Solved Trojan.Maljavagen23 & various PUBs

[glhglh]

My son's been at it again (read exasperated facial expression here).

Ran Symantec Endpoint: notification of Trojan.Maljavagen23, some of which could not be deleted.

Downloaded Malwarebytes, and am running, but the updating of the virus definitions seemed different than I have experienced before. Did get the updates, and ran scan. Lots of PUP.

The reason I started the scans on his notebook was that his screen would show for about a second, then go off. using an external screen works with no problem. Thought maybe the virus might affect the screen??

I was able to run the Malwarebytes and get a log, and gmer with a log, but dss ran for two hours. and froze the computer. I finally just pulled the plug, and rebooted. after the reboot, I again disabled the Symantec Endpoint, and tried to run again. Froze again, it's been another hour.

shall I just pull the plug again? the cntrl alt del does not give a dialog. Then (and by the way, once a couple of the virus' were found and deleted by Malwarebytes & gmer, there appeared 31 important updates. (he is using windows VISTA). shall I just post the logs I have?

 

[glhglh]

booting to safety mode with networking. I'll try to get the logs to send, and to run dss again.

 

[glhglh]

www.malwarebytes.org

Database version: v2012.08.01.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Benjamin :: BEN-DEL [administrator]

8/1/2012 10:53:01 AM
mbam-log-2012-08-01 (10-53-01).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 309347
Time elapsed: 2 hour(s), 7 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 14
HKCR\CLSID\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440044044435} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550055045535} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.BHO.1 (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.BHO (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Codec-V (Trojan.LilyJade) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.FBApi (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.FBApi.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.Sandbox (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.Sandbox.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Program Files\Codec-V\Codec-V.dll (PUP.Codec.PR) -> Quarantined and deleted successfully.
C:\Program Files\Codec-V\Uninstall.exe (Trojan.LilyJade) -> Quarantined and deleted successfully.
C:\Users\Benjamin\AppData\Local\Temp\{AFBD6FE3-BDBE-C052-F6AB-B983AB919E9E}\Addons\codecc_extension.exe (Trojan.LilyJade) -> Quarantined and deleted successfully.
C:\Users\Benjamin\Downloads\Codec-V.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.

(end)


the gmer log was empty. I'm going to try to run it again from safe mode. but will post this, then run it.

here is the rkreport. when I try to post a reply, I am redirected to the main page over and over. this had control of this machine.

RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User: Benjamin [Admin rights]
Mode: Scan -- Date: 08/01/2012 17:46:14

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 15 ¤¤¤
[HJ] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK1665GSX ATA Device +++++
--- User ---
[MBR] 5687d4fa6e6c7a20b0b4cd078bb8f016
[BSP] 07d76ee5427909186a8cc2bbac874834 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152625 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] d03a238488bbbb2fa90015973351e876
[BSP] 07d76ee5427909186a8cc2bbac874834 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152625 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 312578048 | Size: 1 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt

I'll do the answmbr next.

 

[Broni]

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===============================================

Leave GMER alone.

• Download RogueKiller on the desktop
• Close all the running programs
• Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
• Otherwise just double-click on RogueKiller.exe
• Pre-scan will start. Let it finish.
• Click on SCAN button.
• A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
• If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

==========================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

 

[glhglh]

from the infected machine, I tried to click the Post Reply icon, but was taken to the main forum page over and over. I was however able to edit my last post , so posted the rkreport there.

trying aswMBR, but it will not load in safe mode, so am rebooting and will try again.

 

[glhglh]

I can't get aswMBR to run. Not in safe mode, not in regular windows, as administrator or not.

any ideas?

 

[Broni]

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
• Double click on combofix.exe & follow the prompts.

• 
  NOTE1. If Combofix asks you to install Recovery Console, please allow it.
  NOTE 2. If Combofix asks you to update the program, always do so.

• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe

• Double-click on the Rkill icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[glhglh]

Thanks for your help again on this Broni! Looks like combofix has frozen the notebook. I'll leave it alone tonight, and try more tomorrow.

When I looked at the network settings, it seems like it set up its own network. tried several times to disconnect, finally I just disconnected wireless adapter, once combofix works, I'll set it up again.

 

[Broni]

If computer clock is not running re-run Combofix from safe mode.

 

[glhglh]

I'm in pacific time zone. started combofix on my son's computer 14 hours ago in safe mode. it is not proceeded past "however, scan times for badly infected machines may easily double".

did not say the clock was changed, and will be changed back (I remember this on past problems ), and nothing more.

the clock on the start ribbon is correct. and the cursor line in the blue box is flashing.

Is it time to move on to the rkill options?

after being unable to close the internet connection last night from his machine, I'm worried about his mother's computer (she consults from that computer), and his sisters' machine, and mine. we have our own exchange server (but using server 2003 I think.). maybe I'm worrying too much. we work to keep our endpoint uptodate, but from what I could see from the logs from his machine lastnight, he seems to be a hole.

So, what do I do next for his computer, and am I too bothered about our other computers?

 

[Broni]

Is it time to move on to the rkill options?

Yes and run rKill and Combofix from safe mode.

 

[glhglh]

Brori,

I'm in a loop. there are updates from Microsoft. (not updated since last december when this problem apparently started). I check "do not update", but when I run rkill or combofix, and they freeze, the order to "not update" is lost, and it tries to load the updates. But won't, failure, but during the process I lose a lot of time. I looked at the update log, and 128/14/2011 was the last successful update.

any suggestions?

 

[Broni]

run rKill and Combofix from safe mode

Updates shouldn't bother you from there.

 

[glhglh]

in safe mode, ran rkill, then a renamed combofix. I wasn't smart enough this time to copy the rkill but is was something like "rkill has completed it's tasks", not much more.

Combo fix makes it as far as the "scanning for problems", then runs for 16 hours this time.

I tried to simply use the "restart button", blank screen, then "logon process has failed to create the security options dialog" FAilure Security Options". I click OK, than back to the dos screen, but everything is froxen now.

I also get the messages about Endpoint running early in the Combofix process. but Symantec is disabled.

Shall I try to completely uninstall Symantec?

 

[glhglh]

On my computer, when I try to post these messages, IE freezes. Amazing.

Opened Chrome. Friday night, I got one RKreport I didn't post (because the notebook froze, and started the cycle of reboot, discussed before.

here is that report:

RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User: Benjamin [Admin rights]
Mode: Scan -- Date: 08/01/2012 17:46:14

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 15 ¤¤¤
[HJ] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK1665GSX ATA Device +++++
--- User ---
[MBR] 5687d4fa6e6c7a20b0b4cd078bb8f016
[BSP] 07d76ee5427909186a8cc2bbac874834 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152625 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] d03a238488bbbb2fa90015973351e876
[BSP] 07d76ee5427909186a8cc2bbac874834 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152625 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 312578048 | Size: 1 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt

also, in the process of running rkill, then combofix (renamed, and not renamed), and the combofix.

Yesterday:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 08/02/2012 at 13:20:37.
Operating System: Windows Vista (TM) Business


Processes terminated by Rkill or while it was running:

C:\Windows\system32\vssvc.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE


Rkill completed on 08/02/2012 at 13:23:04.
late last night:
his log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Rkill was run on 08/03/2012 at 21:56:53.
Operating System: Windows Vista (TM) Business
Processes terminated by Rkill or while it was running:
Rkill completed on 08/03/2012 at 21:58:07.
I was in safe mode both times, started combofix right after running rkill, and combo fix got as far as the "scanning for infections" screen, then nothing more. I waited 10 hours before I rebooted, and transfered the logs to a thumb drive to post.

 

[Broni]

For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

• • 
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

[glhglh]

at last! I see the changed files list only goes back 3 months. I'm sure when I was able to check the "widows update history" last night, the problems (unable to update) started on dec 14, 2011. There was a time when I was OK in dos, but it wasn't long enough ago. remembering 50 years is not problem, the past 5 minutes, or a year, maybe not so good.

is there a way to get a log of the changes in december 2011 in dos?



Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 04-08-2012 12:15:40
Running from E:\
Windows Vista (TM) Business Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [XeroxRegistation] "C:\Users\Benjamin\AppData\Local\Temp\Xerox\EReg\EReg.exe" /Startup [137728 2008-03-13] (Xerox Corporation)
HKU\Benjamin\...\Run: [CrossRiderPlugin] C:\Program Files\CrossriderWebApps\Crossrider.exe [478720 2011-05-15] (Crossrider)
HKLM\...\Runonce: [GrpConv] grpconv -o [x]
Winlogon\Notify\SEP: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll [X]

================================ Services (Whitelisted) ==================

2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)
4 Giraffic; C:\Program Files\Giraffic\Veoh_GirafficWatchdog.exe --service [2232504 2012-07-02] (Giraffic)
2 SepMasterService; "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe" /s "Symantec Endpoint Protection" /m "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\sms.dll" /prefetch:1 [167344 2011-08-26] (Symantec Corporation)
3 SmcService; "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe" /prefetch:1 [1664744 2011-08-26] (Symantec Corporation)
3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe [280496 2011-08-26] (Symantec Corporation)
4 Updater Service for StartNow Toolbar; C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe [265952 2012-04-20] ()
4 Web Assistant Updater; C:\Program Files\Web Assistant\ExtensionUpdaterService.exe [185856 2012-05-08] ()

========================== Drivers (Whitelisted) =============

1 BHDrvx86; \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20120711.012\BHDrvx86.sys [821920 2012-06-20] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-06-29] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-05-30] (Symantec Corporation)
1 IDSVix86; \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20120801.001\IDSvix86.sys [382624 2012-07-31] (Symantec Corporation)
3 NAVENG; \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120801.004\NAVENG.SYS [87928 2012-07-31] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120801.004\NAVEX15.SYS [1589752 2012-07-31] (Symantec Corporation)
1 SRTSP; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\SRTSP.SYS [516216 2011-08-26] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\SRTSPX.SYS [50168 2011-08-26] (Symantec Corporation)
0 SymDS; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\SYMDS.SYS [340088 2011-08-26] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\SYMEFA.SYS [756856 2011-08-26] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [127096 2011-08-26] (Symantec Corporation)
1 SymIRON; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\Ironx86.SYS [136312 2011-08-26] (Symantec Corporation)
1 SYMTDIV; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\SYMTDIV.SYS [331384 2011-08-26] (Symantec Corporation)
1 Teefer2; C:\Windows\System32\DRIVERS\Teefer.sys [50096 2011-08-26] (Symantec Corporation)
3 USBCCID; C:\Windows\System32\DRIVERS\usbccid.sys [30208 2009-04-10] (Microsoft Corporation)
3 catchme; \??\C:\Users\Benjamin\AppData\Local\Temp\catchme.sys [x]
3 COH_Mon; \??\C:\Windows\system32\Drivers\COH_Mon.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-04 12:15 - 2012-08-04 12:15 - 00000000 ____D C:\FRST
2012-08-03 21:06 - 2012-08-03 21:13 - 00000000 ___SD C:\sewf8374ljk
2012-08-02 18:10 - 2012-08-02 18:10 - 00000000 ____A C:\Users\Benjamin\Documents\gmer 2.log
2012-08-02 12:20 - 2012-08-03 20:58 - 00000366 ____A C:\rkill.log
2012-08-01 18:24 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-01 18:24 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-01 18:24 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-01 18:24 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-01 18:24 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-01 18:24 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-01 18:24 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-01 18:24 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-01 18:17 - 2012-08-01 18:23 - 00000000 ____D C:\Qoobox
2012-08-01 18:16 - 2012-08-01 18:16 - 00000000 ____D C:\Windows\erdnt
2012-08-01 18:13 - 2012-08-01 18:12 - 04722680 ____R (Swearware) C:\Users\Benjamin\Desktop\sewf8374ljk.exe
2012-08-01 16:46 - 2012-08-01 16:46 - 00002385 ____A C:\Users\Benjamin\Desktop\RKreport[1].txt
2012-08-01 16:44 - 2012-08-01 16:46 - 00000000 ____D C:\Users\Benjamin\Desktop\RK_Quarantine
2012-08-01 09:59 - 2012-08-01 09:59 - 00000076 ____A C:\Users\Benjamin\AppData\Roaming\mbam.context.scan
2012-07-31 18:29 - 2012-07-31 18:42 - 00000941 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-31 18:28 - 2012-08-03 20:59 - 00000000 ____D C:\Users\Benjamin\Desktop\Ben Virus scans
2012-07-23 18:18 - 2012-07-23 18:18 - 00158184 ____A C:\Windows\Minidump\Mini072312-01.dmp
2012-07-17 18:12 - 2012-07-17 18:12 - 00000000 ____D C:\Users\Benjamin\AppData\Local\Proxure
2012-07-17 18:11 - 2012-07-17 18:11 - 00000000 ____D C:\Users\All Users\ClubSanDisk
2012-07-17 13:53 - 2012-07-17 13:53 - 00000000 ____D C:\Program Files\Oracle
2012-07-17 13:52 - 2012-07-05 21:06 - 00772544 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-07-17 13:52 - 2012-07-05 21:06 - 00227760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-07-17 13:51 - 2012-07-17 13:49 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-07-17 13:51 - 2012-07-17 13:49 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-07-17 13:47 - 2012-07-17 13:47 - 00000000 ____D C:\Users\All Users\McAfee
2012-07-17 13:46 - 2012-07-17 13:46 - 00893936 ____A (Oracle Corporation) C:\Users\Benjamin\Downloads\chromeinstall-7u5.exe
2012-07-17 13:46 - 2012-07-17 13:46 - 00893936 ____A (Oracle Corporation) C:\Users\Benjamin\Downloads\chromeinstall-7u5 (1).exe
2012-07-13 15:48 - 2012-07-13 15:48 - 00000000 ____D C:\Program Files\Incredibar.com
2012-07-13 15:47 - 2012-07-13 15:47 - 00000000 ____D C:\Program Files\Web Assistant
2012-07-13 15:46 - 2012-07-13 15:46 - 00000000 ____D C:\Users\Benjamin\AppData\Local\Codec-V
2012-07-13 15:45 - 2012-08-01 12:04 - 00000000 ____D C:\Program Files\Codec-V
2012-07-12 17:46 - 2012-07-12 17:46 - 00000000 ____D C:\Users\All Users\Graboid Inc
2012-07-12 17:39 - 2012-07-12 17:40 - 37996064 ____A C:\Users\Benjamin\Downloads\GraboidVideoSetup-3.11.exe
2012-07-12 06:51 - 2012-07-31 15:51 - 09821896 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2012-07-06 17:42 - 2012-07-06 17:42 - 00000000 ____D C:\Users\Benjamin\AppData\Local\StartNow

============ 3 Months Modified Files ========================

2012-08-04 10:59 - 2008-01-20 17:39 - 01133614 ____A C:\Windows\WindowsUpdate.log
2012-08-04 10:56 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-04 10:56 - 2006-11-02 04:47 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-04 10:56 - 2006-11-02 04:47 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-04 10:55 - 2006-11-02 05:01 - 00032624 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-04 10:53 - 2006-11-02 02:33 - 00703388 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-04 10:51 - 2012-04-04 07:33 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-04 08:17 - 2006-11-02 05:00 - 00806248 ____A C:\Windows\PFRO.log
2012-08-03 20:58 - 2012-08-02 12:20 - 00000366 ____A C:\rkill.log
2012-08-03 20:53 - 2011-12-12 23:25 - 00001356 ____A C:\Users\Benjamin\AppData\Local\d3d9caps.dat
2012-08-03 15:15 - 2012-06-22 22:12 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3175613772-2373492689-2895465435-1001UA.job
2012-08-02 18:10 - 2012-08-02 18:10 - 00000000 ____A C:\Users\Benjamin\Documents\gmer 2.log
2012-08-01 18:12 - 2012-08-01 18:13 - 04722680 ____R (Swearware) C:\Users\Benjamin\Desktop\sewf8374ljk.exe
2012-08-01 18:12 - 2006-11-02 04:52 - 00028016 ____A C:\Windows\setupact.log
2012-08-01 16:46 - 2012-08-01 16:46 - 00002385 ____A C:\Users\Benjamin\Desktop\RKreport[1].txt
2012-08-01 09:59 - 2012-08-01 09:59 - 00000076 ____A C:\Users\Benjamin\AppData\Roaming\mbam.context.scan
2012-07-31 18:42 - 2012-07-31 18:29 - 00000941 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-31 15:51 - 2012-07-12 06:51 - 09821896 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2012-07-31 15:51 - 2012-04-04 07:33 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-31 15:51 - 2011-06-06 14:21 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-25 22:22 - 2012-06-22 22:11 - 00000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3175613772-2373492689-2895465435-1001Core.job
2012-07-23 18:18 - 2012-07-23 18:18 - 00158184 ____A C:\Windows\Minidump\Mini072312-01.dmp
2012-07-23 18:18 - 2011-04-03 22:30 - 273275364 ____A C:\Windows\MEMORY.DMP
2012-07-17 13:49 - 2012-07-17 13:51 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-07-17 13:49 - 2012-07-17 13:51 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-07-17 13:46 - 2012-07-17 13:46 - 00893936 ____A (Oracle Corporation) C:\Users\Benjamin\Downloads\chromeinstall-7u5.exe
2012-07-17 13:46 - 2012-07-17 13:46 - 00893936 ____A (Oracle Corporation) C:\Users\Benjamin\Downloads\chromeinstall-7u5 (1).exe
2012-07-12 17:40 - 2012-07-12 17:39 - 37996064 ____A C:\Users\Benjamin\Downloads\GraboidVideoSetup-3.11.exe
2012-07-11 11:29 - 2012-06-22 22:15 - 00002092 ____A C:\Users\Benjamin\Desktop\Google Chrome.lnk
2012-07-11 02:21 - 2006-11-02 02:23 - 00000219 ____A C:\Windows\win.ini
2012-07-11 02:08 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-05 21:06 - 2012-07-17 13:52 - 00772544 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-07-05 21:06 - 2012-07-17 13:52 - 00227760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-07-05 21:06 - 2011-04-11 12:13 - 00687544 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2012-06-27 22:56 - 2012-06-27 22:54 - 00001932 ____A C:\Users\Public\Desktop\DivX Plus Converter.lnk
2012-06-27 22:55 - 2012-03-31 20:27 - 00001432 ____A C:\Users\Benjamin\Desktop\DivX Movies.lnk
2012-06-27 22:54 - 2012-06-27 22:54 - 00000952 ____A C:\Users\Public\Desktop\DivX Plus Player.lnk
2012-06-27 22:50 - 2012-06-27 22:50 - 00933256 ____A (DivX, LLC) C:\Users\Benjamin\Downloads\DivXInstaller(1).exe
2012-06-23 12:21 - 2012-06-23 12:21 - 00157576 ____A C:\Windows\Minidump\Mini062312-01.dmp
2012-06-22 22:11 - 2012-06-22 22:10 - 00739824 ____A (Google Inc.) C:\Users\Benjamin\Downloads\ChromeSetup(1).exe
2012-06-19 19:33 - 2012-06-19 19:32 - 00157568 ____A C:\Windows\Minidump\Mini061912-01.dmp
2012-06-16 16:11 - 2012-06-16 16:11 - 00157544 ____A C:\Windows\Minidump\Mini061612-01.dmp
2012-06-10 20:36 - 2011-11-05 11:55 - 00000032 ___AH C:\Users\Benjamin\jagex_cl_runescape_LIVE.dat
2012-06-02 14:19 - 2012-06-22 11:08 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-22 11:08 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-22 11:08 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-22 11:07 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:12 - 2012-06-22 11:08 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-22 11:07 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-29 11:35 - 2012-05-29 11:35 - 00000839 ____A C:\Users\Benjamin\Desktop\SwiftKit.lnk
2012-05-29 11:32 - 2011-03-31 19:25 - 00004109 ____A C:\Windows\IE9_main.log
2012-05-29 11:22 - 2012-05-29 11:22 - 00000000 _RASH C:\MSDOS.SYS
2012-05-29 11:22 - 2012-05-29 11:22 - 00000000 _RASH C:\IO.SYS
2012-05-29 11:06 - 2012-05-29 11:05 - 03343772 ____A () C:\Users\Benjamin\Downloads\SwiftKit(Install)(1).exe
2012-05-14 19:11 - 2012-05-14 19:11 - 00157608 ____A C:\Windows\Minidump\Mini051412-01.dmp

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 20%
Total physical RAM: 2045.39 MB
Available physical RAM: 1621.8 MB
Total Pagefile: 1823.89 MB
Available Pagefile: 1677.11 MB
Total Virtual: 2047.88 MB
Available Virtual: 1974.31 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:149.05 GB) (Free:85.83 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (VISTA_SP1_BUSINESS) (CDROM) (Total:3.01 GB) (Free:0 GB) UDF
3 Drive e: (PATRIOT) (Removable) (Total:14.91 GB) (Free:14.82 GB) NTFS
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B
Disk 1 Online 15 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 149 GB 1024 KB
Partition 2 Primary 1872 KB 149 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 149 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 15 GB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E PATRIOT NTFS Removable 15 GB Healthy

==================================================================================

==========================================================

Last Boot: 2012-08-04 08:23

======================= End Of Log ==========================

 

[Broni]

I don't see much in the above log.

Download TDSSKiller and save it to your desktop.

• Extract (unzip) its contents to your desktop.
• Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
• If an infected file is detected, the default action will be Cure, click on Continue.
• If a suspicious file is detected, the default action will be Skip, click on Continue.
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
• If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

 

[glhglh]

I've tried to run TDSSKiller in safety mode, regular mode, just double click, and "run as administrator in each of these modes.

any ideas?

 

[Broni]

As a matter of fact I do see something what I didn't see last night.
You have infected partition.

Download GETxPUD.exe to the desktop of your clean computer

• Double click on GETxPUD.exe
• A new folder will appear on the desktop.
• Open the GETxPUD folder and click on the get&burn.bat
• The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
• Insert blank CD into your CD drive.
• Click on Start and follow the prompts to burn the image to a CD.
• Boot bad computer from the CD
• Click Menu then Terminal Emulator
• Type parted /dev/sda set 1 boot on
• Press Enter
• Type parted /dev/sda rm 2
• Press Enter
• Remove xPUD CD, restart normally

Next....

For x86 (x32) bit systems please download Listparts to your Desktop.
For x64 bit systems please download Listparts64 to your Desktop.
Double click on downloaded file to start the program.

Click on Scan button.

Scan result will open in Notepad (Result.txt).
Post it in your next reply.

 

[glhglh]

after each of these commands, the reaponce was "information: you may need to update /etc/fstab.
as it was booting, there was a quick box with something being changed, but it was very fastl. something 2/47, then booted in safe mode
beginning of safe mode, confirmed network name and domain.
copied listparts to desktop and opened, there was a box "list BCD" I did not check this box.
Ran scan.
ListParts by Farbar Version: 25-07-2012
Ran by Benjamin (administrator) on 06-08-2012 at 10:45:37
Windows Vista (X86)
Running From: C:\Users\Benjamin\Desktop
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 20%
Total physical RAM: 2045.39 MB
Available physical RAM: 1626.12 MB
Total Pagefile: 2218.16 MB
Available Pagefile: 1967.99 MB
Total Virtual: 2047.88 MB
Available Virtual: 1984.26 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:149.05 GB) (Free:88.03 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (PATRIOT) (Removable) (Total:14.91 GB) (Free:14.75 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B
Disk 1 Online 15 GB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 149 GB 1024 KB
======================================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 149 GB Healthy Boot
======================================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 15 GB 4032 KB
======================================================================================================
Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E PATRIOT NTFS Removable 15 GB Healthy
======================================================================================================
==========================================================
TDL4: custom:26000022

****** End Of Log ******

 

[Broni]

That looks good.

Please give me fresh FRST log.

 

[glhglh]

Where do I download frst?

 

[Broni]

See my post #16.
You did it before.

 

[glhglh]

Getting old is a *****!!!!!!!!
What is the "script" that keeps freezing my IE tab each time I try to post a log? the tab freezes & the box at the bottom says: "techspot.com is not responding due to a long-running script" then there is a button to stop script.
if I do nothing, it stays frozen, if I push stop script soon, I just reload the tab, if I wait a few minutes, I need to close IE and start again.
This has been hapening for this issue. I don't remember the problem in the past with other problems.

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 06-08-2012 18:36:21
Running from E:\
Windows Vista (TM) Business Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [XeroxRegistation] "C:\Users\Benjamin\AppData\Local\Temp\Xerox\EReg\EReg.exe" /Startup [137728 2008-03-13] (Xerox Corporation)
HKU\Benjamin\...\Run: [CrossRiderPlugin] C:\Program Files\CrossriderWebApps\Crossrider.exe [478720 2011-05-15] (Crossrider)
Winlogon\Notify\SEP: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.5
================================ Services (Whitelisted) ==================
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)
4 Giraffic; C:\Program Files\Giraffic\Veoh_GirafficWatchdog.exe --service [2232504 2012-07-02] (Giraffic)
2 SepMasterService; "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe" /s "Symantec Endpoint Protection" /m "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\sms.dll" /prefetch:1 [167344 2011-08-26] (Symantec Corporation)
3 SmcService; "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe" /prefetch:1 [1664744 2011-08-26] (Symantec Corporation)
3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe [280496 2011-08-26] (Symantec Corporation)
4 Updater Service for StartNow Toolbar; C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe [265952 2012-04-20] ()
4 Web Assistant Updater; C:\Program Files\Web Assistant\ExtensionUpdaterService.exe [185856 2012-05-08] ()
========================== Drivers (Whitelisted) =============
1 BHDrvx86; \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20120711.012\BHDrvx86.sys [821920 2012-06-20] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-06-29] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-05-30] (Symantec Corporation)
1 IDSVix86; \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20120801.001\IDSvix86.sys [382624 2012-07-31] (Symantec Corporation)
3 NAVENG; \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120801.004\NAVENG.SYS [87928 2012-07-31] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120801.004\NAVEX15.SYS [1589752 2012-07-31] (Symantec Corporation)
1 SRTSP; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\SRTSP.SYS [516216 2011-08-26] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\SRTSPX.SYS [50168 2011-08-26] (Symantec Corporation)
0 SymDS; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\SYMDS.SYS [340088 2011-08-26] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\SYMEFA.SYS [756856 2011-08-26] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [127096 2011-08-26] (Symantec Corporation)
1 SymIRON; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\Ironx86.SYS [136312 2011-08-26] (Symantec Corporation)
1 SYMTDIV; C:\Windows\System32\Drivers\SEP\0C01029F\136B.105\x86\SYMTDIV.SYS [331384 2011-08-26] (Symantec Corporation)
1 Teefer2; C:\Windows\System32\DRIVERS\Teefer.sys [50096 2011-08-26] (Symantec Corporation)
3 USBCCID; C:\Windows\System32\DRIVERS\usbccid.sys [30208 2009-04-10] (Microsoft Corporation)
3 catchme; \??\C:\Users\Benjamin\AppData\Local\Temp\catchme.sys [x]
3 COH_Mon; \??\C:\Windows\system32\Drivers\COH_Mon.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============
2012-08-06 17:12 - 2012-08-04 10:22 - 00892822 ____A (Farbar) C:\Users\Benjamin\Desktop\FRST.exe
2012-08-06 09:45 - 2012-08-06 09:45 - 00002530 ____A C:\Users\Benjamin\Desktop\Result.txt
2012-08-06 09:44 - 2012-08-06 09:23 - 00306999 ____A (Farbar) C:\Users\Benjamin\Desktop\ListParts.exe
2012-08-06 09:33 - 2012-08-06 17:18 - 268435456 __ASH C:\Windows\System32\temppf.sys
2012-08-06 09:11 - 2012-08-06 09:12 - 67108864 ____A C:\Users\Benjamin\Desktop\xpud-0.9.2.iso
2012-08-06 09:05 - 2012-08-06 09:17 - 00000000 ____D C:\Users\Benjamin\Desktop\GETxPUD
2012-08-06 09:05 - 2012-08-06 08:59 - 00497272 ____A C:\Users\Benjamin\Desktop\GETxPUD.exe
2012-08-05 08:54 - 2012-08-05 08:54 - 00000000 ____D C:\Users\glh\Desktop\tdsskiller
2012-08-05 08:53 - 2012-08-05 08:53 - 00000000 ____D C:\tdsskiller
2012-08-04 12:15 - 2012-08-04 12:15 - 00000000 ____D C:\FRST
2012-08-03 21:06 - 2012-08-03 21:13 - 00000000 ___SD C:\sewf8374ljk
2012-08-02 18:10 - 2012-08-02 18:10 - 00000000 ____A C:\Users\Benjamin\Documents\gmer 2.log
2012-08-02 12:20 - 2012-08-03 20:58 - 00000366 ____A C:\rkill.log
2012-08-01 18:24 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-01 18:24 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-01 18:24 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-01 18:24 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-01 18:24 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-01 18:24 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-01 18:24 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-01 18:24 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-01 18:17 - 2012-08-01 18:23 - 00000000 ____D C:\Qoobox
2012-08-01 18:16 - 2012-08-01 18:16 - 00000000 ____D C:\Windows\erdnt
2012-08-01 18:13 - 2012-08-01 18:12 - 04722680 ____R (Swearware) C:\Users\Benjamin\Desktop\sewf8374ljk.exe
2012-08-01 16:46 - 2012-08-01 16:46 - 00002385 ____A C:\Users\Benjamin\Desktop\RKreport[1].txt
2012-08-01 16:44 - 2012-08-01 16:46 - 00000000 ____D C:\Users\Benjamin\Desktop\RK_Quarantine
2012-08-01 09:59 - 2012-08-01 09:59 - 00000076 ____A C:\Users\Benjamin\AppData\Roaming\mbam.context.scan
2012-07-31 18:29 - 2012-07-31 18:42 - 00000941 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-31 18:28 - 2012-08-03 20:59 - 00000000 ____D C:\Users\Benjamin\Desktop\Ben Virus scans
2012-07-23 18:18 - 2012-07-23 18:18 - 00158184 ____A C:\Windows\Minidump\Mini072312-01.dmp
2012-07-17 18:12 - 2012-07-17 18:12 - 00000000 ____D C:\Users\Benjamin\AppData\Local\Proxure
2012-07-17 18:11 - 2012-07-17 18:11 - 00000000 ____D C:\Users\All Users\ClubSanDisk
2012-07-17 13:53 - 2012-07-17 13:53 - 00000000 ____D C:\Program Files\Oracle
2012-07-17 13:52 - 2012-07-05 21:06 - 00772544 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-07-17 13:52 - 2012-07-05 21:06 - 00227760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-07-17 13:51 - 2012-07-17 13:49 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-07-17 13:51 - 2012-07-17 13:49 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-07-17 13:47 - 2012-07-17 13:47 - 00000000 ____D C:\Users\All Users\McAfee
2012-07-17 13:46 - 2012-07-17 13:46 - 00893936 ____A (Oracle Corporation) C:\Users\Benjamin\Downloads\chromeinstall-7u5.exe
2012-07-17 13:46 - 2012-07-17 13:46 - 00893936 ____A (Oracle Corporation) C:\Users\Benjamin\Downloads\chromeinstall-7u5 (1).exe
2012-07-13 15:48 - 2012-07-13 15:48 - 00000000 ____D C:\Program Files\Incredibar.com
2012-07-13 15:47 - 2012-07-13 15:47 - 00000000 ____D C:\Program Files\Web Assistant
2012-07-13 15:46 - 2012-07-13 15:46 - 00000000 ____D C:\Users\Benjamin\AppData\Local\Codec-V
2012-07-13 15:45 - 2012-08-01 12:04 - 00000000 ____D C:\Program Files\Codec-V
2012-07-12 17:46 - 2012-07-12 17:46 - 00000000 ____D C:\Users\All Users\Graboid Inc
2012-07-12 17:39 - 2012-07-12 17:40 - 37996064 ____A C:\Users\Benjamin\Downloads\GraboidVideoSetup-3.11.exe
2012-07-12 06:51 - 2012-07-31 15:51 - 09821896 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
============ 3 Months Modified Files ========================
2012-08-06 17:19 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-06 17:18 - 2012-08-06 09:33 - 268435456 __ASH C:\Windows\System32\temppf.sys
2012-08-06 09:45 - 2012-08-06 09:45 - 00002530 ____A C:\Users\Benjamin\Desktop\Result.txt
2012-08-06 09:23 - 2012-08-06 09:44 - 00306999 ____A (Farbar) C:\Users\Benjamin\Desktop\ListParts.exe
2012-08-06 09:23 - 2008-01-20 17:39 - 01577753 ____A C:\Windows\WindowsUpdate.log
2012-08-06 09:23 - 2006-11-02 05:01 - 00032624 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-06 09:23 - 2006-11-02 04:47 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-06 09:23 - 2006-11-02 04:47 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-06 09:22 - 2012-06-22 22:12 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3175613772-2373492689-2895465435-1001UA.job
2012-08-06 09:12 - 2012-08-06 09:11 - 67108864 ____A C:\Users\Benjamin\Desktop\xpud-0.9.2.iso
2012-08-06 08:59 - 2012-08-06 09:05 - 00497272 ____A C:\Users\Benjamin\Desktop\GETxPUD.exe
2012-08-06 08:51 - 2012-04-04 07:33 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-06 02:20 - 2006-11-02 02:33 - 00703388 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-05 22:22 - 2012-06-22 22:11 - 00000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3175613772-2373492689-2895465435-1001Core.job
2012-08-04 10:22 - 2012-08-06 17:12 - 00892822 ____A (Farbar) C:\Users\Benjamin\Desktop\FRST.exe
2012-08-04 08:17 - 2006-11-02 05:00 - 00806248 ____A C:\Windows\PFRO.log
2012-08-03 20:58 - 2012-08-02 12:20 - 00000366 ____A C:\rkill.log
2012-08-03 20:53 - 2011-12-12 23:25 - 00001356 ____A C:\Users\Benjamin\AppData\Local\d3d9caps.dat
2012-08-02 18:10 - 2012-08-02 18:10 - 00000000 ____A C:\Users\Benjamin\Documents\gmer 2.log
2012-08-01 18:12 - 2012-08-01 18:13 - 04722680 ____R (Swearware) C:\Users\Benjamin\Desktop\sewf8374ljk.exe
2012-08-01 18:12 - 2006-11-02 04:52 - 00028016 ____A C:\Windows\setupact.log
2012-08-01 16:46 - 2012-08-01 16:46 - 00002385 ____A C:\Users\Benjamin\Desktop\RKreport[1].txt
2012-08-01 09:59 - 2012-08-01 09:59 - 00000076 ____A C:\Users\Benjamin\AppData\Roaming\mbam.context.scan
2012-07-31 18:42 - 2012-07-31 18:29 - 00000941 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-31 15:51 - 2012-07-12 06:51 - 09821896 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2012-07-31 15:51 - 2012-04-04 07:33 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-31 15:51 - 2011-06-06 14:21 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-23 18:18 - 2012-07-23 18:18 - 00158184 ____A C:\Windows\Minidump\Mini072312-01.dmp
2012-07-23 18:18 - 2011-04-03 22:30 - 273275364 ____A C:\Windows\MEMORY.DMP
2012-07-17 13:49 - 2012-07-17 13:51 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-07-17 13:49 - 2012-07-17 13:51 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-07-17 13:46 - 2012-07-17 13:46 - 00893936 ____A (Oracle Corporation) C:\Users\Benjamin\Downloads\chromeinstall-7u5.exe
2012-07-17 13:46 - 2012-07-17 13:46 - 00893936 ____A (Oracle Corporation) C:\Users\Benjamin\Downloads\chromeinstall-7u5 (1).exe
2012-07-12 17:40 - 2012-07-12 17:39 - 37996064 ____A C:\Users\Benjamin\Downloads\GraboidVideoSetup-3.11.exe
2012-07-11 11:29 - 2012-06-22 22:15 - 00002092 ____A C:\Users\Benjamin\Desktop\Google Chrome.lnk
2012-07-11 02:21 - 2006-11-02 02:23 - 00000219 ____A C:\Windows\win.ini
2012-07-11 02:08 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-05 21:06 - 2012-07-17 13:52 - 00772544 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-07-05 21:06 - 2012-07-17 13:52 - 00227760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-07-05 21:06 - 2011-04-11 12:13 - 00687544 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2012-06-27 22:56 - 2012-06-27 22:54 - 00001932 ____A C:\Users\Public\Desktop\DivX Plus Converter.lnk
2012-06-27 22:55 - 2012-03-31 20:27 - 00001432 ____A C:\Users\Benjamin\Desktop\DivX Movies.lnk
2012-06-27 22:54 - 2012-06-27 22:54 - 00000952 ____A C:\Users\Public\Desktop\DivX Plus Player.lnk
2012-06-27 22:50 - 2012-06-27 22:50 - 00933256 ____A (DivX, LLC) C:\Users\Benjamin\Downloads\DivXInstaller(1).exe
2012-06-23 12:21 - 2012-06-23 12:21 - 00157576 ____A C:\Windows\Minidump\Mini062312-01.dmp
2012-06-22 22:11 - 2012-06-22 22:10 - 00739824 ____A (Google Inc.) C:\Users\Benjamin\Downloads\ChromeSetup(1).exe
2012-06-19 19:33 - 2012-06-19 19:32 - 00157568 ____A C:\Windows\Minidump\Mini061912-01.dmp
2012-06-16 16:11 - 2012-06-16 16:11 - 00157544 ____A C:\Windows\Minidump\Mini061612-01.dmp
2012-06-10 20:36 - 2011-11-05 11:55 - 00000032 ___AH C:\Users\Benjamin\jagex_cl_runescape_LIVE.dat
2012-06-02 14:19 - 2012-06-22 11:08 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-22 11:08 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-22 11:08 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-22 11:07 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-22 11:07 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:19 - 2012-06-22 11:07 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-22 11:08 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-22 11:07 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:12 - 2012-06-22 11:07 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-29 11:35 - 2012-05-29 11:35 - 00000839 ____A C:\Users\Benjamin\Desktop\SwiftKit.lnk
2012-05-29 11:32 - 2011-03-31 19:25 - 00004109 ____A C:\Windows\IE9_main.log
2012-05-29 11:22 - 2012-05-29 11:22 - 00000000 _RASH C:\MSDOS.SYS
2012-05-29 11:22 - 2012-05-29 11:22 - 00000000 _RASH C:\IO.SYS
2012-05-29 11:06 - 2012-05-29 11:05 - 03343772 ____A () C:\Users\Benjamin\Downloads\SwiftKit(Install)(1).exe
2012-05-14 19:11 - 2012-05-14 19:11 - 00157608 ____A C:\Windows\Minidump\Mini051412-01.dmp
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 22%
Total physical RAM: 2045.39 MB
Available physical RAM: 1595.33 MB
Total Pagefile: 1823.89 MB
Available Pagefile: 1650.8 MB
Total Virtual: 2047.88 MB
Available Virtual: 1980.95 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:149.05 GB) (Free:86.05 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (VISTA_SP1_BUSINESS) (CDROM) (Total:3.01 GB) (Free:0 GB) UDF
3 Drive e: (PATRIOT) (Removable) (Total:14.91 GB) (Free:14.74 GB) NTFS
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B
Disk 1 Online 15 GB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 149 GB 1024 KB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 149 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 15 GB 4032 KB
==================================================================================
Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E PATRIOT NTFS Removable 15 GB Healthy
==================================================================================
==========================================================
TDL4: custom:26000022 <===== ATTENTION!

==========================================================
Last Boot: 2012-08-06 02:20

======================= End Of Log ==========================

Also, during this process, my internet connection was changed from my domain (hedrick.local) to public connection #2?
This is on my desktop computer. and has happened all weekend. I just rebooted, and got back to hedrick.local, with an internet connection. but once I try to post the changes have happened.