Solved Crypt.AQLW infection

[skuzzi]

One of my computers was infected with the Crypt.AQLW trojan several weeks ago. In the menatime, it's been offline and unused; just now getting to deal with the nastiness. I can run MBAM and GMER, but get gibberish with the DDS.

Thanks for your assistance extricating the machine from the mire. Logs posted below:
skuzzi

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.21.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Me :: DOMUS1 [administrator]

Protection: Enabled

4/21/2012 12:53:03 AM
mbam-log-2012-04-21 (00-53-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 252486
Time elapsed: 5 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-04-21 01:09:33
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 Hitachi_HDP725050GLA360 rev.GM4OA5CA
Running: fqq6g1o5.exe; Driver: D:\DOCUME~1\Me\LOCALS~1\Temp\kfldapog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Processes - GMER 1.0.15 ----

Process D:\WINDOWS\system32\ping.exe (*** hidden *** ) 3716

---- EOF - GMER 1.0.15 ----

 

[Bobbye]

I'll be glad to help with the malware- let's see if we cn get rid of the 'gibberish'.

Please download the corresponding file for your operating system:

XP
Vista
Windows 7

Unpack (unzip) the file onto your desktop and double-click it. You will be asked if you wish to merge the file with you registry, say Yes.

You should then be able to run DDS.scr. It's usually the .scr file extension cauing the problem.
===============================================
I'd like you to run Combofix- IF AVG or CA is your antivirus program, you will need to run the App Remover to temporarily uninstall it as Combofix will not run with it on the system. IF you do not have either of these, you can skip the AppRemover and just disable the current security:

Download AppRemover and save to the desktop

1. Double click the setup on the desktop> click Next
2. Select “Remove Security Application”
3. Let scan finish to determine security apps
4. A screen like below will appear:
   
   
5. Click on Next after choice has been made
6. Check the AVG program you want to uninstall
7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one: Use only if you had to remove AVG or CA.
Microsoft Security Essentials
Comodo AV
Avast! Free Antivirus
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Before you run the Combofix scan, please disable any security software you have running.

Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop

• Double click combofix.exe
  
  & follow the prompts.
• If prompted for Recovery Console, please allow.
• Once installed, you should see a blue screen prompt that says:
  • The Recovery Console was successfully installed.

• • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
  • Note: No query will be made if the Recovery Console is already on the system.
• .Close/disable all anti virus and anti malware programs
  (If you need help with this, please see HERE)
• .Close any open browsers.
• .Click on Yes, to continue scanning for malware
• .If Combofix asks you to update the program, allow
• When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
====================================================
My Guidelines: please read and follow:

• Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
• Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
• If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
• File sharing programs should be uninstalled or disabled during the cleaning process..
• Observe these:
  [o] Don't follow directions given to someone else
  [o] Don't use any other cleaning programs or scans while I'm helping you.
  [o] Don't use a Registry cleaner or make any changes in the Registry.
  [o] Don't download and install new programs- except those I give you.

Threads are closed after 5 days if there is no reply.

 

[skuzzi]

After following your instructions, I was able to get DDS to run and also ran ComboFix. Logs are pasted below. (I believe the infection occurred around April 4th - looking at the logs, the event logging shows only one week.)
Thanks for your help
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Me at 9:51:48 on 2012-04-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1447 [GMT -6:00]
.
.
============== Running Processes ===============
.
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
svchost.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Bonjour\mDNSResponder.exe
d:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
D:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\PowerISO\PWRISOVM.EXE
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
D:\Program Files\MSI\Common\RaUI.exe
D:\Program Files\Rainmeter\Rainmeter.exe
D:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
D:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
D:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - d:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - d:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
mRun: [Adobe ARM] "d:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HDAudDeck] d:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [PWRISOVM.EXE] d:\program files\poweriso\PWRISOVM.EXE
mRun: [Acrobat Assistant 8.0] "d:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] d:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [APSDaemon] "d:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes' Anti-Malware] "d:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: d:\docume~1\me\startm~1\programs\startup\openof~1.lnk - d:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: d:\docume~1\me\startm~1\programs\startup\rainme~1.lnk - d:\program files\rainmeter\Rainmeter.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - d:\program files\common files\autodesk shared\acstart16.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - d:\program files\hewlett-packard\aio\hp officejet 7100 series\bin\hpogrp07.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\msiwir~1.lnk - d:\program files\msi\common\RaUI.exe
IE: Append to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - d:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - d:\documents and settings\me\application data\mozilla\firefox\profiles\vugw0kov.default\
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
FF - plugin: d:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: d:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: d:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: d:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: d:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;d:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-4 654408]
R2 nvUpdatusService;NVIDIA Update Service Daemon;d:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-1-6 2348864]
R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [2012-4-4 22344]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;d:\windows\system32\drivers\viahduaa.sys [2012-1-6 993280]
S2 webrootcommagentservice;Btserial;d:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;d:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 253600]
S3 cpudrv;cpudrv;d:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
S3 WDC_SAM;WD SCSI Pass Thru driver;d:\windows\system32\drivers\wdcsam.sys [2012-3-15 11520]
.
=============== Created Last 30 ================
.
2012-04-21 06:08:15 148480 ------w- d:\windows\system32\dllcache\imagehlp.dll
2012-04-05 00:14:51 -------- d-----w- d:\documents and settings\me\application data\Malwarebytes
2012-04-05 00:14:37 -------- d-----w- d:\documents and settings\all users\application data\Malwarebytes
2012-04-05 00:14:36 22344 ----a-w- d:\windows\system32\drivers\mbam.sys
2012-04-05 00:14:36 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2012-04-04 23:30:44 388096 ----a-r- d:\documents and settings\me\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-04-04 04:17:15 0 --sha-w- d:\windows\system32\dds_trash_log.cmd
2012-04-04 02:51:37 73728 ----a-w- d:\windows\system32\javacpl.cpl
2012-04-04 02:51:37 476904 ----a-w- d:\program files\mozilla firefox\plugins\npdeployJava1.dll
2012-04-04 02:47:09 418464 ----a-w- d:\windows\system32\FlashPlayerApp.exe
2012-03-25 19:03:07 753664 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iKernel.dll
2012-03-25 19:03:07 69714 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\ctor.dll
2012-03-25 19:03:07 5632 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\DotNetInstaller.exe
2012-03-25 19:03:07 274432 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iscript.dll
2012-03-25 19:03:07 200836 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iGdi.dll
2012-03-25 19:03:07 184320 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iuser.dll
2012-03-25 19:03:06 331908 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\setup.dll
2012-03-25 17:08:39 -------- d-----w- d:\documents and settings\me\local settings\application data\IsolatedStorage
2012-03-23 03:36:19 733184 ----a-w- d:\program files\common files\installshield\professional\runtime\10\00\intel32\iKernel.dll
2012-03-23 03:36:19 69715 ----a-w- d:\program files\common files\installshield\professional\runtime\10\00\intel32\ctor.dll
2012-03-23 03:36:19 5632 ----a-w- d:\program files\common files\installshield\professional\runtime\10\00\intel32\DotNetInstaller.exe
2012-03-23 03:36:19 266240 ----a-w- d:\program files\common files\installshield\professional\runtime\10\00\intel32\iscript.dll
2012-03-23 03:36:19 172032 ----a-w- d:\program files\common files\installshield\professional\runtime\10\00\intel32\iuser.dll
2012-03-23 03:36:18 303236 ----a-w- d:\program files\common files\installshield\professional\runtime\10\00\intel32\setup.dll
2012-03-23 03:36:18 180356 ----a-w- d:\program files\common files\installshield\professional\runtime\10\00\intel32\iGdi.dll
2012-03-23 03:18:55 110592 ----a-w- d:\windows\system32\tsccvid.dll
.
==================== Find3M ====================
.
2012-04-04 04:38:23 70304 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 02:51:27 472808 ----a-w- d:\windows\system32\deployJava1.dll
2012-03-16 03:39:59 28672 ----a-w- d:\windows\system32\qttask.exe
2012-03-01 11:01:32 916992 ----a-w- d:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- d:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ----a-w- d:\windows\system32\inetcpl.cpl
2012-02-29 14:08:49 178176 ----a-w- d:\windows\system32\wintrust.dll
2012-02-29 14:08:49 148480 ----a-w- d:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- d:\windows\system32\html.iec
2012-02-29 04:20:55 127 ----a-w- d:\windows\sophos.tmp
2012-02-15 17:01:50 4547944 ----a-w- d:\windows\system32\usbaaplrc.dll
2012-02-15 17:01:50 43520 ----a-w- d:\windows\system32\drivers\usbaapl.sys
2012-02-07 17:02:40 1070352 ----a-w- d:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:26:17 1869184 ----a-w- d:\windows\system32\win32k.sys
.
============= FINISH: 9:52:15.18 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/6/2011 9:57:26 AM
System Uptime: 4/21/2012 9:38:46 AM (0 hours ago)
.
Motherboard: ASRock | | G41M-LE
Processor: Pentium(R) Dual-Core CPU E5200 @ 2.50GHz | CPUSocket | 2500/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 244 GiB total, 111.716 GiB free.
D: is FIXED (NTFS) - 73 GiB total, 3.662 GiB free.
E: is FIXED (NTFS) - 148 GiB total, 16.518 GiB free.
F: is CDROM ()
Q: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 802.11g PCI Turbo Wireless Adapter
Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_B8341462&REV_00\4&CF81C54&0&08F0
Manufacturer: Ralink Technology, Inc.
Name: 802.11g PCI Turbo Wireless Adapter
PNP Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_B8341462&REV_00\4&CF81C54&0&08F0
Service: RT61
.
==== System Restore Points ===================
.
RP178: 4/2/2012 10:42:48 PM - System Checkpoint
RP179: 4/3/2012 3:00:14 AM - Software Distribution Service 3.0
RP180: 4/3/2012 8:50:51 PM - Removed Java(TM) 6 Update 22
RP181: 4/3/2012 11:11:36 PM - Software Distribution Service 3.0
RP182: 4/4/2012 5:30:42 PM - Installed HiJackThis
RP183: 4/5/2012 3:00:45 AM - Software Distribution Service 3.0
RP184: 4/6/2012 3:00:14 AM - Software Distribution Service 3.0
RP185: 4/7/2012 3:00:14 AM - Software Distribution Service 3.0
RP186: 4/8/2012 3:00:13 AM - Software Distribution Service 3.0
RP187: 4/9/2012 3:00:14 AM - Software Distribution Service 3.0
RP188: 4/10/2012 3:00:15 AM - Software Distribution Service 3.0
RP189: 4/11/2012 3:00:14 AM - Software Distribution Service 3.0
RP190: 4/12/2012 3:00:14 AM - Software Distribution Service 3.0
RP191: 4/13/2012 3:00:15 AM - Software Distribution Service 3.0
RP192: 4/14/2012 3:00:14 AM - Software Distribution Service 3.0
RP193: 4/15/2012 3:00:14 AM - Software Distribution Service 3.0
RP194: 4/16/2012 3:00:15 AM - Software Distribution Service 3.0
RP195: 4/17/2012 3:00:21 AM - Software Distribution Service 3.0
RP196: 4/18/2012 3:00:14 AM - Software Distribution Service 3.0
RP197: 4/19/2012 3:00:14 AM - Software Distribution Service 3.0
RP198: 4/20/2012 3:00:16 AM - Software Distribution Service 3.0
RP199: 4/21/2012 1:12:12 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
.
%WS4_ARP_DISPLAY%
µTorrent
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat 8 Professional
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe Encore CS3 Codecs
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Reader X (10.1.2)
Adobe Setup
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AutoCAD Architecture 2010
AutoCAD Architecture 2010 Language Pack - English
Autodesk Architectural Desktop 2005
Autodesk Design Review 2010
Autodesk DWF Viewer
Bonjour
DVDFab 7.0.9.2 (05/08/2010)
EVGA Precision 2.1.1
Higher Score on the SAT/PSAT
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB954550-v5)
hp officejet 7100 series
iTunes
Java Auto Updater
Java(TM) 6 Update 31
Magic ISO Maker v5.4 (build 0251)
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mozilla Firefox 11.0 (x86 en-US)
MSI Wireless LAN Card
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB973685)
NVIDIA Control Panel 290.53
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA Graphics Driver 290.53
NVIDIA Install Application
NVIDIA nView 136.02
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA PhysX System Software 9.11.1107
NVIDIA Update 1.6.24
NVIDIA Update Components
OpenOffice.org 3.3
PDF Settings
Platform
PowerISO
QuickTime
Rainmeter
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Recover Keys
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
SES Driver
SpeedyPC
System Requirements Lab for Intel
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wnmiper
TurboTax 2008 wrapper
TurboTax 2009
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wnmiper
TurboTax 2009 wrapper
TurboTax 2010
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wnmiper
TurboTax 2010 wrapper
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax Home & Business 2006
TurboTax ItsDeductible 2006
TurboTax Premier 2004
TurboTax Premier 2005
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2598306) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2641690)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA Platform Device Manager
VLC media player 1.1.11
WebFldrs XP
WexTech AnswerWorks
Winamp
Winamp Detector Plug-in
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
WinRAR 4.01 (32-bit)
.
==== Event Viewer Messages From Past Week ========
.
4/19/2012 4:56:29 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
4/18/2012 12:33:30 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
4/18/2012 10:31:46 AM, error: Service Control Manager [7023] - The Btserial service terminated with the following error: Access is denied.
4/18/2012 10:31:35 AM, error: Service Control Manager [7023] - The Sp_clamsrv service terminated with the following error: Access is denied.
4/18/2012 10:31:35 AM, error: Service Control Manager [7023] - The Pdlnecfg service terminated with the following error: The specified module could not be found.
4/18/2012 10:31:35 AM, error: Service Control Manager [7023] - The Mksvirmonsvc service terminated with the following error: The specified module could not be found.
4/18/2012 10:31:35 AM, error: Service Control Manager [7023] - The GoProto service terminated with the following error: The specified module could not be found.
4/18/2012 10:29:48 AM, error: dmboot [3] - dmboot: Failed to start volume Volume4 (N
4/17/2012 3:01:15 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007f0f4: Security Update for Windows XP (KB2481109).
.
==== End Of File ===========================

ComboFix 12-04-20.03 - Me 04/21/2012 10:24:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1677 [GMT -6:00]
Running from: d:\documents and settings\Me\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\documents and settings\Me\Application Data\inst.exe
D:\setup.exe
d:\windows\$NtUninstallKB14012$
d:\windows\$NtUninstallKB14012$\1514368255\@
d:\windows\$NtUninstallKB14012$\1514368255\cfg.ini
d:\windows\$NtUninstallKB14012$\1514368255\Desktop.ini
d:\windows\$NtUninstallKB14012$\1514368255\L\syjvwjii
d:\windows\$NtUninstallKB14012$\1514368255\oemid
d:\windows\$NtUninstallKB14012$\1514368255\U\00000001.@
d:\windows\$NtUninstallKB14012$\1514368255\U\00000002.@
d:\windows\$NtUninstallKB14012$\1514368255\U\00000004.@
d:\windows\$NtUninstallKB14012$\1514368255\U\80000000.@
d:\windows\$NtUninstallKB14012$\1514368255\U\80000004.@
d:\windows\$NtUninstallKB14012$\1514368255\U\80000032.@
d:\windows\$NtUninstallKB14012$\1514368255\version
d:\windows\$NtUninstallKB14012$\4175661304
d:\windows\dasetup.log
d:\windows\system\VB40032.DLL
d:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((( Files Created from 2012-03-21 to 2012-04-21 )))))))))))))))))))))))))))))))
.
.
2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\windows\system32\wbem\snmp
2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\windows\system32\xircom
2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\program files\microsoft frontpage
2012-04-21 06:08 . 2012-02-29 14:08 148480 ------w- d:\windows\system32\dllcache\imagehlp.dll
2012-04-13 16:28 . 2012-04-13 16:28 -------- d-----w- d:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2012-04-05 00:14 . 2012-04-05 00:14 -------- d-----w- d:\documents and settings\Me\Application Data\Malwarebytes
2012-04-05 00:14 . 2012-04-05 00:14 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-05 00:14 . 2012-04-21 06:03 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2012-04-05 00:14 . 2012-04-04 21:56 22344 ----a-w- d:\windows\system32\drivers\mbam.sys
2012-04-05 00:08 . 2012-04-05 00:08 -------- d-----w- d:\documents and settings\Administrator
2012-04-04 23:30 . 2012-04-04 23:30 388096 ----a-r- d:\documents and settings\Me\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-04-04 04:37 . 2012-04-04 04:37 -------- d-sh--w- d:\documents and settings\NetworkService\PrivacIE
2012-04-04 02:53 . 2012-04-04 02:53 -------- d-----w- d:\program files\Common Files\Java
2012-04-04 02:51 . 2012-04-04 02:51 73728 ----a-w- d:\windows\system32\javacpl.cpl
2012-04-04 02:51 . 2012-04-04 02:51 476904 ----a-w- d:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-04-04 02:47 . 2012-04-04 04:38 418464 ----a-w- d:\windows\system32\FlashPlayerApp.exe
2012-03-25 19:03 . 2012-03-25 19:03 200836 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2012-03-25 19:03 . 2005-04-04 05:02 753664 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2012-03-25 19:03 . 2005-04-04 05:02 69714 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2012-03-25 19:03 . 2005-04-04 05:01 274432 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2012-03-25 19:03 . 2005-04-04 05:00 184320 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2012-03-25 19:03 . 2005-04-04 04:59 5632 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2012-03-25 19:03 . 2012-03-25 19:03 331908 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2012-03-25 17:24 . 2012-03-25 17:24 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\IsolatedStorage
2012-03-25 17:08 . 2012-03-25 17:08 -------- d-----w- d:\documents and settings\Me\Local Settings\Application Data\IsolatedStorage
2012-03-23 03:36 . 2004-04-19 05:42 733184 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iKernel.dll
2012-03-23 03:36 . 2004-04-19 05:40 69715 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\ctor.dll
2012-03-23 03:36 . 2004-04-19 05:39 266240 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iscript.dll
2012-03-23 03:36 . 2004-04-19 05:39 172032 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iuser.dll
2012-03-23 03:36 . 2004-04-19 05:39 5632 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\DotNetInstaller.exe
2012-03-23 03:36 . 2012-03-23 03:36 303236 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\setup.dll
2012-03-23 03:36 . 2012-03-23 03:36 180356 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iGdi.dll
2012-03-23 03:18 . 2003-04-16 07:10 110592 ----a-w- d:\windows\system32\tsccvid.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 04:38 . 2011-12-06 18:25 70304 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 02:51 . 2011-12-17 07:55 472808 ----a-w- d:\windows\system32\deployJava1.dll
2012-03-20 23:33 . 2012-03-20 23:33 40960 ----a-r- d:\documents and settings\Me\Application Data\Microsoft\Installer\{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}\NewShortcut3_2E7595EC4FB14E2993D49083C8A9B107.exe
2012-03-16 03:39 . 2012-03-16 03:39 28672 ----a-w- d:\windows\system32\qttask.exe
2012-03-01 11:01 . 2009-03-08 02:34 916992 ----a-w- d:\windows\system32\wininet.dll
2012-03-01 11:01 . 2009-03-08 02:34 1469440 ----a-w- d:\windows\system32\inetcpl.cpl
2012-03-01 11:01 . 2009-03-08 02:34 43520 ----a-w- d:\windows\system32\licmgr10.dll
2012-02-29 14:08 . 2008-11-13 13:18 178176 ----a-w- d:\windows\system32\wintrust.dll
2012-02-29 14:08 . 2008-04-14 11:00 148480 ----a-w- d:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2009-03-08 02:35 385024 ----a-w- d:\windows\system32\html.iec
2012-02-29 04:20 . 2012-02-29 04:20 127 ----a-w- d:\windows\sophos.tmp
2012-02-15 17:01 . 2012-03-15 22:36 4547944 ----a-w- d:\windows\system32\usbaaplrc.dll
2012-02-15 17:01 . 2012-03-15 22:36 43520 ----a-w- d:\windows\system32\drivers\usbaapl.sys
2012-02-07 17:02 . 2012-02-07 17:02 1070352 ----a-w- d:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:26 . 2009-02-09 10:08 1869184 ----a-w- d:\windows\system32\win32k.sys
2012-03-18 05:21 . 2011-12-06 18:11 97208 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-03-26 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . d:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . d:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"HDAudDeck"="d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-01-09 33570816]
"PWRISOVM.EXE"="d:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"Acrobat Assistant 8.0"="d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"APSDaemon"="d:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Malwarebytes' Anti-Malware"="d:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
d:\documents and settings\Me\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - d:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
Rainmeter.lnk - d:\program files\Rainmeter\Rainmeter.exe [2012-1-8 105160]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - d:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-25 10872]
HPAiODevice(hp officejet 7100 series) - 1.lnk - d:\program files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2003-6-25 495682]
MSI Wireless Utility.lnk - d:\program files\MSI\Common\RaUI.exe [2011-12-6 425984]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "d:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0d:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Documents and Settings\\Me\\My Documents\\Downloads\\utorrent.exe"=
"d:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"d:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/4/2012 6:14 PM 654408]
R2 nvUpdatusService;NVIDIA Update Service Daemon;d:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [1/6/2012 8:56 AM 2348864]
R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [4/4/2012 6:14 PM 22344]
R3 pcouffin;VSO Software pcouffin;d:\windows\system32\drivers\pcouffin.sys [1/8/2012 11:23 AM 47360]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;d:\windows\system32\drivers\viahduaa.sys [1/6/2012 12:28 PM 993280]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/3/2012 8:47 PM 253600]
S3 cpudrv;cpudrv;d:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 11:08 AM 11336]
S3 WDC_SAM;WD SCSI Pass Thru driver;d:\windows\system32\drivers\wdcsam.sys [3/15/2012 4:38 PM 11520]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
lvusbsta
ctljystk
HssSrv
se2Dnd5
cltnetcnservice
nimxdfk
F700imd
dvpapi
pgsql-8.0
us30sys
QPSched
dlbu_device
dcpflics
webrootcommagentservice
tavsvc
firelm01
MTC0001_ESB
IntelC51
vaiomediaplatform-videoserver-appserver
SE27obex
se59obex
winpppoverethernet
quickbooksdb
agnwifi
viagfx
oracleorahome811cman
awecho
regmon701
Si3114r5
gearsecurity
icm10blk
ntsyslog
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-21 d:\windows\Tasks\Adobe Flash Player Updater.job
- d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 04:38]
.
2012-04-20 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-04-20 d:\windows\Tasks\SpeedyPC Program Check.job
- d:\program files\SpeedyPC\SpeedyPC.exe [2010-05-19 23:10]
.
2012-04-19 d:\windows\Tasks\SpeedyPC.job
- d:\program files\SpeedyPC\SpeedyPC.exe [2010-05-19 23:10]
.
.
------- Supplementary Scan -------
.
IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
FF - ProfilePath - d:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\vugw0kov.default\
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-21 10:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,8e,e0,a8,30,b5,77,42,a1,fd,32,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,8e,e0,a8,30,b5,77,42,a1,fd,32,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4008)
d:\windows\system32\WININET.dll
d:\windows\system32\msi.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\webcheck.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
d:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\OpenOffice.org 3\program\soffice.exe
d:\windows\system32\wscntfy.exe
d:\program files\OpenOffice.org 3\program\soffice.bin
d:\program files\iPod\bin\iPodService.exe
d:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
d:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
d:\program files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
d:\program files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
.
**************************************************************************
.
Completion time: 2012-04-21 10:38:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-21 16:38
.
Pre-Run: 3,792,707,584 bytes free
Post-Run: 4,777,283,584 bytes free
.
- - End Of File - - 731CEFD1711A401CA2F78354ADAF7337

 

[Bobbye]

Can you tell me please if you intentionally disabled the SFC> System File Checker?
Also tell me if you open Internet Explorer, do you get a page with a green background and hear a sound like a whistle?

There is an entry that can be caused by a Worm: mWinlogon: SfcDisable=-99 (0xffffff9d)

RenameLoi.A is a worm that carries out several modifications in the Windows Registry, which prevent the user from working with the computer as usual. These modifications prevent the user from carrying out the following actions, among others:

• Viewing the processes that are being run through the Task Manager.
• Modifying the configuration of the features of the folders.
• This spreads through local, removable and mapped drives, making copies of itself in them.
• Additionally, it modifies the start and search page of Internet Explorer.
  
  It disables Windows File Protection (WFP). This implies that the Windows protected files can be modified, which could cause problems with the operating system and the installed programs
  ------------------------------------------------------------------
  Are you experiencing any of the above?
  ----------------------------------------------------------------
  I would like you to completely disable SpeedyPC to include the Scheduled Task for it that you have set. This is a registry cleaner- something we don't recommend to anyone as the risks outweigh any small benefit you may get. Feel free to uninstall it.
  
  You have several pieces of software loading and running in the background, the function being to make the PC and surfing go faster. But what you haven't considered is that these are starting on boot and running in the background, using resources from the system. (I'll specify those for you later.)
  
  All you tell me is>
  

  my computers was infected with the Crypt.AQLW trojan several weeks ago.

  You do not give me any details of what found this malware or any particular problems you were having.
  =================================================
  I also note these 2 drives:
  

  C: is FIXED (NTFS) - 244 GiB total, 111.716 GiB free.
  D: is FIXED (NTFS) - 73 GiB total, 3.662 GiB free.

  
  But all the processes in the logs are on the D Drive instead of the C Drive. Could this be the reason?
  

  4/19/2012 4:56:29 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.

  ================================================
  Before we run other scans let's check this:
  To run the Eset Online Virus Scan:
  If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"
     
     If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
     [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
     [o] Double click on the desktop icon to run.
     [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
     
  4. Continue with the directions.
     
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
     
     
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives/
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
  NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
  
  Please answer my questions and leave the Eset log in your next reply. I will be giving you some script to run through Combofix after the above.

 

[skuzzi]

Can you tell me please if you intentionally disabled the SFC> System File Checker?
Also tell me if you open Internet Explorer, do you get a page with a green background and hear a sound like a whistle?

There is an entry that can be caused by a Worm: mWinlogon: SfcDisable=-99 (0xffffff9d)

RenameLoi.A is a worm that carries out several modifications in the Windows Registry, which prevent the user from working with the computer as usual. These modifications prevent the user from carrying out the following actions, among others:

• Viewing the processes that are being run through the Task Manager.
• Modifying the configuration of the features of the folders.
• This spreads through local, removable and mapped drives, making copies of itself in them.
• Additionally, it modifies the start and search page of Internet Explorer.
  
  It disables Windows File Protection (WFP). This implies that the Windows protected files can be modified, which could cause problems with the operating system and the installed programs
  ------------------------------------------------------------------
  Are you experiencing any of the above?
  ----------------------------------------------------------------
  I would like you to completely disable SpeedyPC to include the Scheduled Task for it that you have set. This is a registry cleaner- something we don't recommend to anyone as the risks outweigh any small benefit you may get. Feel free to uninstall it.
  
  You have several pieces of software loading and running in the background, the function being to make the PC and surfing go faster. But what you haven't considered is that these are starting on boot and running in the background, using resources from the system. (I'll specify those for you later.)
  
  All you tell me is>
  
  You do not give me any details of what found this malware or any particular problems you were having.
  =================================================
  I also note these 2 drives:
  
  
  But all the processes in the logs are on the D Drive instead of the C Drive. Could this be the reason?
  
  ================================================
  Before we run other scans let's check this:
  To run the Eset Online Virus Scan:
  If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"
     
     If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
     [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
     [o] Double click on the desktop icon to run.
     [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
     
     
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives/
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
  NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
  
  Please answer my questions and leave the Eset log in your next reply. I will be giving you some script to run through Combofix after the above.

Bobbye –

I have not intentionally disabled the System File checker. When opening IE, I get through to msn.com. (I don’t typically use IE, using Firefox instead. I believe after running ComboFix, the computer rebooted and the IE desktop icon (re)appeared. I wouldn’t normally have the desktop icon.)

Jumping to run ESET online through IE, I get a popup window with a “Failed load” ‘x’ in the window (like a missing image response or missing ActiveX?). So am running it through the download and my usual FireFox.

Back to your request for more basic info – you’re right- I lacked supplying much info with my first post. Since this occurred several weeks ago, I’ll try to retrace the unfolding events. AVG AV Free Edition 2012 started with an alert to 2 Trojans – Crypt.AQLW and ?. I attempted to heal/quarantine the infections however the alerts continued to appear. Often the infected file name changes and cannot be found or is inaccessible, and occur in the Windows/system32 folder. In proceeding through the process on TechSpot, I removed AVG as requested and am not sure about the logs which might be more informative than my memory. On or about April 3 or 4, I was updating Java and Flash and afterwards, I started noticing the AVG alerts. I downloaded MBAM and HiJack This and installed on 4.4.2012 in order to look for suspicious activity.

Regarding any other symptoms, the computer seems to function fine albeit with AVG finding infected files, and infected system restore points. I almost immediately disconnected from the internet/network and stopped using the machine except to retrieve data files via flash drive. Looking in the Task manager I couldn’t find unusual processes; likewise in Windows files, I looked for newly created/modified files with no obvious answers. The four symptoms you list that relate to the RenameLoi.A worm don’t seem to be my symptoms.

Regarding the C and D drives – I have OS on both drives. D drive is the main drive I use; at the moment, I have been intending to scrub the C drive as “corrupt and unstable”. On booting, often the chkdsk utility runs on C drive. I understand that C is usually (and used to be on this machine) the “main” drive.

Regarding Speedy PC – I have never used it; and recognize its lack of value. I will uninstall.

Please be aware that I have been using a flash drive to transfer files rather than connect to my network or internet. If in fact the malware is replicating on other drives, I will to to deal with this as well. I have been maintaining internet silence with the infected machine except for brief intervals such as ESET download and earlier MBAM updates.

the ESET log is pasted below……….

C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP101\A0185121.exe a variant of Win32/InstallCore.D application
C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP102\A0185885.exe Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP46\A0140870.exe a variant of Win32/InstallCore.D application
C:\WINDOWS\Temp\jar_cache1286996826794414652.tmp a variant of Java/Exploit.CVE-2011-3544.A trojan
D:\Documents and Settings\Me\Local Settings\Application Data\Mozilla\Firefox\Profiles\vugw0kov.default\Cache\7\E9\8A9FCd01 HTML/Iframe.B.Gen virus
D:\Documents and Settings\Me\My Documents\Downloads\architecturaldesktop2005keygenparadox.zip a variant of Win32/Kryptik.ADSH trojan
D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP181\A0034908.sys Win32/Sirefef.DA trojan
D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP181\A0035911.sys Win32/Sirefef.DA trojan
D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP181\A0035965.sys Win32/Sirefef.DA trojan
D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP181\A0036005.sys Win32/Sirefef.DA trojan
D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP182\A0036052.sys Win32/Sirefef.DA trojan
D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP182\A0036093.sys Win32/Sirefef.DA trojan
D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP196\A0038716.dll Win32/Sirefef.ER trojan
D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP196\A0038717.dll Win32/Sirefef.ER trojan
D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP196\A0039702.sys Win32/Sirefef.DA trojan
D:\System Volume Information\_restore{08AACF18-BB46-4D8D-90E4-1B21C48D92DA}\RP198\A0039832.sys Win32/Sirefef.DA trojan

 

[skuzzi]

Bobbye -

While waiting for your response, I installed MSE (MS security essentials) and inadverently after installing, MSE scanned the computer and deleted the found infections - including Win32/Sirefef.AH and Win32/Sireef.AC and several other Java exploits (on the old C: Drive).

I apologize as I know this contradicts TS instructions and messes with the current diagnosis and solution. I await your advice.

skuzzi

 

[Bobbye]

My delay-sorry. Unavoidable.

The Win32/Sirefef.DA trojan seen are in the System Volume- those are where the Restore points are kee. They are no longer active and could only affect the system if you did a System Resore and happened to choose one of the infected points. I have you set a new clean restore point and remove the old restore points at the end of cleaning.

Virus scanners can't read locations. So MSE, like Eset, is likely identifying this malware in the restore point. This is a protected, system file and isn't 'quarantined or deleted' in a security scan, even though it may say that,

The only new entries in Eset are these:

1. C:\WINDOWS\Temp\jar_cache1286996826794414652.tmp a variant of Java/Exploit.CVE-2011-3544.A trojan
2. D:\Documents and Settings\Me\Local Settings\Application Data\Mozilla\Firefox\Profiles\vugw0kov.default\Cache\7\E9\8A9FCd01 HTML/Iframe.B.Gen virus
3. D:\Documents and Settings\Me\My Documents\Downloads\architecturaldesktop2005keygenparadox.zip a variant of Win32/Kryptik.ADSH trojan

#1 is in the Java cache. Malware usually finds it's way there due to an outdated version of Java on the system. It is on the C Drive.
#2 is in the Firefox cache. It can be cleared as follows:
Clear Firefox Cache

1. Open Firefox> Click on Tools> Options
2. Select the Advanced panel.
3. Click on the Network tab
4. In the Offline Storage section, click Clear Now.

#3 is malware from a pirated program. I will set up the move for all 3 entries. But to continue support, you will have to uninstall the pirated program.


Please download OTMovit by Old Timerand save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  :Files 
  C:\WINDOWS\Temp\jar_cache1286996826794414652.tmp 
  D:\Documents and Settings\Me\Local Settings\Application Data\Mozilla\Firefox\Profiles\vugw0kov.default\Cache\7\E9\8A9FCd01 
  D:\Documents and Settings\Me\My Documents\Downloads\architecturaldesktop2005keygenparadox.zip 
  
  :Commands
  [purity]
  [emptytemp]
  [*][emptyjavacache]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
================================================================
You should also disinfect your flash drive.

• Please download Panda USB Vaccine(you must provide valid e-mail and they will send you download link to this e-mail address) to your desktop.
• Install and run it.
• Plug in USB drive and click on Vaccinate USB and Vaccinate computer.

 

[skuzzi]

OTM has been running for 12 hours and seems to be frozen.

 

[Bobbye]

Please stop OTM. Reboot the computer and run the following:

Download CKScanner and save to your desktop.

• Doubleclick CKScanner.exe and click Search For Files.
• When the cursor hourglass disappears, click Save List To File.
• A message box will verify that the file is saved.
• Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

=====================================
Remove this:

#3 is malware from a pirated program. I will set up the move for all 3 entries. But to continue support, you will have to uninstall the pirated program.

and any other pirated programs you have. After this has been done, run the Eset scanner again.

Please note: if you want to continue getting support, any pirated software on the system will have to be removed first.
===========================================
You may have gotten this infection by using cracks or keygens> here's what it is:

What is Crypt.AQLW

Crypt.AQLW is a terrible trojan horse infected the compromised computer without users' knowing in the background. Its infection is destructively as it is not easily found on the computer. It targets windows comptuters by exploiting vulnerabilities application as MS Access and will open the backdoor for malware installing. Once Crypt.AQLW installed on the compromised computer, it will change the registry entry to make sure it can start automatically when windows start. What's worse, it will install malwares on your computer without your permission.

How harmful is Crypt.AQLW infection
Crypt.AQLW creeps into system secretly.
Crypt.AQLW will modify system files and windows service.
Crypt.AQLW may block some programs.
Crypt.AQLW will install malwares on your computer.

Source: Anvisoft

Even if we remove all of the entries we find, the system may already be compromised and a Backdoor may be in place.

 

[skuzzi]

Here are results of the two scans:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\adobe\adobe premiere pro cs3\plug-ins\en_us\vstplugins\decrackler1.dll
c:\program files\adobe\adobe premiere pro cs3\plug-ins\en_us\vstplugins\decrackler2.dll
c:\program files\adobe\adobe premiere pro cs3\plug-ins\en_us\vstplugins\decrackler6.dll
scanner sequence 3.CP.11.PVABCJ
----- EOF -----

ESET Scan#2:

C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP101\A0185121.exe a variant of Win32/InstallCore.D application
C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP102\A0185885.exe Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP46\A0140870.exe a variant of Win32/InstallCore.D application

skuzzi

 

[Bobbye]

To continue support, please review my comments about the pirated program.

 

[skuzzi]

I thought I had - what are you referring to that I still need to remove.

 

[Bobbye]

This was what I was referring to:

D:\Documents and Settings\Me\My Documents\Downloads\architecturaldesktop2005keygenparadox.zip

Strange: although OTM didn't complete, the files I had for removal do not show up in the recent Eset scan.

Please give me an update on how the system is doing now.
=================================================
This needs to be run also:

• Download the file TDSSKiller.zip and save to the desktop.
  (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
• Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
• Double click on TDSSKiller.exe. to run the scan
• When the scan is over, the utility outputs a list of detected objects with description.
• If malicious objects are found, they will show in the Scan results and offer three (3) options.
• Select the action Cure to quarantine detected objects.
  The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
• Click Continue.
• Next, the utility applies selected actions and outputs the result. Save and paste in your next reply.
• A reboot is required after disinfection.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

 

[skuzzi]

OK -

Regarding the system status - all is generally quiet. Throughout the process working with TS, the AVG and now MSEssentials typically would find and "quarantine" various files - Crypt.AQLW and Win32/Sirefef.AH. The last time that these were found was on 4.28.12, after I had tried running OTM and the machine froze. For the last 48+ hours though no activity. I remain offline/disconnected from the network.

Do I try running OTM again?

Ran TDSSkiller with no negative detection. Log posted below.

21:28:14.0734 2820 TDSS rootkit removing tool 2.7.33.0 Apr 24 2012 18:43:43
21:28:14.0750 2820 ============================================================
21:28:14.0750 2820 Current date / time: 2012/05/01 21:28:14.0750
21:28:14.0750 2820 SystemInfo:
21:28:14.0750 2820
21:28:14.0750 2820 OS Version: 5.1.2600 ServicePack: 3.0
21:28:14.0750 2820 Product type: Workstation
21:28:14.0750 2820 ComputerName: DOMUS1
21:28:14.0750 2820 UserName: Me
21:28:14.0750 2820 Windows directory: D:\WINDOWS
21:28:14.0750 2820 System windows directory: D:\WINDOWS
21:28:14.0750 2820 Processor architecture: Intel x86
21:28:14.0750 2820 Number of processors: 2
21:28:14.0750 2820 Page size: 0x1000
21:28:14.0750 2820 Boot type: Normal boot
21:28:14.0750 2820 ============================================================
21:28:16.0750 2820 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:28:16.0765 2820 Drive \Device\Harddisk1\DR32 - Size: 0xF0000000 (3.75 Gb), SectorSize: 0x200, Cylinders: 0x1E9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
21:28:16.0781 2820 ============================================================
21:28:16.0781 2820 \Device\Harddisk0\DR0:
21:28:16.0781 2820 MBR partitions:
21:28:16.0781 2820 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1E849D80
21:28:16.0781 2820 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1E849DBF, BlocksNum 0x927B619
21:28:16.0781 2820 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x27AC53D8, BlocksNum 0x128BF869
21:28:16.0781 2820 \Device\Harddisk1\DR32:
21:28:16.0781 2820 MBR partitions:
21:28:16.0781 2820 \Device\Harddisk1\DR32\Partition0: MBR, Type 0xB, StartLBA 0x20, BlocksNum 0x77FFE0
21:28:16.0781 2820 ============================================================
21:28:16.0828 2820 C: <-> \Device\Harddisk0\DR0\Partition0
21:28:16.0890 2820 D: <-> \Device\Harddisk0\DR0\Partition1
21:28:16.0937 2820 E: <-> \Device\Harddisk0\DR0\Partition2
21:28:16.0937 2820 ============================================================
21:28:16.0937 2820 Initialize success
21:28:16.0937 2820 ============================================================
21:28:18.0609 0520 ============================================================
21:28:18.0609 0520 Scan started
21:28:18.0609 0520 Mode: Manual;
21:28:18.0609 0520 ============================================================
21:28:19.0968 0520 Abiosdsk - ok
21:28:19.0968 0520 abp480n5 - ok
21:28:20.0000 0520 ACPI (8fd99680a539792a30e97944fdaecf17) D:\WINDOWS\system32\DRIVERS\ACPI.sys
21:28:20.0015 0520 ACPI - ok
21:28:20.0031 0520 ACPIEC (9859c0f6936e723e4892d7141b1327d5) D:\WINDOWS\system32\drivers\ACPIEC.sys
21:28:20.0031 0520 ACPIEC - ok
21:28:20.0109 0520 Adobe Version Cue CS3 (14c23516c990dcd6052152cf034dde40) D:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
21:28:20.0109 0520 Adobe Version Cue CS3 - ok
21:28:20.0171 0520 AdobeFlashPlayerUpdateSvc (459ac130c6ab892b1cd5d7544626efc5) D:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
21:28:20.0171 0520 AdobeFlashPlayerUpdateSvc - ok
21:28:20.0171 0520 adpu160m - ok
21:28:20.0203 0520 aec (8bed39e3c35d6a489438b8141717a557) D:\WINDOWS\system32\drivers\aec.sys
21:28:20.0218 0520 aec - ok
21:28:20.0234 0520 AegisP (2f7f3e8da380325866e566f5d5ec23d5) D:\WINDOWS\system32\DRIVERS\AegisP.sys
21:28:20.0234 0520 AegisP - ok
21:28:20.0265 0520 AFD (f6b7b1ecd7b41736bdb6ff4b092bcb79) D:\WINDOWS\System32\drivers\afd.sys
21:28:20.0265 0520 AFD - ok
21:28:20.0281 0520 agnwifi - ok
21:28:20.0281 0520 Aha154x - ok
21:28:20.0281 0520 aic78u2 - ok
21:28:20.0281 0520 aic78xx - ok
21:28:20.0312 0520 Alerter (a9a3daa780ca6c9671a19d52456705b4) D:\WINDOWS\system32\alrsvc.dll
21:28:20.0312 0520 Alerter - ok
21:28:20.0328 0520 ALG (8c515081584a38aa007909cd02020b3d) D:\WINDOWS\System32\alg.exe
21:28:20.0328 0520 ALG - ok
21:28:20.0328 0520 AliIde - ok
21:28:20.0328 0520 amsint - ok
21:28:20.0375 0520 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
21:28:20.0375 0520 Apple Mobile Device - ok
21:28:20.0406 0520 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) D:\WINDOWS\System32\appmgmts.dll
21:28:20.0406 0520 AppMgmt - ok
21:28:20.0406 0520 asc - ok
21:28:20.0406 0520 asc3350p - ok
21:28:20.0406 0520 asc3550 - ok
21:28:20.0500 0520 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
21:28:20.0500 0520 aspnet_state - ok
21:28:20.0515 0520 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) D:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:28:20.0515 0520 AsyncMac - ok
21:28:20.0531 0520 atapi (9f3a2f5aa6875c72bf062c712cfa2674) D:\WINDOWS\system32\DRIVERS\atapi.sys
21:28:20.0531 0520 atapi - ok
21:28:20.0531 0520 Atdisk - ok
21:28:20.0562 0520 Atmarpc (9916c1225104ba14794209cfa8012159) D:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:28:20.0562 0520 Atmarpc - ok
21:28:20.0593 0520 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) D:\WINDOWS\System32\audiosrv.dll
21:28:20.0593 0520 AudioSrv - ok
21:28:20.0625 0520 audstub (d9f724aa26c010a217c97606b160ed68) D:\WINDOWS\system32\DRIVERS\audstub.sys
21:28:20.0625 0520 audstub - ok
21:28:20.0656 0520 Autodesk Licensing Service - ok
21:28:20.0656 0520 awecho - ok
21:28:20.0687 0520 Beep (da1f27d85e0d1525f6621372e7b685e9) D:\WINDOWS\system32\drivers\Beep.sys
21:28:20.0687 0520 Beep - ok
21:28:20.0718 0520 BITS (574738f61fca2935f5265dc4e5691314) D:\WINDOWS\system32\qmgr.dll
21:28:20.0781 0520 BITS - ok
21:28:20.0828 0520 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) D:\Program Files\Bonjour\mDNSResponder.exe
21:28:20.0828 0520 Bonjour Service - ok
21:28:20.0859 0520 Browser (7e39a3edc13b076e70fdb9a6f6d7a4b4) D:\WINDOWS\System32\browser.dll
21:28:20.0859 0520 Browser - ok
21:28:20.0859 0520 catchme - ok
21:28:20.0890 0520 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) D:\WINDOWS\system32\drivers\cbidf2k.sys
21:28:20.0890 0520 cbidf2k - ok
21:28:20.0890 0520 cd20xrnt - ok
21:28:20.0906 0520 Cdaudio (c1b486a7658353d33a10cc15211a873b) D:\WINDOWS\system32\drivers\Cdaudio.sys
21:28:20.0906 0520 Cdaudio - ok
21:28:20.0937 0520 Cdfs (c885b02847f5d2fd45a24e219ed93b32) D:\WINDOWS\system32\drivers\Cdfs.sys
21:28:20.0937 0520 Cdfs - ok
21:28:20.0953 0520 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) D:\WINDOWS\system32\DRIVERS\cdrom.sys
21:28:20.0953 0520 Cdrom - ok
21:28:20.0953 0520 Changer - ok
21:28:20.0968 0520 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) D:\WINDOWS\system32\cisvc.exe
21:28:20.0968 0520 CiSvc - ok
21:28:20.0968 0520 ClipSrv (34cbe729f38138217f9c80212a2a0c82) D:\WINDOWS\system32\clipsrv.exe
21:28:20.0968 0520 ClipSrv - ok
21:28:21.0062 0520 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) d:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
21:28:21.0062 0520 clr_optimization_v2.0.50727_32 - ok
21:28:21.0062 0520 cltnetcnservice - ok
21:28:21.0062 0520 CmdIde - ok
21:28:21.0062 0520 COMSysApp - ok
21:28:21.0078 0520 Cpqarray - ok
21:28:21.0109 0520 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) D:\Program Files\SystemRequirementsLab\cpudrv.sys
21:28:21.0109 0520 cpudrv - ok
21:28:21.0125 0520 CryptSvc (3d4e199942e29207970e04315d02ad3b) D:\WINDOWS\System32\cryptsvc.dll
21:28:21.0125 0520 CryptSvc - ok
21:28:21.0125 0520 ctljystk - ok
21:28:21.0125 0520 dac2w2k - ok
21:28:21.0140 0520 dac960nt - ok
21:28:21.0171 0520 DcomLaunch (6b27a5c03dfb94b4245739065431322c) D:\WINDOWS\system32\rpcss.dll
21:28:21.0187 0520 DcomLaunch - ok
21:28:21.0187 0520 dcpflics - ok
21:28:21.0203 0520 Dhcp (c51de19619d50cbd03708647aca10e70) D:\WINDOWS\System32\dhcpcsvc.dll
21:28:21.0203 0520 Dhcp - ok
21:28:21.0203 0520 Disk (47b6aaec570f2c11d8bad80a064d8ed1) D:\WINDOWS\system32\DRIVERS\disk.sys
21:28:21.0203 0520 Disk - ok
21:28:21.0218 0520 dlbu_device - ok
21:28:21.0218 0520 dmadmin - ok
21:28:21.0250 0520 dmboot (d992fe1274bde0f84ad826acae022a41) D:\WINDOWS\system32\drivers\dmboot.sys
21:28:21.0265 0520 dmboot - ok
21:28:21.0296 0520 dmio (7c824cf7bbde77d95c08005717a95f6f) D:\WINDOWS\system32\drivers\dmio.sys
21:28:21.0296 0520 dmio - ok
21:28:21.0312 0520 dmload (e9317282a63ca4d188c0df5e09c6ac5f) D:\WINDOWS\system32\drivers\dmload.sys
21:28:21.0312 0520 dmload - ok
21:28:21.0328 0520 dmserver (57edec2e5f59f0335e92f35184bc8631) D:\WINDOWS\System32\dmserver.dll
21:28:21.0328 0520 dmserver - ok
21:28:21.0359 0520 DMusic (8a208dfcf89792a484e76c40e5f50b45) D:\WINDOWS\system32\drivers\DMusic.sys
21:28:21.0359 0520 DMusic - ok
21:28:21.0390 0520 Dnscache (d977659ae4d8ece5286d99d1ed34614d) D:\WINDOWS\System32\dnsrslvr.dll
21:28:21.0390 0520 Dnscache - ok
21:28:21.0406 0520 Dot3svc (b4109c8c3d54c83246997a777724f318) D:\WINDOWS\System32\dot3svc.dll
21:28:21.0406 0520 Dot3svc - ok
21:28:21.0437 0520 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) D:\WINDOWS\system32\DRIVERS\Dot4.sys
21:28:21.0437 0520 dot4 - ok
21:28:21.0453 0520 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) D:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
21:28:21.0453 0520 Dot4Print - ok
21:28:21.0468 0520 Dot4Scan (bd05306428da63369692477ddc0f6f5f) D:\WINDOWS\system32\DRIVERS\Dot4Scan.sys
21:28:21.0468 0520 Dot4Scan - ok
21:28:21.0468 0520 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) D:\WINDOWS\system32\DRIVERS\dot4usb.sys
21:28:21.0468 0520 dot4usb - ok
21:28:21.0484 0520 dpti2o - ok
21:28:21.0484 0520 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) D:\WINDOWS\system32\drivers\drmkaud.sys
21:28:21.0484 0520 drmkaud - ok
21:28:21.0500 0520 EapHost (2187855a7703adef0cef9ee4285182cc) D:\WINDOWS\System32\eapsvc.dll
21:28:21.0500 0520 EapHost - ok
21:28:21.0531 0520 ERSvc (bc93b4a066477954555966d77fec9ecb) D:\WINDOWS\System32\ersvc.dll
21:28:21.0531 0520 ERSvc - ok
21:28:21.0546 0520 Eventlog (65df52f5b8b6e9bbd183505225c37315) D:\WINDOWS\system32\services.exe
21:28:21.0546 0520 Eventlog - ok
21:28:21.0578 0520 EventSystem (f17f6226bdc0cd5f0bef0daf84d29bec) D:\WINDOWS\system32\es.dll
21:28:21.0578 0520 EventSystem - ok
21:28:21.0609 0520 exFat (4d893323dae445e34a4c9038b0551bc9) D:\WINDOWS\system32\drivers\exFat.sys
21:28:21.0609 0520 exFat - ok
21:28:21.0609 0520 F700imd - ok
21:28:21.0640 0520 Fastfat (38d332a6d56af32635675f132548343e) D:\WINDOWS\system32\drivers\Fastfat.sys
21:28:21.0640 0520 Fastfat - ok
21:28:21.0671 0520 FastUserSwitchingCompatibility (888cd7b39c37e13a2419becfaaf0a28c) D:\WINDOWS\System32\shsvcs.dll
21:28:21.0671 0520 FastUserSwitchingCompatibility - ok
21:28:21.0687 0520 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) D:\WINDOWS\system32\DRIVERS\fdc.sys
21:28:21.0687 0520 Fdc - ok
21:28:21.0703 0520 Fips (d45926117eb9fa946a6af572fbe1caa3) D:\WINDOWS\system32\drivers\Fips.sys
21:28:21.0703 0520 Fips - ok
21:28:21.0703 0520 firelm01 - ok
21:28:21.0781 0520 FLEXnet Licensing Service (f76d04f7413b07daa029f6520b64b4e8) D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
21:28:21.0781 0520 FLEXnet Licensing Service - ok
21:28:21.0796 0520 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) D:\WINDOWS\system32\DRIVERS\flpydisk.sys
21:28:21.0796 0520 Flpydisk - ok
21:28:21.0812 0520 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) D:\WINDOWS\system32\DRIVERS\fltMgr.sys
21:28:21.0812 0520 FltMgr - ok
21:28:21.0890 0520 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) d:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
21:28:21.0890 0520 FontCache3.0.0.0 - ok
21:28:21.0921 0520 Fs_Rec (30d42943a54704ef13e2562911dbfcea) D:\WINDOWS\system32\drivers\Fs_Rec.sys
21:28:21.0921 0520 Fs_Rec - ok
21:28:21.0937 0520 Ftdisk (6ac26732762483366c3969c9e4d2259d) D:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:28:21.0937 0520 Ftdisk - ok
21:28:21.0953 0520 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) D:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
21:28:21.0953 0520 GEARAspiWDM - ok
21:28:21.0953 0520 gearsecurity - ok
21:28:22.0000 0520 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) D:\WINDOWS\system32\DRIVERS\msgpc.sys
21:28:22.0000 0520 Gpc - ok
21:28:22.0031 0520 HDAudBus (573c7d0a32852b48f3058cfd8026f511) D:\WINDOWS\system32\DRIVERS\HDAudBus.sys
21:28:22.0031 0520 HDAudBus - ok
21:28:22.0078 0520 helpsvc - ok
21:28:22.0093 0520 HidServ - ok
21:28:22.0093 0520 hidusb (ccf82c5ec8a7326c3066de870c06daf1) D:\WINDOWS\system32\DRIVERS\hidusb.sys
21:28:22.0093 0520 hidusb - ok
21:28:22.0109 0520 hkmsvc (8878bd685e490239777bfe51320b88e9) D:\WINDOWS\System32\kmsvc.dll
21:28:22.0109 0520 hkmsvc - ok
21:28:22.0109 0520 hpn - ok
21:28:22.0125 0520 HssSrv - ok
21:28:22.0140 0520 HTTP (f80a415ef82cd06ffaf0d971528ead38) D:\WINDOWS\system32\Drivers\HTTP.sys
21:28:22.0156 0520 HTTP - ok
21:28:22.0187 0520 HTTPFilter (6100a808600f44d999cebdef8841c7a3) D:\WINDOWS\System32\w3ssl.dll
21:28:22.0187 0520 HTTPFilter - ok
21:28:22.0187 0520 i2omgmt - ok
21:28:22.0187 0520 i2omp - ok
21:28:22.0203 0520 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) D:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:28:22.0203 0520 i8042prt - ok
21:28:22.0218 0520 icm10blk - ok
21:28:22.0265 0520 idsvc (c01ac32dc5c03076cfb852cb5da5229c) d:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
21:28:22.0265 0520 idsvc - ok
21:28:22.0312 0520 Imapi (083a052659f5310dd8b6a6cb05edcf8e) D:\WINDOWS\system32\DRIVERS\imapi.sys
21:28:22.0312 0520 Imapi - ok
21:28:22.0593 0520 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) D:\WINDOWS\system32\imapi.exe
21:28:22.0593 0520 ImapiService - ok
21:28:22.0593 0520 ini910u - ok
21:28:22.0593 0520 IntelC51 - ok
21:28:22.0625 0520 IntelIde (b5466a9250342a7aa0cd1fba13420678) D:\WINDOWS\system32\DRIVERS\intelide.sys
21:28:22.0625 0520 IntelIde - ok
21:28:22.0640 0520 intelppm (8c953733d8f36eb2133f5bb58808b66b) D:\WINDOWS\system32\DRIVERS\intelppm.sys
21:28:22.0640 0520 intelppm - ok
21:28:22.0750 0520 IntuitUpdateService (3dc635b66dd7412e1c9c3a77b8d78f25) D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
21:28:22.0750 0520 IntuitUpdateService - ok
21:28:22.0765 0520 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) D:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
21:28:22.0765 0520 Ip6Fw - ok
21:28:22.0796 0520 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) D:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:28:22.0796 0520 IpFilterDriver - ok
21:28:22.0812 0520 IpInIp (b87ab476dcf76e72010632b5550955f5) D:\WINDOWS\system32\DRIVERS\ipinip.sys
21:28:22.0812 0520 IpInIp - ok
21:28:22.0828 0520 IpNat (cc748ea12c6effde940ee98098bf96bb) D:\WINDOWS\system32\DRIVERS\ipnat.sys
21:28:22.0843 0520 IpNat - ok
21:28:22.0875 0520 iPod Service (ce004777b92dea56fe14ec900d20baa4) D:\Program Files\iPod\bin\iPodService.exe
21:28:22.0890 0520 iPod Service - ok
21:28:22.0921 0520 IPSec (23c74d75e36e7158768dd63d92789a91) D:\WINDOWS\system32\DRIVERS\ipsec.sys
21:28:22.0921 0520 IPSec - ok
21:28:22.0937 0520 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) D:\WINDOWS\system32\DRIVERS\irenum.sys
21:28:22.0937 0520 IRENUM - ok
21:28:22.0953 0520 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) D:\WINDOWS\system32\DRIVERS\isapnp.sys
21:28:22.0953 0520 isapnp - ok
21:28:23.0046 0520 JavaQuickStarterService (0a5709543986843d37a92290b7838340) D:\Program Files\Java\jre6\bin\jqs.exe
21:28:23.0046 0520 JavaQuickStarterService - ok
21:28:23.0078 0520 Kbdclass (463c1ec80cd17420a542b7f36a36f128) D:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:28:23.0078 0520 Kbdclass - ok
21:28:23.0109 0520 kmixer (692bcf44383d056aed41b045a323d378) D:\WINDOWS\system32\drivers\kmixer.sys
21:28:23.0109 0520 kmixer - ok
21:28:23.0125 0520 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) D:\WINDOWS\system32\drivers\KSecDD.sys
21:28:23.0125 0520 KSecDD - ok
21:28:23.0171 0520 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) D:\WINDOWS\System32\srvsvc.dll
21:28:23.0171 0520 LanmanServer - ok
21:28:23.0203 0520 lanmanworkstation (3b9324d60dd321bab7bf6f77931d3fd1) D:\WINDOWS\System32\wkssvc.dll
21:28:23.0203 0520 lanmanworkstation - ok
21:28:23.0203 0520 lbrtfdc - ok
21:28:23.0234 0520 LmHosts (a7db739ae99a796d91580147e919cc59) D:\WINDOWS\System32\lmhsvc.dll
21:28:23.0250 0520 LmHosts - ok
21:28:23.0250 0520 lvusbsta - ok
21:28:23.0281 0520 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) D:\WINDOWS\system32\drivers\mbam.sys
21:28:23.0281 0520 MBAMProtector - ok
21:28:23.0343 0520 MBAMService (ba400ed640bca1eae5c727ae17c10207) D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
21:28:23.0343 0520 MBAMService - ok
21:28:23.0375 0520 Messenger (986b1ff5814366d71e0ac5755c88f2d3) D:\WINDOWS\System32\msgsvc.dll
21:28:23.0390 0520 Messenger - ok
21:28:23.0406 0520 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) D:\WINDOWS\system32\drivers\mnmdd.sys
21:28:23.0406 0520 mnmdd - ok
21:28:23.0437 0520 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) D:\WINDOWS\system32\mnmsrvc.exe
21:28:23.0437 0520 mnmsrvc - ok
21:28:23.0453 0520 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) D:\WINDOWS\system32\drivers\Modem.sys
21:28:23.0453 0520 Modem - ok
21:28:23.0500 0520 monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) D:\WINDOWS\system32\drivers\monfilt.sys
21:28:23.0515 0520 monfilt - ok
21:28:23.0546 0520 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) D:\WINDOWS\system32\DRIVERS\mouclass.sys
21:28:23.0546 0520 Mouclass - ok
21:28:23.0562 0520 mouhid (b1c303e17fb9d46e87a98e4ba6769685) D:\WINDOWS\system32\DRIVERS\mouhid.sys
21:28:23.0562 0520 mouhid - ok
21:28:23.0578 0520 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) D:\WINDOWS\system32\drivers\MountMgr.sys
21:28:23.0578 0520 MountMgr - ok
21:28:23.0609 0520 MpFilter (fee0baded54222e9f1dae9541212aab1) D:\WINDOWS\system32\DRIVERS\MpFilter.sys
21:28:23.0609 0520 MpFilter - ok
21:28:23.0718 0520 MpKslfbde9dc8 (a69630d039c38018689190234f866d77) D:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C2D4FD19-BC36-4C79-9B01-128AAED58D90}\MpKslfbde9dc8.sys
21:28:23.0718 0520 MpKslfbde9dc8 - ok
21:28:23.0718 0520 mraid35x - ok
21:28:23.0734 0520 MRxDAV (65e818c473e220b6ab762e1966296fd1) D:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:28:23.0734 0520 MRxDAV - ok
21:28:23.0796 0520 MRxSmb (fb2fccc70f7174c7bf64f48e96d3adf4) D:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:28:23.0796 0520 MRxSmb - ok
21:28:23.0828 0520 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) D:\WINDOWS\system32\msdtc.exe
21:28:23.0828 0520 MSDTC - ok
21:28:23.0828 0520 Msfs (c941ea2454ba8350021d774daf0f1027) D:\WINDOWS\system32\drivers\Msfs.sys
21:28:23.0828 0520 Msfs - ok
21:28:23.0828 0520 MSIServer - ok
21:28:23.0843 0520 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) D:\WINDOWS\system32\drivers\MSKSSRV.sys
21:28:23.0843 0520 MSKSSRV - ok
21:28:23.0921 0520 MsMpSvc (cfce43b70ca0cc4dcc8adb62b792b173) D:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
21:28:23.0921 0520 MsMpSvc - ok
21:28:23.0937 0520 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) D:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:28:23.0937 0520 MSPCLOCK - ok
21:28:23.0953 0520 MSPQM (bad59648ba099da4a17680b39730cb3d) D:\WINDOWS\system32\drivers\MSPQM.sys
21:28:23.0953 0520 MSPQM - ok
21:28:23.0968 0520 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) D:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:28:23.0968 0520 mssmbios - ok
21:28:23.0968 0520 MTC0001_ESB - ok
21:28:23.0984 0520 Mup (f7b1ad991491f02af6da70b00b8bf114) D:\WINDOWS\system32\drivers\Mup.sys
21:28:23.0984 0520 Mup - ok
21:28:24.0015 0520 napagent (0102140028fad045756796e1c685d695) D:\WINDOWS\System32\qagentrt.dll
21:28:24.0031 0520 napagent - ok
21:28:24.0046 0520 NDIS (b5b1080d35974c0e718d64280761bcd5) D:\WINDOWS\system32\drivers\NDIS.sys
21:28:24.0046 0520 NDIS - ok
21:28:24.0078 0520 NdisTapi (0109c4f3850dfbab279542515386ae22) D:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:28:24.0078 0520 NdisTapi - ok
21:28:24.0093 0520 Ndisuio (f927a4434c5028758a842943ef1a3849) D:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:28:24.0093 0520 Ndisuio - ok
21:28:24.0093 0520 NdisWan (b053a8411045fd0664b389a090cb2bbc) D:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:28:24.0109 0520 NdisWan - ok
21:28:24.0140 0520 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) D:\WINDOWS\system32\drivers\NDProxy.sys
21:28:24.0140 0520 NDProxy - ok
21:28:24.0156 0520 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) D:\WINDOWS\system32\DRIVERS\netbios.sys
21:28:24.0156 0520 NetBIOS - ok
21:28:24.0171 0520 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) D:\WINDOWS\system32\DRIVERS\netbt.sys
21:28:24.0171 0520 NetBT - ok
21:28:24.0203 0520 NetDDE (b857ba82860d7ff85ae29b095645563b) D:\WINDOWS\system32\netdde.exe
21:28:24.0203 0520 NetDDE - ok
21:28:24.0218 0520 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) D:\WINDOWS\system32\netdde.exe
21:28:24.0218 0520 NetDDEdsdm - ok
21:28:24.0234 0520 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) D:\WINDOWS\system32\lsass.exe
21:28:24.0234 0520 Netlogon - ok
21:28:24.0281 0520 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) D:\WINDOWS\System32\netman.dll
21:28:24.0281 0520 Netman - ok
21:28:24.0359 0520 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) d:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
21:28:24.0359 0520 NetTcpPortSharing - ok
21:28:24.0359 0520 nimxdfk - ok
21:28:24.0390 0520 Nla (290c1a30defc723bbe10910ac2d6f6d0) D:\WINDOWS\System32\mswsock.dll
21:28:24.0390 0520 Nla - ok
21:28:24.0390 0520 Npfs (3182d64ae053d6fb034f44b6def8034a) D:\WINDOWS\system32\drivers\Npfs.sys
21:28:24.0390 0520 Npfs - ok
21:28:24.0421 0520 Ntfs (4c51d5275ae8a16999edfe7e647d00de) D:\WINDOWS\system32\drivers\Ntfs.sys
21:28:24.0437 0520 Ntfs - ok
21:28:24.0437 0520 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) D:\WINDOWS\system32\lsass.exe
21:28:24.0437 0520 NtLmSsp - ok
21:28:24.0468 0520 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) D:\WINDOWS\system32\ntmssvc.dll
21:28:24.0468 0520 NtmsSvc - ok
21:28:24.0468 0520 ntsyslog - ok
21:28:24.0500 0520 Null (73c1e1f395918bc2c6dd67af7591a3ad) D:\WINDOWS\system32\drivers\Null.sys
21:28:24.0500 0520 Null - ok
21:28:24.0812 0520 nv (ed9816dbaf6689542ea7d022631906a1) D:\WINDOWS\system32\DRIVERS\nv4_mini.sys
21:28:25.0000 0520 nv - ok
21:28:25.0109 0520 NVSvc (08d8b80a3c0453a043968831d44c5c9f) D:\WINDOWS\system32\nvsvc32.exe
21:28:25.0109 0520 NVSvc - ok
21:28:25.0234 0520 nvUpdatusService (1284f91493fc353281b015345a043f4d) D:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
21:28:25.0265 0520 nvUpdatusService - ok
21:28:25.0328 0520 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) D:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:28:25.0328 0520 NwlnkFlt - ok
21:28:25.0328 0520 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) D:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:28:25.0328 0520 NwlnkFwd - ok
21:28:25.0421 0520 odserv (785f487a64950f3cb8e9f16253ba3b7b) D:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
21:28:25.0421 0520 odserv - ok
21:28:25.0437 0520 oracleorahome811cman - ok
21:28:25.0468 0520 ose (5a432a042dae460abe7199b758e8606c) D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
21:28:25.0468 0520 ose - ok
21:28:25.0500 0520 Parport (5575faf8f97ce5e713d108c2a58d7c7c) D:\WINDOWS\system32\DRIVERS\parport.sys
21:28:25.0500 0520 Parport - ok
21:28:25.0515 0520 PartMgr (beb3ba25197665d82ec7065b724171c6) D:\WINDOWS\system32\drivers\PartMgr.sys
21:28:25.0515 0520 PartMgr - ok
21:28:25.0531 0520 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) D:\WINDOWS\system32\drivers\ParVdm.sys
21:28:25.0531 0520 ParVdm - ok
21:28:25.0546 0520 PCI (a219903ccf74233761d92bef471a07b1) D:\WINDOWS\system32\DRIVERS\pci.sys
21:28:25.0546 0520 PCI - ok
21:28:25.0546 0520 PCIDump - ok
21:28:25.0562 0520 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) D:\WINDOWS\system32\drivers\PCIIde.sys
21:28:25.0562 0520 PCIIde - ok
21:28:25.0578 0520 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) D:\WINDOWS\system32\drivers\Pcmcia.sys
21:28:25.0578 0520 Pcmcia - ok
21:28:25.0609 0520 pcouffin (5b6c11de7e839c05248ced8825470fef) D:\WINDOWS\system32\Drivers\pcouffin.sys
21:28:25.0609 0520 pcouffin - ok
21:28:25.0609 0520 PDCOMP - ok
21:28:25.0609 0520 PDFRAME - ok
21:28:25.0609 0520 PDRELI - ok
21:28:25.0625 0520 PDRFRAME - ok
21:28:25.0625 0520 perc2 - ok
21:28:25.0625 0520 perc2hib - ok
21:28:25.0625 0520 pgsql-8.0 - ok
21:28:25.0656 0520 PlugPlay (65df52f5b8b6e9bbd183505225c37315) D:\WINDOWS\system32\services.exe
21:28:25.0656 0520 PlugPlay - ok
21:28:25.0703 0520 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) D:\WINDOWS\system32\lsass.exe
21:28:25.0703 0520 PolicyAgent - ok
21:28:25.0718 0520 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) D:\WINDOWS\system32\DRIVERS\raspptp.sys
21:28:25.0718 0520 PptpMiniport - ok
21:28:25.0734 0520 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) D:\WINDOWS\system32\lsass.exe
21:28:25.0734 0520 ProtectedStorage - ok
21:28:25.0734 0520 PSched (09298ec810b07e5d582cb3a3f9255424) D:\WINDOWS\system32\DRIVERS\psched.sys
21:28:25.0734 0520 PSched - ok
21:28:25.0750 0520 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) D:\WINDOWS\system32\DRIVERS\ptilink.sys
21:28:25.0750 0520 Ptilink - ok
21:28:25.0765 0520 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) D:\WINDOWS\system32\Drivers\PxHelp20.sys
21:28:25.0765 0520 PxHelp20 - ok
21:28:25.0765 0520 ql1080 - ok
21:28:25.0765 0520 Ql10wnt - ok
21:28:25.0781 0520 ql12160 - ok
21:28:25.0781 0520 ql1240 - ok
21:28:25.0781 0520 ql1280 - ok
21:28:25.0781 0520 QPSched - ok
21:28:25.0796 0520 quickbooksdb - ok
21:28:25.0812 0520 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) D:\WINDOWS\system32\DRIVERS\rasacd.sys
21:28:25.0812 0520 RasAcd - ok
21:28:25.0828 0520 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) D:\WINDOWS\System32\rasauto.dll
21:28:25.0828 0520 RasAuto - ok
21:28:25.0843 0520 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) D:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:28:25.0843 0520 Rasl2tp - ok
21:28:25.0859 0520 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) D:\WINDOWS\System32\rasmans.dll
21:28:25.0875 0520 RasMan - ok
21:28:25.0875 0520 RasPppoe (5bc962f2654137c9909c3d4603587dee) D:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:28:25.0875 0520 RasPppoe - ok
21:28:25.0875 0520 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) D:\WINDOWS\system32\DRIVERS\raspti.sys
21:28:25.0875 0520 Raspti - ok
21:28:25.0890 0520 Rdbss (77050c6615f6eb5402f832b27fd695e0) D:\WINDOWS\system32\DRIVERS\rdbss.sys
21:28:25.0906 0520 Rdbss - ok
21:28:25.0906 0520 RDPCDD (4912d5b403614ce99c28420f75353332) D:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:28:25.0906 0520 RDPCDD - ok
21:28:25.0937 0520 rdpdr (c694a927eb7c354f7ae97955043a9641) D:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:28:25.0937 0520 rdpdr - ok
21:28:25.0968 0520 RDPWD (2d293b720c206473a05950ce007db12a) D:\WINDOWS\system32\drivers\RDPWD.sys
21:28:25.0968 0520 RDPWD - ok
21:28:25.0984 0520 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) D:\WINDOWS\system32\sessmgr.exe
21:28:25.0984 0520 RDSessMgr - ok
21:28:26.0000 0520 redbook (f828dd7e1419b6653894a8f97a0094c5) D:\WINDOWS\system32\DRIVERS\redbook.sys
21:28:26.0000 0520 redbook - ok
21:28:26.0000 0520 regmon701 - ok
21:28:26.0031 0520 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) D:\WINDOWS\System32\mprdim.dll
21:28:26.0031 0520 RemoteAccess - ok
21:28:26.0062 0520 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) D:\WINDOWS\system32\regsvc.dll
21:28:26.0062 0520 RemoteRegistry - ok
21:28:26.0078 0520 RpcLocator (aaed593f84afa419bbae8572af87cf6a) D:\WINDOWS\system32\locator.exe
21:28:26.0078 0520 RpcLocator - ok
21:28:26.0109 0520 RpcSs (6b27a5c03dfb94b4245739065431322c) D:\WINDOWS\System32\rpcss.dll
21:28:26.0109 0520 RpcSs - ok
21:28:26.0156 0520 rspndr (743d7d59767073a617b1dcc6c546f234) D:\WINDOWS\system32\DRIVERS\rspndr.sys
21:28:26.0156 0520 rspndr - ok
21:28:26.0171 0520 RSVP (471b3f9741d762abe75e9deea4787e47) D:\WINDOWS\system32\rsvp.exe
21:28:26.0171 0520 RSVP - ok
21:28:26.0218 0520 RT61 (1d72a1ab4d4860291b67bffe6862093a) D:\WINDOWS\system32\DRIVERS\RT61.sys
21:28:26.0218 0520 RT61 - ok
21:28:26.0250 0520 RTLE8023xp (cb9310a5a910648d359c99a857e22a54) D:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
21:28:26.0250 0520 RTLE8023xp - ok
21:28:26.0265 0520 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) D:\WINDOWS\system32\lsass.exe
21:28:26.0265 0520 SamSs - ok
21:28:26.0296 0520 SCardSvr (86d007e7a654b9a71d1d7d856b104353) D:\WINDOWS\System32\SCardSvr.exe
21:28:26.0296 0520 SCardSvr - ok
21:28:26.0328 0520 SCDEmu (f441ba47bd8610cb9536965bd7d1f943) D:\WINDOWS\system32\drivers\SCDEmu.sys
21:28:26.0328 0520 SCDEmu - ok
21:28:26.0359 0520 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) D:\WINDOWS\system32\schedsvc.dll
21:28:26.0359 0520 Schedule - ok
21:28:26.0359 0520 SE27obex - ok
21:28:26.0359 0520 se2Dnd5 - ok
21:28:26.0375 0520 se59obex - ok
21:28:26.0390 0520 Secdrv (90a3935d05b494a5a39d37e71f09a677) D:\WINDOWS\system32\DRIVERS\secdrv.sys
21:28:26.0390 0520 Secdrv - ok
21:28:26.0406 0520 seclogon (cbe612e2bb6a10e3563336191eda1250) D:\WINDOWS\System32\seclogon.dll
21:28:26.0406 0520 seclogon - ok
21:28:26.0437 0520 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) D:\WINDOWS\system32\sens.dll
21:28:26.0437 0520 SENS - ok
21:28:26.0453 0520 serenum (0f29512ccd6bead730039fb4bd2c85ce) D:\WINDOWS\system32\DRIVERS\serenum.sys
21:28:26.0453 0520 serenum - ok
21:28:26.0453 0520 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) D:\WINDOWS\system32\DRIVERS\serial.sys
21:28:26.0453 0520 Serial - ok
21:28:26.0468 0520 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) D:\WINDOWS\system32\drivers\Sfloppy.sys
21:28:26.0468 0520 Sfloppy - ok
21:28:26.0484 0520 SharedAccess (4f10a2fa76b5bd54cd68afa94e8adb39) D:\WINDOWS\System32\ipnathlp.dll
21:28:26.0484 0520 SharedAccess - ok
21:28:26.0515 0520 ShellHWDetection (888cd7b39c37e13a2419becfaaf0a28c) D:\WINDOWS\System32\shsvcs.dll
21:28:26.0531 0520 ShellHWDetection - ok
21:28:26.0531 0520 Si3114r5 - ok
21:28:26.0531 0520 Simbad - ok
21:28:26.0531 0520 Sparrow - ok
21:28:26.0562 0520 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) D:\WINDOWS\system32\drivers\splitter.sys
21:28:26.0562 0520 splitter - ok
21:28:26.0593 0520 Spooler (60784f891563fb1b767f70117fc2428f) D:\WINDOWS\system32\spoolsv.exe
21:28:26.0593 0520 Spooler - ok
21:28:26.0640 0520 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) D:\WINDOWS\system32\DRIVERS\sr.sys
21:28:26.0640 0520 sr - ok
21:28:26.0656 0520 srservice (3805df0ac4296a34ba4bf93b346cc378) D:\WINDOWS\system32\srsvc.dll
21:28:26.0656 0520 srservice - ok
21:28:26.0687 0520 Srv (9b390283569ea58d43d2586032b892f5) D:\WINDOWS\system32\DRIVERS\srv.sys
21:28:26.0687 0520 Srv - ok
21:28:26.0718 0520 SSDPSRV (0a5679b3714edab99e357057ee88fca6) D:\WINDOWS\System32\ssdpsrv.dll
21:28:26.0718 0520 SSDPSRV - ok
21:28:26.0765 0520 stisvc (8bad69cbac032d4bbacfce0306174c30) D:\WINDOWS\system32\wiaservc.dll
21:28:26.0765 0520 stisvc - ok
21:28:26.0796 0520 swenum (3941d127aef12e93addf6fe6ee027e0f) D:\WINDOWS\system32\DRIVERS\swenum.sys
21:28:26.0796 0520 swenum - ok
21:28:26.0812 0520 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) D:\WINDOWS\system32\drivers\swmidi.sys
21:28:26.0812 0520 swmidi - ok
21:28:26.0812 0520 SwPrv - ok
21:28:26.0812 0520 symc810 - ok
21:28:26.0828 0520 symc8xx - ok
21:28:26.0828 0520 sym_hi - ok
21:28:26.0828 0520 sym_u3 - ok
21:28:26.0828 0520 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) D:\WINDOWS\system32\drivers\sysaudio.sys
21:28:26.0828 0520 sysaudio - ok
21:28:26.0843 0520 SysmonLog (c7abbc59b43274b1109df6b24d617051) D:\WINDOWS\system32\smlogsvc.exe
21:28:26.0843 0520 SysmonLog - ok
21:28:26.0859 0520 TapiSrv (e2b32b10acc5d97623275aafb67e5f03) D:\WINDOWS\System32\tapisrv.dll
21:28:26.0875 0520 TapiSrv - ok
21:28:26.0875 0520 tavsvc - ok
21:28:26.0890 0520 Tcpip (25a740d70e8007814a48d3fa1b34fa34) D:\WINDOWS\system32\DRIVERS\tcpip.sys
21:28:26.0890 0520 Tcpip - ok
21:28:26.0921 0520 TDPIPE (6471a66807f5e104e4885f5b67349397) D:\WINDOWS\system32\drivers\TDPIPE.sys
21:28:26.0921 0520 TDPIPE - ok
21:28:26.0937 0520 TDTCP (c0578456f29e5f26285f81b7b71fe57d) D:\WINDOWS\system32\drivers\TDTCP.sys
21:28:26.0937 0520 TDTCP - ok
21:28:26.0953 0520 TermDD (88155247177638048422893737429d9e) D:\WINDOWS\system32\DRIVERS\termdd.sys
21:28:26.0953 0520 TermDD - ok
21:28:26.0968 0520 TermService (37981a741ad7b04258e87129ffe79ab9) D:\WINDOWS\System32\termsrv.dll
21:28:26.0984 0520 TermService - ok
21:28:27.0015 0520 Themes (888cd7b39c37e13a2419becfaaf0a28c) D:\WINDOWS\System32\shsvcs.dll
21:28:27.0015 0520 Themes - ok
21:28:27.0046 0520 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) D:\WINDOWS\system32\tlntsvr.exe
21:28:27.0046 0520 TlntSvr - ok
21:28:27.0046 0520 TosIde - ok
21:28:27.0062 0520 TrkWks (55bca12f7f523d35ca3cb833c725f54e) D:\WINDOWS\system32\trkwks.dll
21:28:27.0062 0520 TrkWks - ok
21:28:27.0078 0520 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) D:\WINDOWS\system32\drivers\Udfs.sys
21:28:27.0078 0520 Udfs - ok
21:28:27.0093 0520 ultra - ok
21:28:27.0125 0520 Update (402ddc88356b1bac0ee3dd1580c76a31) D:\WINDOWS\system32\DRIVERS\update.sys
21:28:27.0125 0520 Update - ok
21:28:27.0156 0520 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) D:\WINDOWS\System32\upnphost.dll
21:28:27.0156 0520 upnphost - ok
21:28:27.0171 0520 UPS (05365fb38fca1e98f7a566aaaf5d1815) D:\WINDOWS\System32\ups.exe
21:28:27.0171 0520 UPS - ok
21:28:27.0171 0520 us30sys - ok
21:28:27.0203 0520 USBAAPL (eafe1e00739afe6c51487a050e772e17) D:\WINDOWS\system32\Drivers\usbaapl.sys
21:28:27.0203 0520 USBAAPL - ok
21:28:27.0234 0520 usbccgp (c18d6c74953621346df6b0a11f80c1cc) D:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:28:27.0234 0520 usbccgp - ok
21:28:27.0250 0520 usbehci (152ee0baa614388273a0b9ae9c9fd5a0) D:\WINDOWS\system32\DRIVERS\usbehci.sys
21:28:27.0250 0520 usbehci - ok
21:28:27.0250 0520 usbhub (1ab3cdde553b6e064d2e754efe20285c) D:\WINDOWS\system32\DRIVERS\usbhub.sys
21:28:27.0265 0520 usbhub - ok
21:28:27.0281 0520 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) D:\WINDOWS\system32\DRIVERS\usbscan.sys
21:28:27.0296 0520 usbscan - ok
21:28:27.0312 0520 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) D:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:28:27.0328 0520 USBSTOR - ok
21:28:27.0343 0520 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) D:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:28:27.0343 0520 usbuhci - ok
21:28:27.0343 0520 vaiomediaplatform-videoserver-appserver - ok
21:28:27.0343 0520 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) D:\WINDOWS\System32\drivers\vga.sys
21:28:27.0359 0520 VgaSave - ok
21:28:27.0359 0520 viagfx - ok
21:28:27.0406 0520 VIAHdAudAddService (1422f65bcec926077f541025c40cf93a) D:\WINDOWS\system32\drivers\viahduaa.sys
21:28:27.0421 0520 VIAHdAudAddService - ok
21:28:27.0421 0520 ViaIde - ok
21:28:27.0437 0520 VolSnap (4c8fcb5cc53aab716d810740fe59d025) D:\WINDOWS\system32\drivers\VolSnap.sys
21:28:27.0437 0520 VolSnap - ok
21:28:27.0468 0520 VSS (7a9db3a67c333bf0bd42e42b8596854b) D:\WINDOWS\System32\vssvc.exe
21:28:27.0468 0520 VSS - ok
21:28:27.0484 0520 W32Time (9f8a0d0cbb2fa265a754516128c00e22) D:\WINDOWS\system32\w32time.dll
21:28:27.0484 0520 W32Time - ok
21:28:27.0500 0520 Wanarp (e20b95baedb550f32dd489265c1da1f6) D:\WINDOWS\system32\DRIVERS\wanarp.sys
21:28:27.0500 0520 Wanarp - ok
21:28:27.0531 0520 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) D:\WINDOWS\system32\DRIVERS\wdcsam.sys
21:28:27.0531 0520 WDC_SAM - ok
21:28:27.0531 0520 WDICA - ok
21:28:27.0546 0520 wdmaud (6768acf64b18196494413695f0c3a00f) D:\WINDOWS\system32\drivers\wdmaud.sys
21:28:27.0546 0520 wdmaud - ok
21:28:27.0562 0520 WebClient (77a354e28153ad2d5e120a5a8687bc06) D:\WINDOWS\System32\webclnt.dll
21:28:27.0562 0520 WebClient - ok
21:28:27.0562 0520 webrootcommagentservice - ok
21:28:27.0625 0520 winmgmt (2d0e4ed081963804ccc196a0929275b5) D:\WINDOWS\system32\wbem\WMIsvc.dll
21:28:27.0625 0520 winmgmt - ok
21:28:27.0640 0520 winpppoverethernet - ok
21:28:27.0671 0520 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) D:\WINDOWS\system32\MsPMSNSv.dll
21:28:27.0671 0520 WmdmPmSN - ok
21:28:27.0718 0520 Wmi (e76f8807070ed04e7408a86d6d3a6137) D:\WINDOWS\System32\advapi32.dll
21:28:27.0718 0520 Wmi - ok
21:28:27.0750 0520 WmiApSrv (e0673f1106e62a68d2257e376079f821) D:\WINDOWS\system32\wbem\wmiapsrv.exe
21:28:27.0750 0520 WmiApSrv - ok
21:28:27.0859 0520 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) D:\Program Files\Windows Media Player\WMPNetwk.exe
21:28:27.0875 0520 WMPNetworkSvc - ok
21:28:27.0921 0520 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) D:\WINDOWS\System32\drivers\ws2ifsl.sys
21:28:27.0921 0520 WS2IFSL - ok
21:28:27.0953 0520 wscsvc (7c278e6408d1dce642230c0585a854d5) D:\WINDOWS\system32\wscsvc.dll
21:28:27.0953 0520 wscsvc - ok
21:28:28.0046 0520 wuauserv (aae1a6ffba2b0436e91795120f48c461) C:\WINDOWS\system32\wuauserv.dll
21:28:28.0062 0520 wuauserv - ok
21:28:28.0093 0520 WudfPf (f15feafffbb3644ccc80c5da584e6311) D:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:28:28.0093 0520 WudfPf - ok
21:28:28.0093 0520 WudfRd (28b524262bce6de1f7ef9f510ba3985b) D:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:28:28.0093 0520 WudfRd - ok
21:28:28.0109 0520 WudfSvc (05231c04253c5bc30b26cbaae680ed89) D:\WINDOWS\System32\WUDFSvc.dll
21:28:28.0125 0520 WudfSvc - ok
21:28:28.0171 0520 WZCSVC (349b8d2bb755e8c3b0e3e82a87663e55) D:\WINDOWS\System32\wzcsvc.dll
21:28:28.0171 0520 WZCSVC - ok
21:28:28.0187 0520 xmlprov (295d21f14c335b53cb8154e5b1f892b9) D:\WINDOWS\System32\xmlprov.dll
21:28:28.0203 0520 xmlprov - ok
21:28:28.0234 0520 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:28:28.0359 0520 \Device\Harddisk0\DR0 - ok
21:28:28.0375 0520 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR32
21:28:30.0562 0520 \Device\Harddisk1\DR32 - ok
21:28:30.0562 0520 Boot (0x1200) (b9fed1c489af71d17adee18fc2dff436) \Device\Harddisk0\DR0\Partition0
21:28:30.0562 0520 \Device\Harddisk0\DR0\Partition0 - ok
21:28:30.0578 0520 Boot (0x1200) (242d91a369c59a4d3cbeeb1bee23e594) \Device\Harddisk0\DR0\Partition1
21:28:30.0578 0520 \Device\Harddisk0\DR0\Partition1 - ok
21:28:30.0593 0520 Boot (0x1200) (1ea16fa355571e402cc503ac7f7d6b00) \Device\Harddisk0\DR0\Partition2
21:28:30.0593 0520 \Device\Harddisk0\DR0\Partition2 - ok
21:28:30.0593 0520 Boot (0x1200) (16071b33dbf7fc36615a4c0853c672d5) \Device\Harddisk1\DR32\Partition0
21:28:30.0593 0520 \Device\Harddisk1\DR32\Partition0 - ok
21:28:30.0593 0520 ============================================================
21:28:30.0593 0520 Scan finished
21:28:30.0593 0520 ============================================================
21:28:30.0609 3068 Detected object count: 0
21:28:30.0609 3068 Actual detected object count: 0

 

[Bobbye]

Okay, a few FYIs:
1. I explained that virus scans do not read locations. So when AVG or MSE shows an entry in System Volume or Qoobox, those have already been handled. Scan will continue to show them, but they are not active. At the end of cleaning, you will drop the old restore points and set a new, clean one. The Qoobox folder will be removed when Combofix is uninstalled.
2. TDSSKiller is clean.
3.

the computer rebooted and the IE desktop icon (re)appeared. I wouldn’t normally have the desktop icon.)

This should just be a shortcut- you can do a right click to confirm, then delete.

4. Is there any particular reason you have these on the Startup menu?

1). StartupFolder: d:\docume~1\me\startm~1\programs\startup\openof~1.lnk - d:\program files\openoffice.org 3\program\quickstart.exe
OpenOffice.org> quickstart.exe
When you want to use Open Office, access in All Programs. Don't waste system resources running a program in the background that you may not use.
2). StartupFolder: d:\docume~1\me\startm~1\programs\startup\rainme~1.lnk - d:\program files\rainmeter\Rainmeter.exe
Rainmeter is Users Choice (application need to be run at startup, but is not system critical)> a customizable resource meter)
Click on Rainmeter if you want to check resources. Don't waste your resources running a program to check resources. Put a shortcut in QuickLaunch if you want, but not on Startup.
3).StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - d:\program files\common files\autodesk shared\acstart16.exe
Preloads some libraries that are used by AutoCAD in order to make the software load faster> AutoCAD is for 2D and 3D CAD design, drafting, modeling, architectural drawing, and engineering software. Does it need to start on boot and run in the background? Can't you just open the program when you need it?
4).StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - d:\program files\hewlett-packard\aio\hp officejet 7100 series\bin\hpogrp07.exe hp officejet 7100 series> printer does not need to start on boot. Access through All Programs or use File> Print.
There is no reason or advantage for printer to start on boot.
5.) StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\msiwir~1.lnk - d:\program files\msi\common\RaUI.exe
Artera Turbo Internet Accelerator - "surf faster, boost download speed". Only required if you find it helps improve your performance. If you ISP is so slow that you really need this okay- if it makes a significant difference.

A note about boosters, meters, optimizers, etc. They usually use more of the system resources just to run to make any significant difference.

5.

Regarding Speedy PC – I have never used it; and recognize its lack of value. I will uninstall.

Don't forget to uninstall this, delete the program folder and stop the Scheduled Tasks.

6.

On or about April 3 or 4, I was updating Java and Flash and afterwards, I started noticing the AVG alerts

Both of these update sreens have pre-checked processes. These are usually TB or BHO. Look for them before you download and uncheck them. Also, when installing, choose 'Custom Install' instead of 'Standard. You may be able to avoid bundled processes this way.
=====================================================
Please run this Custom CFScript:

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:

File::
d:\windows\sophos.tmp
FileLook::
d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\ALSysIO.sys
d:\windows\system32\dllcache\imagehlp.dll
DDS::
mWinlogon: SfcDisable=-99 (0xffffff9d)
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=-
"d:\\Documents and Settings\\Me\\My Documents\\Downloads\\utorrent.exe"=-
Clearjavacache::
Driver::
ALSysIO

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
How is system doing now?

 

[skuzzi]

Ran the ComboFix and the log is pasted below.

Removed SpeedyPC; as well as start-up items. Is there a guided procedure for examining the start-up items/running processes? Since I review our home's computers, often there are 60+ processes running and the machines seem to slow down over time with additional programs/add-ons. It would be useful to be able to eliminate some of those start-up background items that are consuming resources.

The computer seems to be stable - a major improvement. However, I haven't been using it very much throughout this process.


ComboFix 12-05-07.02 - Me 05/07/2012 9:28.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1260 [GMT -6:00]
Running from: d:\documents and settings\Me\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-07 to 2012-05-07 )))))))))))))))))))))))))))))))
.
.
2012-05-07 14:43 . 2012-05-07 14:43 56200 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CDB52BF3-8753-4C38-A2F6-E0AF85562D29}\offreg.dll
2012-05-07 14:39 . 2012-04-13 06:36 6734704 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-07 14:39 . 2012-04-13 06:36 6734704 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CDB52BF3-8753-4C38-A2F6-E0AF85562D29}\mpengine.dll
2012-04-30 19:39 . 2012-04-30 19:39 1409 ----a-w- d:\windows\QTFont.for
2012-04-28 04:35 . 2012-04-28 04:35 -------- d-----w- D:\_OTM
2012-04-27 04:03 . 2012-04-27 04:03 -------- d-----w- d:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-04-25 03:13 . 2012-01-31 12:44 237072 ------w- d:\windows\system32\MpSigStub.exe
2012-04-25 03:05 . 2012-04-25 03:05 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-04-25 03:05 . 2012-04-25 03:05 -------- d-----w- d:\program files\Microsoft Security Client
2012-04-23 03:29 . 2012-04-23 03:29 -------- d-----w- d:\program files\ESET
2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\windows\system32\wbem\snmp
2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\windows\system32\xircom
2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\program files\microsoft frontpage
2012-04-21 06:08 . 2012-02-29 14:08 148480 ------w- d:\windows\system32\dllcache\imagehlp.dll
2012-04-13 16:28 . 2012-04-13 16:28 -------- d-----w- d:\documents and settings\NetworkService\Local Settings\Application Data\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-23 05:18 . 2012-04-04 02:47 418464 ----a-w- d:\windows\system32\FlashPlayerApp.exe
2012-04-23 05:18 . 2011-12-06 18:25 70304 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 23:30 . 2012-04-04 23:30 388096 ----a-r- d:\documents and settings\Me\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-04-04 21:56 . 2012-04-05 00:14 22344 ----a-w- d:\windows\system32\drivers\mbam.sys
2012-04-04 02:51 . 2012-04-04 02:51 73728 ----a-w- d:\windows\system32\javacpl.cpl
2012-04-04 02:51 . 2011-12-17 07:55 472808 ----a-w- d:\windows\system32\deployJava1.dll
2012-03-20 23:33 . 2012-03-20 23:33 40960 ----a-r- d:\documents and settings\Me\Application Data\Microsoft\Installer\{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}\NewShortcut3_2E7595EC4FB14E2993D49083C8A9B107.exe
2012-03-16 03:39 . 2012-03-16 03:39 28672 ----a-w- d:\windows\system32\qttask.exe
2012-03-01 11:01 . 2009-03-08 02:34 916992 ----a-w- d:\windows\system32\wininet.dll
2012-03-01 11:01 . 2009-03-08 02:34 1469440 ----a-w- d:\windows\system32\inetcpl.cpl
2012-03-01 11:01 . 2009-03-08 02:34 43520 ----a-w- d:\windows\system32\licmgr10.dll
2012-02-29 14:08 . 2008-11-13 13:18 178176 ----a-w- d:\windows\system32\wintrust.dll
2012-02-29 14:08 . 2008-04-14 11:00 148480 ----a-w- d:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2009-03-08 02:35 385024 ----a-w- d:\windows\system32\html.iec
2012-02-29 04:20 . 2012-02-29 04:20 127 ----a-w- d:\windows\sophos.tmp
2012-02-15 17:01 . 2012-03-15 22:36 4547944 ----a-w- d:\windows\system32\usbaaplrc.dll
2012-02-15 17:01 . 2012-03-15 22:36 43520 ----a-w- d:\windows\system32\drivers\usbaapl.sys
2012-02-07 17:02 . 2012-02-07 17:02 1070352 ----a-w- d:\windows\system32\MSCOMCTL.OCX
2012-03-18 05:21 . 2011-12-06 18:11 97208 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-03-26 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . d:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . d:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2012-04-21_16.34.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-07 14:31 . 2012-05-07 14:31 16384 d:\windows\Temp\Perflib_Perfdata_780.dat
+ 2012-04-23 05:18 . 2012-04-23 05:18 353440 d:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_233_Plugin.exe
+ 2012-04-23 04:19 . 2012-04-23 04:19 353440 d:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_233_ActiveX.exe
+ 2012-04-23 04:19 . 2012-04-23 04:19 424608 d:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_233_ActiveX.dll
+ 2012-04-04 02:47 . 2012-04-23 05:18 253088 d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2011-04-18 19:18 . 2011-04-18 19:18 165648 d:\windows\system32\drivers\MpFilter.sys
+ 2012-04-25 03:05 . 2012-04-25 03:05 785920 d:\windows\Installer\11bb89b8.msi
+ 2012-04-25 03:05 . 2012-04-25 03:05 483840 d:\windows\Installer\11bb89b0.msi
+ 2012-04-25 03:05 . 2012-04-25 03:05 301056 d:\windows\Installer\11bb89a9.msi
+ 2007-02-26 07:01 . 2007-02-26 07:01 437160 d:\windows\Installer\$PatchCache$\Managed\000021599B0090400000000000F01FEC\12.0.6012\DWTRIG20.EXE
+ 2006-10-27 00:48 . 2006-10-27 00:48 439568 d:\windows\Installer\$PatchCache$\Managed\000021599B0090400000000000F01FEC\12.0.6012\DWDCW20.DLL
+ 2012-04-23 05:18 . 2012-04-23 05:18 8797344 d:\windows\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll
+ 2011-06-06 18:55 . 2011-06-06 18:55 1189004 d:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JSByteCodeWin.bin
+ 2012-04-04 13:32 . 2012-04-04 13:32 16613376 d:\windows\Installer\c8621.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"HDAudDeck"="d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-01-09 33570816]
"PWRISOVM.EXE"="d:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"Acrobat Assistant 8.0"="d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"APSDaemon"="d:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Malwarebytes' Anti-Malware"="d:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"MSC"="d:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="d:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - d:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-25 10872]
HPAiODevice(hp officejet 7100 series) - 1.lnk - d:\program files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2003-6-25 495682]
MSI Wireless Utility.lnk - d:\program files\MSI\Common\RaUI.exe [2011-12-6 425984]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "d:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0d:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Documents and Settings\\Me\\My Documents\\Downloads\\utorrent.exe"=
"d:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"d:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/4/2012 6:14 PM 654408]
R2 nvUpdatusService;NVIDIA Update Service Daemon;d:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [1/6/2012 8:56 AM 2348864]
R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [4/4/2012 6:14 PM 22344]
R3 pcouffin;VSO Software pcouffin;d:\windows\system32\drivers\pcouffin.sys [1/8/2012 11:23 AM 47360]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;d:\windows\system32\drivers\viahduaa.sys [1/6/2012 12:28 PM 993280]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/3/2012 8:47 PM 253088]
S3 cpudrv;cpudrv;d:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 11:08 AM 11336]
S3 WDC_SAM;WD SCSI Pass Thru driver;d:\windows\system32\drivers\wdcsam.sys [3/15/2012 4:38 PM 11520]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
lvusbsta
ctljystk
HssSrv
se2Dnd5
cltnetcnservice
nimxdfk
F700imd
dvpapi
pgsql-8.0
us30sys
QPSched
dlbu_device
dcpflics
webrootcommagentservice
tavsvc
firelm01
MTC0001_ESB
IntelC51
vaiomediaplatform-videoserver-appserver
SE27obex
se59obex
winpppoverethernet
quickbooksdb
agnwifi
viagfx
oracleorahome811cman
awecho
regmon701
Si3114r5
gearsecurity
icm10blk
ntsyslog
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-07 d:\windows\Tasks\Adobe Flash Player Updater.job
- d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 05:18]
.
2012-05-04 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
.
------- Supplementary Scan -------
.
IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.11.1
FF - ProfilePath - d:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\vugw0kov.default\
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-07 09:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,8e,e0,a8,30,b5,77,42,a1,fd,32,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,8e,e0,a8,30,b5,77,42,a1,fd,32,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(904)
d:\windows\system32\WININET.dll
d:\windows\system32\msi.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\webcheck.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-05-07 09:33:24
ComboFix-quarantined-files.txt 2012-05-07 15:33
ComboFix2.txt 2012-05-07 15:22
ComboFix3.txt 2012-04-21 16:38
ComboFix4.txt 2010-09-07 19:37
ComboFix5.txt 2012-05-07 15:27
.
Pre-Run: 5,480,136,704 bytes free
Post-Run: 5,468,545,024 bytes free
.
- - End Of File - - 2A6C166837B28CF760BEB2DE1F6025F4

 

[Bobbye]

Is there a guided procedure for examining the start-up items/running processes? Since I review our home's computers, often there are 60+ processes running and the machines seem to slow down over time with additional programs/add-ons. It would be useful to be able to eliminate some of those start-up background items that are consuming resources.

The What: Startup Menu: Using msconfig utility
The only processes that have to be checked on the Startup Menu are:
1. Antivirus
2. Firewall- if using 3rd party FW like Comodo
3. Touchpad if using laptop
4. Network processes (2-3) is using Pure Magic/Cisco.
Nothing else> not printer or camera or Cyber anything> no auto-updates
Average reasonable number of processes to see running in the Task Manager is 35-40

The How: To remove entries from the Startup Menu using the msconfig utility:

• Click on Start> Run> type in msconfig> enter>
  
  
• Click on Selective Startup
• Choose the Startup tab:
  
  
  
  All images courtesy NetSquirrel
• To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
• Uncheck any processes you do not need to start on boot.
• Click on Apply> OK when finished.

NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.[/QUOTE]

The Where: Do not handle Services using msconfig> access by click on Start> Run> type in services.msc> Find the Service you want and double click to open> Set Startup Type as recommended. You may find the best to do in Safe Mode because you will have to set Dependencies also:

Black Viper’s Windows XP x86 (32-bit) Service Pack 3 Service Configurations

Chart is below the car

The Add ons: This can be a vulnerability:
Always make sure the most current version is installed> Active X entries for Java, Adobe, Flash, Shockwave should be current.
Best advice for the Add-ons: The fewer the better. Too many or problem add-ons may cause runtime errors.

Restore Points: Always have Restore Points available. Create a shortcut for restore points. Drag it from the desktop to the QuickLaunch Toolbar. Very handy and a good reminder.

And the bottom line: Use a good search engine to identify a process.
Don't add or remove a process unless you know what it's for.

 

[skuzzi]

Many thanks for the advice on start-up and processes.

 

[Bobbye]

[size=4]You're welcome.

But it appears we may have gotten sidetracked. You didn't run this script through Combofix- please do that now and leave it new log it will generate:

Please run this Custom CFScript:

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:

File::
d:\windows\sophos.tmp
FileLook::
d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\ALSysIO.sys
d:\windows\system32\dllcache\imagehlp.dll
DDS::
mWinlogon: SfcDisable=-99 (0xffffff9d)
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=-
"d:\\Documents and Settings\\Me\\My Documents\\Downloads\\utorrent.exe"=-
Clearjavacache::
Driver::
ALSysIO
Clearjavacache::
 
Driver::
 
FCopy::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
I note that you have had Combofix on the system for 2 years.

ComboFix2.txt 2012-05-07 15:22
ComboFix3.txt 2012-04-21 16:38
ComboFix4.txt 2010-09-07 19:37
ComboFix5.txt 2012-05-07 15:27]

My directions were :

Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

[/size]

 

[skuzzi]

I uninstalled Combofix and re-installed.
I ran ComboFix with the CFscript; log pasted below.


ComboFix 12-05-08.02 - Me 05/08/2012 21:41:51.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1123 [GMT -6:00]
Running from: d:\documents and settings\Me\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Me\Desktop\CFscript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"d:\windows\sophos.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\windows\sophos.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-04-09 to 2012-05-09 )))))))))))))))))))))))))))))))
.
.
2012-05-09 03:29 . 2012-05-09 03:29 56200 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F4FF25B8-9133-4644-B392-4EFD613AB353}\offreg.dll
2012-05-09 03:29 . 2012-05-09 03:29 29904 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F4FF25B8-9133-4644-B392-4EFD613AB353}\MpKslb0533e77.sys
2012-04-23 03:29 . 2012-04-23 03:29 -------- d-----w- d:\program files\ESET
2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\windows\system32\wbem\snmp
2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\windows\system32\xircom
2012-04-21 16:33 . 2012-04-21 16:33 -------- d-----w- d:\program files\microsoft frontpage
2012-04-21 06:08 . 2012-02-29 14:08 148480 ------w- d:\windows\system32\dllcache\imagehlp.dll
2012-04-13 16:28 . 2012-04-13 16:28 -------- d-----w- d:\documents and settings\NetworkService\Local Settings\Application Data\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-07 17:18 . 2012-04-04 02:47 419488 ----a-w- d:\windows\system32\FlashPlayerApp.exe
2012-05-07 17:18 . 2011-12-06 18:25 70304 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 23:30 . 2012-04-04 23:30 388096 ----a-r- d:\documents and settings\Me\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-04-04 21:56 . 2012-04-05 00:14 22344 ----a-w- d:\windows\system32\drivers\mbam.sys
2012-04-04 02:51 . 2012-04-04 02:51 73728 ----a-w- d:\windows\system32\javacpl.cpl
2012-04-04 02:51 . 2011-12-17 07:55 472808 ----a-w- d:\windows\system32\deployJava1.dll
2012-03-21 02:44 . 2011-04-18 19:18 171064 ----a-w- d:\windows\system32\drivers\MpFilter.sys
2012-03-20 23:33 . 2012-03-20 23:33 40960 ----a-r- d:\documents and settings\Me\Application Data\Microsoft\Installer\{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}\NewShortcut3_2E7595EC4FB14E2993D49083C8A9B107.exe
2012-03-16 03:39 . 2012-03-16 03:39 28672 ----a-w- d:\windows\system32\qttask.exe
2012-03-01 11:01 . 2009-03-08 02:34 916992 ----a-w- d:\windows\system32\wininet.dll
2012-03-01 11:01 . 2009-03-08 02:34 1469440 ----a-w- d:\windows\system32\inetcpl.cpl
2012-03-01 11:01 . 2009-03-08 02:34 43520 ----a-w- d:\windows\system32\licmgr10.dll
2012-02-29 14:08 . 2008-11-13 13:18 178176 ----a-w- d:\windows\system32\wintrust.dll
2012-02-29 14:08 . 2008-04-14 11:00 148480 ----a-w- d:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2009-03-08 02:35 385024 ----a-w- d:\windows\system32\html.iec
2012-02-15 17:01 . 2012-03-15 22:36 4547944 ----a-w- d:\windows\system32\usbaaplrc.dll
2012-02-15 17:01 . 2012-03-15 22:36 43520 ----a-w- d:\windows\system32\drivers\usbaapl.sys
2012-05-08 01:04 . 2011-12-06 18:11 97208 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe ---
Company: VIA Technologies, Inc.
File Description: HDeck MFC Application
File Version: 5, 2, 0, 0
Product Name: HDeck Application
Copyright: Copyright (C) 2005
Original Filename: HDeck.EXE
File size: 33570816
Created time: 2012-01-06 18:29
Modified time: 2009-01-09 20:49
MD5: F937BCE9A6CD1B0847B45923F94A90E0
SHA1: E49248611F055628D735DBEFC9B9B227B6AC2E05
.
.
--- d:\windows\system32\dllcache\imagehlp.dll ---
Company: Microsoft Corporation
File Description: Windows NT Image Helper
File Version: 5.1.2600.6198 (xpsp_sp3_qfe.120229-1630)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: IMAGEHLP.DLL
File size: 148480
Created time: 2012-04-21 06:08
Modified time: 2012-02-29 14:08
MD5: 2557B78A91D24E68C8873B04D7D6D9BB
SHA1: 8DDFCD71B6CF3C6495AF4D76966661438D301337
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-03-26 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . d:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . d:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"HDAudDeck"="d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-01-09 33570816]
"Acrobat Assistant 8.0"="d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"APSDaemon"="d:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Malwarebytes' Anti-Malware"="d:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"MSC"="d:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="d:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - d:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-25 10872]
MSI Wireless Utility.lnk - d:\program files\MSI\Common\RaUI.exe [2011-12-6 425984]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "d:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0d:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk
backup=d:\windows\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-03-15 10:15 180224 ----a-w- d:\program files\PowerISO\PWRISOVM.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"d:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R1 MpKslb0533e77;MpKslb0533e77;d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F4FF25B8-9133-4644-B392-4EFD613AB353}\MpKslb0533e77.sys [5/8/2012 9:29 PM 29904]
R2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/4/2012 6:14 PM 654408]
R2 nvUpdatusService;NVIDIA Update Service Daemon;d:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [1/6/2012 8:56 AM 2348864]
R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [4/4/2012 6:14 PM 22344]
R3 pcouffin;VSO Software pcouffin;d:\windows\system32\drivers\pcouffin.sys [1/8/2012 11:23 AM 47360]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;d:\windows\system32\drivers\viahduaa.sys [1/6/2012 12:28 PM 993280]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/3/2012 8:47 PM 257696]
S3 cpudrv;cpudrv;d:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 11:08 AM 11336]
S3 MozillaMaintenance;Mozilla Maintenance Service;d:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/7/2012 7:04 PM 129976]
S3 WDC_SAM;WD SCSI Pass Thru driver;d:\windows\system32\drivers\wdcsam.sys [3/15/2012 4:38 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLB0533E77
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
lvusbsta
ctljystk
HssSrv
se2Dnd5
cltnetcnservice
nimxdfk
F700imd
dvpapi
pgsql-8.0
us30sys
QPSched
dlbu_device
dcpflics
webrootcommagentservice
tavsvc
firelm01
MTC0001_ESB
IntelC51
vaiomediaplatform-videoserver-appserver
SE27obex
se59obex
winpppoverethernet
quickbooksdb
agnwifi
viagfx
oracleorahome811cman
awecho
regmon701
Si3114r5
gearsecurity
icm10blk
ntsyslog
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-08 d:\windows\Tasks\Adobe Flash Player Updater.job
- d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 17:18]
.
2012-05-04 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
.
------- Supplementary Scan -------
.
IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.11.1
FF - ProfilePath - d:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\vugw0kov.default\
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-08 21:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = d:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,8e,e0,a8,30,b5,77,42,a1,fd,32,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,8e,e0,a8,30,b5,77,42,a1,fd,32,\
.
Completion time: 2012-05-08 21:47:54
ComboFix-quarantined-files.txt 2012-05-09 03:47
.
Pre-Run: 8,021,127,168 bytes free
Post-Run: 8,023,330,816 bytes free
.
- - End Of File - - 5414836F05557470B7A198723BE3614F

 

[Bobbye]

Okay, all good in Combofix. 3 entries were confirmed as the legitimate process.

Last scan: Please update an run the Eset scan once more.

Previous problems were resolved- yes?

 

[skuzzi]

I ran the ESET scan and have posted the results below - only found infected old restore points on drive C. I'd be happy to delete those as I was planning to scrub the C Drive and install Windows 7 on that partition.

Regarding the original problems that brought me here, they have been resolved. And with the reduction of running start-up processes, the machine performs more smoothly and I am much calmer.

skuzzi

 

[skuzzi]

Oops -

ESET Scan below

C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP101\A0185121.exe a variant of Win32/InstallCore.D application
C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP102\A0185885.exe Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{1A4944E2-2439-43B2-AC73-2C05C540023F}\RP46\A0140870.exe a variant of Win32/InstallCore.D application

 

[Bobbye]

Good- system is clean.The following will handle those restore points. FYI> those Win32InstallCore.D application entries most likely came from downloads on CNet. They require you add an Active X Object to get their downloads> that's what it is,

Removing all of the tools we used and the files and folders they created

• Uninstall ComboFix and all Backups of the files it deleted
• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

• Download OTCleanIt by OldTimer and save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------

• You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
• Go to Start > All Programs > Accessories > System Tools
• Click "System Restore".
• Choose "Create a Restore Point" on the first screen then click "Next".
• Give the Restore Point a name> click "Create".
  
• Go back and follow the path to > System Tools.
• Choose Disc Cleanup
• Click "OK" to select the partition or drive you want.
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin

Stay safe- surf wisely!