Virus preventing me from following 6-step virus removal + google redirect problem

Inactive
By zooker
Oct 12, 2011
  1. I believe my computer has a virus and/or some form of malware. It started with the google redirect problem which alerted me to a problem. I also noticed that in the task manager the CPU would occasionally be running at 100%, apparently caused by an svchost.exe using a massive amount of memory.

    I've tried to follow the 6-step removal instructions but have failed miserably.
    - I originally uninstalled AVG anti virus because it would not run a scan.
    - I downloaded the recommended Avira program, however when it tried to update it just exited the program.
    - I downloaded, updated then ran Malwarebytes but during the Quick Scan it exited the program. When I tried to re-open it I get the error 'Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item'
    - I downloaded GMER and tried to run it. During the scan the program exited. I then ran it in Safe Mode and during the scan the computer just shut down and restarted itself.
    - I managed to download and run DDS successfully. Logs are below.

    I am at a loss as to how I can fix this computer. Please help me.

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27
    Run by Katie Lloyd at 21:23:21 on 2011-10-12
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1451 [GMT 11:00]
    .
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\WINDOWS\400631341:3537444584.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Mozilla Firefox 4.0 Beta 8\firefox.exe
    C:\Program Files\Mozilla Firefox 4.0 Beta 8\plugin-container.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVIMlctM1NYM0UtR0hHWDktQUZISjMtUFcyUU4tWjlLSDQ"&"inst=NzctNzI1NTI0NzE2LUxJQysxLUZMMTArMS1TUDErMS1TUDFUQisxLVNVUCs0LVNQMVM0KzEtRERUKzU0NzkwLUREMTBGKzEtTFNEKzItU1QxMEZBUFArMS1TMTBGRERGKzE"&"prod=90"&"ver=10.0.1410
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 10.1.1.1
    TCP: Interfaces\{1D99A002-D5A1-4225-81FD-E48DD72A1B14} : DhcpNameServer = 10.1.1.1
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\katie lloyd\application data\mozilla\firefox\profiles\m2mwbwff.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.01.01
    ============= SERVICES / DRIVERS ===============
    .
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-10-12 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-12 136360]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-12 66616]
    S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-10-12 269480]
    S3 bsusbser;Basecom USB Device for Legacy Serial Communication;c:\windows\system32\drivers\bsusbser.sys --> c:\windows\system32\drivers\bsusbser.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-10-12 09:51:09 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-12 09:51:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-12 09:45:55 -------- d-----w- c:\documents and settings\katie lloyd\application data\Avira
    2011-10-12 09:36:10 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-10-12 09:36:10 -------- d-----w- c:\program files\Avira
    2011-10-12 09:36:10 -------- d-----w- c:\documents and settings\all users\application data\Avira
    2011-10-12 08:53:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-10-12 08:43:58 -------- d-----w- c:\windows\system32\appmgmt
    2011-09-26 11:24:43 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-09-22 00:43:04 -------- d-----w- c:\program files\Antivirus Programs
    2011-09-21 13:05:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-09-20 08:07:30 -------- d-----w- c:\documents and settings\katie lloyd\application data\Malwarebytes
    2011-09-20 08:07:18 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    .
    ==================== Find3M ====================
    .
    2011-10-12 08:53:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-08-31 13:20:13 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    ============= FINISH: 21:23:51.76 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 12/01/2011 10:57:08 PM
    System Uptime: 12/10/2011 9:20:58 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0KD882
    Processor: Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz | Microprocessor | 1662/166mhz
    Processor: Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz | Microprocessor | 1662/166mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 142 GiB total, 35.009 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP162: 10/07/2011 11:38:17 PM - System Checkpoint
    RP163: 12/07/2011 12:11:29 AM - System Checkpoint
    RP164: 13/07/2011 12:22:38 AM - System Checkpoint
    RP165: 13/07/2011 1:03:05 PM - Removed AVG 2011
    RP166: 14/07/2011 3:00:15 AM - Software Distribution Service 3.0
    RP167: 15/07/2011 3:50:02 AM - System Checkpoint
    RP168: 16/07/2011 4:35:30 AM - System Checkpoint
    RP169: 17/07/2011 5:35:30 AM - System Checkpoint
    RP170: 18/07/2011 6:27:22 AM - System Checkpoint
    RP171: 19/07/2011 7:09:37 AM - System Checkpoint
    RP172: 19/07/2011 6:34:11 PM - Removed AVG 2011
    RP173: 20/07/2011 11:46:31 PM - System Checkpoint
    RP174: 22/07/2011 12:02:47 AM - System Checkpoint
    RP175: 23/07/2011 1:15:27 AM - System Checkpoint
    RP176: 24/07/2011 1:19:12 AM - System Checkpoint
    RP177: 25/07/2011 2:05:50 AM - System Checkpoint
    RP178: 26/07/2011 6:09:18 AM - System Checkpoint
    RP179: 27/07/2011 8:08:39 AM - System Checkpoint
    RP180: 28/07/2011 11:50:10 AM - System Checkpoint
    RP181: 29/07/2011 10:26:06 PM - System Checkpoint
    RP182: 30/07/2011 10:38:44 PM - System Checkpoint
    RP183: 31/07/2011 11:16:08 PM - System Checkpoint
    RP184: 2/08/2011 8:33:43 PM - System Checkpoint
    RP185: 3/08/2011 10:19:52 PM - System Checkpoint
    RP186: 4/08/2011 10:48:20 PM - System Checkpoint
    RP187: 5/08/2011 7:20:47 PM - Removed AVG 2011
    RP188: 6/08/2011 11:08:24 PM - System Checkpoint
    RP189: 7/08/2011 12:57:42 AM - Removed AVG 2011
    RP190: 8/08/2011 1:12:17 AM - System Checkpoint
    RP191: 9/08/2011 7:28:04 PM - System Checkpoint
    RP192: 10/08/2011 12:08:38 PM - Removed AVG 2011
    RP193: 11/08/2011 3:00:15 AM - Software Distribution Service 3.0
    RP194: 12/08/2011 1:14:41 PM - System Checkpoint
    RP195: 17/08/2011 6:50:28 PM - System Checkpoint
    RP196: 24/08/2011 8:23:13 PM - System Checkpoint
    RP197: 25/08/2011 11:28:44 PM - System Checkpoint
    RP198: 26/08/2011 11:59:18 PM - System Checkpoint
    RP199: 28/08/2011 12:47:13 AM - System Checkpoint
    RP200: 30/08/2011 5:58:15 PM - System Checkpoint
    RP201: 31/08/2011 7:37:47 PM - System Checkpoint
    RP202: 1/09/2011 8:44:57 PM - System Checkpoint
    RP203: 3/09/2011 6:39:15 PM - System Checkpoint
    RP204: 5/09/2011 11:22:57 PM - System Checkpoint
    RP205: 7/09/2011 12:38:17 AM - System Checkpoint
    RP206: 9/09/2011 5:28:33 PM - System Checkpoint
    RP207: 10/09/2011 5:34:49 PM - System Checkpoint
    RP208: 11/09/2011 8:05:20 PM - System Checkpoint
    RP209: 12/09/2011 10:44:39 PM - System Checkpoint
    RP210: 13/09/2011 11:48:17 PM - System Checkpoint
    RP211: 17/09/2011 11:18:15 PM - Software Distribution Service 3.0
    RP212: 19/09/2011 2:50:33 AM - System Checkpoint
    RP213: 19/09/2011 10:09:41 AM - Removed AVG 2011
    RP214: 20/09/2011 1:30:47 PM - System Checkpoint
    RP215: 21/09/2011 2:06:43 PM - System Checkpoint
    RP216: 28/09/2011 2:38:40 PM - System Checkpoint
    RP217: 10/10/2011 10:08:03 AM - System Checkpoint
    RP218: 12/10/2011 7:43:24 PM - Removed Java(TM) 6 Update 22
    RP219: 12/10/2011 7:51:40 PM - Removed AVG 2011
    RP220: 12/10/2011 7:53:10 PM - Removed AVG 2011
    RP221: 12/10/2011 7:53:26 PM - Installed Java(TM) 6 Update 27
    RP222: 12/10/2011 7:54:44 PM - Removed Adobe Reader X.
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X (10.1.1)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Avira AntiVir Personal - Free Antivirus
    Bonjour
    Broadcom 440x 10/100 Integrated Controller
    Conexant HDA D110 MDC V.92 Modem
    ConvertHelper 2.2
    Dell Resource CD
    e-tax 2011
    High Definition Audio Driver Package - KB835221
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB896256)
    Hotfix for Windows XP (KB908673)
    Hotfix for Windows XP (KB914642)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB981793)
    Image Resizer Powertoy for Windows XP
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PROSet/Wireless Software
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 27
    Malwarebytes' Anti-Malware version 1.51.2.1300
    mCore
    mDriver
    mDrWiFi
    Memory-Map
    mHlpDell
    Microsoft Office XP Professional with FrontPage
    Microsoft Office XP Web Components
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    mIWA
    mLogView
    mMHouse
    Mozilla Firefox 6.0.2 (x86 en-US)
    mPfMgr
    mPfWiz
    mProSafe
    mSSO
    MSXML 4.0 SP2 (KB973688)
    mWlsSafe
    mWMI
    mXML
    mZConfig
    Nero 6 Ultra Edition
    QuickTime
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981350)
    Security Update for Windows XP (KB982381)
    SigmaTel Audio
    Switch Sound File Converter
    Synaptics Pointing Device Driver
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VideoPad Video Editor
    VLC media player 1.1.9
    WavePad Sound Editor
    WebFldrs XP
    WIDCOMM Bluetooth Software
    Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12)
    Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06)
    Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows XP Hotfix - KB885855
    Windows XP Hotfix - KB885884
    ZENcast Organizer
    .
    ==== Event Viewer Messages From Past Week ========
    .
    7/10/2011 8:39:43 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    7/10/2011 4:38:56 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    7/10/2011 4:22:02 PM, error: Dhcp [1002] - The IP address lease 192.168.1.52 for the Network Card with network address 001B7799764D has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    7/10/2011 4:21:55 PM, error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: Access is denied.
    12/10/2011 9:21:43 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'afd.sys' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    12/10/2011 9:06:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip
    12/10/2011 9:06:27 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    12/10/2011 9:06:27 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/10/2011 9:06:27 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/10/2011 9:06:27 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    12/10/2011 9:06:27 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/10/2011 9:06:27 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/10/2011 9:05:49 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/10/2011 9:05:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    12/10/2011 9:01:59 PM, error: Service Control Manager [7031] - The Avira AntiVir Guard service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    12/10/2011 9:01:59 PM, error: Service Control Manager [7000] - The Avira AntiVir Guard service failed to start due to the following error: Access is denied.
    12/10/2011 9:01:18 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    11/10/2011 9:55:00 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    11/10/2011 9:55:00 PM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147500037 (0x80004005).
    .
    ==== End Of File ===========================
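As an added example (not part of the thread and not part of the DDS tool), a small Python triage script over the "Running Processes" section of a DDS log: it flags entries like the `C:\WINDOWS\400631341:3537444584.exe` line in the log above (a colon inside a file name means an NTFS alternate data stream was launched as a process) and entries whose image path DDS could not resolve. The heuristics, the tiny Windows-root allowlist and the sample excerpt are constructed assumptions; the output is a list of candidates for a helper to review, not verdicts.

```python
import re

# Constructed excerpt shaped like a DDS log (same line formats as the real tool's output).
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\400631341:3537444584.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
"""

_SECTION = re.compile(r"^=+\s*(.*?)\s*=+$")          # "===== Title =====" header lines
_DRIVE = re.compile(r"^[A-Za-z]:\\")                  # starts with a drive letter
_EXE = re.compile(r"^(.*?\.exe)(?:\s+(.*))?$", re.IGNORECASE)

# Assumption: the only binary we expect directly in %WINDIR% without further checks.
WINDOWS_ROOT_EXPECTED = {"explorer.exe"}


def section_lines(text, title):
    """Return the non-empty, non-'.' lines of the DDS section whose header contains `title`."""
    out, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        header = _SECTION.match(line)
        if header:
            inside = title.lower() in header.group(1).lower()
            continue
        if inside and line and line != ".":
            out.append(line)
    return out


def split_command(line):
    """Split a DDS process line into (image path, arguments)."""
    m = _EXE.match(line)
    if m:
        return m.group(1), (m.group(2) or "")
    # Some lines omit the extension, e.g. 'C:\WINDOWS\system32\svchost -k DcomLaunch'.
    path, _, args = line.partition(" -")
    return path.strip(), ("-" + args if args else "")


def triage(line):
    """Reasons this process line deserves a second look (empty list = nothing notable)."""
    path, _args = split_command(line)
    reasons = []
    if not _DRIVE.match(path):
        # DDS prints a bare name for some service hosts it cannot resolve, so this is low confidence.
        reasons.append("no image path resolved (low confidence)")
        return reasons
    directory, _, filename = path.rpartition("\\")
    if ":" in filename:
        reasons.append("colon inside the file name: an NTFS alternate data stream is running as a process")
    if directory.lower() == "c:\\windows" and filename.lower() not in WINDOWS_ROOT_EXPECTED:
        # Legitimate vendor tray apps (e.g. stsystra.exe) also live here, so confirm the vendor.
        reasons.append("executable directly in the Windows root rather than system32; confirm the vendor")
    if re.fullmatch(r"[\d:]+\.exe", filename, re.IGNORECASE):
        reasons.append("purely numeric file name")
    return reasons


def triage_report(text):
    """Map each flagged Running Processes line to its list of reasons."""
    report = {}
    for line in section_lines(text, "Running Processes"):
        reasons = triage(line)
        if reasons:
            report[line] = reasons
    return report


if __name__ == "__main__":
    for line, reasons in triage_report(SAMPLE_DDS).items():
        print(line)
        for reason in reasons:
            print("    -", reason)
```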
  2. Bobbye


    Welcome to TechSpot! Let's see if we can get the scans running:
    1.
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    =======================================
    2. Then try this for Malwarebytes:
    Please download randmbam.exe
    It will try to create random names and shortcuts for Malwarebytes Anti Malware(MBAM) if you have it installed already.

    Once done, try running a scan again
    =======================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    3. Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =====================================
    4.
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download button to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the downloaded installer on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    Please post the entire log with heading resembling this:
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ======================================
    If any of these programs are a problem to scan, please let me know.
    =======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs, except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
  3. zooker


    Hey Bobbye, thanks for helping me out.

    - I ran TDSSKiller successfully and it found two suspicious files which I quarantined. Do you need to see a log for this?
    - I tried the randomly named malwarebytes shortcut and it opened, however, when I tried to run the Quick Scan it shut down the program after about 5 seconds.

    Do you want me to continue with ComboFix?
  4. Bobbye


    Yes, I need the TDSSKiller log.
    ============================
    Please do the following and then run Mbam, DDS and follow with Combofix:

    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, then try to immediately run the following:

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
    =======================
    Logs in next reply.
  5. zooker

    zooker Newcomer, in training Topic Starter

    Ok, I've run RKill followed by exeHelper and they ran successfully (logs below). However, Malwarebytes still shuts down after about 5 seconds of starting the quick scan.

    11:05:17.0500 0976 TDSS rootkit removing tool 2.6.8.0 Oct 12 2011 07:30:54
    11:05:18.0390 0976 ============================================================
    11:05:18.0390 0976 Current date / time: 2011/10/13 11:05:18.0390
    11:05:18.0390 0976 SystemInfo:
    11:05:18.0390 0976
    11:05:18.0390 0976 OS Version: 5.1.2600 ServicePack: 2.0
    11:05:18.0390 0976 Product type: Workstation
    11:05:18.0390 0976 ComputerName: KATIE-988DDAD9B
    11:05:18.0390 0976 UserName: Katie Lloyd
    11:05:18.0390 0976 Windows directory: C:\WINDOWS
    11:05:18.0390 0976 System windows directory: C:\WINDOWS
    11:05:18.0390 0976 Processor architecture: Intel x86
    11:05:18.0390 0976 Number of processors: 2
    11:05:18.0390 0976 Page size: 0x1000
    11:05:18.0390 0976 Boot type: Normal boot
    11:05:18.0390 0976 ============================================================
    11:05:20.0546 0976 Initialize success
    11:05:24.0109 2940 ============================================================
    11:05:24.0109 2940 Scan started
    11:05:24.0109 2940 Mode: Manual;
    11:05:24.0109 2940 ============================================================
    11:05:25.0421 2940 2d26e117 (6434d69be3c62614117f85cc10329f2c) C:\WINDOWS\400631341:3537444584.exe
    11:05:25.0437 2940 Suspicious file (Hidden): C:\WINDOWS\400631341:3537444584.exe. md5: 6434d69be3c62614117f85cc10329f2c
    11:05:25.0437 2940 2d26e117 ( HiddenFile.Multi.Generic ) - warning
    11:05:25.0437 2940 2d26e117 - detected HiddenFile.Multi.Generic (1)
    11:05:25.0453 2940 Abiosdsk - ok
    11:05:25.0468 2940 abp480n5 - ok
    11:05:25.0515 2940 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    11:05:25.0531 2940 ACPI - ok
    11:05:25.0562 2940 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    11:05:25.0562 2940 ACPIEC - ok
    11:05:25.0578 2940 adpu160m - ok
    11:05:25.0625 2940 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
    11:05:25.0640 2940 aec - ok
    11:05:25.0703 2940 AegisP (375eb0b97e3950adef3633c27a82438b) C:\WINDOWS\system32\DRIVERS\AegisP.sys
    11:05:25.0703 2940 AegisP - ok
    11:05:25.0750 2940 AFD (298a94d6afc5c37e22310f24bf3e0ed0) C:\WINDOWS\System32\drivers\afd.sys
    11:05:25.0750 2940 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 298a94d6afc5c37e22310f24bf3e0ed0, Fake md5: 55e6e1c51b6d30e54335750955453702
    11:05:25.0750 2940 AFD ( ForgedFile.Multi.Generic ) - warning
    11:05:25.0750 2940 AFD - detected ForgedFile.Multi.Generic (1)
    11:05:25.0765 2940 Aha154x - ok
    11:05:25.0781 2940 aic78u2 - ok
    11:05:25.0796 2940 aic78xx - ok
    11:05:25.0812 2940 AliIde - ok
    11:05:25.0812 2940 amsint - ok
    11:05:25.0859 2940 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    11:05:25.0859 2940 Arp1394 - ok
    11:05:25.0875 2940 asc - ok
    11:05:25.0875 2940 asc3350p - ok
    11:05:25.0890 2940 asc3550 - ok
    11:05:25.0921 2940 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    11:05:25.0921 2940 AsyncMac - ok
    11:05:25.0984 2940 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    11:05:25.0984 2940 atapi - ok
    11:05:25.0984 2940 Atdisk - ok
    11:05:26.0015 2940 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    11:05:26.0031 2940 Atmarpc - ok
    11:05:26.0093 2940 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    11:05:26.0093 2940 audstub - ok
    11:05:26.0296 2940 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    11:05:26.0296 2940 avgio - ok
    11:05:26.0359 2940 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
    11:05:26.0359 2940 avgntflt - ok
    11:05:26.0390 2940 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
    11:05:26.0390 2940 avipbb - ok
    11:05:26.0437 2940 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
    11:05:26.0437 2940 bcm4sbxp - ok
    11:05:26.0468 2940 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    11:05:26.0468 2940 Beep - ok
    11:05:26.0500 2940 bsusbser - ok
    11:05:26.0546 2940 btaudio (8893ae0b6b9b60e0521a60e8b2160216) C:\WINDOWS\system32\drivers\btaudio.sys
    11:05:26.0562 2940 btaudio - ok
    11:05:26.0593 2940 BTDriver (fde318e3569f57264af74b7e431f60ae) C:\WINDOWS\system32\DRIVERS\btport.sys
    11:05:26.0593 2940 BTDriver - ok
    11:05:26.0703 2940 BTKRNL (9c3c8b9e2eda516eb44b51dab81dbd68) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
    11:05:26.0718 2940 BTKRNL - ok
    11:05:26.0734 2940 BTSERIAL (089f7526ff41c17b0a43896d0553d5a2) C:\WINDOWS\system32\drivers\btserial.sys
    11:05:26.0734 2940 BTSERIAL - ok
    11:05:26.0765 2940 BTWDNDIS (28531ab3183f498e58d93d585e6a6b70) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
    11:05:26.0765 2940 BTWDNDIS - ok
    11:05:26.0812 2940 btwhid (c5c0e21c67089f053b964e0a8b8adbac) C:\WINDOWS\system32\DRIVERS\btwhid.sys
    11:05:26.0812 2940 btwhid - ok
    11:05:26.0843 2940 btwmodem (7d295223c172ab4d61dc256721b2f09e) C:\WINDOWS\system32\DRIVERS\btwmodem.sys
    11:05:26.0843 2940 btwmodem - ok
    11:05:26.0921 2940 BTWUSB (56c701580f2891952761362ba7594b3d) C:\WINDOWS\system32\Drivers\btwusb.sys
    11:05:26.0921 2940 BTWUSB - ok
    11:05:26.0968 2940 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    11:05:26.0968 2940 cbidf2k - ok
    11:05:26.0968 2940 cd20xrnt - ok
    11:05:27.0015 2940 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    11:05:27.0015 2940 Cdaudio - ok
    11:05:27.0062 2940 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    11:05:27.0062 2940 Cdfs - ok
    11:05:27.0093 2940 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    11:05:27.0093 2940 Cdrom - ok
    11:05:27.0109 2940 Changer - ok
    11:05:27.0156 2940 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    11:05:27.0156 2940 CmBatt - ok
    11:05:27.0203 2940 CmdIde - ok
    11:05:27.0218 2940 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    11:05:27.0218 2940 Compbatt - ok
    11:05:27.0234 2940 Cpqarray - ok
    11:05:27.0250 2940 dac2w2k - ok
    11:05:27.0265 2940 dac960nt - ok
    11:05:27.0281 2940 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    11:05:27.0281 2940 Disk - ok
    11:05:27.0375 2940 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    11:05:27.0390 2940 dmboot - ok
    11:05:27.0406 2940 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
    11:05:27.0421 2940 dmio - ok
    11:05:27.0437 2940 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    11:05:27.0437 2940 dmload - ok
    11:05:27.0484 2940 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    11:05:27.0484 2940 DMusic - ok
    11:05:27.0484 2940 dpti2o - ok
    11:05:27.0500 2940 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    11:05:27.0500 2940 drmkaud - ok
    11:05:27.0562 2940 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    11:05:27.0578 2940 Fastfat - ok
    11:05:27.0640 2940 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
    11:05:27.0640 2940 Fdc - ok
    11:05:27.0656 2940 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    11:05:27.0656 2940 Fips - ok
    11:05:27.0671 2940 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
    11:05:27.0671 2940 Flpydisk - ok
    11:05:27.0718 2940 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    11:05:27.0718 2940 FltMgr - ok
    11:05:27.0750 2940 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    11:05:27.0750 2940 Fs_Rec - ok
    11:05:27.0765 2940 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    11:05:27.0781 2940 Ftdisk - ok
    11:05:27.0828 2940 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    11:05:27.0828 2940 GEARAspiWDM - ok
    11:05:27.0859 2940 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    11:05:27.0859 2940 Gpc - ok
    11:05:27.0921 2940 HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    11:05:27.0921 2940 HDAudBus - ok
    11:05:27.0968 2940 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    11:05:27.0968 2940 hidusb - ok
    11:05:27.0984 2940 hpn - ok
    11:05:28.0062 2940 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
    11:05:28.0078 2940 HSF_DPV - ok
    11:05:28.0140 2940 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
    11:05:28.0140 2940 HSXHWAZL - ok
    11:05:28.0203 2940 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
    11:05:28.0203 2940 HTTP - ok
    11:05:28.0265 2940 i2omgmt - ok
    11:05:28.0265 2940 i2omp - ok
    11:05:28.0312 2940 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    11:05:28.0312 2940 i8042prt - ok
    11:05:28.0406 2940 ialm (cc449157474d5e43daea7e20f52c635a) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    11:05:28.0437 2940 ialm - ok
    11:05:28.0500 2940 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    11:05:28.0500 2940 Imapi - ok
    11:05:28.0531 2940 ini910u - ok
    11:05:28.0546 2940 IntelIde - ok
    11:05:28.0593 2940 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    11:05:28.0593 2940 intelppm - ok
    11:05:28.0625 2940 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    11:05:28.0625 2940 Ip6Fw - ok
    11:05:28.0656 2940 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    11:05:28.0656 2940 IpFilterDriver - ok
    11:05:28.0671 2940 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    11:05:28.0671 2940 IpInIp - ok
    11:05:28.0703 2940 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    11:05:28.0718 2940 IpNat - ok
    11:05:28.0765 2940 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    11:05:28.0765 2940 IPSec - ok
    11:05:28.0843 2940 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    11:05:28.0843 2940 IRENUM - ok
    11:05:28.0875 2940 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    11:05:28.0890 2940 isapnp - ok
    11:05:28.0921 2940 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    11:05:28.0937 2940 Kbdclass - ok
    11:05:28.0953 2940 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    11:05:28.0953 2940 kbdhid - ok
    11:05:29.0000 2940 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
    11:05:29.0015 2940 kmixer - ok
    11:05:29.0062 2940 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
    11:05:29.0078 2940 KSecDD - ok
    11:05:29.0109 2940 lbrtfdc - ok
    11:05:29.0156 2940 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    11:05:29.0156 2940 mdmxsdk - ok
    11:05:29.0187 2940 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    11:05:29.0187 2940 mnmdd - ok
    11:05:29.0218 2940 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    11:05:29.0234 2940 Modem - ok
    11:05:29.0265 2940 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    11:05:29.0265 2940 Mouclass - ok
    11:05:29.0281 2940 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    11:05:29.0281 2940 mouhid - ok
    11:05:29.0312 2940 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    11:05:29.0312 2940 MountMgr - ok
    11:05:29.0343 2940 mraid35x - ok
    11:05:29.0375 2940 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    11:05:29.0375 2940 MRxDAV - ok
    11:05:29.0437 2940 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    11:05:29.0453 2940 MRxSmb - ok
    11:05:29.0484 2940 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    11:05:29.0484 2940 Msfs - ok
    11:05:29.0531 2940 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    11:05:29.0531 2940 MSKSSRV - ok
    11:05:29.0546 2940 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    11:05:29.0546 2940 MSPCLOCK - ok
    11:05:29.0562 2940 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    11:05:29.0562 2940 MSPQM - ok
    11:05:29.0640 2940 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    11:05:29.0640 2940 mssmbios - ok
    11:05:29.0671 2940 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    11:05:29.0671 2940 Mup - ok
    11:05:29.0703 2940 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    11:05:29.0718 2940 NDIS - ok
    11:05:29.0750 2940 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    11:05:29.0765 2940 NdisTapi - ok
    11:05:29.0796 2940 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    11:05:29.0796 2940 Ndisuio - ok
    11:05:29.0828 2940 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    11:05:29.0828 2940 NdisWan - ok
    11:05:29.0859 2940 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    11:05:29.0859 2940 NDProxy - ok
    11:05:29.0875 2940 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    11:05:29.0875 2940 NetBIOS - ok
    11:05:29.0937 2940 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
    11:05:29.0937 2940 NetBT - ok
    11:05:30.0062 2940 NETw3x32 (71371ed9086a3d65f43967c89634e9a9) C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
    11:05:30.0109 2940 NETw3x32 - ok
    11:05:30.0140 2940 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    11:05:30.0140 2940 NIC1394 - ok
    11:05:30.0203 2940 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    11:05:30.0203 2940 Npfs - ok
    11:05:30.0250 2940 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
    11:05:30.0265 2940 Ntfs - ok
    11:05:30.0312 2940 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    11:05:30.0312 2940 Null - ok
    11:05:30.0359 2940 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    11:05:30.0359 2940 NwlnkFlt - ok
    11:05:30.0359 2940 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    11:05:30.0375 2940 NwlnkFwd - ok
    11:05:30.0390 2940 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    11:05:30.0390 2940 ohci1394 - ok
    11:05:30.0453 2940 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
    11:05:30.0453 2940 Parport - ok
    11:05:30.0484 2940 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    11:05:30.0484 2940 PartMgr - ok
    11:05:30.0515 2940 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    11:05:30.0515 2940 ParVdm - ok
    11:05:30.0546 2940 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    11:05:30.0562 2940 PCI - ok
    11:05:30.0562 2940 PCIDump - ok
    11:05:30.0578 2940 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    11:05:30.0578 2940 PCIIde - ok
    11:05:30.0625 2940 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
    11:05:30.0625 2940 Pcmcia - ok
    11:05:30.0640 2940 PDCOMP - ok
    11:05:30.0656 2940 PDFRAME - ok
    11:05:30.0656 2940 PDRELI - ok
    11:05:30.0671 2940 PDRFRAME - ok
    11:05:30.0687 2940 perc2 - ok
    11:05:30.0703 2940 perc2hib - ok
    11:05:30.0734 2940 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    11:05:30.0734 2940 PptpMiniport - ok
    11:05:30.0796 2940 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    11:05:30.0796 2940 PSched - ok
    11:05:30.0828 2940 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    11:05:30.0828 2940 Ptilink - ok
    11:05:30.0843 2940 ql1080 - ok
    11:05:30.0859 2940 Ql10wnt - ok
    11:05:30.0875 2940 ql12160 - ok
    11:05:30.0890 2940 ql1240 - ok
    11:05:30.0890 2940 ql1280 - ok
    11:05:30.0921 2940 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    11:05:30.0921 2940 RasAcd - ok
    11:05:30.0953 2940 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    11:05:30.0953 2940 Rasl2tp - ok
    11:05:30.0968 2940 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    11:05:30.0968 2940 RasPppoe - ok
    11:05:30.0968 2940 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    11:05:30.0968 2940 Raspti - ok
    11:05:31.0000 2940 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    11:05:31.0000 2940 Rdbss - ok
    11:05:31.0015 2940 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    11:05:31.0015 2940 RDPCDD - ok
    11:05:31.0046 2940 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    11:05:31.0046 2940 rdpdr - ok
    11:05:31.0093 2940 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
    11:05:31.0109 2940 RDPWD - ok
    11:05:31.0203 2940 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    11:05:31.0203 2940 redbook - ok
    11:05:31.0234 2940 rimmptsk (24ed7af20651f9fa1f249482e7c1f165) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
    11:05:31.0234 2940 rimmptsk - ok
    11:05:31.0250 2940 rimsptsk (1bdba2d2d402415a78a4ba766dfe0f7b) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
    11:05:31.0250 2940 rimsptsk - ok
    11:05:31.0296 2940 rismxdp (f774ecd11a064f0debb2d4395418153c) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
    11:05:31.0296 2940 rismxdp - ok
    11:05:31.0359 2940 s24trans (daef68fc328342d219de928c8ee610b2) C:\WINDOWS\system32\DRIVERS\s24trans.sys
    11:05:31.0359 2940 s24trans - ok
    11:05:31.0406 2940 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
    11:05:31.0421 2940 sdbus - ok
    11:05:31.0437 2940 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    11:05:31.0437 2940 Secdrv - ok
    11:05:31.0515 2940 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
    11:05:31.0531 2940 Serial - ok
    11:05:31.0546 2940 sffdisk (1d9f1bec651815741f088a8fb88e17ee) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
    11:05:31.0546 2940 sffdisk - ok
    11:05:31.0562 2940 sffp_sd (586499fd312ffd7f78553f408e71682e) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
    11:05:31.0562 2940 sffp_sd - ok
    11:05:31.0593 2940 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    11:05:31.0593 2940 Sfloppy - ok
    11:05:31.0609 2940 Simbad - ok
    11:05:31.0625 2940 Sparrow - ok
    11:05:31.0656 2940 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
    11:05:31.0656 2940 splitter - ok
    11:05:31.0703 2940 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    11:05:31.0703 2940 sr - ok
    11:05:31.0750 2940 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
    11:05:31.0765 2940 Srv - ok
    11:05:31.0843 2940 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
    11:05:31.0843 2940 ssmdrv - ok
    11:05:31.0921 2940 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys
    11:05:31.0937 2940 STHDA - ok
    11:05:32.0000 2940 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    11:05:32.0000 2940 swenum - ok
    11:05:32.0031 2940 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    11:05:32.0031 2940 swmidi - ok
    11:05:32.0093 2940 symc810 - ok
    11:05:32.0109 2940 symc8xx - ok
    11:05:32.0109 2940 sym_hi - ok
    11:05:32.0125 2940 sym_u3 - ok
    11:05:32.0187 2940 SynTP (fa2daa32bed908023272a0f77d625dae) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    11:05:32.0187 2940 SynTP - ok
    11:05:32.0218 2940 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    11:05:32.0218 2940 sysaudio - ok
    11:05:32.0281 2940 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    11:05:32.0296 2940 Tcpip - ok
    11:05:32.0312 2940 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    11:05:32.0328 2940 TDPIPE - ok
    11:05:32.0343 2940 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    11:05:32.0343 2940 TDTCP - ok
    11:05:32.0421 2940 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    11:05:32.0421 2940 TermDD - ok
    11:05:32.0437 2940 TosIde - ok
    11:05:32.0484 2940 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    11:05:32.0484 2940 Udfs - ok
    11:05:32.0500 2940 ultra - ok
    11:05:32.0531 2940 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
    11:05:32.0531 2940 Update - ok
    11:05:32.0578 2940 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    11:05:32.0578 2940 usbccgp - ok
    11:05:32.0609 2940 usbehci (708579b01fed227aadb393cb0c3b4a2c) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    11:05:32.0609 2940 usbehci - ok
    11:05:32.0625 2940 usbhub (ace960e54148821e8e48f5d191562c28) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    11:05:32.0640 2940 usbhub - ok
    11:05:32.0687 2940 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    11:05:32.0687 2940 USBSTOR - ok
    11:05:32.0781 2940 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    11:05:32.0781 2940 usbuhci - ok
    11:05:32.0812 2940 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    11:05:32.0812 2940 VgaSave - ok
    11:05:32.0812 2940 ViaIde - ok
    11:05:32.0859 2940 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    11:05:32.0859 2940 VolSnap - ok
    11:05:32.0890 2940 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    11:05:32.0890 2940 Wanarp - ok
    11:05:32.0890 2940 WDICA - ok
    11:05:32.0953 2940 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
    11:05:32.0953 2940 wdmaud - ok
    11:05:33.0015 2940 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
    11:05:33.0031 2940 winachsf - ok
    11:05:33.0140 2940 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    11:05:33.0140 2940 WmiAcpi - ok
    11:05:33.0203 2940 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
    11:05:33.0203 2940 WpdUsb - ok
    11:05:33.0250 2940 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    11:05:33.0265 2940 WudfPf - ok
    11:05:33.0265 2940 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    11:05:33.0281 2940 WudfRd - ok
    11:05:33.0312 2940 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    11:05:33.0453 2940 \Device\Harddisk0\DR0 - ok
    11:05:33.0453 2940 Boot (0x1200) (d0081d4c561a6ae3504f51832644b1a8) \Device\Harddisk0\DR0\Partition0
    11:05:33.0453 2940 \Device\Harddisk0\DR0\Partition0 - ok
    11:05:33.0453 2940 ============================================================
    11:05:33.0453 2940 Scan finished
    11:05:33.0453 2940 ============================================================
    11:05:33.0468 3256 Detected object count: 2
    11:05:33.0468 3256 Actual detected object count: 2
    11:06:12.0140 3256 C:\WINDOWS\400631341:3537444584.exe - copied to quarantine
    11:06:12.0140 3256 2d26e117 ( HiddenFile.Multi.Generic ) - User select action: Quarantine
    11:06:12.0218 3256 C:\WINDOWS\System32\drivers\afd.sys - copied to quarantine
    11:06:12.0218 3256 AFD ( ForgedFile.Multi.Generic ) - User select action: Quarantine
    11:06:17.0656 1100 Deinitialize success



    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 14/10/2011 at 12:47:48.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE


    Rkill completed on 14/10/2011 at 12:47:54.




    exeHelper by Raktor
    Build 20100414
    Run at 12:49:01 on 10/14/11
    Now searching...
    Checking for numerical processes...
    Killed numerical process 400631341:3537444584
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please go on and run Combofix.
  7. zooker

    zooker Newcomer, in training Topic Starter

    Combofix ran successfully.

    ComboFix 11-10-14.04 - Katie Lloyd 16/10/2011 8:38.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1673 [GMT 11:00]
    Running from: c:\documents and settings\Katie Lloyd\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\z.xml
    c:\windows\$NtUninstallKB13262$
    c:\windows\$NtUninstallKB13262$\450235846
    c:\windows\$NtUninstallKB13262$\757522711\@
    c:\windows\$NtUninstallKB13262$\757522711\bckfg.tmp
    c:\windows\$NtUninstallKB13262$\757522711\cfg.ini
    c:\windows\$NtUninstallKB13262$\757522711\Desktop.ini
    c:\windows\$NtUninstallKB13262$\757522711\keywords
    c:\windows\$NtUninstallKB13262$\757522711\kwrd.dll
    c:\windows\$NtUninstallKB13262$\757522711\L\drriaddo
    c:\windows\$NtUninstallKB13262$\757522711\U\00000001.@
    c:\windows\$NtUninstallKB13262$\757522711\U\00000002.@
    c:\windows\$NtUninstallKB13262$\757522711\U\80000000.@
    c:\windows\$NtUninstallKB13262$\757522711\U\80000032.@
    c:\windows\system32\d3d9caps.dat
    c:\windows\system32\drivers\1028_DELL_XPS_MM061 .MRK
    c:\windows\system32\drivers\DELL_XPS_MM061 .MRK
    .
    Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
    Restored copy from - The cat found it :)
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_2d26e117
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-15 to 2011-10-15 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-15 04:18 . 2008-08-14 09:51 138368 -c--a-w- c:\windows\system32\dllcache\afd.sys
    2011-10-15 04:18 . 2008-08-14 09:51 138368 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-10-13 00:28 . 2011-10-14 01:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-10-13 00:27 . 2011-10-14 01:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-13 00:27 . 2011-08-31 06:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-12 09:45 . 2011-10-12 09:45 -------- d-----w- c:\documents and settings\Katie Lloyd\Application Data\Avira
    2011-10-12 09:36 . 2011-07-21 01:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-10-12 09:36 . 2011-10-12 09:36 -------- d-----w- c:\program files\Avira
    2011-10-12 09:36 . 2011-10-12 09:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-10-12 09:36 . 2011-07-21 01:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-10-12 09:36 . 2010-06-17 04:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-10-12 09:36 . 2010-06-17 04:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-10-12 08:55 . 2011-10-12 08:55 -------- d-----w- c:\program files\Common Files\Adobe
    2011-10-12 08:53 . 2011-10-12 08:53 -------- d-----w- c:\program files\Common Files\Java
    2011-10-12 08:53 . 2011-10-12 08:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-10-12 08:53 . 2011-10-12 08:53 -------- d-----w- c:\program files\Java
    2011-09-28 02:51 . 2011-09-28 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2011-09-28 02:51 . 2011-09-28 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
    2011-09-26 11:24 . 2011-09-26 11:24 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-09-22 00:43 . 2011-10-13 00:11 -------- d-----w- c:\program files\Antivirus Programs
    2011-09-21 01:31 . 2011-09-21 01:35 -------- d-----w- c:\documents and settings\Administrator
    2011-09-20 08:07 . 2011-09-20 08:07 -------- d-----w- c:\documents and settings\Katie Lloyd\Application Data\Malwarebytes
    2011-09-20 08:07 . 2011-09-20 08:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-09-20 06:15 . 2011-09-20 06:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
    2011-09-20 06:15 . 2011-09-20 06:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-09-20 05:39 . 2011-09-20 05:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-12 08:53 . 2011-02-02 09:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-08-31 13:20 . 2011-07-26 12:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-20 281768]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVIMlctM1NYM0UtR0hHWDktQUZISjMtUFcyUU4tWjlLSDQ&inst=NzctNzI1NTI0NzE2LUxJQysxLUZMMTArMS1TUDErMS1TUDFUQisxLVNVUCs0LVNQMVM0KzEtRERUKzU0NzkwLUREMTBGKzEtTFNEKzItU1QxMEZBUFArMS1TMTBGRERGKzE&prod=90&ver=10.0.1410" [?]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/10/2011 8:36 PM 136360]
    S3 bsusbser;Basecom USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\bsusbser.sys --> c:\windows\system32\DRIVERS\bsusbser.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]
    .
    2011-02-18 c:\windows\Tasks\switchSevenDays.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-18 13:21]
    .
    2011-02-18 c:\windows\Tasks\switchShakeIcon.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-18 13:21]
    .
    2011-08-07 c:\windows\Tasks\videopadDowngrade.job
    - c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-10 09:15]
    .
    2011-08-02 c:\windows\Tasks\videopadShakeIcon.job
    - c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-10 09:15]
    .
    2011-08-07 c:\windows\Tasks\wavepadDowngrade.job
    - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-18 13:04]
    .
    2011-08-02 c:\windows\Tasks\wavepadShakeIcon.job
    - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-18 13:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Katie Lloyd\Application Data\Mozilla\Firefox\Profiles\m2mwbwff.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
    FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.01.01
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\BitTorrentBar\tbBitT.dll
    BHO-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\BitTorrentBar\tbBitT.dll
    Toolbar-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\BitTorrentBar\tbBitT.dll
    WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - c:\program files\BitTorrentBar\tbBitT.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-16 08:57
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(288)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKeeper.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\stsystra.exe
    c:\windows\system32\igfxsrvc.exe
    c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
    .
    **************************************************************************
    .
    Completion time: 2011-10-16 09:00:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-10-15 22:00
    .
    Pre-Run: 37,182,332,928 bytes free
    Post-Run: 40,276,930,560 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 9B853D07A5B752EFAF53E833406AE5BA
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Okay- looks good!- just a few more to remove:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Folder::
    c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
    c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    c:\documents and settings\LocalService\Local Settings\Application Data\Temp
    c:\program files\Antivirus Programs
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ============================================
    Please run the following:
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
      in your next reply.
    ==========================================
    Download Security Check by screen317 from one of these links:
    Link1
    Link 2
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  9. zooker

    zooker Newcomer, in training Topic Starter

    All three ran successfully.


    ComboFix 11-10-15.04 - Katie Lloyd 16/10/2011 20:12:30.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1550 [GMT 11:00]
    Running from: c:\documents and settings\Katie Lloyd\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Katie Lloyd\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
    c:\program files\Antivirus Programs
    c:\program files\Antivirus Programs\807zsspv.exe
    c:\program files\Antivirus Programs\AppRemover(1).exe
    c:\program files\Antivirus Programs\avira_antivir_personal_en.exe
    c:\program files\Antivirus Programs\logs\attach.txt
    c:\program files\Antivirus Programs\logs\DDS.txt
    c:\program files\Antivirus Programs\logs\exehelperlog.txt
    c:\program files\Antivirus Programs\logs\rkill.log
    c:\program files\Antivirus Programs\logs\TDSSKiller.2.6.8.0_13.10.2011_11.05.17_log.txt
    c:\program files\Antivirus Programs\randmbam.exe
    c:\program files\Antivirus Programs\tdsskiller\eula.txt
    c:\program files\Antivirus Programs\tdsskiller\TDSSKiller.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-16 to 2011-10-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-15 22:47 . 2011-10-15 22:47 -------- d-----w- c:\program files\ESET
    2011-10-15 04:18 . 2008-08-14 09:51 138368 -c--a-w- c:\windows\system32\dllcache\afd.sys
    2011-10-15 04:18 . 2008-08-14 09:51 138368 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-10-13 00:28 . 2011-10-14 01:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-10-13 00:27 . 2011-10-14 01:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-13 00:27 . 2011-08-31 06:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-12 09:45 . 2011-10-12 09:45 -------- d-----w- c:\documents and settings\Katie Lloyd\Application Data\Avira
    2011-10-12 09:36 . 2011-07-21 01:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-10-12 09:36 . 2011-10-12 09:36 -------- d-----w- c:\program files\Avira
    2011-10-12 09:36 . 2011-10-12 09:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-10-12 09:36 . 2011-07-21 01:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-10-12 09:36 . 2010-06-17 04:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-10-12 09:36 . 2010-06-17 04:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-10-12 08:55 . 2011-10-12 08:55 -------- d-----w- c:\program files\Common Files\Adobe
    2011-10-12 08:53 . 2011-10-12 08:53 -------- d-----w- c:\program files\Common Files\Java
    2011-10-12 08:53 . 2011-10-12 08:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-10-12 08:53 . 2011-10-12 08:53 -------- d-----w- c:\program files\Java
    2011-09-28 02:51 . 2011-09-28 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2011-09-28 02:51 . 2011-09-28 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
    2011-09-26 11:24 . 2011-09-26 11:24 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-09-21 01:31 . 2011-09-21 01:35 -------- d-----w- c:\documents and settings\Administrator
    2011-09-20 08:07 . 2011-09-20 08:07 -------- d-----w- c:\documents and settings\Katie Lloyd\Application Data\Malwarebytes
    2011-09-20 08:07 . 2011-09-20 08:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-09-20 06:15 . 2011-09-20 06:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-09-20 05:39 . 2011-09-20 05:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-12 08:53 . 2011-02-02 09:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-08-31 13:20 . 2011-07-26 12:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-10-15_21.57.15 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-10-16 09:00 . 2011-10-16 09:00 16384 c:\windows\Temp\Perflib_Perfdata_280.dat
    + 2001-08-23 12:00 . 2011-10-16 09:04 40394 c:\windows\system32\perfc009.dat
    - 2001-08-23 12:00 . 2011-10-15 21:43 40394 c:\windows\system32\perfc009.dat
    + 2001-08-23 12:00 . 2011-10-16 09:04 312172 c:\windows\system32\perfh009.dat
    - 2001-08-23 12:00 . 2011-10-15 21:43 312172 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-20 281768]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVIMlctM1NYM0UtR0hHWDktQUZISjMtUFcyUU4tWjlLSDQ&inst=NzctNzI1NTI0NzE2LUxJQysxLUZMMTArMS1TUDErMS1TUDFUQisxLVNVUCs0LVNQMVM0KzEtRERUKzU0NzkwLUREMTBGKzEtTFNEKzItU1QxMEZBUFArMS1TMTBGRERGKzE&prod=90&ver=10.0.1410" [?]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/10/2011 8:36 PM 136360]
    S3 bsusbser;Basecom USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\bsusbser.sys --> c:\windows\system32\DRIVERS\bsusbser.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]
    .
    2011-02-18 c:\windows\Tasks\switchSevenDays.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-18 13:21]
    .
    2011-02-18 c:\windows\Tasks\switchShakeIcon.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-18 13:21]
    .
    2011-08-07 c:\windows\Tasks\videopadDowngrade.job
    - c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-10 09:15]
    .
    2011-08-02 c:\windows\Tasks\videopadShakeIcon.job
    - c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-10 09:15]
    .
    2011-08-07 c:\windows\Tasks\wavepadDowngrade.job
    - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-18 13:04]
    .
    2011-08-02 c:\windows\Tasks\wavepadShakeIcon.job
    - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-18 13:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    TCP: DhcpNameServer = 10.1.1.1
    FF - ProfilePath - c:\documents and settings\Katie Lloyd\Application Data\Mozilla\Firefox\Profiles\m2mwbwff.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
    FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.01.01
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-16 20:17
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-10-16 20:18:20
    ComboFix-quarantined-files.txt 2011-10-16 09:18
    ComboFix2.txt 2011-10-15 22:00
    .
    Pre-Run: 40,224,841,728 bytes free
    Post-Run: 40,128,217,088 bytes free
    .
    - - End Of File - - 53396A0992328EB0AC519DBBCE8D50E8


    ================================================================

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.RP.11.MFAAVH
    ----- EOF -----


    ================================================================


    Results of screen317's Security Check version 0.99.24
    Windows XP Service Pack 2 x86
    Out of date service pack!!
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    Avira AntiVir Personal - Free Antivirus
    ESET Online Scanner v3
    Antivirus up to date! (On Access scanning disabled!)
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 27
    Adobe Flash Player ( 10.3.183.7) Flash Player Out of Date!
    Adobe Reader X (10.1.1)
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    ``````````End of Log````````````
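The two ComboFix logs in this thread (the one posted before Bobbye's CFScript and the one just above) differ in what the script deleted and in the sliding one-month date window, which is what a helper reads off them by eye. As an added example that is not part of the thread, of ComboFix, or of any tool mentioned here, the following Python script parses the "Files Created" section of each log and reports what disappeared and what appeared between runs, ignoring entries that merely fell off the front of the later window. The sample text is copied from the thread's two logs, with one constructed entry ("Constructed Older Folder") to exercise the window edge case.

```python
"""Diff the "Files Created" sections of two ComboFix logs.

Added example for this thread; not ComboFix's own code. Each run lists files
created in the previous month, so comparing the run before a CFScript with the
run after it shows what the script removed. Sample input is copied from the
thread's logs plus one constructed entry for the sliding-window edge case.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

HEADER_RE = re.compile(
    r"Files Created from (?P<start>\d{4}-\d{2}-\d{2}) to (?P<end>\d{4}-\d{2}-\d{2})"
)
# One entry: "<created> . <modified> <size or --------> <8 attribute flags> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>[a-z-]{8}) "
    r"(?P<path>\S.*)$"
)

@dataclass(frozen=True)
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories, shown as "--------" in the log
    is_dir: bool          # first attribute flag is "d"
    path: str             # lower-cased so c:\ and C:\ compare equal

@dataclass
class Section:
    window_start: datetime
    window_end: datetime
    entries: Dict[str, Entry]   # keyed by normalised path

def parse_files_created(text: str) -> Section:
    """Parse a log excerpt holding one 'Files Created from ... to ...' section."""
    start = end = None
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.search(line)
        if h:
            start = datetime.strptime(h["start"], "%Y-%m-%d")
            end = datetime.strptime(h["end"], "%Y-%m-%d")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue   # banners, "." spacer lines, anything that is not an entry
        path = m["path"].lower()
        entries[path] = Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=None if m["size"].startswith("-") else int(m["size"]),
            is_dir=m["attrs"].startswith("d"),
            path=path,
        )
    if start is None or end is None:
        raise ValueError("no 'Files Created from ... to ...' header found")
    return Section(start, end, entries)

def diff_sections(before: Section, after: Section) -> Tuple[List[str], List[str]]:
    """Return (removed, added) paths. The window slides forward between runs, so
    an entry that only fell off the front of the later window is not a deletion."""
    removed = sorted(
        p for p, e in before.entries.items()
        if p not in after.entries and e.created >= after.window_start
    )
    added = sorted(p for p in after.entries if p not in before.entries)
    return removed, added

# Excerpt of the log posted before the CFScript ran; the last line is constructed.
BEFORE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-09-15 to 2011-10-15 )))))))))))))))))))))))))))))))
2011-10-15 04:18 . 2008-08-14 09:51 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-13 00:27 . 2011-10-14 01:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-28 02:51 . 2011-09-28 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-09-22 00:43 . 2011-10-13 00:11 -------- d-----w- c:\program files\Antivirus Programs
2011-09-20 06:15 . 2011-09-20 06:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-09-15 10:00 . 2011-09-15 10:00 -------- d-----w- c:\program files\Constructed Older Folder
"""
# Excerpt of the log posted after the CFScript ran.
AFTER_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-09-16 to 2011-10-16 )))))))))))))))))))))))))))))))
2011-10-15 22:47 . 2011-10-15 22:47 -------- d-----w- c:\program files\ESET
2011-10-15 04:18 . 2008-08-14 09:51 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-13 00:27 . 2011-10-14 01:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-28 02:51 . 2011-09-28 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
"""

if __name__ == "__main__":
    removed, added = diff_sections(parse_files_created(BEFORE_LOG), parse_files_created(AFTER_LOG))
    print("removed between runs:", *removed, sep="\n  ")
    print("added between runs:", *added, sep="\n  ")
```

Run as-is it reports that c:\program files\Antivirus Programs and the NetworkService Temp folder went away while c:\program files\ESET appeared, which matches the "Other Deletions" section of the second log; the constructed 2011-09-15 folder is not reported because the later run's window starts on 2011-09-16.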
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I'm not sure what these deletions are:
    I put the one entry c:\program files\Antivirus Programs in for removal because there is no program named Antivirus Programs. If you wanted to create a directory to keep all these programs together, it would have been C:\Antivirus Programs, NOT in C:\Program files.

    If that is the case, then I need to restore those files and you need to set up a directory correctly.

    Please let me know before we go any further. Don't try to do anything yourself- just let me know. The scans I had you run were to be saved to the desktop, not program files.
  11. zooker

    zooker Newcomer, in training Topic Starter

    Sorry about that. I think I created that folder to store some antivirus software when I was trying to fix this myself (silly me). All of the programs you have asked me to run have been saved to my desktop, except TDSSKiller for some reason. I'm not sure why I didn't save this to the desktop.

    Apologies if this has caused you some trouble. I appreciate all the help you've been providing and I'll follow any further steps exactly.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Do you plan to continue?
  13. zooker

    zooker Newcomer, in training Topic Starter

    Yes I'd like to continue. I was awaiting your reply about restoring the deleted files and whatever the next steps were.

    Cheers
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Do you understand about a 'directory' vs a 'program folder'? You can set up a Directory, which can be a folder to group processes: Example could be C:\malwarescans. Then you could put all the scanning programs in that Directory. (Please don't do this now!)

    But a Program folder contains processes for a specific program including dll, exe, sys, etc. files. Example would be c:\program files\Avira which is a folder containing the files needed for Avira.

    But you cannot use one program folder to 'store' processes for multiple programs. There are 8 different programs stashed in the one 'program folder'!

    Please make sure that Avira is still on the system. The other programs can be downloaded again.
    =======================================
    I suspect that PriceGong was keeping your CPU busy. I see quite a few logs with Combofix deleting the many processes it puts on the system- but it should be gone now, with the exception of being in Add/Remove Programs and its program folder on the C drive> Programs. Please check both places: if in Add/Remove Programs, uninstall it. Then delete the program folder.
    =====================================
    I see Malwarebytes data on the system from over a month ago. This is most likely the reason you can't run it now:
    2011-09-20 08:07 -------- d-----w- c:\documents and settings\Katie Lloyd\Application Data\Malwarebytes
    2011-09-20 08:07 . 2011-09-20 08:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    Please uninstall Mbam now. Make sure it's gone from Add/Remove Programs and that its program folder has been deleted.
    ----------------------------------------------
    Reboot the computer
    ---------------------------------------------
    Note: Both Mbam and SAS have a line for you to check to remove entries that are found. Be sure to do that in both.

    [IMG]
    Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware from HERE
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      [o] Update Malwarebytes' Anti-Malware
      [o] and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply.
      Note: on opening Notepad, click on Format> make sure Word Wrap is unchecked.
      [o] If you accidentally close it, the log file is saved here and will be named like this:
      [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ========================
    Then run this: [IMG]
    SuperAntiSpyware Home Edition Free Version
    • Please download SuperAntiSpyware from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Wait for the updates to be installed
    • On the main screen click on 'Scan your computer'.
    • Check 'Perform Complete Scan', then click 'Next' to start the scan.
    • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it, then press 'Next'.
    • Click on 'Finish' when you're done.
    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click on 'Preferences'.
    • Click on the 'Statistics/Logs' tab.
    • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor, such as Notepad. Paste the Notepad file here in your reply.
    =====================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    Folder::
    c:\documents and settings\LocalService\Local Settings\Application Data\Temp
    C:\TDSSKiller_Quarantine
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    =============================
    Logs from Mbam, SAS and Combofix in next reply please.
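Both CFScripts in this thread (the one in post 8 and the one just above) are plain text made of File::, Folder:: and Registry:: headers followed by the lines each section acts on, and a slip in one line costs a whole extra ComboFix run. The following added example, which is neither ComboFix's nor the helper's code, splits a script into its sections and flags lines that cannot mean what was intended: a Folder:: line carrying two paths, or a Registry:: value line with nothing after the '='. The Registry:: rules follow .reg (REGEDIT4) syntax, where "name"=- deletes a value and [-key] deletes a key; whether ComboFix reads a bare "name"= line the same way is an assumption here, not something the thread confirms. Both sample scripts are constructed, modelled on the first script as posted, one with its two-paths-on-one-line mistake and one corrected.

```python
"""Structural check of a ComboFix CFScript before it is dragged onto ComboFix.exe.

Added example; not ComboFix's own code. A CFScript is a sequence of "Name::"
headers (File::, Folder::, Registry::) each followed by the lines it acts on.
Registry:: rules below assume .reg (REGEDIT4) syntax: "name"=- deletes a value,
[-key] deletes a key. Whether ComboFix treats a bare "name"= line the same way
is an assumption, not something confirmed in the thread.
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")
# Start of an absolute Windows path ("c:\" or "%windir%\") not preceded by a path character
PATH_START_RE = re.compile(r"(?<![\w\\])(?:[A-Za-z]:\\|%[A-Za-z]+%\\)")
KEY_RE = re.compile(r"^\[-?HK[A-Z_]+\\.+\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_cfscript(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({section: [lines]}, [warnings]). An empty warning list means the
    script is structurally sound, not that its targets are the right ones."""
    sections: Dict[str, List[str]] = {}
    warnings: List[str] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["name"]
            sections.setdefault(current, [])
            continue
        if current is None:
            warnings.append(f"line {lineno}: content before the first Name:: header")
            continue
        sections[current].append(line)
        if current in ("File", "Folder"):
            # Exactly one path per line; a wrapped or merged line silently targets nothing useful
            n = len(PATH_START_RE.findall(line))
            if n != 1:
                warnings.append(f"line {lineno}: {current}:: line holds {n} paths, expected 1")
        elif current == "Registry":
            if KEY_RE.match(line):
                continue
            v = VALUE_RE.match(line)
            if v is None:
                warnings.append(f"line {lineno}: neither a [key] line nor a \"name\"=data line")
            elif v["data"] == "":
                warnings.append(f"line {lineno}: value {v['name']!r} has no data and no '-' delete marker")
    return sections, warnings

# Constructed sample modelled on the first script posted above, keeping its
# two-paths-on-one-line mistake so the check has something to flag.
FIRST_SCRIPT = r"""
File::
Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
c:\documents and settings\LocalService\Local Settings\Application Data\Adobe c:\documents and settings\LocalService\Local Settings\Application Data\Temp
c:\program files\Antivirus Programs
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
"""
# The same script, constructed with one path per line and a delete marker on every value.
FIXED_SCRIPT = r"""
File::
Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
c:\documents and settings\LocalService\Local Settings\Application Data\Temp
c:\program files\Antivirus Programs
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
"""

if __name__ == "__main__":
    for label, script in (("as posted", FIRST_SCRIPT), ("corrected", FIXED_SCRIPT)):
        sections, warnings = parse_cfscript(script)
        print(label, {k: len(v) for k, v in sections.items()}, warnings or "no warnings")
```

The check is deliberately only structural: it tells you a script will not do what its author meant, not whether the folders and values it names are the right ones to remove, which is the judgement the helper makes from the logs.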
  15. zooker

    zooker Newcomer, in training Topic Starter

    Thanks for getting back to me. I've completed all the steps successfully. The computer seems to be running a lot better now.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8015

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    25/10/2011 2:46:30 PM
    mbam-log-2011-10-25 (14-46-30).txt

    Scan type: Quick scan
    Objects scanned: 169627
    Time elapsed: 3 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ==============================================================

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/25/2011 at 03:31 PM

    Application Version : 5.0.1132

    Core Rules Database Version : 7843
    Trace Rules Database Version: 5655

    Scan type : Complete Scan
    Total Scan Time : 00:27:26

    Operating System Information
    Windows XP Professional 32-bit, Service Pack 2 (Build 5.01.2600)
    Administrator

    Memory items scanned : 571
    Memory threats detected : 0
    Registry items scanned : 36405
    Registry threats detected : 0
    File items scanned : 24520
    File threats detected : 9

    Adware.Tracking Cookie
    media.lvrj.com [ C:\DOCUMENTS AND SETTINGS\KATIE LLOYD\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\8D7KG3UK ]
    stat.easydate.biz [ C:\DOCUMENTS AND SETTINGS\KATIE LLOYD\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\8D7KG3UK ]
    .e-2dj6ael4qgdpmeq.stats.esomniture.com [ C:\DOCUMENTS AND SETTINGS\KATIE LLOYD\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\M2MWBWFF.DEFAULT\COOKIES.SQLITE ]
    .serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KATIE LLOYD\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\M2MWBWFF.DEFAULT\COOKIES.SQLITE ]
    .serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KATIE LLOYD\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\M2MWBWFF.DEFAULT\COOKIES.SQLITE ]
    cloud.video.unrulymedia.com [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\S2JELK7R ]
    media.mtvnservices.com [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\S2JELK7R ]
    secure-us.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\S2JELK7R ]
    stat.easydate.biz [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\S2JELK7R ]

    =================================================================

    ComboFix 11-10-24.05 - Katie Lloyd 25/10/2011 15:50:50.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1321 [GMT 11:00]
    Running from: c:\documents and settings\Katie Lloyd\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Katie Lloyd\Desktop\CFScript.txt.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\LocalService\Local Settings\Application Data\Temp
    C:\TDSSKiller_Quarantine
    c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0000\object.ini
    c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0000\svc0000\object.ini
    c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0000\svc0000\tsk0000.dta
    c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0000\svc0000\tsk0000.ini
    c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0001\object.ini
    c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0001\svc0000\object.ini
    c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0001\svc0000\tsk0000.dta
    c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0001\svc0000\tsk0000.ini
    c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0001\svc0000\tsk0001.dta
    c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0001\svc0000\tsk0001.ini
    c:\tdsskiller_quarantine\26.09.2011_21.22.24\susp0000\object.ini
    c:\tdsskiller_quarantine\26.09.2011_21.22.24\susp0000\svc0000\object.ini
    c:\tdsskiller_quarantine\26.09.2011_21.22.24\susp0000\svc0000\tsk0000.dta
    c:\tdsskiller_quarantine\26.09.2011_21.22.24\susp0000\svc0000\tsk0000.ini
    c:\windows\help\tours\htmltour\unlock_playing.htm
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-25 to 2011-10-25 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-25 03:56 . 2011-10-25 03:56 -------- d-----w- c:\documents and settings\Katie Lloyd\Application Data\SUPERAntiSpyware.com
    2011-10-25 03:55 . 2011-10-25 03:56 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-10-25 03:55 . 2011-10-25 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-10-25 03:42 . 2011-08-31 06:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-25 03:42 . 2011-10-25 03:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-15 22:47 . 2011-10-15 22:47 -------- d-----w- c:\program files\ESET
    2011-10-15 04:18 . 2008-08-14 09:51 138368 -c--a-w- c:\windows\system32\dllcache\afd.sys
    2011-10-15 04:18 . 2008-08-14 09:51 138368 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-10-12 10:06 . 2011-10-12 10:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2011-10-12 09:45 . 2011-10-12 09:45 -------- d-----w- c:\documents and settings\Katie Lloyd\Application Data\Avira
    2011-10-12 09:36 . 2011-07-21 01:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-10-12 09:36 . 2011-10-12 09:36 -------- d-----w- c:\program files\Avira
    2011-10-12 09:36 . 2011-10-12 09:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-10-12 09:36 . 2011-07-21 01:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-10-12 09:36 . 2010-06-17 04:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-10-12 09:36 . 2010-06-17 04:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-10-12 08:55 . 2011-10-12 08:55 -------- d-----w- c:\program files\Common Files\Adobe
    2011-10-12 08:53 . 2011-10-12 08:53 -------- d-----w- c:\program files\Common Files\Java
    2011-10-12 08:53 . 2011-10-12 08:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-10-12 08:53 . 2011-10-12 08:53 -------- d-----w- c:\program files\Java
    2011-09-28 02:51 . 2011-09-28 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-12 08:53 . 2011-02-02 09:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-08-31 13:20 . 2011-07-26 12:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-10-15_21.57.15 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-10-25 03:17 . 2011-10-25 03:17 16384 c:\windows\Temp\Perflib_Perfdata_2a4.dat
    - 2001-08-23 12:00 . 2011-10-15 21:43 40394 c:\windows\system32\perfc009.dat
    + 2001-08-23 12:00 . 2011-10-25 03:21 40394 c:\windows\system32\perfc009.dat
    - 2011-04-04 10:07 . 2011-06-17 14:11 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
    + 2011-04-04 10:07 . 2011-10-21 08:57 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
    - 2001-08-23 12:00 . 2011-10-15 21:43 312172 c:\windows\system32\perfh009.dat
    + 2001-08-23 12:00 . 2011-10-25 03:21 312172 c:\windows\system32\perfh009.dat
    + 2011-02-02 10:04 . 2011-10-04 23:09 48324552 c:\windows\system32\MRT.exe
    + 2011-10-21 08:56 . 2011-10-21 08:56 20333568 c:\windows\Installer\1b4ec.msp
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-12 4615552]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-20 281768]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVIMlctM1NYM0UtR0hHWDktQUZISjMtUFcyUU4tWjlLSDQ&inst=NzctNzI1NTI0NzE2LUxJQysxLUZMMTArMS1TUDErMS1TUDFUQisxLVNVUCs0LVNQMVM0KzEtRERUKzU0NzkwLUREMTBGKzEtTFNEKzItU1QxMEZBUFArMS1TMTBGRERGKzE&prod=90&ver=10.0.1410" [?]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/07/2011 3:27 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [13/07/2011 8:55 AM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 10:38 AM 116608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/10/2011 8:36 PM 136360]
    S3 bsusbser;Basecom USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\bsusbser.sys --> c:\windows\system32\DRIVERS\bsusbser.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - !SASCORE
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]
    .
    2011-02-18 c:\windows\Tasks\switchSevenDays.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-18 13:21]
    .
    2011-02-18 c:\windows\Tasks\switchShakeIcon.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-18 13:21]
    .
    2011-08-07 c:\windows\Tasks\videopadDowngrade.job
    - c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-10 09:15]
    .
    2011-08-02 c:\windows\Tasks\videopadShakeIcon.job
    - c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-10 09:15]
    .
    2011-08-07 c:\windows\Tasks\wavepadDowngrade.job
    - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-18 13:04]
    .
    2011-08-02 c:\windows\Tasks\wavepadShakeIcon.job
    - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-18 13:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    TCP: DhcpNameServer = 10.1.1.1
    FF - ProfilePath - c:\documents and settings\Katie Lloyd\Application Data\Mozilla\Firefox\Profiles\m2mwbwff.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
    FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.01.01
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-25 15:54
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-10-25 15:55:45
    ComboFix-quarantined-files.txt 2011-10-25 04:55
    ComboFix2.txt 2011-10-16 09:18
    ComboFix3.txt 2011-10-15 22:00
    .
    Pre-Run: 39,873,527,808 bytes free
    Post-Run: 39,862,759,424 bytes free
    .
    - - End Of File - - 697AAE94D1235EC446EB8809F903F216
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I recently got a newsletter detailing how malware authors are using Scheduled Tasks to get malware onto a system.
    http://www.infoworld.com/t/malware/...ler-177047?source=IFWNLE_nlt_daily_2011-10-25

    I strongly recommend that you stop all of these:
    Scheduled Tasks
    Most of those found are usually auto-updates scheduled for programs that do not need them. They will make numerous internet connections every day, looking for updates that you can find manually. You want to keep these connection attempts as few as possible, and then only if needed for the system. The only auto-update I get is for the AV program.

    Opening scheduled tasks to modify or delete them:
    Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.
    To change the settings for a task: right-click the Task> click Properties> do any of the following:
    1. To change the schedule for the task, click the Schedule tab.
    2. To customize the settings for the task, such as the maximum run time, idle time requirements, and power management options, click the Settings tab.
    3. To delete a task> right-click the task> click Delete.
    4. To prevent a task from running until you want to let it run again> right-click the task> Properties> On the General tab> clear the Enabled check box. Select the check box again to enable the task when you are ready to let the task scheduler run it again.
    ========================================
    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
    =============================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
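    As an added example (not code from this thread, the helper, or ComboFix), here is a triage pass over the two autostart sections a ComboFix log prints, the Run keys and the 'Scheduled Tasks' folder, in the layout shown in the reply above. The log excerpt inside is constructed. The trust rules are my heuristics, not ComboFix's: Program Files and system32 count as trusted roots, temp and profile directories as suspect, an all-digit or colon-bearing executable name (an alternate data stream) as suspect, a [?] in the size/date field is read as the file being absent when ComboFix looked, and anything with "update" in its name is tagged as a vendor auto-updater so it can be disabled per the advice above rather than treated as malware.

```python
r"""Triage the autostart entries in a ComboFix log: Run keys and the Scheduled Tasks folder.

Added example for this thread; not code from the thread, the helper, or ComboFix.
The log excerpt below is constructed in the shape ComboFix uses. The trust rules are my
heuristics, not ComboFix logic: Program Files and system32 are trusted roots, temp and
profile directories are suspect, an all-digit or colon-bearing executable name is suspect,
and a [?] in the size/date field is read as "file not present when ComboFix looked".
"""
import re

RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[([^\]]*)\]\s*$')
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(\S.*\.job)\s*$")
TASK_TARGET_RE = re.compile(r"^- (.+?)\s+\[([^\]]*)\]\s*$")

TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")
SUSPECT_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                   "\\recycler\\", "\\windows\\tasks\\")

# Constructed sample: the entries are invented, only the layout follows ComboFix.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"winupd"="c:\documents and settings\user\Local Settings\Temp\svchost.exe" [2011-10-01 45056]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]
.
2011-10-20 c:\windows\Tasks\At1.job
- c:\windows\1834905423:9822014716.exe [?]
.
2011-02-18 c:\windows\Tasks\switchSevenDays.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-18 13:21]
"""


def assess_target(target):
    """Reasons a start-up target deserves a second look; an empty list means unremarkable."""
    t = target.lower()
    if "\\" not in t:
        # A bare name is found through the search path, so a planted copy can hijack it.
        return ["bare file name, resolved through the search path"]
    base = t.rpartition("\\")[2]
    reasons = []
    if any(m in t for m in SUSPECT_MARKERS):
        reasons.append("runs from a user-writable or temporary location")
    elif not t.startswith(TRUSTED_PREFIXES):
        reasons.append("outside Program Files and system32")
    if ":" in base:
        reasons.append("alternate data stream in file name")
    if re.fullmatch(r"[0-9]+(?::[0-9]+)?\.exe", base):
        reasons.append("all-digit executable name")
    return reasons


def _finding(source, name, target, info):
    reasons = assess_target(target)
    if info.strip() == "?":  # assumption: ComboFix prints [?] when it could not stat the file
        reasons.append("file missing at scan time ([?])")
    severity = "high" if reasons else None
    if "update" in name.lower() or "update" in target.lower():
        reasons.append("vendor auto-updater: periodic network connections, disable if not needed")
        severity = severity or "low"
    if severity is None:
        return None
    return {"source": source, "name": name, "target": target,
            "severity": severity, "reasons": reasons}


def triage(log_text):
    """Walk the log once, pairing each .job header with the '- target [info]' line that follows it."""
    findings = []
    pending_job = None
    for raw in log_text.splitlines():
        line = raw.strip()
        rm = RUN_RE.match(line)
        if rm:
            f = _finding("Run key", *rm.groups())
            if f:
                findings.append(f)
            continue
        jm = JOB_RE.match(line)
        if jm:
            pending_job = jm.group(1).rpartition("\\")[2]
            continue
        tm = TASK_TARGET_RE.match(line)
        if tm and pending_job:
            f = _finding("Scheduled task", pending_job, *tm.groups())
            if f:
                findings.append(f)
            pending_job = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-4s %-15s %-25s %s" % (f["severity"], f["source"], f["name"], "; ".join(f["reasons"])))
```

    On the constructed excerpt the pass ranks the Temp-resident svchost.exe Run entry and the At1.job pointing at a numeric, colon-named, already-missing file in c:\windows as high, and tags AppleSoftwareUpdate.job as a low-severity updater; the vendor entries under Program Files and system32 produce nothing. Pair the script with the manual steps above: the high findings are what to hunt down, the low ones are the tasks the helper suggests disabling.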
