System Check malware

By dennisgolfer
Mar 30, 2012
I, too, have encountered the System Check virus/malware. I've run malware, dds, and gmer as suggested and their logs are enclosed. Right now my machine is in Safe mode but I cannot access the internet. It does appear that I can see all of my hard drive now, however. Help is appreciated.

    Malware:

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.29.05

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    dennis :: DENNISJONES [administrator]

    3/30/2012 7:02:10 AM
    mbam-log-2012-03-30 (07-02-10).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 409106
    Time elapsed: 50 minute(s), 24 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    *********************************************************

    gmer log:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-03-30 06:42:09
    Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\00000077 WDC_WD800JD-22MSA1 rev.10.01E01
    Running: w1sx6l80.exe; Driver: C:\DOCUME~1\dennis\LOCALS~1\Temp\pwdyqaog.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    =============================================================


    DDS


    DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by dennis at 6:42:48 on 2012-03-30
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.732 [GMT -5:00]
    .
    AV: Total Defense Anti-Virus Plus *Enabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.lakevalleygolf.com/
    mURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Gu8UZegGF0S] c:\documents and settings\all users\application data\Gu8UZegGF0S.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Akamai NetSession Interface] "c:\documents and settings\dennis\local settings\application data\akamai\netsession_win.exe"
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
    mRun: [Logitech Utility] Logi_MwX.Exe
    mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [SonicWALLNetExtender] c:\program files\sonicwall\ssl-vpn\netextender\NEGui.exe -hideGUI -clearReboot
    mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\documents and settings\all users\application data\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.3\IExifMap.htm
    IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif 2.3\IExifCom.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: c:\windows\system32\VetRedir.dll
    LSP: mswsock.dll
    DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://66.112.124.186/CACHE/stc/1/binaries/vpnweb.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272740649484
    DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://69.29.48.55/NELX.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=724
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{B967DB00-4311-4E57-A3D9-E9897FF35EE7} : DhcpNameServer = 192.168.1.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: LMIinit - LMIinit.dll
    Notify: NecUsb3Sevices - USB3Sw32.dll
    Notify: PCANotify - PCANotify.dll
    Notify: USB3Sw32 - USB3Sw32.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com
    Hosts: 94.63.147.16 www.google.com
    Hosts: 94.63.147.17 www.bing.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\dennis\application data\mozilla\firefox\profiles\u1h4u1v3.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - plugin: c:\documents and settings\dennis\application data\mozilla\firefox\profiles\u1h4u1v3.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2011-10-27 170064]
    R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
    R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2010-5-3 101528]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
    R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2009-2-23 20504]
    S0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2011-7-29 123984]
    S0 lyaxc;lyaxc;c:\windows\system32\drivers\pjdpuyh.sys --> c:\windows\system32\drivers\pjdpuyh.sys [?]
    S1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
    S1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2011-10-26 83536]
    S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    S2 Acceler8DB Server;Acceler8DB Server;c:\program files\asna\adb engine 5.0\adbntsvc.exe [2010-5-1 606528]
    S2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\adobe\elements 9 organizer\PhotoshopElementsFileAgent.exe [2010-9-30 169408]
    S2 CAAMSvc;CAAMSvc;c:\program files\ca\ca internet security suite\ca anti-virus plus\CAAMSvc.exe [2010-10-29 206152]
    S2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus plus\isafe.exe [2010-5-1 222544]
    S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2010-5-1 207920]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 CrossLoopService;CrossLoop Service;c:\documents and settings\dennis\local settings\application data\crossloop\CrossLoopService.exe [2010-5-11 560792]
    S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\epsoncustomerparticipation\EPCP.exe [2011-6-9 521600]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-25 136176]
    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-8-8 374152]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
    S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-5-20 47640]
    S2 NecUsb3;USB3 Service;c:\windows\system32\svchost.exe -k NecUsb3Sevic [2003-3-31 14336]
    S2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-3-3 428640]
    S2 UmxEngine;TM Engine;c:\program files\ca\sharedcomponents\tmengine\UmxEngine.exe [2011-4-4 662096]
    S2 Viewpoint Service;Viewpoint Service;c:\program files\viewpoint\common\ViewpointService.exe [2011-1-7 30152]
    S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2011-6-26 101904]
    S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-10-31 106496]
    S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [2010-5-14 20448]
    S3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\drivers\genbus.sys --> c:\windows\system32\drivers\GenBus.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-25 136176]
    S3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2011-9-6 331344]
    S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-12-13 50704]
    S3 NUS_Bus32;Network USB Server Bus ;c:\windows\system32\drivers\nus_bus32.sys --> c:\windows\system32\drivers\NUS_Bus32.sys [?]
    S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2010-5-3 24876]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
    .
    =============== Created Last 30 ================
    .
    2012-03-29 19:33:07 38400 ----a-w- c:\windows\system32\USB3Sw32.dll
    2012-03-29 18:41:43 -------- d-----w- c:\documents and settings\dennis\application data\SUPERAntiSpyware.com
    2012-03-29 18:38:55 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-03-29 18:38:55 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2012-03-29 14:03:01 99328 ----a-w- c:\documents and settings\dennis\application data\3C7FC64A.exe
    2012-03-29 13:04:09 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-03-29 13:02:10 46080 ----a-w- c:\windows\system32\cCYt7A.com
    2012-03-29 12:56:34 99328 ----a-w- c:\windows\system32\cCYt7A.com_
    2012-03-29 12:56:32 46080 ----a-w- c:\documents and settings\dennis\application data\6F7C99FE.exe
    2012-03-28 14:47:16 -------- d-----w- c:\program files\common files\EPSON
    2012-03-28 14:47:14 -------- d-----w- c:\program files\EPSON Software
    2012-03-28 14:46:30 93696 ----a-w- c:\windows\system32\E_TLBH5A.DLL
    2012-03-28 14:46:30 81408 ----a-w- c:\windows\system32\E_TD4BH5A.DLL
    2012-03-28 14:46:04 -------- d-----w- c:\program files\Epson America Inc
    2012-03-23 14:10:45 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
    2012-03-23 14:10:45 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
    .
    ==================== Find3M ====================
    .
    2012-03-02 19:55:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    ============= FINISH: 6:43:50.59 ===============


    ****************************************************************************

    and ATTACH:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 5/1/2010 1:49:47 PM
    System Uptime: 3/30/2012 6:20:26 AM (0 hours ago)
    .
    Motherboard: MSI | | MS-7309
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | CPU 1 | 2210/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 75 GiB total, 24.472 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 298 GiB total, 37.406 GiB free.
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E980-E325-11CE-BFC1-08002BE10318}
    Description: Floppy disk drive
    Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&36946FF3&0&0
    Manufacturer: (Standard floppy disk drives)
    Name: Floppy disk drive
    PNP Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&36946FF3&0&0
    Service: flpydisk
    .
    Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
    Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    Device ID: ACPI\PNP0303\4&38D79619&0
    Manufacturer: (Standard keyboards)
    Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    PNP Device ID: ACPI\PNP0303\4&38D79619&0
    Service: i8042prt
    .
    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: Logitech-compatible Mouse PS/2
    Device ID: ACPI\PNP0F03\4&38D79619&0
    Manufacturer: Logitech
    Name: Logitech-compatible Mouse PS/2
    PNP Device ID: ACPI\PNP0F03\4&38D79619&0
    Service: i8042prt
    .
    Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
    Description: Unknown Device
    Device ID: USB\VID_0000&PID_0000\5&FF56C54&0&5
    Manufacturer: (Standard USB Host Controller)
    Name: Unknown Device
    PNP Device ID: USB\VID_0000&PID_0000\5&FF56C54&0&5
    Service:
    .
    Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
    Description: Officejet 6500 E710n-z
    Device ID: ROOT\MULTIFUNCTION\0000
    Manufacturer: HP
    Name: Officejet 6500 E710n-z
    PNP Device ID: ROOT\MULTIFUNCTION\0000
    Service:
    .
    Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
    Description: Photosmart C309a series
    Device ID: ROOT\MULTIFUNCTION\0001
    Manufacturer: HP
    Name: Photosmart C309a series
    PNP Device ID: ROOT\MULTIFUNCTION\0001
    Service:
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    PNP Device ID: ROOT\NET\0000
    Service: vpnva
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0001
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0001
    Service: CVirtA
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: SonicWALL VPN Adapter
    Device ID: ROOT\RCVPN\0000
    Manufacturer: SonicWALL, Inc.
    Name: SonicWALL VPN Adapter
    PNP Device ID: ROOT\RCVPN\0000
    Service: rcvpn
    .
    ==== System Restore Points ===================
    .
    RP713: 2/1/2012 11:02:07 AM - System Checkpoint
    RP714: 2/2/2012 12:02:37 PM - System Checkpoint
    RP715: 2/3/2012 12:56:43 PM - System Checkpoint
    RP716: 2/4/2012 12:57:54 PM - System Checkpoint
    RP717: 2/5/2012 1:56:38 PM - System Checkpoint
    RP718: 2/6/2012 4:55:01 PM - System Checkpoint
    RP719: 2/7/2012 5:48:17 PM - System Checkpoint
    RP720: 2/8/2012 5:50:32 PM - System Checkpoint
    RP721: 2/9/2012 6:01:41 PM - System Checkpoint
    RP722: 2/10/2012 7:01:41 PM - System Checkpoint
    RP723: 2/11/2012 7:52:39 PM - System Checkpoint
    RP724: 2/12/2012 8:01:42 PM - System Checkpoint
    RP725: 2/13/2012 9:01:41 PM - System Checkpoint
    RP726: 2/14/2012 10:00:53 PM - System Checkpoint
    RP727: 2/15/2012 11:00:57 PM - System Checkpoint
    RP728: 2/17/2012 12:01:23 AM - System Checkpoint
    RP729: 2/18/2012 1:00:54 AM - System Checkpoint
    RP730: 2/19/2012 2:00:43 AM - System Checkpoint
    RP731: 2/20/2012 3:00:47 AM - System Checkpoint
    RP732: 2/21/2012 4:00:56 AM - System Checkpoint
    RP733: 2/22/2012 5:00:28 AM - System Checkpoint
    RP734: 2/23/2012 6:00:26 AM - System Checkpoint
    RP735: 2/24/2012 10:22:11 AM - System Checkpoint
    RP736: 2/25/2012 11:00:25 AM - System Checkpoint
    RP737: 2/26/2012 12:00:25 PM - System Checkpoint
    RP738: 2/27/2012 4:52:25 PM - System Checkpoint
    RP739: 2/28/2012 5:05:26 PM - System Checkpoint
    RP740: 2/29/2012 5:09:21 PM - System Checkpoint
    RP741: 3/1/2012 6:00:31 PM - System Checkpoint
    RP742: 3/2/2012 6:44:25 PM - System Checkpoint
    RP743: 3/3/2012 7:44:24 PM - System Checkpoint
    RP744: 3/4/2012 8:44:25 PM - System Checkpoint
    RP745: 3/5/2012 9:08:19 PM - System Checkpoint
    RP746: 3/6/2012 10:08:19 PM - System Checkpoint
    RP747: 3/7/2012 11:08:22 PM - System Checkpoint
    RP748: 3/9/2012 12:08:20 AM - System Checkpoint
    RP749: 3/9/2012 1:55:39 PM - Installed Adobe Photoshop Elements 9.
    RP750: 3/10/2012 2:08:22 PM - System Checkpoint
    RP751: 3/11/2012 3:16:50 PM - System Checkpoint
    RP752: 3/12/2012 5:14:27 PM - System Checkpoint
    RP753: 3/13/2012 6:08:06 PM - System Checkpoint
    RP754: 3/14/2012 7:08:04 PM - System Checkpoint
    RP755: 3/16/2012 11:34:48 AM - System Checkpoint
    RP756: 3/17/2012 12:08:03 PM - System Checkpoint
    RP757: 3/18/2012 1:07:59 PM - System Checkpoint
    RP758: 3/19/2012 4:29:02 PM - System Checkpoint
    RP759: 3/20/2012 5:07:55 PM - System Checkpoint
    RP760: 3/21/2012 6:07:44 PM - System Checkpoint
    RP761: 3/22/2012 7:31:37 PM - System Checkpoint
    RP762: 3/23/2012 8:07:42 PM - System Checkpoint
    RP763: 3/24/2012 9:07:42 PM - System Checkpoint
    RP764: 3/25/2012 10:07:37 PM - System Checkpoint
    RP765: 3/26/2012 11:07:43 PM - System Checkpoint
    RP766: 3/28/2012 12:07:33 AM - System Checkpoint
    RP767: 3/28/2012 9:46:04 AM - Installed Epson Connect
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    Acceler8DB Engine 5.0
    Adobe AIR
    Adobe Community Help
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Help Center 2.1
    Adobe Photoshop Elements 5.0
    Adobe Photoshop Elements 9
    Adobe Photoshop.com Inspiration Browser
    Adobe Premiere Elements 8.0
    Adobe Reader X (10.1.2)
    AllWebMenus PRO 5.1.788
    AMD APP SDK Runtime
    Anti-Virus Plus
    Apple Application Support
    Apple Software Update
    ASNA Visual RPG 4.0
    ATI AVIVO Codecs
    ATI Catalyst Install Manager
    Bay Photo
    Bay Photo Economy
    Bay Photo Light
    BookSmart® 3.0.4 3.0.4
    BufferChm
    C309a
    CA Anti-Virus Plus
    CameraHelperMsi
    CamStudio
    Catalyst Control Center
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    CCleaner
    Cisco AnyConnect VPN Client
    Cisco Systems VPN Client 4.6.04.0043
    Core FTP LE 1.3c
    Core FTP LE 2.1
    CrossLoop 2.72
    Destination Component
    DeviceDiscovery
    Diamond Multimedia 11.3 2400-5900, 6400-6600, 6800-6900 WinXP
    DocProc
    DriveImage XML (Private Edition)
    Elements 9 Organizer
    Elements STI Installer
    Envelope Creator
    Epson Connect
    Epson Customer Participation
    Epson Download Navigator
    EPSON Printer Software
    EPSON WorkForce 1100 Series Printer Uninstall
    EPSON WP-4020 Series Printer Uninstall
    erLT
    FastStone Capture 7.0
    Fax
    File Uploader
    FLV Player
    FotoFusion v4
    Google Chrome
    Google Earth Plug-in
    Google Update Helper
    GPBaseService2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB945282)
    Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946040)
    Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946308)
    Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946344)
    Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB947540)
    Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB947789)
    Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB948127)
    Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB951708)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB958655-v2)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Customer Participation Program 12.0
    HP Imaging Device Functions 12.0
    HP Photosmart C309a All-In-One Driver Software 12.0 Rel .5
    HP Photosmart Essential 3.5
    HP Smart Web Printing 4.60
    HP Solution Center 13.0
    HP Update
    HPDiagnosticAlert
    HPPhotoSmartDiscLabel_PaperLabel
    HPPhotoSmartDiscLabel_PrintOnDisc
    HPPhotoSmartDiscLabelContent1
    hpphotosmartdisclabelplugin
    HPPhotosmartEssential
    HPProductAssistant
    HydraVision
    InfraRecorder
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 26
    Jimco Open Web
    Layout Creator
    LiveReg (Symantec Corporation)
    LiveUpdate 1.80 (Symantec Corporation)
    Logitech MouseWare 9.79.1
    LogMeIn
    LWS Facebook
    LWS Gallery
    LWS Help_main
    LWS Launcher
    LWS Motion Detection
    LWS Pictures And Video
    LWS Twitter
    LWS Video Mask Maker
    LWS VideoEffects
    LWS Webcam Software
    LWS WLM Plugin
    LWS YouTube Plugin
    Mabry BarCod Sample
    Malwarebytes Anti-Malware version 1.60.1.1000
    MarketResearch
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft .NET Framework 4 Multi-Targeting Pack
    Microsoft Application Error Reporting
    Microsoft Help Viewer 1.0
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office FrontPage 2003
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Ultimate 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2008
    Microsoft SQL Server 2008 Browser
    Microsoft SQL Server 2008 Common Files
    Microsoft SQL Server 2008 Database Engine Services
    Microsoft SQL Server 2008 Database Engine Shared
    Microsoft SQL Server 2008 Native Client
    Microsoft SQL Server 2008 R2 Management Objects
    Microsoft SQL Server 2008 RsFx Driver
    Microsoft SQL Server 2008 Setup Support Files
    Microsoft SQL Server Compact 3.5 SP1 Design Tools English
    Microsoft SQL Server Compact 3.5 SP2 ENU
    Microsoft SQL Server System CLR Types
    Microsoft SQL Server VSS Writer
    Microsoft Visual Basic 2008 Express Edition with SP1 - ENU
    Microsoft Visual Basic Power Packs 3.0
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
    Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
    Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
    Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_CRT_x86
    MobileSigns
    Mozilla Firefox 11.0 (x86 en-US)
    MSVCSetup
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser
    Nero 7 Essentials
    neroxml
    Network
    Nikon Message Center
    Noiseware Standard Edition
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    OCR Software by I.R.I.S. 12.0
    OGA Notifier 2.0.0048.0
    Opanda IExif 2.3
    Picture Control Utility
    PictureProject
    PictureProject In Touch Downloader 1.0
    PrimoPDF
    PS_AIO_05_C309_Software_Min
    QuickTime
    Realtek High Definition Audio Driver
    Redistributable_MM
    Scan
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2466156)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2464583)
    Security Update for Microsoft Office Groove 2007 (KB2494047)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Service Pack 1 for SQL Server 2008 (KB968369)
    Slideshow Generator Powertoy for Windows XP
    SmartSound Quicktracks for Premiere Elements 8.0
    SmartWebPrinting
    Snood for Windows version 3.52-W
    SolutionCenter
    SonicWALL Global VPN Client
    SonicWALL SSL-VPN NetExtender
    Spybot - Search & Destroy
    Sql Server Customer Experience Improvement Program
    Status
    SUPERAntiSpyware
    SWiSH Max2
    Symantec pcAnywhere
    System Requirements Lab
    TeamViewer 7
    Toolbox
    Total Defense Internet Security Suite
    TrayApp
    UnloadSupport
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office Outlook 2007 (KB2509470)
    Update for Outlook 2007 Junk Email Filter (KB2522999)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB980302)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB980182)
    ViewNX
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    Viewpoint Toolbar
    VNC Free Edition 4.1.3
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows XP Service Pack 3
    WinRAR archiver
    XL2000 ID Machine
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/30/2012 6:23:03 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: awlegacy Fips i8042prt KmxAgent KmxStart ohci1394 Processor SASDIFSV SASKUTIL
    3/29/2012 9:02:58 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TM Engine service to connect.
    3/29/2012 9:02:58 AM, error: Service Control Manager [7000] - The TM Engine service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    3/29/2012 8:33:24 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD awlegacy Fips i8042prt IPSec KmxAgent KmxStart MRxSmb NetBIOS NetBT Processor RasAcd RCFOX Rdbss Tcpip
    3/29/2012 8:33:24 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    3/29/2012 8:33:24 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/29/2012 8:33:24 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/29/2012 8:33:24 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    3/29/2012 8:33:24 AM, error: Service Control Manager [7001] - The Cisco AnyConnect VPN Agent service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/29/2012 8:21:04 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/29/2012 8:20:51 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: awlegacy Fips i8042prt KmxAgent KmxStart Processor
    3/29/2012 8:08:20 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
    3/29/2012 8:08:20 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    3/29/2012 8:08:20 AM, error: Service Control Manager [7022] - The Windows Time service hung on starting.
    3/29/2012 8:08:20 AM, error: Service Control Manager [7022] - The Windows Firewall/Internet Connection Sharing (ICS) service hung on starting.
    3/29/2012 8:02:01 AM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
    3/29/2012 7:36:27 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    3/29/2012 4:24:18 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the USB3 Service service to connect.
    3/29/2012 4:24:18 PM, error: Service Control Manager [7000] - The USB3 Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    3/29/2012 4:20:53 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
    3/29/2012 4:20:53 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    3/29/2012 4:20:21 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    3/29/2012 4:10:56 PM, error: Service Control Manager [7023] - The USB3 Service service terminated with the following error: The specified module could not be found.
    3/29/2012 4:10:56 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
    3/29/2012 4:10:56 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Viewpoint Service service to connect.
    3/29/2012 4:10:56 PM, error: Service Control Manager [7000] - The Viewpoint Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    3/29/2012 3:35:15 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: awlegacy Fips i8042prt KmxAgent KmxStart Processor SASDIFSV SASKUTIL
    3/29/2012 3:35:15 PM, error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT
    3/29/2012 3:35:15 PM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: NetBT
    3/29/2012 1:47:57 PM, error: Schannel [36870] - A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0xc0000253.
    3/29/2012 1:38:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service CaCCProvSP with arguments "" in order to run the server: {AACF4A1C-BC69-4359-9518-DF3F77E462BF}
    3/29/2012 1:32:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    3/29/2012 1:08:57 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    3/27/2012 11:04:59 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
    .
    ==== End Of File ===========================
  2. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ====================================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  3. dennisgolfer

    dennisgolfer Newcomer, in training Topic Starter Posts: 20

    Thank you for your help.


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-30 11:57:44
    -----------------------------
    11:57:44.671 OS Version: Windows 5.1.2600 Service Pack 3
    11:57:44.671 Number of processors: 2 586 0x4B02
    11:57:44.671 ComputerName: DENNISJONES UserName: dennis
    11:57:45.906 Initialize success
    11:58:14.281 AVAST engine download error: 0
    11:58:26.640 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    11:58:26.640 Disk 0 Vendor: WDC_WD3200AAJB-00TYA0 00.02C01 Size: 305245MB BusType: 3
    11:58:26.656 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\00000077
    11:58:26.656 Disk 1 Vendor: WDC_WD800JD-22MSA1 10.01E01 Size: 76319MB BusType: 3
    11:58:26.687 Disk 1 MBR read successfully
    11:58:26.687 Disk 1 MBR scan
    11:58:26.687 Disk 1 Windows XP default MBR code
    11:58:26.687 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63
    11:58:26.687 Disk 1 scanning sectors +156280320
    11:58:26.781 Disk 1 scanning C:\WINDOWS\system32\drivers
    11:58:40.015 Service scanning
    11:58:45.406 Service GMSIPCI D:\INSTALL\GMSIPCI.SYS **LOCKED** 21
    11:59:01.328 Modules scanning
    11:59:08.296 Disk 1 trace - called modules:
    11:59:08.328 ntkrnlpa.exe CLASSPNP.SYS disk.sys tsk1.tmp hal.dll nvata.sys
    11:59:08.328 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x86dceab8]
    11:59:08.343 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\00000079[0x86d4ff18]
    11:59:08.343 5 tsk1.tmp[f735e620] -> nt!IofCallDriver -> \Device\00000077[0x86d5f030]
    11:59:08.343 Scan finished successfully
    11:59:20.109 Disk 1 MBR has been saved successfully to "F:\MBR.dat"
    11:59:20.156 The log file has been saved successfully to "F:\aswMBR.txt"




    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive1 at offset 0x00000000`00007e00
    ATA_Read(): DeviceIoControl() ERROR 1
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive1 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
  4. dennisgolfer

    dennisgolfer Newcomer, in training Topic Starter Posts: 20

    Also - when I started bootkit it issued this message with just an "OK" option:

    ATA_PASS_THROUGH_DIRECT is not supported by your disk controller. SCSI_PASS_THROUGH_DIRECT will be used for disk I/O.
  5. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  6. dennisgolfer

    dennisgolfer Newcomer, in training Topic Starter Posts: 20

    While running combofix I got a msg box saying "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack" and before I could record the rest it went away and issued a msg about Rootkit is detected this may take several minutes.

    It just initiated a reboot.

    Also - the infected machine has not had internet access, but I have a second machine that I have been downloading and transferring fixes, etc. from.
  7. dennisgolfer

    dennisgolfer Newcomer, in training Topic Starter Posts: 20

    I did NOT run rkill as I wasn't sure if I should or not since I did not have any problems with combofix. Do I need to run rkill regardless?




    ComboFix 12-03-30.06 - dennis 03/30/2012 13:06:19.1.2 - x86
    Running from: c:\documents and settings\dennis\Desktop\ComboFix.exe
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    .
    .
    .
    C:\debug_log.txt
    c:\documents and settings\All Users\Application Data\~QIQS362nnJbixw
    c:\documents and settings\All Users\Application Data\~QIQS362nnJbixwr
    c:\documents and settings\All Users\Application Data\4X726q4j.exe
    c:\documents and settings\All Users\Application Data\QIQS362nnJbixw
    c:\documents and settings\All Users\Application Data\Tarma Installer
    c:\documents and settings\All Users\Application Data\Tarma Installer\{1E3CA1C4-1E90-401B-8CC0-911DF018D8D8}\_Setup.dll
    c:\documents and settings\All Users\Application Data\Tarma Installer\{1E3CA1C4-1E90-401B-8CC0-911DF018D8D8}\20110105160908.log
    c:\documents and settings\All Users\Application Data\Tarma Installer\{1E3CA1C4-1E90-401B-8CC0-911DF018D8D8}\20110209132028.log
    c:\documents and settings\All Users\Application Data\Tarma Installer\{1E3CA1C4-1E90-401B-8CC0-911DF018D8D8}\Setup.dat
    c:\documents and settings\All Users\Application Data\Tarma Installer\{1E3CA1C4-1E90-401B-8CC0-911DF018D8D8}\Setup.exe
    c:\documents and settings\All Users\Application Data\Tarma Installer\{1E3CA1C4-1E90-401B-8CC0-911DF018D8D8}\Setup.ico
    c:\documents and settings\dennis\Application Data\rensyschk1.exe
    c:\documents and settings\dennis\Application Data\rensyschk2.exe
    c:\documents and settings\dennis\My Documents\DPE.DUS
    c:\documents and settings\dennis\Start Menu\Programs\System Check
    c:\windows\$NtUninstallKB21166$
    c:\windows\$NtUninstallKB21166$\3871978599\@
    c:\windows\$NtUninstallKB21166$\3871978599\cfg.ini
    c:\windows\$NtUninstallKB21166$\3871978599\Desktop.ini
    c:\windows\$NtUninstallKB21166$\3871978599\L\aijxgmre
    c:\windows\$NtUninstallKB21166$\3871978599\U\00000001.@
    c:\windows\$NtUninstallKB21166$\3871978599\U\00000002.@
    c:\windows\$NtUninstallKB21166$\3871978599\U\00000004.@
    c:\windows\$NtUninstallKB21166$\3871978599\U\80000000.@
    c:\windows\$NtUninstallKB21166$\3871978599\U\80000004.@
    c:\windows\$NtUninstallKB21166$\3871978599\U\80000032.@
    c:\windows\$NtUninstallKB21166$\3871978599\version
    c:\windows\$NtUninstallKB21166$\3946123810
    c:\windows\system32\dds_trash_log.cmd
    c:\windows\system32\dllcache\dlimport.exe
    c:\windows\system32\dllcache\wmpvis.dll
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\PowerToyReadme.htm
    c:\windows\system32\SET14.tmp
    c:\windows\system32\SET15.tmp
    c:\windows\system32\SET17.tmp
    c:\windows\system32\SET18.tmp
    c:\windows\system32\SET1B.tmp
    c:\windows\system32\SET24.tmp
    c:\windows\system32\SET29.tmp
    c:\windows\system32\SET2A.tmp
    c:\windows\system32\SET30.tmp
    c:\windows\system32\SET31.tmp
    c:\windows\system32\SET7.tmp
    c:\windows\system32\SET8.tmp
    c:\windows\system32\SETD.tmp
    c:\windows\system32\SETE.tmp
    c:\windows\system32\SETF.tmp
    c:\windows\system32\Thumbs.db
    c:\windows\system32\USB3Sw32.dll
    c:\windows\system32\wpcap.dll
    .
    c:\windows\system32\drivers\netbt.sys was missing
    Restored copy from - c:\windows\ServicePackFiles\i386\netbt.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_6TO4
    -------\Legacy_NPF
    -------\Service_6to4
    -------\Service_NPF
    .
    .
    .
    .
    .
    2012-03-30 18:19 . 2008-04-13 19:21 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
    2012-03-30 18:19 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
    2012-03-29 18:41 . 2012-03-29 18:41 -------- d-----w- c:\documents and settings\dennis\Application Data\SUPERAntiSpyware.com
    2012-03-29 18:38 . 2012-03-29 18:41 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-03-29 18:38 . 2012-03-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-03-29 13:02 . 2012-03-29 12:57 99328 ----a-w- c:\windows\system32\cCYt7A.com
    2012-03-28 14:47 . 2012-03-28 14:47 -------- d-----w- c:\program files\Common Files\EPSON
    2012-03-28 14:47 . 2012-03-28 14:47 -------- d-----w- c:\program files\EPSON Software
    2012-03-28 14:46 . 2012-03-28 14:46 -------- d-----w- c:\program files\Epson America Inc
    2012-03-23 14:10 . 2012-03-23 14:10 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
    2012-03-23 14:10 . 2012-03-23 14:10 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
    .
    .
    .
    .
    .
    2012-03-02 19:55 . 2011-05-17 19:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-23 14:10 . 2011-08-28 13:23 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    .
    .
    .

    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 3905920]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2006-12-19 16062464]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2009-08-05 710528]
    "LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-09 98304]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-29 497648]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2011-07-23 13:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    2003-10-31 16:01 8704 ----a-w- c:\windows\system32\PCANotify.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-08-19 06:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    2006-05-16 10:04 2879488 ------r- c:\windows\SkyTel.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
    "c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
    "c:\\Documents and Settings\\dennis\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
    "c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
    "c:\\Program Files\\CoreFTP\\coreftp.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
    "c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5910:TCP"= 5910:TCP:vnc5910
    "1194:TCP"= 1194:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface
    .
    R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [5/3/2010 10:33 AM 101528]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
    R2 Acceler8DB Server;Acceler8DB Server;c:\program files\ASNA\ADB Engine 5.0\adbntsvc.exe [5/1/2010 3:43 PM 606528]
    R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [9/30/2010 4:06 AM 169408]
    R2 CrossLoopService;CrossLoop Service;c:\documents and settings\dennis\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [5/11/2010 9:36 AM 560792]
    R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [6/9/2011 1:01 PM 521600]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [8/8/2011 1:24 PM 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
    R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [3/3/2011 8:31 PM 428640]
    R2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/7/2011 10:57 PM 30152]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/17/2009 5:32 PM 497856]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [6/26/2011 12:08 PM 101904]
    R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2/23/2009 4:55 PM 20504]
    S0 lyaxc;lyaxc;c:\windows\system32\drivers\pjdpuyh.sys --> c:\windows\system32\drivers\pjdpuyh.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/25/2010 10:11 AM 136176]
    S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [3/31/2003 7:00 AM 14336]
    S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [5/14/2010 4:58 PM 20448]
    S3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\DRIVERS\GenBus.sys --> c:\windows\system32\DRIVERS\GenBus.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/25/2010 10:11 AM 136176]
    S3 NUS_Bus32;Network USB Server Bus ;c:\windows\system32\DRIVERS\NUS_Bus32.sys --> c:\windows\system32\DRIVERS\NUS_Bus32.sys [?]
    S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [5/3/2010 10:32 AM 24876]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 10:08 PM 47128]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    NecUsb3Sevic REG_MULTI_SZ NecUsb3
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    slee_81_service
    AlteraByteBlaster
    pctfw1
    nimxdfk
    s116obex
    sscdbus
    SilverLink
    anydvd
    nvmpu401
    LVCap138
    dwmrcs
    iSMBIOS
    nipxirmu
    nsm1serd
    iaimfp3
    lvcomser
    XBCD
    BootScreen
    vsserv
    ASInsHelp
    getPlusHelper
    spcsutilityservice
    epoxusdm
    twotrack
    aslm75
    Dfs
    bjmcmng
    tosrfsnd
    .
    .
    .
    2012-03-29 c:\windows\Tasks\AdobeAAMUpdater-1.0-DENNISJONES-dennis.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-29 07:25]
    .
    2012-03-29 c:\windows\Tasks\At1.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At11.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At13.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At15.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At17.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At19.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At21.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-30 c:\windows\Tasks\At23.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-30 c:\windows\Tasks\At25.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-30 c:\windows\Tasks\At27.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At29.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At3.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At31.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At33.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At35.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At37.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At39.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At41.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At43.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At45.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At47.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At49.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At5.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At51.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At53.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At55.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At57.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At59.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At61.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At63.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At65.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At67.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At69.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At7.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-30 c:\windows\Tasks\At71.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-30 c:\windows\Tasks\At73.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-30 c:\windows\Tasks\At75.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At77.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At79.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At81.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At83.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At85.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At87.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At89.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At9.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At91.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At93.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-29 c:\windows\Tasks\At95.job
    - c:\windows\system32\cCYt7A.com [2012-03-29 12:57]
    .
    2012-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 15:11]
    .
    2012-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 15:11]
    .
    2012-03-30 c:\windows\Tasks\User_Feed_Synchronization-{C276CCE1-5D5D-43C6-B6EB-3580CBE7D38B}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- -------
    .
    uStart Page = hxxp://www.lakevalleygolf.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
    IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
    TCP: DhcpNameServer = 192.168.1.1
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://66.112.124.186/CACHE/stc/1/binaries/vpnweb.cab
    FF - ProfilePath - c:\documents and settings\dennis\Application Data\Mozilla\Firefox\Profiles\u1h4u1v3.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    .
    - - - - - - - -
    .
    HKCU-Run-Gu8UZegGF0S - c:\documents and settings\All Users\Application Data\Gu8UZegGF0S.exe
    HKCU-Run-Akamai NetSession Interface - c:\documents and settings\dennis\Local Settings\Application Data\Akamai\netsession_win.exe
    Notify-NecUsb3Sevices - USB3Sw32.dll
    Notify-USB3Sw32 - USB3Sw32.dll
    SafeBoot-71918672.sys
    AddRemove-Diamond Multimedia 11.3 2400-5900, 6400-6600, 6800-6900 WinXP - c:\program files\Diamond Multimedia 11.3 2400-5900
    AddRemove-{1E3CA1C4-1E90-401B-8CC0-911DF018D8D8} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{1E3CA~1\Setup.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-30 13:23
    Windows 5.1.2600 Service Pack 3 NTFS
    .

    .

    .

    .
    .
    : 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
    "ImagePath"="system32\drivers\tsk1.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
    "ImagePath"="system32\drivers\tsk2.tmp"
    .
    --------------------- ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\ASNA\Shared\Security Provider*Wrong guess again!]
    "<No Name>"="{3C90A7C3-0CFE-4AF6-9B74-A2492C3EEC47}"
    .
    --------------------- ---------------------
    .
    - - - - - - - > 'winlogon.exe'(572)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\LMIinit.dll
    .
    - - - - - - - > 'explorer.exe'(2788)
    c:\windows\system32\WININET.dll
    c:\program files\Logitech\MouseWare\System\LgWndHk.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    c:\program files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\Logitech\MouseWare\system\em_exec.exe
    c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    .
    **************************************************************************
    .
    : 2012-03-30 13:37:05 -
    ComboFix-quarantined-files.txt 2012-03-30 18:37
    .
    Pre-Run: 26,610,233,344 bytes free
    : 27,403,599,872 bytes free
    .
    - - End Of File - - 51F2F9440C51BB46C5212B3471D532BA
  8. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    By your choice or it happened because of the infection?

    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

    ================================================================

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\cCYt7A.com
    
    
    AtJob::
    
    Driver::
    lyaxc
    
    Rootkit::
    c:\windows\system32\drivers\pjdpuyh.sys 
    
    Registry::
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  9. dennisgolfer

    dennisgolfer Newcomer, in training Topic Starter Posts: 20

    ComboFix 12-03-30.06 - dennis 03/30/2012 15:00:16.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.363 [GMT -5:00]
    Running from: c:\documents and settings\dennis\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\dennis\Desktop\cfscript.txt
    .
    FILE ::
    "c:\windows\system32\cCYt7A.com"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At25.job
    c:\windows\Tasks\At27.job
    c:\windows\Tasks\At29.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At31.job
    c:\windows\Tasks\At33.job
    c:\windows\Tasks\At35.job
    c:\windows\Tasks\At37.job
    c:\windows\Tasks\At39.job
    c:\windows\Tasks\At41.job
    c:\windows\Tasks\At43.job
    c:\windows\Tasks\At45.job
    c:\windows\Tasks\At47.job
    c:\windows\Tasks\At49.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At51.job
    c:\windows\Tasks\At53.job
    c:\windows\Tasks\At55.job
    c:\windows\Tasks\At57.job
    c:\windows\Tasks\At59.job
    c:\windows\Tasks\At61.job
    c:\windows\Tasks\At63.job
    c:\windows\Tasks\At65.job
    c:\windows\Tasks\At67.job
    c:\windows\Tasks\At69.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At71.job
    c:\windows\Tasks\At73.job
    c:\windows\Tasks\At75.job
    c:\windows\Tasks\At77.job
    c:\windows\Tasks\At79.job
    c:\windows\Tasks\At81.job
    c:\windows\Tasks\At83.job
    c:\windows\Tasks\At85.job
    c:\windows\Tasks\At87.job
    c:\windows\Tasks\At89.job
    c:\windows\Tasks\At9.job
    c:\windows\Tasks\At91.job
    c:\windows\Tasks\At93.job
    c:\windows\Tasks\At95.job
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_lyaxc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-30 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-30 19:03 . 2012-03-30 19:03 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2012-03-30 19:03 . 2012-03-30 19:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Viewpoint
    2012-03-30 19:03 . 2012-03-30 19:08 -------- d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData
    2012-03-30 18:19 . 2008-04-13 19:21 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
    2012-03-29 18:41 . 2012-03-29 18:41 -------- d-----w- c:\documents and settings\dennis\Application Data\SUPERAntiSpyware.com
    2012-03-29 18:38 . 2012-03-29 18:41 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-03-29 18:38 . 2012-03-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-03-29 13:02 . 2012-03-29 12:57 99328 ----a-w- c:\windows\system32\cCYt7A.com_
    2012-03-28 14:47 . 2012-03-28 14:47 -------- d-----w- c:\program files\Common Files\EPSON
    2012-03-28 14:47 . 2012-03-28 14:47 -------- d-----w- c:\program files\EPSON Software
    2012-03-28 14:46 . 2010-09-28 11:01 93696 ----a-w- c:\windows\system32\E_TLBH5A.DLL
    2012-03-28 14:46 . 2010-08-09 11:02 81408 ----a-w- c:\windows\system32\E_TD4BH5A.DLL
    2012-03-28 14:46 . 2012-03-28 14:46 -------- d-----w- c:\program files\Epson America Inc
    2012-03-23 14:10 . 2012-03-23 14:10 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
    2012-03-23 14:10 . 2012-03-23 14:10 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-02 19:55 . 2011-05-17 19:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-23 14:10 . 2011-08-28 13:23 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-03-30_18.23.57 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-03-30 20:18 . 2012-03-30 20:18 16384 c:\windows\Temp\Perflib_Perfdata_9e4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 3905920]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2006-12-19 16062464]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2009-08-05 710528]
    "LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-09 98304]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-29 497648]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11f_ActiveX.exe" [2012-03-02 250016]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2011-07-23 13:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    2003-10-31 16:01 8704 ----a-w- c:\windows\system32\PCANotify.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-08-19 06:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    2006-05-16 10:04 2879488 ------r- c:\windows\SkyTel.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
    "c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
    "c:\\Documents and Settings\\dennis\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
    "c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
    "c:\\Program Files\\CoreFTP\\coreftp.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
    "c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5910:TCP"= 5910:TCP:vnc5910
    "1194:TCP"= 1194:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface
    .
    R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [5/3/2010 10:33 AM 101528]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
    R2 Acceler8DB Server;Acceler8DB Server;c:\program files\ASNA\ADB Engine 5.0\adbntsvc.exe [5/1/2010 3:43 PM 606528]
    R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [9/30/2010 4:06 AM 169408]
    R2 CrossLoopService;CrossLoop Service;c:\documents and settings\dennis\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [5/11/2010 9:36 AM 560792]
    R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [6/9/2011 1:01 PM 521600]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [8/8/2011 1:24 PM 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
    R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [3/3/2011 8:31 PM 428640]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/17/2009 5:32 PM 497856]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [6/26/2011 12:08 PM 101904]
    R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2/23/2009 4:55 PM 20504]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/25/2010 10:11 AM 136176]
    S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [3/31/2003 7:00 AM 14336]
    S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [5/14/2010 4:58 PM 20448]
    S3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\DRIVERS\GenBus.sys --> c:\windows\system32\DRIVERS\GenBus.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/25/2010 10:11 AM 136176]
    S3 NUS_Bus32;Network USB Server Bus ;c:\windows\system32\DRIVERS\NUS_Bus32.sys --> c:\windows\system32\DRIVERS\NUS_Bus32.sys [?]
    S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [5/3/2010 10:32 AM 24876]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 10:08 PM 47128]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    NecUsb3Sevic REG_MULTI_SZ NecUsb3
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    slee_81_service
    AlteraByteBlaster
    pctfw1
    nimxdfk
    s116obex
    sscdbus
    SilverLink
    anydvd
    nvmpu401
    LVCap138
    dwmrcs
    iSMBIOS
    nipxirmu
    nsm1serd
    iaimfp3
    lvcomser
    XBCD
    BootScreen
    vsserv
    ASInsHelp
    getPlusHelper
    spcsutilityservice
    epoxusdm
    twotrack
    aslm75
    Dfs
    bjmcmng
    tosrfsnd
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-29 c:\windows\Tasks\AdobeAAMUpdater-1.0-DENNISJONES-dennis.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-29 07:25]
    .
    2012-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 15:11]
    .
    2012-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 15:11]
    .
    2012-03-30 c:\windows\Tasks\User_Feed_Synchronization-{C276CCE1-5D5D-43C6-B6EB-3580CBE7D38B}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.lakevalleygolf.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
    IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
    TCP: DhcpNameServer = 192.168.1.1
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://66.112.124.186/CACHE/stc/1/binaries/vpnweb.cab
    FF - ProfilePath - c:\documents and settings\dennis\Application Data\Mozilla\Firefox\Profiles\u1h4u1v3.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-30 15:19
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
    "ImagePath"="system32\drivers\tsk1.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
    "ImagePath"="system32\drivers\tsk2.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\ASNA\Shared\Security Provider*Wrong guess again!]
    "<No Name>"="{3C90A7C3-0CFE-4AF6-9B74-A2492C3EEC47}"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(576)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\LMIinit.dll
    .
    - - - - - - - > 'explorer.exe'(3924)
    c:\windows\system32\WININET.dll
    c:\program files\Logitech\MouseWare\System\LgWndHk.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\msi.dll
    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\Logitech\MouseWare\system\em_exec.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    c:\program files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-03-30 15:25:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-30 20:25
    ComboFix2.txt 2012-03-30 18:37
    .
    Pre-Run: 27,385,085,952 bytes free
    Post-Run: 27,383,963,648 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    [spybotsd]
    timeout.old=30
    .
    - - End Of File - - D371E266598C0DE2B8D185F08784265B
  10. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\cCYt7A.com_
    c:\windows\system32\E_TLBH5A.DLL
    c:\windows\system32\E_TD4BH5A.DLL
    
    
    Folder::
    
    Driver::
    
    Registry::
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
    "ImagePath"="system32\drivers\acpi.sys"
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
    "ImagePath"="system32\drivers\redbook.sys"
    
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\ASNA\Shared\Security Provider*Wrong guess again!]
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  11. dennisgolfer

    dennisgolfer Newcomer, in training Topic Starter Posts: 20

    ComboFix 12-03-30.06 - dennis 03/30/2012 15:57:20.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.373 [GMT -5:00]
    Running from: c:\documents and settings\dennis\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\dennis\Desktop\cfscript.txt
    .
    FILE ::
    "c:\windows\system32\cCYt7A.com_"
    "c:\windows\system32\E_TD4BH5A.DLL"
    "c:\windows\system32\E_TLBH5A.DLL"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\cCYt7A.com_
    c:\windows\system32\E_TD4BH5A.DLL
    c:\windows\system32\E_TLBH5A.DLL
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-30 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-30 19:03 . 2012-03-30 19:03 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2012-03-30 19:03 . 2012-03-30 19:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Viewpoint
    2012-03-30 19:03 . 2012-03-30 19:08 -------- d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData
    2012-03-30 18:19 . 2008-04-13 19:21 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
    2012-03-30 18:19 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
    2012-03-29 18:41 . 2012-03-29 18:41 -------- d-----w- c:\documents and settings\dennis\Application Data\SUPERAntiSpyware.com
    2012-03-29 18:38 . 2012-03-29 18:41 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-03-29 18:38 . 2012-03-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-03-28 14:47 . 2012-03-28 14:47 -------- d-----w- c:\program files\Common Files\EPSON
    2012-03-28 14:47 . 2012-03-28 14:47 -------- d-----w- c:\program files\EPSON Software
    2012-03-28 14:46 . 2012-03-28 14:46 -------- d-----w- c:\program files\Epson America Inc
    2012-03-23 14:10 . 2012-03-23 14:10 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
    2012-03-23 14:10 . 2012-03-23 14:10 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-02 19:55 . 2011-05-17 19:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-23 14:10 . 2011-08-28 13:23 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-03-30_18.23.57 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-03-30 21:09 . 2012-03-30 21:09 16384 c:\windows\Temp\Perflib_Perfdata_e54.dat
    + 2012-03-30 21:12 . 2012-03-30 21:12 16384 c:\windows\Temp\Perflib_Perfdata_84.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 3905920]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2006-12-19 16062464]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2009-08-05 710528]
    "LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-09 98304]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-29 497648]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11f_ActiveX.exe" [2012-03-02 250016]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2011-07-23 13:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    2003-10-31 16:01 8704 ----a-w- c:\windows\system32\PCANotify.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-08-19 06:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    2006-05-16 10:04 2879488 ------r- c:\windows\SkyTel.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
    "c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
    "c:\\Documents and Settings\\dennis\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
    "c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
    "c:\\Program Files\\CoreFTP\\coreftp.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
    "c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5910:TCP"= 5910:TCP:vnc5910
    "1194:TCP"= 1194:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface
    .
    R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [5/3/2010 10:33 AM 101528]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
    R2 Acceler8DB Server;Acceler8DB Server;c:\program files\ASNA\ADB Engine 5.0\adbntsvc.exe [5/1/2010 3:43 PM 606528]
    R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [9/30/2010 4:06 AM 169408]
    R2 CrossLoopService;CrossLoop Service;c:\documents and settings\dennis\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [5/11/2010 9:36 AM 560792]
    R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [6/9/2011 1:01 PM 521600]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [8/8/2011 1:24 PM 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
    R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [3/3/2011 8:31 PM 428640]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/17/2009 5:32 PM 497856]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [6/26/2011 12:08 PM 101904]
    R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2/23/2009 4:55 PM 20504]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/25/2010 10:11 AM 136176]
    S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [3/31/2003 7:00 AM 14336]
    S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [5/14/2010 4:58 PM 20448]
    S3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\DRIVERS\GenBus.sys --> c:\windows\system32\DRIVERS\GenBus.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/25/2010 10:11 AM 136176]
    S3 NUS_Bus32;Network USB Server Bus ;c:\windows\system32\DRIVERS\NUS_Bus32.sys --> c:\windows\system32\DRIVERS\NUS_Bus32.sys [?]
    S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [5/3/2010 10:32 AM 24876]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 10:08 PM 47128]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    NecUsb3Sevic REG_MULTI_SZ NecUsb3
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    slee_81_service
    AlteraByteBlaster
    pctfw1
    nimxdfk
    s116obex
    sscdbus
    SilverLink
    anydvd
    nvmpu401
    LVCap138
    dwmrcs
    iSMBIOS
    nipxirmu
    nsm1serd
    iaimfp3
    lvcomser
    XBCD
    BootScreen
    vsserv
    ASInsHelp
    getPlusHelper
    spcsutilityservice
    epoxusdm
    twotrack
    aslm75
    Dfs
    bjmcmng
    tosrfsnd
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-29 c:\windows\Tasks\AdobeAAMUpdater-1.0-DENNISJONES-dennis.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-29 07:25]
    .
    2012-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 15:11]
    .
    2012-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-25 15:11]
    .
    2012-03-30 c:\windows\Tasks\User_Feed_Synchronization-{C276CCE1-5D5D-43C6-B6EB-3580CBE7D38B}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.lakevalleygolf.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
    IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
    TCP: DhcpNameServer = 192.168.1.1
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://66.112.124.186/CACHE/stc/1/binaries/vpnweb.cab
    FF - ProfilePath - c:\documents and settings\dennis\Application Data\Mozilla\Firefox\Profiles\u1h4u1v3.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-30 16:15
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
    "ImagePath"="system32\drivers\tsk1.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
    "ImagePath"="system32\drivers\tsk2.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\ASNA\Shared\Security Provider*Wrong guess again!]
    "<No Name>"="{3C90A7C3-0CFE-4AF6-9B74-A2492C3EEC47}"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(576)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\LMIinit.dll
    .
    - - - - - - - > 'explorer.exe'(944)
    c:\windows\system32\WININET.dll
    c:\program files\Logitech\MouseWare\System\LgWndHk.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\msi.dll
    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    c:\program files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\Logitech\MouseWare\system\em_exec.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    .
    **************************************************************************
    .
    Completion time: 2012-03-30 16:24:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-30 21:24
    ComboFix2.txt 2012-03-30 20:25
    ComboFix3.txt 2012-03-30 18:37
    .
    Pre-Run: 27,392,663,552 bytes free
    Post-Run: 27,373,314,048 bytes free
    .
    - - End Of File - - 26F7D190AF5EED8397DC017068535101
  12. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\tsk1.tmp
    c:\windows\system32\drivers\tsk2.tmp
    
    Rootkit::
    c:\windows\system32\drivers\tsk1.tmp
    c:\windows\system32\drivers\tsk2.tmp
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
    "ImagePath"="system32\drivers\acpi.sys"
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
    "ImagePath"="system32\drivers\redbook.sys"
    
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\ASNA\Shared\Security Provider*Wrong guess again!]
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
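    Both CFScripts above do the same repair: the posted ComboFix log shows the ACPI and redbook services with their ImagePath pointing at tsk1.tmp and tsk2.tmp instead of the normal .sys drivers, plus a locked key that regedit cannot open, and the Registry:: / RegLockDel:: sections put those back. The Python checker below is an added example (not ComboFix's or TechSpot's code) that pulls service ImagePath values and locked keys out of a ComboFix-style dump and flags the same two conditions; the baseline map and the sample dump are constructed from the log lines in this thread.

    ```python
    """Flag driver-service ImagePath hijacks and locked keys in a ComboFix-style registry dump."""
    import re
    from typing import Dict, List

    # Baseline of boot-critical Windows XP driver services whose binaries should not move.
    # Constructed for this demo from the two services the thread's log shows hijacked;
    # a real baseline would cover every driver service on a known-clean install.
    EXPECTED_IMAGEPATH: Dict[str, str] = {
        "ACPI": r"system32\drivers\acpi.sys",
        "redbook": r"system32\drivers\redbook.sys",
    }

    # [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
    SERVICE_KEY_RE = re.compile(
        r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\\\]]+)\]$",
        re.IGNORECASE,
    )
    # any other [key] line, used to stop attributing values to the last service key
    ANY_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
    # "ImagePath"="system32\drivers\tsk1.tmp"
    VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')
    LOCKED_BANNER = "LOCKED REGISTRY KEYS"


    def parse_service_imagepaths(dump: str) -> Dict[str, str]:
        """Return {service: ImagePath} for each Services\\<name> key in the dump."""
        paths: Dict[str, str] = {}
        current = None
        for raw in dump.splitlines():
            line = raw.strip()
            if line in ("", "."):          # ComboFix pads sections with lone dots
                continue
            svc = SERVICE_KEY_RE.match(line)
            if svc:
                current = svc.group(1)
                continue
            if ANY_KEY_RE.match(line):     # some unrelated key: its values are not ours
                current = None
                continue
            val = VALUE_RE.match(line)
            if current and val and val.group("name").lower() == "imagepath":
                paths[current] = val.group("data")
        return paths


    def find_hijacked_drivers(paths: Dict[str, str]) -> List[str]:
        """Report services whose ImagePath left the baseline or points at a temp file."""
        findings: List[str] = []
        for svc, path in paths.items():
            expected = EXPECTED_IMAGEPATH.get(svc)
            if expected is not None and path.lower() != expected.lower():
                findings.append(f"{svc}: ImagePath '{path}' differs from baseline '{expected}'")
            elif path.lower().endswith(".tmp"):
                findings.append(f"{svc}: ImagePath '{path}' is a .tmp file in a driver slot")
        return findings


    def find_locked_keys(dump: str) -> List[str]:
        """Return the keys ComboFix lists under its LOCKED REGISTRY KEYS banner.

        ComboFix prints '*' where the key name holds an embedded null; that null is
        what keeps regedit from opening the key. Copy-protection schemes and malware
        both use the trick, so these are returned for review, not judged here.
        """
        keys: List[str] = []
        in_section = False
        for raw in dump.splitlines():
            line = raw.strip()
            if LOCKED_BANNER in line:
                in_section = True
                continue
            if in_section and line.startswith("---"):   # next banner ends the section
                break
            key = ANY_KEY_RE.match(line)
            if in_section and key:
                keys.append(key.group("key"))
        return keys


    def audit(dump: str) -> Dict[str, List[str]]:
        """Run both checks over one dump and return the findings by category."""
        return {
            "hijacked_drivers": find_hijacked_drivers(parse_service_imagepaths(dump)),
            "locked_keys": find_locked_keys(dump),
        }


    # Constructed excerpt modelled on the log posted in this thread; the Beep
    # service is an added clean entry so the negative case is exercised too.
    SAMPLE_DUMP = r"""
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
    "ImagePath"="system32\drivers\tsk1.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
    "ImagePath"="system32\drivers\tsk2.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]
    "ImagePath"="system32\drivers\beep.sys"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\ASNA\Shared\Security Provider*Wrong guess again!]
    "<No Name>"="{3C90A7C3-0CFE-4AF6-9B74-A2492C3EEC47}"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    """

    if __name__ == "__main__":
        for section, items in audit(SAMPLE_DUMP).items():
            print(section)
            for item in items:
                print("   ", item)
    ```

    The locked key here sits under the ASNA vendor path and the service list shows ASNA software installed, which is exactly why the checker only lists such keys: a baseline mismatch on a boot driver is a finding on its own, a locked key needs context.
    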
  13. dennisgolfer

    dennisgolfer Newcomer, in training Topic Starter Posts: 20

    Having a problem now. I copied/pasted and ran the combofix as indicated above. Now the machine is in a reboot loop. It tries to boot, then comes to a screen saying it did not boot successfully. If I tell it to reboot in Safe mode it acts like it wants to, then reboots and starts over. What next?
     
  14. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    ComboFix created a restore point, so try "Last known good configuration".
  15. dennisgolfer

    dennisgolfer Newcomer, in training Topic Starter Posts: 20

    That's not working either. It just starts a new boot as soon as I select Last Known Good Config and hit Enter.
  16. dennisgolfer

    dennisgolfer Newcomer, in training Topic Starter Posts: 20

    Just tried a Safe Mode boot. It goes through a bunch of "multi disc..." statements and the last one it shows is mup.sys, then it starts a reboot.
  17. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    Do you have, or can you borrow, a Windows XP CD?
  18. dennisgolfer

    dennisgolfer Newcomer, in training Topic Starter Posts: 20

    I have my XP CD.
  19. Broni

    Broni Malware Annihilator Posts: 45,186   +242

  20. dennisgolfer

    dennisgolfer Newcomer, in training Topic Starter Posts: 20

    That didn't go well. It read the CD and rebooted to finish the Repair. Now it wants the location of SP1. Suggestions? I've looked all over the CD and got nothing.
  21. dennisgolfer

    dennisgolfer Newcomer, in training Topic Starter Posts: 20

    I think I'm going to walk away for a while. If you have any suggestions leave me a note and I'll pick it up later. Thanks.
  22. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    I see what the problem is.
    Your computer has SP3 installed and your CD most likely doesn't have any SP on it.
    In order to run a repair installation you'll have to create a new CD which includes SP3.
    Instructions: http://www.theeldergeek.com/slipstreamed_xpsp3_cd.htm
  23. dennisgolfer

    dennisgolfer Newcomer, in training Topic Starter Posts: 20

    Hi Broni: Thanks again for helping. I'm working on copying and creating the bootable CD with the SP included, but I've run into another hiccup. Following the link you provided, I'm down to their second step in Copying and Extracting Files.

    The second step is to navigate to where you downloaded the Service Pack 3 file.

    Of course, this is a problem because I'm unable to boot now, so I can't navigate to where I downloaded the file. Are you aware of an alternative? If I have another XP machine, can I copy it from there?

    I will continue to explore but wanted to send a note in case you had a quick n dirty answer.
  24. Broni

    Broni Malware Annihilator Posts: 45,186   +242

  25. dennisgolfer

    dennisgolfer Newcomer, in training Topic Starter Posts: 20

    Just to keep you updated..... I've tried downloading SP3 and it didn't like that, so I downloaded SP2 and created the disc, etc., and it didn't like that either. When the machine boots now it is asking for "The file 'asms' on Windows XP Professional Service Pack 1 CD is needed."

    The only downloads I've been able to find were for SP2 and SP3, and it doesn't seem to like those. The SP2 disc shows up with an ASMS folder, but I can't find an asms file anywhere. I've tried a variety of paths and it doesn't seem to want any of them.

    I have a friend who has an SP2 CD that he has used before, so he knows it's good. I'm going to pick it up from him later this morning and try it.

    So, since my machine was XP Pro SP3 and I'm doing a Repair, do I need SP3, SP2, or SP1 to continue the Repair? The machine is asking for SP1.

