuner\autostarter.exe
    mRun: [WordWeb] "d:\program files\wordweb\wweb32.exe" -startup
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [@OnlineArmor GUI] "d:\program files\online armor\OAui.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Download with GetRight - d:\program files\getright\GRdownload.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
    IE: Open with GetRight Browser - d:\program files\getright\GRbrowse.htm
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    TCP: {EB9D824D-F1DB-491F-A89D-B32705065FB3} = 192.168.0.1
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    Notify: igfxcui - igfxdev.dll
    SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - d:\progra~1\online~1\oaevent.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\michael\appdata\roaming\mozilla\firefox\profiles\2tnep8uy.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
    FF - plugin: d:\program files\jr6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: d:\program files\jr6\bin\new_plugin\npjp2.dll
    FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: Amazon Toolbar: amznUWL@amazon.com - %profile%\extensions\amznUWL@amazon.com
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-14 294608]
    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-11-4 202064]
    R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2010-9-2 38856]
    R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-11-4 25000]
    R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2010/01/13 23:32:39];c:\program files\cyberlink\powerdvd dx\000.fcl [2010-1-13 87536]
    R2 acthelper;Ashampoo CoreTuner Helper Service;d:\program files\ashampoo core tuner\ACTHelperService.exe [2010-1-18 902488]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-4-7 176128]
    R2 Ashampoo Defrag Service;Ashampoo Defrag Service;d:\program files\ashampoo magical defrag 3\defragservice.exe [2010-1-18 890208]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-14 17744]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-1-14 51280]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-20 40384]
    R2 OAcat;Online Armor Helper Service;d:\program files\online armor\oacat.exe [2010-11-4 380784]
    R2 SBSDWSCService;SBSD Security Center Service;d:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-18 1153368]
    R2 SvcOnlineArmor;Online Armor;d:\program files\online armor\oasrv.exe [2010-11-4 3653208]
    R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-1-26 7566848]
    R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-1-26 238592]
    R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-7-14 229888]
    R3 OAnet;OnlineArmor Service;c:\windows\system32\drivers\OAnet.sys [2010-11-4 29120]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
    S3 DfSdkS;Defragmentation-Service;d:\program files\ashampoo winoptimizer 6\DfSdkS.exe [2010-1-18 406016]
    S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-21 39272]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-1 52224]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-27 1343400]
    .
    =============== Created Last 30 ================
    .
    2011-03-09 23:39:06 805376 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-09 23:39:06 739840 ----a-w- c:\windows\system32\d2d1.dll
    2011-03-09 23:39:06 1076736 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-09 23:39:02 850944 ----a-w- c:\windows\system32\sbe.dll
    2011-03-09 23:39:02 642048 ----a-w- c:\windows\system32\CPFilters.dll
    2011-03-09 23:39:02 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-09 23:39:02 199680 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-03 23:31:43 -------- d-----w- c:\users\michael\appdata\local\assembly
    2011-03-01 00:05:45 -------- d-----w- c:\windows\system32\SPReview
    2011-03-01 00:04:55 -------- d-----w- c:\windows\system32\EventProviders
    2011-03-01 00:01:04 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2011-02-28 23:59:59 933376 ----a-w- c:\windows\system32\Vault.dll
    2011-02-28 23:58:53 780288 ----a-w- c:\windows\system32\wbem\wbemcore.dll
    2011-02-28 23:58:53 363008 ----a-w- c:\windows\system32\wbemcomn.dll
    2011-02-28 23:58:52 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll
    2011-02-28 23:58:52 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2011-02-28 23:58:35 697344 ----a-w- c:\windows\system32\SmiEngine.dll
    2011-02-28 23:58:26 209920 ----a-w- c:\windows\system32\PkgMgr.exe
    2011-02-28 23:58:26 189952 ----a-w- c:\windows\system32\wdscore.dll
    2011-02-28 23:57:58 323072 ----a-w- c:\windows\system32\drvstore.dll
    2011-02-28 23:57:58 257024 ----a-w- c:\windows\system32\dpx.dll
    2011-02-28 23:16:58 870912 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-02-28 23:16:58 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-28 23:16:32 219136 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-02-28 23:16:32 161792 ----a-w- c:\windows\system32\d3d10_1.dll
    .
    ==================== Find3M ====================
    .
    2011-03-01 00:32:36 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-02-02 11:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-26 13:00:46 143360 ----a-w- c:\windows\system32\atiapfxx.exe
    2011-01-26 13:00:32 596480 ----a-w- c:\windows\system32\aticfx32.dll
    2011-01-26 12:59:48 17204736 ----a-w- c:\windows\system32\atioglxx.dll
    2011-01-26 12:56:30 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2011-01-26 12:55:56 393216 ----a-w- c:\windows\system32\atieclxx.exe
    2011-01-26 12:55:26 176128 ----a-w- c:\windows\system32\atiesrxx.exe
    2011-01-26 12:54:12 159744 ----a-w- c:\windows\system32\atitmmxx.dll
    2011-01-26 12:53:56 356352 ----a-w- c:\windows\system32\atipdlxx.dll
    2011-01-26 12:53:44 278528 ----a-w- c:\windows\system32\Oemdspif.dll
    2011-01-26 12:53:36 15872 ----a-w- c:\windows\system32\atimuixx.dll
    2011-01-26 12:53:28 43520 ----a-w- c:\windows\system32\ati2edxx.dll
    2011-01-26 12:49:46 4105728 ----a-w- c:\windows\system32\atidxx32.dll
    2011-01-26 12:32:14 1912832 ----a-w- c:\windows\system32\atiumdmv.dll
    2011-01-26 12:28:54 4170752 ----a-w- c:\windows\system32\atiumdag.dll
    2011-01-26 12:27:52 46080 ----a-w- c:\windows\system32\aticalrt.dll
    2011-01-26 12:27:42 44032 ----a-w- c:\windows\system32\aticalcl.dll
    2011-01-26 12:25:52 5580800 ----a-w- c:\windows\system32\aticaldd.dll
    2011-01-26 12:24:20 3463680 ----a-w- c:\windows\system32\atiumdva.dll
    2011-01-26 12:20:46 52736 ----a-w- c:\windows\system32\coinst.dll
    2011-01-26 12:14:08 249856 ----a-w- c:\windows\system32\atiadlxx.dll
    2011-01-26 12:13:54 12800 ----a-w- c:\windows\system32\atiglpxx.dll
    2011-01-26 12:13:44 32768 ----a-w- c:\windows\system32\atigktxx.dll
    2011-01-26 12:12:42 30720 ----a-w- c:\windows\system32\atiuxpag.dll
    2011-01-26 12:12:26 28672 ----a-w- c:\windows\system32\atiu9pag.dll
    2011-01-26 12:12:00 23040 ----a-w- c:\windows\system32\atitmpxx.dll
    2011-01-26 12:08:42 52736 ----a-w- c:\windows\system32\atimpc32.dll
    2011-01-26 12:08:42 52736 ----a-w- c:\windows\system32\amdpcom32.dll
    2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-07 07:45:57 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-07 06:01:22 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-01-07 05:43:36 294400 ----a-w- c:\windows\system32\atmfd.dll
    2011-01-05 05:55:55 428032 ----a-w- c:\windows\system32\vbscript.dll
    2011-01-05 03:51:01 2330624 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 14:26:19.87 ===============

    ---- DDS log: Attach.txt ----

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 14/01/2010 1:16:07 AM
    System Uptime: 21/03/2011 2:02:32 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0T656F
    Processor: Intel(R) Core(TM)2 Duo CPU E7400 @ 2.80GHz | CPU | 2793/1066mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 125 GiB total, 78.456 GiB free.
    D: is FIXED (NTFS) - 50 GiB total, 39.067 GiB free.
    E: is FIXED (NTFS) - 58 GiB total, 33.263 GiB free.
    F: is FIXED (NTFS) - 50 GiB total, 29.761 GiB free.
    G: is FIXED (NTFS) - 50 GiB total, 4.222 GiB free.
    H: is FIXED (NTFS) - 50 GiB total, 24.88 GiB free.
    I: is FIXED (NTFS) - 50 GiB total, 22.662 GiB free.
    J: is FIXED (NTFS) - 50 GiB total, 24.348 GiB free.
    K: is FIXED (NTFS) - 50 GiB total, 25.22 GiB free.
    L: is FIXED (NTFS) - 50 GiB total, 16.657 GiB free.
    M: is FIXED (NTFS) - 75 GiB total, 0.166 GiB free.
    N: is CDROM (CDFS)
    O: is Removable
    P: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP325: 6/03/2011 9:59:23 PM - Windows Backup
    RP326: 7/03/2011 2:16:57 PM - Installed Java(TM) 6 Update 24
    RP327: 10/03/2011 9:39:59 AM - Windows Update
    RP328: 13/03/2011 7:40:31 PM - Windows Backup
    RP329: 20/03/2011 7:00:22 PM - Windows Backup
    RP331: 20/03/2011 7:24:49 PM - Windows Backup
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.2
    Adobe Shockwave Player 11.5
    AMD Drag and Drop Transcoding
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ashampoo Burning Studio 9.21
    Ashampoo Core Tuner 1.20
    Ashampoo Magical Defrag 3
    Ashampoo WinOptimizer 6.50
    ATI Catalyst Install Manager
    µTorrent
    avast! Free Antivirus
    Bing Bar
    Bing Bar Platform
    Bonjour
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center HydraVision Full
    Catalyst Control Center InstallProxy
    ccc-core-static
    ccc-utility
    CCC Help English
    ConvertHelper 2.2
    Crazy Machines
    Crazy Machines 1.5 Inventors Training Camp
    Crazy Machines 1.5 New from the Lab
    Crazy Machines 2
    D3DX10
    e-tax 2010
    Evil Genius
    GetRight
    GIMP 2.6.8
    Hospital Tycoon
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) TV Wizard
    iTunes
    Jade Empire: Special Edition
    Java Auto Updater
    Java(TM) 6 Update 24
    Junk Mail filter update
    Just Great Software EditPad Lite 6.6.0
    K-Lite Mega Codec Pack 3.8.0
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Basic 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Live Add-in 1.5
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mids' Hero/Villain Designer
    MozBackup 1.4.10
    Mozilla Firefox (3.6.13)
    Mozilla Thunderbird (3.1.9)
    MSVCRT
    NCsoft Launcher
    NVIDIA PhysX v8.09.04
    Online Armor 4.0
    OpenAL
    Portal
    PowerDVD DX
    QuickTime
    Safecracker: The Ultimate Puzzle Adventure
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Spybot - Search & Destroy
    Steam
    The Lord of the Rings FREE Trial
    Twin Sector
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2508979)
    V*****Maps Map Overlay
    Warhammer 40,000: Dawn Of War - Gold Edition
    Watchtower Library 2010 - English
    WavePad Sound Editor
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live Messenger
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    WinRAR archiver
    WordWeb
    Yahoo! Software Update
    Yahoo!7 Messenger
    Yahoo!7 Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    21/03/2011 2:02:09 PM, Error: Service Control Manager [7023] - The Windows Update service terminated with the following error: %%-2147467243
    21/03/2011 1:54:28 PM, Error: Service Control Manager [7034] - The AMD External Events Utility service terminated unexpectedly. It has done this 1 time(s).
    20/03/2011 7:31:42 PM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: 490@01010004
    20/03/2011 7:25:50 PM, Error: volsnap [35] - The shadow copies of volume M: were aborted because the shadow copy storage failed to grow.
    20/03/2011 7:24:42 PM, Error: volsnap [9] - The flush and hold writes operation on volume C: timed out while waiting for file system cleanup.
    20/03/2011 7:18:36 PM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: D@01010004
    18/03/2011 9:56:07 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    15/03/2011 9:40:56 AM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.0.151. The computer with the IP address 192.168.0.147 did not allow the name to be claimed by this computer.
    14/03/2011 9:58:52 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
    .
    ==== End Of File ===========================
     
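As an added illustration (not the poster's log, and not code from DDS, GMER or any tool named in this thread), here is a small Python triage parser for the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" line layouts shown above. It runs on a constructed excerpt modelled on the post; the 203.0.113.9 Hosts line is invented to exercise the redirect check, which goes beyond what the poster's log actually contains (his only Hosts entry is a loopback block).

```python
import re

# Constructed excerpt in the layout of a DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" section, modelled on the post above. The 203.0.113.9
# Hosts line is invented to show the redirect check; it is not from the log.
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
TB: Yahoo!7 Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [PlayNC Launcher]
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 203.0.113.9 update.example.invalid
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-11-4 25000]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-20 40384]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-21 39272]
"""

# One pattern per DDS line kind. BHO/TB lines: "Kind: Name: {CLSID} - path",
# where Name is absent for orphaned toolbars ("TB: {CLSID} - No File").
RE_ADDON = re.compile(r"^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# uRun = per-user (HKCU) Run key, mRun = machine-wide (HKLM) Run key.
RE_RUN = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RE_HOSTS = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
# R = running, S = stopped; then "svc;display;path [yyyy-m-d size]".
RE_SVC = re.compile(r"^(?P<state>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.*?)(?: \[(?P<date>[\d-]+) (?P<size>\d+)\])?$")
RE_INET = re.compile(r"^uInternet Settings,(?P<key>\w+) = (?P<value>.*)$")

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_dds(text):
    """Split DDS report lines into structured records keyed by line kind."""
    out = {"addons": [], "runs": [], "hosts": [], "services": [], "inet": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := RE_ADDON.match(line)):
            out["addons"].append(m.groupdict())
        elif (m := RE_RUN.match(line)):
            out["runs"].append(m.groupdict())
        elif (m := RE_HOSTS.match(line)):
            out["hosts"].append(m.groupdict())
        elif (m := RE_SVC.match(line)):
            d = m.groupdict()
            d["size"] = int(d["size"]) if d["size"] else None
            out["services"].append(d)
        elif (m := RE_INET.match(line)):
            out["inet"].append(m.groupdict())
    return out


def triage(parsed):
    """Return review notes in the order a log helper would walk the sections."""
    notes = []
    # Add-on registrations whose DLL is gone are leftovers, not active code.
    for a in parsed["addons"]:
        if a["path"].strip().lower() == "no file":
            notes.append(f"orphaned {a['kind']} {{{a['clsid']}}}: registration with no file on disk (cleanup candidate)")
    # A Run value with no command launches nothing; it is a stale entry.
    for r in parsed["runs"]:
        if not r["cmd"].strip():
            hive = "HKCU" if r["hive"] == "u" else "HKLM"
            notes.append(f"empty autorun [{r['name']}] in {hive} Run (stale entry)")
    # Loopback entries block a host; anything else silently redirects it.
    for h in parsed["hosts"]:
        if h["ip"] in LOOPBACK:
            notes.append(f"hosts blocks {h['host']} (loopback; usually a deliberate block list)")
        else:
            notes.append(f"hosts REDIRECTS {h['host']} to {h['ip']}: verify, redirects are a hijack indicator")
    # Running kernel drivers deserve a look because they sit below user-mode AV.
    for s in parsed["services"]:
        if s["state"].startswith("R") and s["path"].lower().endswith(".sys"):
            notes.append(f"running kernel driver {s['svc']} -> {s['path']}")
    for i in parsed["inet"]:
        notes.append(f"IE {i['key']} = {i['value']}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_dds(SAMPLE_DDS)):
        print(note)
```

The notes are reviewer prompts, not verdicts: an orphaned CLSID or a loopback Hosts line is routine, while a non-loopback Hosts redirect is the one item here worth checking before blaming the ISP.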
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome back! I'll be glad to check the logs for malware. But your description sounds more like you will need to make that call to the ISP.

    I don't see any signs of a rootkit at this point. While I finish reviewing these logs, please run the following:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard" (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl+V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ====================================
    Download Combofix from HERE or HERE and save to your desktop.
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  3. MicroShader

    MicroShader TS Rookie Topic Starter Posts: 22

    Thanks for the assistance.

    I followed your instructions to the letter, however there were a few points that you may need to know about as a result.

    The Eset Anti-virus noted that I wasn't using IE (I use Firefox as a rule) and when it ran it proceeded to scan nothing. I have not run IE8 on this machine and have no real desire to.

    It didn't copy anything to the clipboard so I went and found the logfile (log.txt) and included it below.

    As per your directions I then downloaded ComboFix and ran it. It did protest (as in a warning window appeared) about running on the incorrect version of Windows. (I'm running Windows 7 Professional SP 1 32 Bit.) However, said window disappeared when I agreed to a terms of usage window. The log it produced is included below.

    It produced a Restore Point, but made no mention about the Recovery Console.

    Hope this helps.

    ---- Eset NOD32 log.txt ----

    ESETSmartInstaller@High as downloader log:
    all ok
    esets_scanner_update returned -1 esets_gle=0
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=439f54bb52b7f14c8e8e5e4d6e28b505
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-22 02:37:42
    # local_time=2011-03-22 12:37:42 (+1000, E. Australia Standard Time)
    # country="Australia"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode=768 16777215 100 0 33317009 33317009 0 0
    # compatibility_mode=5893 16776574 100 94 986335 52392653 0 0
    # compatibility_mode=6401 16777213 66 100 445224 11088736 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=0
    # found=0
    # cleaned=0
    # scan_time=0

    ---- ComboFix.txt ----

    ComboFix 11-03-21.01 - Michael 22/03/2011 13:09:21.1.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.61.1033.18.3070.2322 [GMT 10:00]
    Running from: c:\users\Michael\Downloads\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
    FW: Online Armor Firewall *Disabled* {5841EF60-F43F-AE8D-642F-D79F12883626}
    SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-22 to 2011-03-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-22 03:15 . 2011-03-22 03:15 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-22 02:34 . 2011-03-22 02:34 -------- d-----w- c:\program files\ESET
    2011-03-09 23:39 . 2011-02-19 06:30 805376 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-09 23:39 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-09 23:39 . 2011-02-19 06:30 739840 ----a-w- c:\windows\system32\d2d1.dll
    2011-03-09 23:39 . 2010-12-23 05:54 850944 ----a-w- c:\windows\system32\sbe.dll
    2011-03-09 23:39 . 2010-12-23 05:54 642048 ----a-w- c:\windows\system32\CPFilters.dll
    2011-03-09 23:39 . 2010-12-23 05:54 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-09 23:39 . 2010-12-23 05:50 199680 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-07 04:18 . 2011-03-07 04:18 -------- d-----w- c:\program files\Common Files\Java
    2011-03-07 04:16 . 2011-03-07 04:16 -------- d-----w- c:\programdata\McAfee
    2011-03-03 23:31 . 2011-03-03 23:31 -------- d-----w- c:\users\Michael\AppData\Local\assembly
    2011-03-01 00:05 . 2011-03-01 00:05 -------- d-----w- c:\windows\system32\SPReview
    2011-03-01 00:04 . 2011-03-01 00:04 -------- d-----w- c:\windows\system32\EventProviders
    2011-03-01 00:01 . 2010-11-05 01:58 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2011-02-28 23:59 . 2010-11-20 12:29 132992 ----a-w- c:\windows\system32\drivers\ataport.sys
    2011-02-28 23:58 . 2010-11-20 12:21 780288 ----a-w- c:\windows\system32\wbem\wbemcore.dll
    2011-02-28 23:58 . 2010-11-20 12:21 363008 ----a-w- c:\windows\system32\wbemcomn.dll
    2011-02-28 23:58 . 2010-11-20 12:21 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2011-02-28 23:58 . 2010-11-20 12:19 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll
    2011-02-28 23:58 . 2010-11-20 12:21 697344 ----a-w- c:\windows\system32\SmiEngine.dll
    2011-02-28 23:58 . 2010-11-20 12:21 189952 ----a-w- c:\windows\system32\wdscore.dll
    2011-02-28 23:58 . 2010-11-20 12:17 209920 ----a-w- c:\windows\system32\PkgMgr.exe
    2011-02-28 23:57 . 2010-11-20 12:18 323072 ----a-w- c:\windows\system32\drvstore.dll
    2011-02-28 23:57 . 2010-11-20 12:18 257024 ----a-w- c:\windows\system32\dpx.dll
    2011-02-28 23:16 . 2011-01-07 07:46 870912 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-02-28 23:16 . 2011-01-07 07:46 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-28 23:16 . 2011-01-17 05:47 161792 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-02-28 23:16 . 2010-11-20 12:18 219136 ----a-w- c:\windows\system32\d3d10_1core.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-21 04:00 . 2010-06-24 01:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-03-01 00:32 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-02-03 05:54 . 2011-02-09 06:09 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
    2011-02-02 11:40 . 2010-04-20 22:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-26 13:36 . 2011-01-26 13:36 7566848 ----a-w- c:\windows\system32\drivers\atikmdag.sys
    2011-01-26 13:00 . 2011-01-26 13:00 143360 ----a-w- c:\windows\system32\atiapfxx.exe
    2011-01-26 13:00 . 2010-03-03 04:16 596480 ----a-w- c:\windows\system32\aticfx32.dll
    2011-01-26 12:59 . 2011-01-26 12:59 17204736 ----a-w- c:\windows\system32\atioglxx.dll
    2011-01-26 12:56 . 2010-04-07 02:13 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2011-01-26 12:55 . 2010-04-07 02:12 393216 ----a-w- c:\windows\system32\atieclxx.exe
    2011-01-26 12:55 . 2010-04-07 02:12 176128 ----a-w- c:\windows\system32\atiesrxx.exe
    2011-01-26 12:54 . 2011-01-26 12:54 159744 ----a-w- c:\windows\system32\atitmmxx.dll
    2011-01-26 12:53 . 2010-04-07 02:10 356352 ----a-w- c:\windows\system32\atipdlxx.dll
    2011-01-26 12:53 . 2011-01-26 12:53 278528 ----a-w- c:\windows\system32\Oemdspif.dll
    2011-01-26 12:53 . 2011-01-26 12:53 15872 ----a-w- c:\windows\system32\atimuixx.dll
    2011-01-26 12:53 . 2011-01-26 12:53 43520 ----a-w- c:\windows\system32\ati2edxx.dll
    2011-01-26 12:49 . 2010-03-03 04:06 4105728 ----a-w- c:\windows\system32\atidxx32.dll
    2011-01-26 12:32 . 2011-01-26 12:32 1912832 ----a-w- c:\windows\system32\atiumdmv.dll
    2011-01-26 12:28 . 2010-03-03 03:46 4170752 ----a-w- c:\windows\system32\atiumdag.dll
    2011-01-26 12:27 . 2011-01-26 12:27 46080 ----a-w- c:\windows\system32\aticalrt.dll
    2011-01-26 12:27 . 2011-01-26 12:27 44032 ----a-w- c:\windows\system32\aticalcl.dll
    2011-01-26 12:25 . 2011-01-26 12:25 5580800 ----a-w- c:\windows\system32\aticaldd.dll
    2011-01-26 12:24 . 2010-03-03 03:24 3463680 ----a-w- c:\windows\system32\atiumdva.dll
    2011-01-26 12:20 . 2010-03-03 03:23 52736 ----a-w- c:\windows\system32\coinst.dll
    2011-01-26 12:14 . 2010-04-07 01:23 249856 ----a-w- c:\windows\system32\atiadlxx.dll
    2011-01-26 12:13 . 2011-01-26 12:13 12800 ----a-w- c:\windows\system32\atiglpxx.dll
    2011-01-26 12:13 . 2011-01-26 12:13 32768 ----a-w- c:\windows\system32\atigktxx.dll
    2011-01-26 12:13 . 2011-01-26 12:13 238592 ----a-w- c:\windows\system32\drivers\atikmpag.sys
    2011-01-26 12:12 . 2010-03-03 03:06 30720 ----a-w- c:\windows\system32\atiuxpag.dll
    2011-01-26 12:12 . 2010-03-03 03:06 28672 ----a-w- c:\windows\system32\atiu9pag.dll
    2011-01-26 12:12 . 2011-01-26 12:12 23040 ----a-w- c:\windows\system32\atitmpxx.dll
    2011-01-26 12:11 . 2011-01-26 12:11 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
    2011-01-26 12:08 . 2011-01-26 12:08 52736 ----a-w- c:\windows\system32\atimpc32.dll
    2011-01-26 12:08 . 2011-01-26 12:08 52736 ----a-w- c:\windows\system32\amdpcom32.dll
    2011-01-13 09:41 . 2010-01-26 22:01 5890896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-01-13 08:47 . 2010-06-29 11:25 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-13 08:47 . 2010-01-13 14:30 188216 ----a-w- c:\windows\system32\aswBoot.exe
    2011-01-13 08:41 . 2010-01-13 14:31 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-01-13 08:40 . 2010-01-13 14:31 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-01-13 08:37 . 2010-01-13 14:31 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-01-13 08:37 . 2010-01-13 14:30 51280 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-01-13 08:37 . 2010-01-13 14:31 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-01-07 07:45 . 2011-02-09 06:10 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-07 06:01 . 2011-02-09 06:13 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-01-07 05:43 . 2011-02-09 06:10 294400 ----a-w- c:\windows\system32\atmfd.dll
    2011-01-05 05:55 . 2011-02-09 06:10 428032 ----a-w- c:\windows\system32\vbscript.dll
    2011-01-05 03:51 . 2011-02-09 06:10 2330624 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SharingPrivate]
    @="{08244EE6-92F0-47f2-9FC9-929BAA2E7235}"
    [HKEY_CLASSES_ROOT\CLSID\{08244EE6-92F0-47f2-9FC9-929BAA2E7235}]
    2010-11-20 12:20 442880 ----a-w- c:\windows\System32\ntshrui.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
    "RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
    "SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-24 140520]
    "DefragTaskBar"="d:\program files\Ashampoo Magical Defrag 3\defragtaskbar.exe" [2009-12-16 927072]
    "Ashampoo Core Tuner"="d:\program files\Ashampoo Core Tuner\autostarter.exe" [2009-09-25 428376]
    "WordWeb"="d:\program files\WordWeb\wweb32.exe" [2009-11-08 65216]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-06 102400]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "@OnlineArmor GUI"="d:\program files\Online Armor\OAui.exe" [2010-11-04 2345000]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "EnableShellExecuteHooks"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "d:\progra~1\ONLINE~1\oaevent.dll" [2010-11-04 353992]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EFS]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Power]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcEptMapper]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
    @="IEEE 1394 Bus host controllers"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
    @="SBP2 IEEE 1394 Devices"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
    @="SecurityDevices"
    .
    R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2010-10-30 38856]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 MMCSS;Multimedia Class Scheduler;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R2 sppsvc;Software Protection;c:\windows\system32\sppsvc.exe [2010-11-20 3179520]
    R2 SvcOnlineArmor;Online Armor;d:\program files\Online Armor\oasrv.exe [2010-11-04 3653208]
    R3 1394ohci;1394 OHCI Compliant Host Controller;c:\windows\system32\drivers\1394ohci.sys [2010-11-20 164864]
    R3 AcpiPmi;ACPI Power Meter Driver;c:\windows\system32\drivers\acpipmi.sys [2010-11-20 10240]
    R3 adp94xx;adp94xx;c:\windows\system32\DRIVERS\adp94xx.sys [2009-07-14 422976]
    R3 adpahci;adpahci;c:\windows\system32\DRIVERS\adpahci.sys [2009-07-14 297552]
    R3 amdsata;amdsata;c:\windows\system32\drivers\amdsata.sys [2010-11-20 80256]
    R3 amdsbs;amdsbs;c:\windows\system32\DRIVERS\amdsbs.sys [2009-07-14 159312]
    R3 AppID;AppID Driver;c:\windows\system32\drivers\appid.sys [2010-11-20 50176]
    R3 AppIDSvc;Application Identity;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R3 arcsas;arcsas;c:\windows\system32\DRIVERS\arcsas.sys [2009-07-14 86608]
    R3 b06bdrv;Broadcom NetXtreme II VBD;c:\windows\system32\DRIVERS\bxvbdx.sys [2009-07-13 430080]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2009-07-13 229888]
    R3 BDESVC;BitLocker Drive Encryption Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;c:\windows\system32\DRIVERS\BrFiltLo.sys [2009-07-13 13568]
    R3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;c:\windows\system32\DRIVERS\BrFiltUp.sys [2009-07-13 5248]
    R3 Brserid;Brother MFC Serial Port Interface Driver (WDM);c:\windows\System32\Drivers\Brserid.sys [2009-07-14 272128]
    R3 BrSerWdm;Brother WDM Serial driver;c:\windows\System32\Drivers\BrSerWdm.sys [2009-07-13 62336]
    R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\System32\Drivers\BrUsbMdm.sys [2009-07-13 12160]
    R3 CertPropSvc;Certificate Propagation;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R3 circlass;Consumer IR Devices;c:\windows\system32\DRIVERS\circlass.sys [2009-07-13 37888]
    R3 defragsvc;Disk Defragmenter;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R3 DfSdkS;Defragmentation-Service;d:\program files\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016]
    R3 ebdrv;Broadcom NetXtreme II 10 GigE VBD;c:\windows\system32\DRIVERS\evbdx.sys [2009-07-13 3100160]
    R3 elxstor;elxstor;c:\windows\system32\DRIVERS\elxstor.sys [2009-07-14 453712]
    R3 Filetrace;Filetrace;c:\windows\system32\drivers\filetrace.sys [2009-07-13 28160]
    R3 FsDepends;File System Dependency Minifilter;c:\windows\system32\drivers\FsDepends.sys [2009-07-14 46160]
    R3 hcw85cir;Hauppauge Consumer Infrared Receiver;c:\windows\system32\drivers\hcw85cir.sys [2009-07-13 26624]
    R3 HpSAMD;HpSAMD;c:\windows\system32\drivers\HpSAMD.sys [2009-07-14 67152]
    R3 iaStorV;Intel RAID Controller Windows 7;c:\windows\system32\drivers\iaStorV.sys [2010-11-20 332160]
    R3 IPBusEnum;PnP-X IP Bus Enumerator;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R3 IPMIDRV;IPMIDRV;c:\windows\system32\drivers\IPMIDrv.sys [2010-11-20 65536]
    R3 iScsiPrt;iScsiPort Driver;c:\windows\system32\drivers\msiscsi.sys [2010-11-20 233344]
    R3 KtmRm;KtmRm for Distributed Transaction Coordinator;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 lltdsvc;Link-Layer Topology Discovery Mapper;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 LSI_FC;LSI_FC;c:\windows\system32\DRIVERS\lsi_fc.sys [2009-07-14 95824]
    R3 LSI_SAS;LSI_SAS;c:\windows\system32\DRIVERS\lsi_sas.sys [2009-07-14 89168]
    R3 LSI_SAS2;LSI_SAS2;c:\windows\system32\DRIVERS\lsi_sas2.sys [2009-07-14 54864]
    R3 LSI_SCSI;LSI_SCSI;c:\windows\system32\DRIVERS\lsi_scsi.sys [2009-07-14 96848]
    R3 megasas;megasas;c:\windows\system32\DRIVERS\megasas.sys [2009-07-14 30800]
    R3 mpio;Microsoft Multi-Path Bus Driver;c:\windows\system32\drivers\mpio.sys [2010-11-20 130432]
    R3 msahci;msahci;c:\windows\system32\drivers\msahci.sys [2010-11-20 28032]
    R3 msdsm;Microsoft Multi-Path Device Specific Module;c:\windows\system32\drivers\msdsm.sys [2010-11-20 116096]
    R3 mshidkmdf;Pass-through HID to KMDF Filter Driver;c:\windows\System32\drivers\mshidkmdf.sys [2009-07-13 4096]
    R3 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R3 MsRPC;MsRPC; [x]
    R3 MTConfig;Microsoft Input Configuration Driver;c:\windows\system32\DRIVERS\MTConfig.sys [2009-07-13 12288]
    R3 NativeWifiP;NativeWiFi Filter;c:\windows\system32\DRIVERS\nwifi.sys [2009-07-13 267264]
    R3 NdisCap;NDIS Capture LightWeight Filter;c:\windows\system32\DRIVERS\ndiscap.sys [2009-07-13 27136]
    R3 nfrd960;nfrd960;c:\windows\system32\DRIVERS\nfrd960.sys [2009-07-14 44624]
    R3 nvstor;nvstor;c:\windows\system32\drivers\nvstor.sys [2010-11-20 143744]
    R3 PeerDistSvc;BranchCache;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 pla;Performance Logs & Alerts;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 PNRPAutoReg;PNRP Machine Name Publication Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 ql2300;ql2300;c:\windows\system32\DRIVERS\ql2300.sys [2009-07-14 1383488]
    R3 ql40xx;ql40xx;c:\windows\system32\DRIVERS\ql40xx.sys [2009-07-14 106064]
    R3 s3cap;s3cap;c:\windows\system32\drivers\vms3cap.sys [2010-11-20 5632]
    R3 scfilter;Smart card PnP Class Filter Driver;c:\windows\system32\DRIVERS\scfilter.sys [2010-11-20 26624]
    R3 SCPolicySvc;Smart Card Removal Policy;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R3 SensrSvc;Adaptive Brightness;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R3 SessionEnv;Remote Desktop Configuration;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 sffp_mmc;SFF Storage Protocol Driver for MMC;c:\windows\system32\drivers\sffp_mmc.sys [2009-07-13 12288]
    R3 SiSRaid4;SiSRaid4;c:\windows\system32\DRIVERS\sisraid4.sys [2009-07-14 77888]
    R3 Smb;Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session);c:\windows\system32\DRIVERS\smb.sys [2009-07-13 71168]
    R3 sppuinotify;SPP Notification Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R3 stexstor;stexstor;c:\windows\system32\DRIVERS\stexstor.sys [2009-07-14 21072]
    R3 StorSvc;Storage Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 storvsc;storvsc;c:\windows\system32\drivers\storvsc.sys [2010-11-20 28032]
    R3 TBS;TPM Base Services;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 THREADORDER;Thread Ordering Server;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R3 TrustedInstaller;Windows Modules Installer;c:\windows\servicing\TrustedInstaller.exe [2010-11-20 204800]
    R3 tssecsrv;Remote Desktop Services Security Filter Driver;c:\windows\system32\DRIVERS\tssecsrv.sys [2010-11-20 31232]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 UI0Detect;Interactive Services Detection;c:\windows\system32\UI0Detect.exe [2009-07-14 35840]
    R3 uliagpkx;Uli AGP Bus Filter;c:\windows\system32\drivers\uliagpkx.sys [2009-07-14 57424]
    R3 UmRdpService;Remote Desktop Services UserMode Port Redirector;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 usbcir;eHome Infrared Receiver (USBCIR);c:\windows\system32\drivers\usbcir.sys [2009-07-13 86016]
    R3 VaultSvc;Credential Manager;c:\windows\system32\lsass.exe [2009-07-14 22528]
    R3 vhdmp;vhdmp;c:\windows\system32\drivers\vhdmp.sys [2010-11-20 160128]
    R3 ViaC7;VIA C7 Processor Driver;c:\windows\system32\DRIVERS\viac7.sys [2009-07-13 52736]
    R3 VMBusHID;VMBusHID;c:\windows\system32\drivers\VMBusHID.sys [2010-11-20 17920]
    R3 vsmraid;vsmraid;c:\windows\system32\DRIVERS\vsmraid.sys [2009-07-14 141904]
    R3 vwifibus;Virtual WiFi Bus Driver;c:\windows\System32\drivers\vwifibus.sys [2009-07-13 19968]
    R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\DRIVERS\wacompen.sys [2009-07-13 21632]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-27 1343400]
    R3 wbengine;Block Level Backup Engine Service;c:\windows\system32\wbengine.exe [2010-11-20 1203200]
    R3 WbioSrvc;Windows Biometric Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R3 WcsPlugInService;Windows Color System;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R3 Wd;Wd;c:\windows\system32\DRIVERS\wd.sys [2009-07-14 19024]
    R3 WdiSystemHost;Diagnostic System Host;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 Wecsvc;Windows Event Collector;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R3 wercplsupport;Problem Reports and Solutions Control Panel Support;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 WerSvc;Windows Error Reporting Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 WIMMount;WIMMount;c:\windows\system32\drivers\wimmount.sys [2009-07-14 19008]
    R3 WinDefend;Windows Defender;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 WinRM;Windows Remote Management (WS-Management);c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 Wlansvc;WLAN AutoConfig;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R3 WPCSvc;Parental Controls;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R3 WwanSvc;WWAN AutoConfig;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R4 Mcx2Svc;Media Center Extender Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R4 TabletInputService;Tablet PC Input Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R4 WPDBusEnum;Portable Device Enumerator Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S0 amdxata;amdxata;c:\windows\system32\drivers\amdxata.sys [2010-11-20 22400]
    S0 CLFS;Common Log (CLFS);c:\windows\System32\CLFS.sys [2009-07-14 249408]
    S0 CNG;CNG;c:\windows\System32\Drivers\cng.sys [2009-07-14 369568]
    S0 FileInfo;File Information FS MiniFilter;c:\windows\system32\drivers\fileinfo.sys [2009-07-14 58448]
    S0 fvevol;Bitlocker Drive Encryption Filter Driver;c:\windows\System32\DRIVERS\fvevol.sys [2010-11-20 194800]
    S0 hwpolicy;Hardware Policy Driver;c:\windows\System32\drivers\hwpolicy.sys [2010-11-20 14208]
    S0 KSecPkg;KSecPkg;c:\windows\System32\Drivers\ksecpkg.sys [2009-07-14 133200]
    S0 msisadrv;msisadrv;c:\windows\system32\drivers\msisadrv.sys [2009-07-14 13888]
    S0 pcw;Performance Counters for Windows Driver;c:\windows\System32\drivers\pcw.sys [2009-07-14 43088]
    S0 rdyboost;ReadyBoost;c:\windows\System32\drivers\rdyboost.sys [2010-11-20 173440]
    S0 spldr;Security Processor Loader Driver; [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-17 691696]
    S0 storflt;Disk Virtual Machine Bus Acceleration Filter Driver;c:\windows\system32\drivers\vmstorfl.sys [2010-11-20 40704]
    S0 vdrvroot;Microsoft Virtual Drive Enumerator Driver;c:\windows\system32\drivers\vdrvroot.sys [2009-07-14 32832]
    S0 vmbus;Virtual Machine Bus;c:\windows\system32\drivers\vmbus.sys [2010-11-20 175360]
    S0 volmgr;Volume Manager Driver;c:\windows\system32\drivers\volmgr.sys [2010-11-20 53120]
    S0 volmgrx;Dynamic Volume Manager;c:\windows\System32\drivers\volmgrx.sys [2009-07-14 297040]
    S1 aswSP;aswSP; [x]
    S1 blbdrive;blbdrive;c:\windows\system32\DRIVERS\blbdrive.sys [2009-07-13 35328]
    S1 CSC;Offline Files Driver;c:\windows\system32\drivers\csc.sys [2010-11-20 388096]
    S1 DfsC;DFS Namespace Client Driver;c:\windows\system32\Drivers\dfsc.sys [2010-11-20 78336]
    S1 discache;System Attribute Cache;c:\windows\system32\drivers\discache.sys [2009-07-13 32256]
    S1 nsiproxy;NSI proxy service driver.;c:\windows\system32\drivers\nsiproxy.sys [2009-07-13 16896]
    S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-11-04 202064]
    S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-11-04 25000]
    S1 RDPENCDD;RDP Encoder Mirror Driver;c:\windows\system32\drivers\rdpencdd.sys [2009-07-14 6656]
    S1 RDPREFMP;Reflector Display Driver used to gain access to graphics data;c:\windows\system32\drivers\rdprefmp.sys [2009-07-14 7168]
    S1 tdx;NetIO Legacy TDI Support Driver;c:\windows\system32\DRIVERS\tdx.sys [2010-11-20 74752]
    S1 Wanarpv6;Remote Access IPv6 ARP Driver;c:\windows\system32\DRIVERS\wanarp.sys [2010-11-20 63488]
    S1 WfpLwf;WFP Lightweight Filter;c:\windows\system32\DRIVERS\wfplwf.sys [2009-07-13 9728]
    S2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2010/01/13 23:32];c:\program files\CyberLink\PowerDVD DX\000.fcl [2009-06-24 10:19 87536]
    S2 acthelper;Ashampoo CoreTuner Helper Service;d:\program files\Ashampoo Core Tuner\ACTHelperService.exe [2009-09-25 902488]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-01-26 176128]
    S2 Ashampoo Defrag Service;Ashampoo Defrag Service;d:\program files\Ashampoo Magical Defrag 3\defragservice.exe [2009-12-16 890208]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
    S2 AudioEndpointBuilder;Windows Audio Endpoint Builder;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S2 BFE;Base Filtering Engine;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S2 CscService;Offline Files;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S2 DPS;Diagnostic Policy Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S2 FDResPub;Function Discovery Resource Publication;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S2 gpsvc;Group Policy Client;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S2 IKEEXT;IKE and AuthIP IPsec Keying Modules;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S2 iphlpsvc;IP Helper;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S2 lltdio;Link-Layer Topology Discovery Mapper I/O Driver;c:\windows\system32\DRIVERS\lltdio.sys [2009-07-13 48128]
    S2 luafv;UAC File Virtualization;c:\windows\system32\drivers\luafv.sys [2009-07-13 86528]
    S2 MpsSvc;Windows Firewall;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S2 NlaSvc;Network Location Awareness;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S2 nsi;Network Store Interface Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S2 OAcat;Online Armor Helper Service;d:\program files\Online Armor\OAcat.exe [2010-11-04 380784]
    S2 PEAUTH;PEAUTH;c:\windows\system32\drivers\peauth.sys [2009-07-14 586752]
    S2 Power;Power;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S2 ProfSvc;User Profile Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S2 RpcEptMapper;RPC Endpoint Mapper;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S2 SBSDWSCService;SBSD Security Center Service;d:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 SysMain;Superfetch;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S2 tcpipreg;TCP/IP Registry Compatibility;c:\windows\system32\drivers\tcpipreg.sys [2010-11-20 35328]
    S2 UxSms;Desktop Window Manager Session Manager;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-01-26 7566848]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-01-26 238592]
    S3 Appinfo;Application Information;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S3 bowser;Browser Support Driver;c:\windows\system32\DRIVERS\bowser.sys [2009-07-13 69632]
    S3 CompositeBus;Composite Bus Enumerator Driver;c:\windows\system32\drivers\CompositeBus.sys [2010-11-20 31232]
    S3 DXGKrnl;LDDM Graphics Subsystem;c:\windows\System32\drivers\dxgkrnl.sys [2010-11-20 728448]
    S3 fdPHost;Function Discovery Provider Host;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S3 HomeGroupListener;HomeGroup Listener;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S3 HomeGroupProvider;HomeGroup Provider;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-07-13 229888]
    S3 KeyIso;CNG Key Isolation;c:\windows\system32\lsass.exe [2009-07-14 22528]
    S3 monitor;Microsoft Monitor Class Function Driver Service;c:\windows\system32\DRIVERS\monitor.sys [2009-07-13 23552]
    S3 mpsdrv;Windows Firewall Authorization Driver;c:\windows\system32\drivers\mpsdrv.sys [2009-07-13 60416]
    S3 mrxsmb10;SMB 1.x MiniRedirector;c:\windows\system32\DRIVERS\mrxsmb10.sys [2010-11-20 223232]
    S3 mrxsmb20;SMB 2.0 MiniRedirector;c:\windows\system32\DRIVERS\mrxsmb20.sys [2010-11-20 96768]
    S3 netprofm;Network List Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S3 OAnet;OnlineArmor Service;c:\windows\system32\DRIVERS\oanet.sys [2010-11-04 29120]
    S3 PcaSvc;Program Compatibility Assistant Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S3 RasAgileVpn;WAN Miniport (IKEv2);c:\windows\system32\DRIVERS\AgileVpn.sys [2009-07-13 49152]
    S3 rdpbus;Remote Desktop Device Redirector Bus Driver;c:\windows\system32\DRIVERS\rdpbus.sys [2009-07-14 18944]
    S3 SDRSVC;Windows Backup;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S3 srv2;Server SMB 2.xxx Driver;c:\windows\system32\DRIVERS\srv2.sys [2010-11-20 309248]
    S3 srvnet;srvnet;c:\windows\system32\DRIVERS\srvnet.sys [2010-11-20 114176]
    S3 tunnel;Microsoft Tunnel Miniport Adapter Driver;c:\windows\system32\DRIVERS\tunnel.sys [2010-11-20 108544]
    S3 umbus;UMBus Enumerator Driver;c:\windows\system32\drivers\umbus.sys [2010-11-20 39936]
    S3 wcncsvc;Windows Connect Now - Config Registrar;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S3 WdiServiceHost;Diagnostic Service Host;c:\windows\System32\svchost.exe [2009-07-14 20992]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - UGLOYPOB
    *Deregistered* - ugloypob
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    RPCSS REG_MULTI_SZ RpcEptMapper RpcSs
    defragsvc REG_MULTI_SZ defragsvc
    WerSvcGroup REG_MULTI_SZ wersvc
    LocalServiceNoNetwork REG_MULTI_SZ DPS PLA BFE mpssvc WwanSvc
    swprv REG_MULTI_SZ swprv
    LocalServicePeerNet REG_MULTI_SZ PNRPSvc p2pimsvc p2psvc PnrpAutoReg
    NetworkServiceAndNoImpersonation REG_MULTI_SZ KtmRm
    regsvc REG_MULTI_SZ RemoteRegistry
    LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
    DcomLaunch REG_MULTI_SZ Power PlugPlay DcomLaunch
    NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent
    sdrsvc REG_MULTI_SZ sdrsvc
    WbioSvcGroup REG_MULTI_SZ WbioSrvc
    wcssvc REG_MULTI_SZ WcsPlugInService
    AxInstSVGroup REG_MULTI_SZ AxInstSV
    secsvcs REG_MULTI_SZ WinDefend
    PeerDist REG_MULTI_SZ PeerDistSvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    AeLookupSvc
    CertPropSvc
    SCPolicySvc
    lanmanserver
    gpsvc
    IKEEXT
    AudioSrv
    FastUserSwitchingCompatibility
    Nla
    NWCWorkstation
    SRService
    Wmi
    WmdmPmSp
    TermService
    wuauserv
    BITS
    ShellHWDetection
    LogonHours
    PCAudit
    helpsvc
    uploadmgr
    iphlpsvc
    seclogon
    AppInfo
    msiscsi
    MMCSS
    wercplsupport
    EapHost
    ProfSvc
    schedule
    hkmsvc
    SessionEnv
    winmgmt
    browser
    Themes
    BDESVC
    AppMgmt
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalSystemNetworkRestricted
    homegrouplistener
    StorSvc
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
    WdiServiceHost
    sppuinotify
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetworkService
    lanmanworkstation
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceNetworkRestricted
    BthHFSrv
    homegroupprovider
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2010-12-15 c:\windows\Tasks\wavepadShakeIcon.job
    - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-12-12 07:01]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Download with GetRight - d:\program files\GetRight\GRdownload.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
    IE: Open with GetRight Browser - d:\program files\GetRight\GRbrowse.htm
    TCP: {EB9D824D-F1DB-491F-A89D-B32705065FB3} = 192.168.0.1
    FF - ProfilePath - c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\2tnep8uy.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: Amazon Toolbar: amznUWL@amazon.com - %profile%\extensions\amznUWL@amazon.com
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-PlayNC Launcher - (no file)
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    SafeBoot-sacsvr
    SafeBoot-vmms
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 13:15
    Windows 6.1.7601 Service Pack 1 NTFS
    .
    detected NTDLL code modification:
    ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 13:15
    Windows 6.1.7601 Service Pack 1 NTFS
    .
    detected NTDLL code modification:
    ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 13:15
    Windows 6.1.7601 Service Pack 1 NTFS
    .
    detected NTDLL code modification:
    ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 13:15
    Windows 6.1.7601 Service Pack 1 NTFS
    .
    detected NTDLL code modification:
    ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 13:15
    Windows 6.1.7601 Service Pack 1 NTFS
    .
    detected NTDLL code modification:
    ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 13:15
    Windows 6.1.7601 Service Pack 1 NTFS
    .
    detected NTDLL code modification:
    ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 13:15
    Windows 6.1.7601 Service Pack 1 NTFS
    .
    detected NTDLL code modification:
    ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 13:15
    Windows 6.1.7601 Service Pack 1 NTFS
    .
    detected NTDLL code modification:
    ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 13:15
    Windows 6.1.7601 Service Pack 1 NTFS
    .
    detected NTDLL code modification:
    ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 13:15
    Windows 6.1.7601 Service Pack 1 NTFS
    .
    detected NTDLL code modification:
    ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 13:15
    Windows 6.1.7601 Service Pack 1 NTFS
    .
    detected NTDLL code modification:
    ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD DX\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-03-22 13:17:08
    ComboFix-quarantined-files.txt 2011-03-22 03:17
    .
    Pre-Run: 83,672,412,160 bytes free
    Post-Run: 83,299,766,272 bytes free
    .
    - - End Of File - - 10271A54B2CD5A5699E4BCF35E3099E1
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Regarding the message in Eset:
    A note about the 'speed': part of the problem is that you have a splitter servicing 5 computers. The signal will not be as strong, most likely on most or all of the systems.

    We need to check for a rootkit first: Broni put this together for us:

    Download aswMBR to your desktop.
    • Double click the aswMBR.exe to run it.
    • Click the "Scan" button to start scan:
    • On completion of the scan click "Save log", save it to your desktop
    • Post in your next reply:
    ================================================
    After we finish the scans for malware, I'm going to refer you to a site that will explain what the Services do and what you can move down from Automatic Startup type to Manual, or in some cases, Disable. You have a huge number of Services/drivers running, even for Windows 7. You need to review what each Service does, whether it needs to start automatically when you boot, and what its Dependencies are. Black Viper wrote the book on this and you won't find any better place for your Services than this site:
    http://www.blackviper.com/2010/12/17/black-vipers-windows-7-service-pack-1-service-configurations/

    Take your time! I find booting into Safe Mode easier when working with the Services because some Services need other Services running in order for them to run.
     
  5. MicroShader

    MicroShader TS Rookie Topic Starter Posts: 22

    Do I really need to run IE8 to run ESET?

    When I first got the computer about a year ago I did go into the Services area and turn off a few things like Remote Desktop and some wireless stuff as this computer doesn't have any connected. I haven't thought about it since.

    Here's the log you requested.

    --------

    aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-03-24 11:07:49
    -----------------------------
    11:07:49.060 OS Version: Windows 6.1.7601 Service Pack 1
    11:07:49.060 Number of processors: 2 586 0x170A
    11:07:49.060 ComputerName: MICRO-PC UserName: Michael
    11:08:17.298 Initialize success
    11:08:40.652 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    11:08:40.653 Disk 0 Vendor: ST3250318AS CC44 Size: 238418MB BusType: 3
    11:08:40.656 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1
    11:08:40.657 Disk 1 Vendor: SAMSUNG_HD501LJ CR100-10 Size: 476940MB BusType: 3
    11:08:42.808 Disk 0 MBR read successfully
    11:08:42.811 Disk 0 MBR scan
    11:08:44.819 Disk 0 scanning sectors +488278016
    11:08:44.849 Disk 0 scanning C:\Windows\system32\drivers
    11:08:55.273 Service scanning
    11:08:57.198 Disk 0 trace - called modules:
    11:08:57.227 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x851821f8]<<
    11:08:57.230 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8600d5c8]
    11:08:57.233 3 CLASSPNP.SYS[8b5ab59e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85f1c908]
    11:08:57.237 \Driver\atapi[0x85ec2798] -> IRP_MJ_CREATE -> 0x851821f8
    11:08:57.765 Scan finished successfully
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please do this:
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

      Code:
      
      @ECHO OFF
      START 
      remover.exe fix  \\.\PhysicalDrive0  
      EXIT
      
    • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    • Then in the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.

    Run fix.bat by double clicking. You may see a black box appear; this is normal.
    • Click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
    When done, run remover.exe again and post its output.

    Do NOT reboot computer!
     
  7. MicroShader

    MicroShader TS Rookie Topic Starter Posts: 22

    Remover.exe? Sorry Bobbye you've never sent me the link for that particular program.

    I ran fix.bat and a black box flashed on the screen (as in was visible for less than one second) and then I was left with a cmd.exe window.

    And just to confirm, after the cleaning is done, I go fiddling with the services.

    Here's the output:

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Users\Michael\Desktop>remover.exe
    'remover.exe' is not recognized as an internal or external command,
    operable program or batch file.

    C:\Users\Michael\Desktop>
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I am so sorry! And my internet was down for a day and a half (#*$&#!@)! The program I had you run is fairly new, but my instruction was for another program. Please run the following, which is the source for the remover.exe file- and again my apology for the confusion:

    Bootkit Remover:

    Download bootkitremover.rar and save to your desktop.
    1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the remover.exe file to run the program.
      NOTE: The tool should be run from a command line with Administrator privileges.
    3. Scanning should be completed quickly
    4. Paste the output in your next reply.
    =====================================
     
  9. MicroShader

    MicroShader TS Rookie Topic Starter Posts: 22

    Thanks very much for your help Bobbye. I know all too well the problems that surround trying to maintain regular access to the internet.

    Please see the output below of the program. As the directions originally said not to reboot the computer, I'm currently sleeping the computer when I need to turn it off.

    ------

    C:\Users\Michael\Downloads\bootkit_remover>remover
    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...

    C:\Users\Michael\Downloads\bootkit_remover>

    -----------------

    Ok. I'm now annoyed at whoever put the rootkit on my computer.

    Question: Should I use the dump facility to check what rootkit it is? How contagious could it be? (I swear, I studied this (computer security) but my brain's drawing a blank at the moment)
    Question: What impact would it have on the operation of the computer?
    Question: Should I run Remover on the other computers on the network here?
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, now you need to run this: (it's not often I send out a 'fix' before I know the problem!)
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

    Code:
    
    @ECHO OFF
    START 
    remover.exe fix  \\.\PhysicalDrive0  
    EXIT
    
    
    • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    • Then in the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click fix.bat to run.
      You may see a black box appear; this is normal.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    When done, run remover.exe again and post its output.

    Do NOT reboot computer!
    ==============================================
    I had you do the bootkit check because of this section of ComboFix:
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
    detected NTDLL code modification:
    and it repeated 11 times- exactly the same result. I think that was most likely a glitch in ComboFix- not the finding itself, but the same repetition.
    =================================================
    It may have contributed to the slowness of the computer. But you should also check with the ISP to see if they have made any changes that would account for the slowness. (Just keep in mind that no ISP likes to admit anything is wrong with what they are doing!)

    Question: Should I use the dump facility to check what rootkit it is? How contagious could it be? (I swear, I studied this (computer security) but my brain's drawing a blank at the moment)
    Let it go for now.
    I suggest you run catchme first on each of the other systems: catchme is the rootkit/stealth malware scanner that scans for:
    • hidden processes
    • hidden registry keys
    • hidden services
    • hidden files
    catchme can also delete, destroy and collect malicious files.

    Download catchme.exe ( 137KB ) and save to your desktop.
    • Double click the catchme.exe to run it
    • Click the "Scan" button to start scan
    • Open catchme.log to see results

    Copy the log to Notepad, making sure that 'Word Wrap' is unchecked in Format.
    You can paste those results, but make very sure that both you and I know which result belongs to which computer- if the results are different.

    If you have used a flash drive between the 5 systems, let me know and I'll give you information to disinfect it also.
     
  11. MicroShader

    MicroShader TS Rookie Topic Starter Posts: 22

    I did as you asked. Here is the error message bootkit remover produces.

    ---------
    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

    System volume is \\.\C:
    main(): CreateFile() ERROR 5
    ERROR: Can't open volume device \\.\C:

    Done;
    Press any key to quit...
    -------------------

    I tried switching the batch file to Administrator mode and pointing it to where the remover.exe was but the output remained the same. I didn't know if it was permissible to do the commands manually, so I decided to wait for further advice. [Edit: I just found a file: bootkit_remover_debug_log.txt on my desktop. Do you want me to post it?]

    And here is the output of the program now. (Run in Administrator mode from command line):
    ----

    C:\Users\Michael\Downloads\bootkit_remover>remover
    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000
    Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...

    C:\Users\Michael\Downloads\bootkit_remover>

    --------------------

    We do use flash drives between the five systems so a way to disinfect them would be appreciated. I'll have the clearly marked Catchme logs available as the computers wake up today.
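    The remover's `dump` option writes the master boot sector to a file; what follows is an added example (not from this thread or from eSage Lab's tool) of inspecting such a 512-byte image in Python: it checks the 0x55AA signature, derives each partition's byte offset from the partition table (the sample's first partition lands at 0x02800000, the C: offset the remover printed above), and compares the boot-code hash with a baseline you recorded from a known-clean machine. The sample sector, its disk signature and partition sizes are constructed, and since the thread does not say which bytes the remover's own MD5 covers, the block hashes the boot-code area and the whole sector separately.

```python
import hashlib
import struct
from typing import Dict, List, Optional

# Layout of a classic (non-GPT) master boot record.
SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: bootstrap code, the part a bootkit replaces
DISK_SIG_OFFSET = 440         # 4-byte disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
PART_ENTRY_FMT = "<B3sB3sII"  # flag, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def build_sample_mbr() -> bytes:
    """Construct a sample MBR image (not a real dump from any machine).

    Partition 1 starts at LBA 81920, i.e. byte offset 81920 * 512 = 0x02800000,
    the C: offset the remover printed in the thread. Everything else is made up.
    """
    code = bytearray(BOOT_CODE_LEN)
    code[:3] = b"\x33\xc0\x8e"                 # xor ax,ax / mov ss,ax: typical opening bytes
    disk_sig = struct.pack("<I", 0xDEADBEEF)   # hypothetical disk signature
    part1 = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 81920, 488196096)  # active NTFS partition, constructed size
    empty = bytes(16)
    return bytes(code) + disk_sig + b"\x00\x00" + part1 + empty * 3 + BOOT_SIGNATURE


def load_mbr_dump(path: str) -> bytes:
    """Read the first 512 bytes of a file written by `remover.exe dump` (or dd)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> Dict:
    """Return the fields a defender wants to see from a 512-byte MBR image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions: List[Dict] = []
    for i in range(4):
        flag, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16)
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "index": i,
            "bootable": flag == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sector_count": count,
            "byte_offset": lba * SECTOR_SIZE,  # what the remover reports as "at offset"
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        # The thread does not say which bytes the remover's MD5 covers, so both are given.
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        "sector_md5": hashlib.md5(sector).hexdigest(),
        "partitions": partitions,
    }


def audit_mbr(sector: bytes, baseline_boot_code_md5: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means nothing looked wrong.

    baseline_boot_code_md5 is the boot-code hash recorded from a known-clean
    machine with the same Windows version (a baseline you must keep yourself).
    """
    info = parse_mbr(sector)
    findings: List[str] = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature at offset 510")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition carries the active (0x80) flag")
    if all(b == 0 for b in sector[:BOOT_CODE_LEN]):
        findings.append("boot code area is all zeros")
    if baseline_boot_code_md5 and info["boot_code_md5"] != baseline_boot_code_md5:
        findings.append("boot code hash differs from the known-good baseline")
    return findings


if __name__ == "__main__":
    mbr = build_sample_mbr()
    info = parse_mbr(mbr)
    for p in info["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02x} at offset 0x{p['byte_offset']:08x}")
    print("boot code MD5:", info["boot_code_md5"])
    print("findings:", audit_mbr(mbr, info["boot_code_md5"]) or "none")
```

    A hash mismatch alone does not prove a bootkit (a different Windows build or disk tool writes different boot code), which is why the baseline must come from the same OS version.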
     
  12. MicroShader

    MicroShader TS Rookie Topic Starter Posts: 22

    I'll use this post for the results of the Catchme program. All runs were in Administrator mode.

    Running the catchme program on MY computer, produces the following:

    detected NTDLL code modification:
    ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 1895833125, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error


    Running the catchme program on the INTERNET computer produces the following log:

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-28 09:04:07
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0011b107a393]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0011b107a393]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0011b107a393]

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    Running the catchme program on Sarah's computer, produces the following: (We downloaded a fresh copy)

    detected NTDLL code modification:
    ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error

    Running the catchme program on David's computer, produces the following log: (Used a disinfected flash drive from my computer)

    detected NTDLL code modification:
    ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != -1736256597, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != -1736191833, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error

    One computer to go, which we think is the source of the infection (it has had a problem in the past with Virtumonde)

    [Edit for last computer]---

    Here's the last log:

    Running the catchme program on Ken's computer, produces the following: (We downloaded a fresh copy)

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-31 10:21:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, for the flash drive: These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    And thank you- you did fine with fix.bat!
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We were posting at the same time!

    1. For MY Computer:
    Bootkit Remover:

    Download bootkitremover.rar and save to your desktop.
    1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the remover.exe file to run the program.
      NOTE: The tool should be run from a command line with Administrator privileges.
    3. Scanning should be completed quickly
    4. Paste the output in your next reply.
    =====================================
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

    Code:
    
    @ECHO OFF
    
    START remover.exe fix   \\.\PhysicalDrive0 
     
    EXIT
    
    
    • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    • Then in the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click fix.bat to run.
      You may see a black box appear; this is normal.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    When done, run remover.exe again and post its output.

    Do NOT reboot computer!
    ====================================
    2. For INTERNET Computer
    NO action needed.
     
  15. MicroShader

    MicroShader TS Rookie Topic Starter Posts: 22

    For MY computer:

    Downloaded the new version of bootkit remover and tried to run it from the command line with Admin privileges, like you said. No dice. Same error message: ERROR: Can't open volume device \\.\C:

    So I opened up explorer and right clicked it and selected "run as administrator" and got this output:

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...


    ----
    Next step was to twist Windows 7 to run the batch commands... so I made a shortcut to point to the remover.exe and made sure everything was in Administrator mode, and that the correct flags (fix \\.\PhysicalDrive0) were passed along.

    As you said not to reboot, when the box came up asking about it, I selected NO.

    Here is the output:

    ----
    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000
    Restoring boot code at \\.\PhysicalDrive0...
    ERROR: No standard boot code found for your OS.
    You can restore boot code only for Windows XP, Server 2003, Vista, Server 2008 and Windows 7

    Done;
    Press any key to quit...
    ----

    And just to check... running the program again without flags in Admin mode produces:

    ---
    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
    ----
    I hope to have the rest of the computers on the network shortly.
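The remover output above points at inspecting the boot code by hand (`remover.exe dump <device_name> [output_file]`). As an added example that is not code from the thread, from eSage Lab or from any poster, here is a small Python parser for such a 512-byte MBR dump: it checks the boot signature, reads the partition table and hashes the boot-code region so it can be compared with a dump taken from a known-clean machine with the same Windows build. The sector it parses is constructed inline; its single partition starts at LBA 81920, chosen so that its byte offset equals the 0x02800000 the tool printed for the C: volume.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PTABLE_OFFSET = 446        # the four 16-byte partition entries start here
BOOT_SIGNATURE = 0xAA55    # bytes 510..511 are 0x55 0xAA (little-endian word)

def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into boot-code hash, signature check and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR dump is exactly 512 bytes")
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PTABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count,
                          "byte_offset": lba * SECTOR_SIZE})
    sig = struct.unpack_from("<H", sector, SECTOR_SIZE - 2)[0]
    return {"signature_ok": sig == BOOT_SIGNATURE,
            "boot_code_sha256": hashlib.sha256(sector[:PTABLE_OFFSET]).hexdigest(),
            "partitions": parts}

def sanity_issues(info: dict) -> list:
    """Things to flag before trusting the table: bad signature, not exactly
    one active partition, or partition entries that overlap."""
    issues = []
    if not info["signature_ok"]:
        issues.append("missing 0x55AA boot signature")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        issues.append(f"{len(active)} active partitions (expected 1)")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["lba_start"] < prev["lba_start"] + prev["sectors"]:
            issues.append(f"slot {cur['slot']} overlaps slot {prev['slot']}")
    return issues

def build_sample_mbr() -> bytes:
    """Constructed sample, not the poster's real sector: a stub boot code and one
    active NTFS (type 0x07) partition at LBA 81920 = byte offset 0x02800000,
    the offset the remover printed for the C: volume."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(PTABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 81920, 486455296)   # ~232 GB of sectors
    return boot_code + entry + b"\x00" * 48 + b"\x55\xaa"
```

Feed `parse_mbr` the bytes of a real dump file instead of `build_sample_mbr()` to get the same report for that disk.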
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    For Windows 7 Computer:

    About the bootkit program:
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

    Code:
    
    @ECHO OFF
    START 
    remover.exe fix  \\.\PhysicalDrive0  
    EXIT
    
    
    • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    • Then in the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click fix.bat to run it.
      You may see a black box appear; this is normal.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    When done, run remover.exe again and post its output.

    Do NOT reboot computer!

    So we have done:
    1. MY Computer
    2. Internet Computer
    3. Windows 7 Computer
    4. Clean Computer> this was the first we ran> is this list correct?
     
  17. MicroShader

    MicroShader TS Rookie Topic Starter Posts: 22

    Sorry for the delay in getting back to you Bob, got called into work and then tied up by it.

    And sorry for any confusion regarding our network, I should have been clearer.

    The computers we have done are as follows:

    1. My computer: was presumed clean, running Windows 7 Pro, 32 Bit, Service Pack 1 (tests now show rootkit and excess services running)
    2. INTERNET computer: Windows XP
    3. Sarah's Computer: Windows XP Pro x64
    4. David's Computer: Windows 7 Ultimate x64
    5. Ken's Computer: Windows XP Home

    The reason my computer was presumed clean was I don't share flash drives on my computer and I'm fairly paranoid about the sites I visit.

    Here's the results of the bootkit remover. I did what you asked. Downloaded a fresh copy. Unpacked it to desktop. Altered the Properties to run in Administrator mode. And then added the lines in Fix.bat to point to the desktop. It said that it would require a reboot but since you said not to, I hit no. Should I have clicked Yes? Or maybe run it without Online Armor running?

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, let's fix this:

    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

    Code:
    
    @ECHO OFF
    START 
    remover.exe fix   \\.\PhysicalDrive0  
    EXIT
    
    
    • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    • Then in the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click fix.bat to run it.
      You may see a black box appear; this is normal.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    When done, run remover.exe again and post its output.

    Do NOT reboot computer!

    There is no problem at all with your delay. For various reasons, I am behind and trying to catch up.
     
  19. MicroShader

    MicroShader TS Rookie Topic Starter Posts: 22

    Here you go. Since my previous post of 3 days ago, my computer rebooted. Hope this isn't an issue.

    I've also double checked with the others here and while they have noticed a slow-down over the recent months, nothing to the degree that I'm experiencing. I am having difficulty loading pages now and barely hit 1-5 Kb/s.

    ----
    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000
    Restoring boot code at \\.\PhysicalDrive0...
    ERROR: No standard boot code found for your OS.
    You can restore boot code only for Windows XP, Server 2003, Vista, Server 2008 and Windows 7

    Done;
    Press any key to quit...


    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 Service Pack 1 (build 7601), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02800000

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

    Code:
    
    @ECHO OFF
    START 
    remover.exe fix    \\.\PhysicalDrive0  
    EXIT
    
    
    • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    • Then in the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click fix.bat to run it.
      You may see a black box appear; this is normal.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    When done, run remover.exe again and post its output.

    Do NOT reboot computer!

    This must be Dave's Computer since it has Win 7.
    =============================================
    Are you using a flash drive between the computers? If yes, that may be how it spread and should also be disinfected.
    Flash Disinfector for the Windows XP System:
    You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    The above won't run on Win 7, so use this:
    • Please download Panda USB Vaccine (you must provide a valid e-mail address and they will send the download link to it) to your desktop.
    • Install and run it.
    • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.
     
  21. MicroShader

    MicroShader TS Rookie Topic Starter Posts: 22

    I went to do David's computer and he told me he had made his computer a dual-boot computer. I just love my brother at times. Windows 7 is now on the second hard disk. Linux is his other OS.

    I managed to run Remover once before he realized it was going for the boot sector and before I knew what he had done to his computer. It came up with an error about unable to access the sector. I couldn't capture the output before he made a fuss and banished me from his computer.


    I've installed Panda USB Vaccine on my computer and tried to vaccinate all my flash drives. All cleared except one, which it couldn't vaccinate due to "Error reading Volume", yet Windows has no trouble reading the drive.
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Maybe you could run the Error Check on this? Check both the scan and fix boxes, reboot and let it run. It will reboot when through.
     
  23. MicroShader

    MicroShader TS Rookie Topic Starter Posts: 22

    I ran error check on the USB stick in question. And it passed with no problems. I rebooted and checked both the scan and fix boxes and again it passed with no problems.

    The only thing that gets me is that according to scan there are 9 hidden files on the USB device and Windows can only see 7.

    So the easiest solution is to not use that USB stick any more, since Panda USB Vaccine still can't vaccinate it.

    My computer still is having great difficulty accessing the internet in general. Should I try running Remover from safe mode? Does Remover work with Service Pack 1?
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The first system you ran had 11 fixed drives. There are 11 of these messages: "detected NTDLL code modification". I should have put that together sooner - sorry, brain drain.

    I told you in the beginning that what you describe is mainly a problem from the ISP. But I would definitely suggest that you not use the flash drive among all of the systems.

    Are we actually dealing with 5 separate computers here? Or does each user have one of the fixed drives?
     
  25. MicroShader

    MicroShader TS Rookie Topic Starter Posts: 22

    There are five separate computers here on our network. Each user uses their own computer. My computer is the one I have easy access to.

    To make my computer more manageable I split the two physical hard disks into 11 partitions: C - M. Each has a different purpose. (C is root, D is Data, G is Games, I is Internet saves, M is Windows Backup).

    A quick update. As I'm still at a virtual standstill when it comes to connecting to the internet via Firefox, I've been paying heightened interest to my firewall, CPU usage, connections to my computer, and other vital stats.

    At one point I've been upwards of 150 connections and have spiked momentarily to over 350 attempted connections. So I know something is going on... This could be part of normal activity or something out of the ordinary. At the time I was trying without success to load the Google search page and this page.

    I was looking at the Resource Monitor yesterday and I noticed that my computer was trying to connect to www.007guard.com even after we had turned the network and the modem off. (At night, when we go to bed we turn the modem and other network hardware off at the wall to save power)

    Curious, I had a look at my hosts file, as I didn't instantly recognise the address but it rang a bell. Here are the first few lines of the hosts file.

    Does this help at all?

    Additionally I had a look at the allowed websites on my firewall. There are lots of sites I don't recall ever visiting. Should I clear that list or is that a later step? Would you like a copy to see if there are any obvious malware sites that have slipped through? I couldn't see any.

    Also, I've been reliably informed that there are new versions of Firefox, Online Armor (my firewall), and Internet Explorer out. Should I hold off installing them for now?

    Edit to add:
    I had a look at C: and there are 3 directories that appear to be random strings.

    One of them, "C:\32788R22FWJFW\EN-US", contains a file called "cmd.cfxxe.mui".
    One of the directories is called "C:\3e8b52db515ea600e5cab11fd31dcf" and contains 320 files. They look like various drivers and .dll files. There are several exe files: migautoplay.exe, mighost.exe, spuninst.exe, spupdsvc.exe and tcinst.exe. The remaining files have the .man extension or .dll extension. What surprised me is when I noticed this directory and went to check it out, I was told I didn't have permission to access it. However I was using the Administrator account at the time (it's the only account on the system - bad security I know).
    The final directory "C:\db63cd887ce5b0607c1ad4d3" is the same as the above 320 file directory except it is locked - it has a little padlock beside it.
     
Topic Status:
Not open for further replies.
