Solved Nasty virus on computer

A

AliciaArkansas

Posts: 10   +0
Hi My name is Alicia. I'm so glad I found your website and some people who could possibly help me because my computer has some nasty viruses and I'm not sure what to do next. I've followed all your instructions on the sticky post on the forum and ran the 3 logs for MalewareBytes, Gmer, and DDS (see logs below). I'm an intelligent person but I do not know much about computers other than where the on button is because I'm a single mom and don't have much time to mess with the pc.

Basically here are my problems... The other day I thought I'd be cool and clean my computer up because I'm tired of all the programs that have accumulated in the startup and my program list is so long that it covered my entire screen. So i started deleting and uninstalling old things I didn't use and ran some sort of cleaner called cc cleaner I believe, cleared out my temp files and all that good stuff. Then I downloaded a program called steam so I could buy games for my kids.

1. Next thing I know when I go to certain websites, like my university e-mail which uses google email, I get an error and can't open the page (I use chrome) but it works with internet explorer which I hate. The error says "The site's security certificate is signed using a weak signature algorithm!"

2. random pages pop up in another tab for crap like women's health and other ads frequently.

3. Half the time when I click on a link to go to a page it takes me to a totally different website with ads and such.

First thing I did was run Malewarebytes which says I have a rootkit but it can't be deleted when I select delete Quarantined items then asks me to restart to delete it. So i do that and I still have the problem. I ran another scan same thing. Did it 3 times. So I ran AVG which found nothing. Next thing I did was dance around my computer with a dead chicken... Not really but you get the point! Please see logs in next post.
 
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 912042601

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

4/25/2012 11:27:10 PM
mbam-log-2012-04-25 (23-27-10).txt

Scan type: Full scan (C:\|)
Objects scanned: 164374
Time elapsed: 57 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\fsma.dll (RootKit.0Access.H) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\fsma.dll (RootKit.0Access.H) -> Delete on reboot.
c:\documents and settings\administrator\application data\Sun\Java\deployment\cache\6.0\36\165b0664-2c1907a5 (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\Sun\Java\deployment\cache\6.0\56\78ea68f8-217e19ca (Trojan.FakeAlert.VGen) -> Quarantined and deleted successfully.
 
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-04-26 02:00:12
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-22LSA0 rev.06.01D06
Running: j6zknpbt.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdrpog.sys
---- System - GMER 1.0.15 ----
SSDT sppk.sys ZwEnumerateKey [0xB7EC5CA4]
SSDT sppk.sys ZwEnumerateValueKey [0xB7EC6032]
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1b [B7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\VClone \Device\Scsi\VClone1 89C461F8
Device \Driver\a1m7b30v \Device\Scsi\a1m7b30v1Port5Path0Target0Lun0 89BAB500
Device \Driver\a1m7b30v \Device\Scsi\a1m7b30v1 89BAB500
Device \Driver\VClone \Device\Scsi\VClone1Port4Path0Target0Lun0 89C461F8
Device \FileSystem\Ntfs \Ntfs 89E521F8
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- Processes - GMER 1.0.15 ----
Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 3788
---- EOF - GMER 1.0.15 ----
 
DDS.txt
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Run by Administrator at 2:13:58 on 2012-04-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1241 [GMT -5:00]
.
AV: AVG Anti-Virus Free *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Alcmtr] ALCMTR.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Search the Web - c:\program files\sweetim\toolbars\internet explorer\resources\menuext.html
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: Interfaces\{C6DA8D22-8FB1-49C6-8F14-BEAF68B8EC05} : NameServer = 68.94.156.1,68.94.157.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ov3wgo5u.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ov3wgo5u.default\extensions\reader_plugin@ebrary.com\plugins\NPinfotl.dll
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\administrator\application data\Move Networks
FF - Ext: Poster: {d48a39ba-8f80-4fce-8ee1-bc710561c55d} - %profile%\extensions\{d48a39ba-8f80-4fce-8ee1-bc710561c55d}
FF - Ext: EBrary Reader Plugin: reader_plugin@ebrary.com - %profile%\extensions\reader_plugin@ebrary.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-17 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-17 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-17 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-17 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-17 297752]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-2-28 1373576]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-6-29 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-29 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9e3f9fd9ba96e;Google Update Service (gupdate1c9e3f9fd9ba96e);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\wusb54gscv2.sys --> c:\windows\system32\drivers\WUSB54GSCV2.sys [?]
.
=============== Created Last 30 ================
.
2012-04-25 04:01:54--------d-----w-c:\program files\common files\Steam
2012-04-24 22:34:400--sha-w-c:\windows\system32\dds_trash_log.cmd
2012-04-13 19:12:39--------d-----w-c:\program files\common files\Symantec Shared
2012-04-13 19:12:31--------d-----w-c:\documents and settings\all users\application data\Norton
2012-04-13 19:12:28--------d-----w-c:\documents and settings\all users\application data\NortonInstaller
.
==================== Find3M ====================
.
2009-06-05 17:09:38774144----a-w-c:\program files\RngInterstitial.dll
.
============= FINISH: 2:14:40.04 ===============
 
attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/17/2009 9:31:41 PM
System Uptime: 4/26/2012 2:01:25 AM (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA74GM-S2
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5000+ | Socket M2 | 2611/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 12.605 GiB free.
D: is FIXED (NTFS) - 98 GiB total, 60.894 GiB free.
E: is FIXED (NTFS) - 135 GiB total, 24.824 GiB free.
F: is CDROM (UDF)
G: is CDROM ()
H: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP941: 1/27/2012 9:20:08 AM - System Checkpoint
RP942: 1/28/2012 10:10:17 AM - System Checkpoint
RP943: 1/29/2012 3:41:00 PM - System Checkpoint
RP944: 1/30/2012 4:07:54 PM - System Checkpoint
RP945: 1/31/2012 5:07:54 PM - System Checkpoint
RP946: 2/1/2012 9:27:17 PM - System Checkpoint
RP947: 2/2/2012 9:50:24 PM - System Checkpoint
RP948: 2/3/2012 10:36:37 PM - System Checkpoint
RP949: 2/4/2012 11:50:26 PM - System Checkpoint
RP950: 2/6/2012 12:06:28 AM - System Checkpoint
RP951: 2/7/2012 1:06:28 AM - System Checkpoint
RP952: 2/8/2012 2:06:28 AM - System Checkpoint
RP953: 2/9/2012 3:04:23 AM - System Checkpoint
RP954: 2/10/2012 3:57:44 AM - System Checkpoint
RP955: 2/11/2012 4:53:37 AM - System Checkpoint
RP956: 2/12/2012 5:53:34 AM - System Checkpoint
RP957: 2/13/2012 6:53:34 AM - System Checkpoint
RP958: 2/14/2012 6:59:11 AM - System Checkpoint
RP959: 2/15/2012 7:04:16 AM - System Checkpoint
RP960: 2/16/2012 7:52:30 AM - System Checkpoint
RP961: 2/17/2012 8:52:30 AM - System Checkpoint
RP962: 2/18/2012 9:52:30 AM - System Checkpoint
RP963: 2/19/2012 12:59:25 PM - System Checkpoint
RP964: 2/20/2012 1:00:56 PM - System Checkpoint
RP965: 2/21/2012 1:52:04 PM - System Checkpoint
RP966: 2/22/2012 3:32:51 PM - System Checkpoint
RP967: 2/23/2012 3:48:52 PM - System Checkpoint
RP968: 2/24/2012 3:52:14 PM - System Checkpoint
RP969: 2/25/2012 9:35:03 PM - System Checkpoint
RP970: 2/27/2012 12:23:34 AM - System Checkpoint
RP971: 2/28/2012 12:46:50 AM - System Checkpoint
RP972: 2/29/2012 1:39:30 AM - System Checkpoint
RP973: 3/1/2012 2:35:03 AM - System Checkpoint
RP974: 3/2/2012 3:33:54 AM - System Checkpoint
RP975: 3/3/2012 4:33:54 AM - System Checkpoint
RP976: 4/4/2012 10:50:43 AM - System Checkpoint
RP977: 3/4/2012 3:50:20 PM - System Checkpoint
RP978: 3/5/2012 5:06:15 PM - System Checkpoint
RP979: 3/6/2012 5:37:57 PM - System Checkpoint
RP980: 3/7/2012 6:01:11 PM - System Checkpoint
RP981: 3/8/2012 8:29:23 PM - System Checkpoint
RP982: 3/9/2012 8:32:46 PM - System Checkpoint
RP983: 3/10/2012 9:32:46 PM - System Checkpoint
RP984: 3/11/2012 10:12:04 PM - System Checkpoint
RP985: 3/12/2012 10:31:40 PM - System Checkpoint
RP986: 3/13/2012 10:48:01 PM - System Checkpoint
RP987: 3/14/2012 11:55:41 PM - System Checkpoint
RP988: 3/16/2012 11:35:52 AM - System Checkpoint
RP989: 3/17/2012 11:08:24 PM - System Checkpoint
RP990: 3/18/2012 11:11:04 PM - System Checkpoint
RP991: 3/20/2012 12:57:57 PM - System Checkpoint
RP992: 3/21/2012 1:23:04 PM - System Checkpoint
RP993: 3/22/2012 4:11:38 PM - System Checkpoint
RP994: 3/23/2012 5:25:57 PM - System Checkpoint
RP995: 3/24/2012 5:44:29 PM - System Checkpoint
RP996: 3/25/2012 5:59:07 PM - System Checkpoint
RP997: 3/27/2012 12:11:02 AM - System Checkpoint
RP998: 3/28/2012 12:54:10 AM - System Checkpoint
RP999: 3/29/2012 2:45:02 AM - System Checkpoint
RP1000: 3/30/2012 3:32:34 AM - System Checkpoint
RP1001: 3/31/2012 3:55:51 AM - System Checkpoint
RP1002: 4/1/2012 4:54:52 AM - System Checkpoint
RP1003: 4/2/2012 5:52:45 AM - System Checkpoint
RP1004: 4/3/2012 6:51:49 AM - System Checkpoint
RP1005: 4/4/2012 7:56:05 AM - System Checkpoint
RP1006: 4/5/2012 8:51:49 AM - System Checkpoint
RP1007: 4/6/2012 9:50:41 AM - System Checkpoint
RP1008: 4/7/2012 10:50:41 AM - System Checkpoint
RP1009: 4/8/2012 1:48:00 PM - System Checkpoint
RP1010: 4/9/2012 1:59:36 PM - System Checkpoint
RP1011: 4/10/2012 2:48:31 PM - System Checkpoint
RP1012: 4/11/2012 2:52:35 PM - System Checkpoint
RP1013: 4/12/2012 2:59:15 PM - System Checkpoint
RP1014: 4/13/2012 3:01:55 PM - System Checkpoint
RP1015: 4/14/2012 3:42:49 PM - System Checkpoint
RP1016: 4/15/2012 5:31:46 PM - System Checkpoint
RP1017: 4/16/2012 5:34:24 PM - System Checkpoint
RP1018: 4/17/2012 5:35:59 PM - System Checkpoint
RP1019: 4/18/2012 9:31:58 PM - System Checkpoint
RP1020: 4/20/2012 10:42:33 AM - System Checkpoint
RP1021: 4/21/2012 11:18:08 AM - System Checkpoint
RP1022: 4/22/2012 1:13:35 PM - System Checkpoint
RP1023: 4/23/2012 1:59:18 PM - System Checkpoint
RP1024: 4/24/2012 2:18:23 PM - System Checkpoint
RP1025: 4/24/2012 11:01:52 PM - Installed Steam
RP1026: 4/24/2012 11:48:35 PM - Removed 1701 A.D. Demo
RP1027: 4/24/2012 11:57:58 PM - Removed Eu3 - DEMO
RP1028: 4/25/2012 12:30:37 AM - Removed Windows Live Upload Tool
RP1029: 4/26/2012 12:33:12 AM - System Checkpoint
.
==== Installed Programs ======================
.
Acrobat.com
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 9.1
Adobe Shockwave Player 11.5
AiO_Scan_CDA
AMD Processor Driver
AT&T U-verse Setup
AVG Free 8.5
Black & White® 2
Browser Configuration Utility
CCleaner
Compatibility Pack for the 2007 Office system
Conquest 4.0
Dawn of Discovery
Diner Dash - Hometown Hero
Download Updater (AOL LLC)
DVDFab Ghosthunter release 6.0.1.0
Europa Universalis III
Facebook Plug-In
Family Tree Maker
Farm Frenzy: Ancient Rome
Farm Frenzy: Gone Fishing
Free Video to Flash Converter version 4.1
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB958655-v2)
HOTLLAMA Media Player
HP Deskjet 3050A J611 series Basic Device Software
HP Deskjet 3050A J611 series Help
HP Photo Creations
HP PSC & OfficeJet 6.1.A
HP Update
ImgBurn
InterActual Player
InterVideo WinDVD 7
Java Auto Updater
Java(TM) 6 Update 20
Junk Mail filter update
K-Lite Codec Pack 3.1.5 Full
Little Shop of Treasures
LogMeIn Hamachi
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Age of Empires II
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Help Viewer 1.0
Microsoft Office Word Viewer 2003
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Visual C++ 2010 Express - ENU
Microsoft WSE 3.0 Runtime
Microsoft XML Parser
Move Media Player
Mozilla Firefox (3.6.20)
MSVCRT
MSXML 4.0 SP2 Parser and SDK
NVIDIA Drivers
NVIDIA PhysX
Pando Media Booster
Pinnacle VideoSpin
QFolder
QuickTime
RealArcade
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Roads of Rome 3
RollerCoaster Tycoon 3 Platinum
Scan
Segoe UI
SkyGazer 4
Skype™ 5.5
Solid YouTube Downloader and Converter FileBulldog Toolbar
Sothink SWF Quicker
Starcraft
StarCraft II
Steam
Stronghold 2
The Sims Medieval
TheSkyX First Light Edition
VirtualCloneDrive
VLC media player 0.9.9
Web Games Player Plugin
WebFldrs XP
Wedding Dash
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Movie Maker 2.0
WinRAR 4.01 (32-bit)
Wireless USB Card
World of Warcraft
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
4/25/2012 7:48:33 PM, error: Print [19] - Sharing printer failed + 1722, Printer HPDeskjet F300 series share name Printer.
4/25/2012 12:05:37 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
4/25/2012 11:30:35 PM, error: Service Control Manager [7023] - The Digisptiservice service terminated with the following error: The specified module could not be found.
4/25/2012 10:05:52 PM, error: Service Control Manager [7023] - The Sntnlusb service terminated with the following error: The specified module could not be found.
4/25/2012 10:04:25 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
4/19/2012 7:56:28 PM, error: Service Control Manager [7034] - The LogMeIn Hamachi Tunneling Engine service terminated unexpectedly. It has done this 1 time(s).
4/19/2012 7:56:03 PM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
 
Good Morning Alicia. I'll be glad to help with the malware. You have a rootkit that will take some going to find all entries to remove. You also are infected with a Backdoor- we can't guarantee that a system hasn't already been compromised, but let's check out a few things:

First, you ran an outdated version of Malwarebytes. I'd like you to remove that and download it again from this link: There are some changes so please read my instructions carefully.

Malwarebytes' Anti-Malware
  • Please download Malwarebytes' Anti-Malware from from HERE
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    [o] Update Malwarebytes' Anti-Malware
    [o] and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please attach this log with your reply
    Note: on opening Notepad, click on Format> make sure Word Wrap is unchecked.
    [o] If you accidentally close it, the log file is saved here and will be named like this:
    [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
========================
I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
    image_preview
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Microsoft Security Essentials
Comodo AV
Avast! Free Antivirus
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Before you run the Combofix scan, please disable any security software you have running.

Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe
    cf-icon.jpg
    & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.[/b]
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
    • Note: No query will be made if the Recovery Console is already on the system.
  • .Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • .Close any open browsers.
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
Re-enable your Antivirus software.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
===================================
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe. to run the scan
  • When the scan is over, the utility outputs a list of detected objects with description.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Select the action Cure to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • Click Continue.
  • Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
==========================================================
Please leave the logs for the new Malwarebytes, Combofix and TDSSKiller in your next reply. Be sure to let me know if you experience any problems with the scan or new problems with the system.
=========================================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process..
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
Threads are closed after 5 days if there is no reply.
 
Thank you for your quick response. I have downloaded the new version of Malwarebytes and below is my new log. I have go class for the next 5 hours and will get the rest done tonight after class or in the morning. Also, after downloading the new malwarebytes it's going nuts. Every 2 or 3 seconds for the last 2 hours while I been doing homework a note will pop up from my system tray saying it successfully blocked access to a potential malicious website then has a number like 83.133.122.75 Type: outgoing. Didn't know if you needed to know that! Also, every 15 minutes or so the entire Malwarebytes program pops up asking me if I want to Quarantine rootkit and I always click yes.
======================================
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.26.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Administrator :: ALICIA [administrator]

Protection: Disabled

4/26/2012 11:40:05 AM
mbam-log-2012-04-26 (11-40-05).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 443302
Time elapsed: 2 hour(s), 14 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\WINDOWS\system32\SGIR.dll (RootKit.0Access.H) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\WINDOWS\system32\SGIR.dll (RootKit.0Access.H) -> Delete on reboot.
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1027\A0090800.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1027\A0090801.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

(end)
 
Bobbye,
I've followed your instructions in the order you gave them. In the previous reply is my new Malewarebytes log and below is my Combofix and TDSSKiller log. I did run into a problem when trying to run Combofix. Your directions said to disable all antivirus programs but every time I turned off Malewarebytes my computer seemed to be getting attacked worse and I couldn't do anything, such as starting the CF program, even when I tried to turn the internet off. After about 4 attempts of doing this and having to do a hard reboot I ran Combofix with Malewarebytes on.

After following your directions, the note boxes from Malewarebytes icon in the system tray which say "successfully blocked access to a potential malicious website" every 2 or 3 seconds have stopped. My computer is faster and I can access my university email without getting blocked and the red crossed out https:// in the search box is gone. Does this mean that my computer is healed?

================================================
CF Log

ComboFix 12-04-26.01 - Administrator 04/26/2012 21:30:59.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1728 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\fegnqddd.exe
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ov3wgo5u.default\searchplugins\bing-zugo.xml
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\program files\somototoolbar\vmNTemplatex.dll
c:\windows\$NtUninstallKB30749$
c:\windows\$NtUninstallKB30749$\11903000
c:\windows\$NtUninstallKB30749$\1757417693\@
c:\windows\$NtUninstallKB30749$\1757417693\cfg.ini
c:\windows\$NtUninstallKB30749$\1757417693\Desktop.ini
c:\windows\$NtUninstallKB30749$\1757417693\L\hxiaemkh
c:\windows\$NtUninstallKB30749$\1757417693\oemid
c:\windows\$NtUninstallKB30749$\1757417693\U\00000001.@
c:\windows\$NtUninstallKB30749$\1757417693\U\00000002.@
c:\windows\$NtUninstallKB30749$\1757417693\U\00000004.@
c:\windows\$NtUninstallKB30749$\1757417693\U\80000000.@
c:\windows\$NtUninstallKB30749$\1757417693\U\80000004.@
c:\windows\$NtUninstallKB30749$\1757417693\U\80000032.@
c:\windows\$NtUninstallKB30749$\1757417693\version
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\urttemp
c:\windows\system32\urttemp\fusion.dll
c:\windows\system32\urttemp\mscoree.dll
c:\windows\system32\urttemp\mscoree.dll.local
c:\windows\system32\urttemp\mscorsn.dll
c:\windows\system32\urttemp\mscorwks.dll
c:\windows\system32\urttemp\msvcr71.dll
c:\windows\system32\urttemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))
.
.
2012-04-27 02:43 . 2012-04-27 02:4340776----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-26 16:38 . 2012-04-04 20:5622344----a-w-c:\windows\system32\drivers\mbam.sys
2012-04-25 04:01 . 2012-04-25 04:01--------d-----w-c:\program files\Common Files\Steam
2012-04-24 22:57 . 2012-04-24 22:57--------d-s---w-c:\documents and settings\NetworkService\UserData
2012-04-13 19:12 . 2012-04-25 04:46--------d-----w-c:\program files\Common Files\Symantec Shared
2012-04-13 19:12 . 2012-04-25 04:46--------d-----w-c:\documents and settings\All Users\Application Data\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-05 17:09 . 2009-06-05 17:09774144----a-w-c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-18 39408]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-10-29 3077528]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-01-29 52392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-17 113664]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-7-5 278528]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2012-02-28 23:381987976----a-w-c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-05-01 05:311657376----a-w-c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-10-13 14:2717351304----a-r-c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2012-04-25 04:021242448----a-w-d:\steam games\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Ubisoft\\Related Designs\\Dawn of Discovery\\tools\\Anno4Web.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57924:TCP"= 57924:TCP:pando Media Booster
"57924:UDP"= 57924:UDP:pando Media Booster
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/15/2009 6:36 PM 721904]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2/28/2012 6:38 PM 1373576]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/26/2012 11:38 AM 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/26/2012 11:38 AM 22344]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/26/2012 9:43 PM 40776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9e3f9fd9ba96e;Google Update Service (gupdate1c9e3f9fd9ba96e);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2009 10:18 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2009 10:18 PM 133104]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\DRIVERS\WUSB54GSCV2.sys --> c:\windows\system32\DRIVERS\WUSB54GSCV2.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Intels51
NETw3x32
3dkeybd
StkAMini
fcprintservice
hsf_dpv
icdsptsv
mmc_2K
wampmysqld
rdnaoflsvc
vvoice
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 03:18]
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 03:18]
.
2012-04-27 c:\windows\Tasks\HP Photo Creations Messager.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{C6DA8D22-8FB1-49C6-8F14-BEAF68B8EC05}: NameServer = 68.94.156.1,68.94.157.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ov3wgo5u.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Administrator\Application Data\Move Networks
FF - Ext: Poster: {d48a39ba-8f80-4fce-8ee1-bc710561c55d} - %profile%\extensions\{d48a39ba-8f80-4fce-8ee1-bc710561c55d}
FF - Ext: EBrary Reader Plugin: reader_plugin@ebrary.com - %profile%\extensions\reader_plugin@ebrary.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
Notify-avgrsstarter - (no file)
MSConfigStartUp-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
MSConfigStartUp-uTorrent - c:\documents and settings\Administrator\My Documents\Downloads\utorrent.exe
AddRemove-VLC media player - c:\program files\VideoLAN\VLC\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-26 21:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2976)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\HPZipm12.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-04-26 21:47:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-27 02:46
.
Pre-Run: 13,430,509,568 bytes free
Post-Run: 15,459,385,344 bytes free
.
- - End Of File - - 2462689C9DB34D3EF810CD0CEDCC9361

 
TDSSKiller Log


21:48:40.0703 2832TDSS rootkit removing tool 2.7.33.0 Apr 24 2012 18:43:43
21:48:41.0203 2832============================================================
21:48:41.0203 2832Current date / time: 2012/04/26 21:48:41.0203
21:48:41.0203 2832SystemInfo:
21:48:41.0203 2832
21:48:41.0203 2832OS Version: 5.1.2600 ServicePack: 3.0
21:48:41.0203 2832Product type: Workstation
21:48:41.0203 2832ComputerName: ALICIA
21:48:41.0203 2832UserName: Administrator
21:48:41.0203 2832Windows directory: C:\WINDOWS
21:48:41.0203 2832System windows directory: C:\WINDOWS
21:48:41.0203 2832Processor architecture: Intel x86
21:48:41.0203 2832Number of processors: 2
21:48:41.0203 2832Page size: 0x1000
21:48:41.0203 2832Boot type: Normal boot
21:48:41.0203 2832============================================================
21:48:42.0359 2832Drive \Device\Harddisk0\DR0 - Size: 0x12A1E0DE00 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:48:42.0375 2832Drive \Device\Harddisk1\DR1 - Size: 0x3A35294400 (232.83 Gb), SectorSize: 0x200, Cylinders: 0x76BA, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:48:42.0375 2832============================================================
21:48:42.0375 2832\Device\Harddisk0\DR0:
21:48:42.0375 2832MBR partitions:
21:48:42.0375 2832\Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950E482
21:48:42.0375 2832\Device\Harddisk1\DR1:
21:48:42.0375 2832MBR partitions:
21:48:42.0375 2832\Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xC34F28D
21:48:42.0406 2832\Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0xC34F30B, BlocksNum 0x10E55C6E
21:48:42.0406 2832============================================================
21:48:42.0421 2832C: <-> \Device\Harddisk0\DR0\Partition0
21:48:42.0468 2832D: <-> \Device\Harddisk1\DR1\Partition0
21:48:42.0484 2832E: <-> \Device\Harddisk1\DR1\Partition1
21:48:42.0484 2832============================================================
21:48:42.0484 2832Initialize success
21:48:42.0484 2832============================================================
21:48:48.0734 3804============================================================
21:48:48.0734 3804Scan started
21:48:48.0734 3804Mode: Manual;
21:48:48.0734 3804============================================================
21:48:48.0984 38043dkeybd - ok
21:48:49.0000 3804Abiosdsk - ok
21:48:49.0015 3804abp480n5 - ok
21:48:49.0046 3804ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:48:49.0046 3804ACPI - ok
21:48:49.0078 3804ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
21:48:49.0078 3804ACPIEC - ok
21:48:49.0078 3804adpu160m - ok
21:48:49.0109 3804aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:48:49.0109 3804aec - ok
21:48:49.0156 3804AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
21:48:49.0156 3804AFD - ok
21:48:49.0156 3804Aha154x - ok
21:48:49.0156 3804aic78u2 - ok
21:48:49.0171 3804aic78xx - ok
21:48:49.0218 3804Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
21:48:49.0218 3804Alerter - ok
21:48:49.0234 3804ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
21:48:49.0234 3804ALG - ok
21:48:49.0234 3804AliIde - ok
21:48:49.0250 3804AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
21:48:49.0250 3804AmdK8 - ok
21:48:49.0265 3804amsint - ok
21:48:49.0281 3804AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
21:48:49.0281 3804AppMgmt - ok
21:48:49.0281 3804asc - ok
21:48:49.0296 3804asc3350p - ok
21:48:49.0296 3804asc3550 - ok
21:48:49.0468 3804aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
21:48:49.0468 3804aspnet_state - ok
21:48:49.0468 3804AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:48:49.0468 3804AsyncMac - ok
21:48:49.0484 3804atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:48:49.0484 3804atapi - ok
21:48:49.0484 3804Atdisk - ok
21:48:49.0531 3804atksgt (f0d933b42cd0594048e4d5200ae9e417) C:\WINDOWS\system32\DRIVERS\atksgt.sys
21:48:49.0546 3804atksgt - ok
21:48:49.0562 3804Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:48:49.0562 3804Atmarpc - ok
21:48:49.0578 3804AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
21:48:49.0578 3804AudioSrv - ok
21:48:49.0609 3804audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:48:49.0609 3804audstub - ok
21:48:49.0625 3804Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:48:49.0625 3804Beep - ok
21:48:49.0671 3804BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
21:48:49.0671 3804BITS - ok
21:48:49.0687 3804Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
21:48:49.0687 3804Browser - ok
21:48:49.0703 3804BUFADPT (df306fdaf60511b1f117b34a575abe07) C:\WINDOWS\system32\BUFADPT.SYS
21:48:49.0703 3804BUFADPT - ok
21:48:49.0703 3804catchme - ok
21:48:49.0734 3804cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:48:49.0734 3804cbidf2k - ok
21:48:49.0734 3804cd20xrnt - ok
21:48:49.0765 3804Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:48:49.0765 3804Cdaudio - ok
21:48:49.0796 3804Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:48:49.0812 3804Cdfs - ok
21:48:49.0828 3804Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:48:49.0828 3804Cdrom - ok
21:48:49.0843 3804Changer - ok
21:48:49.0859 3804CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
21:48:49.0859 3804CiSvc - ok
21:48:49.0875 3804ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
21:48:49.0875 3804ClipSrv - ok
21:48:49.0953 3804clr_optimization_v2.0.50727_32 (234b1bc2796483e1f5c3f26649fb3388) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
21:48:49.0953 3804clr_optimization_v2.0.50727_32 - ok
21:48:49.0984 3804clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
21:48:49.0984 3804clr_optimization_v4.0.30319_32 - ok
21:48:49.0984 3804CmdIde - ok
21:48:50.0000 3804COMSysApp - ok
21:48:50.0000 3804Cpqarray - ok
21:48:50.0046 3804CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
21:48:50.0046 3804CryptSvc - ok
21:48:50.0046 3804dac2w2k - ok
21:48:50.0062 3804dac960nt - ok
21:48:50.0109 3804DcomLaunch (2589fe6015a316c0f5d5112b4da7b509) C:\WINDOWS\system32\rpcss.dll
21:48:50.0109 3804DcomLaunch - ok
21:48:50.0125 3804Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
21:48:50.0125 3804Dhcp - ok
21:48:50.0140 3804Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
21:48:50.0140 3804Disk - ok
21:48:50.0140 3804dmadmin - ok
21:48:50.0203 3804dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
21:48:50.0234 3804dmboot - ok
21:48:50.0265 3804dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
21:48:50.0265 3804dmio - ok
21:48:50.0281 3804dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:48:50.0281 3804dmload - ok
21:48:50.0296 3804dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
21:48:50.0296 3804dmserver - ok
21:48:50.0328 3804DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
21:48:50.0328 3804DMusic - ok
21:48:50.0343 3804Dnscache (474b4dc3983173e4b4c9740b0dac98a6) C:\WINDOWS\System32\dnsrslvr.dll
21:48:50.0343 3804Dnscache - ok
21:48:50.0359 3804Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
21:48:50.0359 3804Dot3svc - ok
21:48:50.0375 3804dpti2o - ok
21:48:50.0390 3804drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
21:48:50.0390 3804drmkaud - ok
21:48:50.0406 3804EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
21:48:50.0406 3804EapHost - ok
21:48:50.0437 3804ElbyCDIO (178cc9403816c082d22a1d47fa1f9c85) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
21:48:50.0437 3804ElbyCDIO - ok
21:48:50.0437 3804ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
21:48:50.0437 3804ERSvc - ok
21:48:50.0484 3804Eventlog (0e776ed5f7cc9f94299e70461b7b8185) C:\WINDOWS\system32\services.exe
21:48:50.0484 3804Eventlog - ok
21:48:50.0531 3804EventSystem (19a799805b24990867b00c120d300c3a) C:\WINDOWS\system32\es.dll
21:48:50.0531 3804EventSystem - ok
21:48:50.0562 3804Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
21:48:50.0562 3804Fastfat - ok
21:48:50.0593 3804FastUserSwitchingCompatibility (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
21:48:50.0609 3804FastUserSwitchingCompatibility - ok
21:48:50.0609 3804fcprintservice - ok
21:48:50.0625 3804Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
21:48:50.0625 3804Fdc - ok
21:48:50.0640 3804Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
21:48:50.0640 3804Fips - ok
21:48:50.0640 3804Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
21:48:50.0640 3804Flpydisk - ok
21:48:50.0671 3804FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
21:48:50.0671 3804FltMgr - ok
21:48:50.0796 3804FontCache3.0.0.0 (993883524aa9cf1c90e1545411a9ac9c) C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
21:48:50.0796 3804FontCache3.0.0.0 - ok
21:48:50.0828 3804Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:48:50.0828 3804Fs_Rec - ok
21:48:50.0843 3804Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:48:50.0843 3804Ftdisk - ok
21:48:50.0859 3804gdrv (c6e3105b8c68c35cc1eb26a00fd1a8c6) C:\WINDOWS\gdrv.sys
21:48:50.0859 3804gdrv - ok
21:48:50.0890 3804Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:48:50.0890 3804Gpc - ok
21:48:50.0906 3804GTNDIS5 (fc80052194d5708254a346568f0e77c0) C:\WINDOWS\system32\GTNDIS5.SYS
21:48:50.0921 3804GTNDIS5 - ok
21:48:51.0046 3804gupdate1c9e3f9fd9ba96e (626a24ed1228580b9518c01930936df9) C:\Program Files\Google\Update\GoogleUpdate.exe
21:48:51.0046 3804gupdate1c9e3f9fd9ba96e - ok
21:48:51.0046 3804gupdatem (626a24ed1228580b9518c01930936df9) C:\Program Files\Google\Update\GoogleUpdate.exe
21:48:51.0046 3804gupdatem - ok
21:48:51.0093 3804gusvc (cc839e8d766cc31a7710c9f38cf3e375) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
21:48:51.0093 3804gusvc - ok
21:48:51.0125 3804hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
21:48:51.0125 3804hamachi - ok
21:48:51.0218 3804Hamachi2Svc (fa89c0429821c7c429eec7a0ce1c02d3) C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
21:48:51.0234 3804Hamachi2Svc - ok
21:48:51.0265 3804HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
21:48:51.0265 3804HDAudBus - ok
21:48:51.0312 3804helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
21:48:51.0312 3804helpsvc - ok
21:48:51.0343 3804HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
21:48:51.0343 3804HidServ - ok
21:48:51.0375 3804hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:48:51.0375 3804hidusb - ok
21:48:51.0406 3804hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
21:48:51.0406 3804hkmsvc - ok
21:48:51.0406 3804hpn - ok
21:48:51.0453 3804HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
21:48:51.0453 3804HPZid412 - ok
21:48:51.0468 3804HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
21:48:51.0468 3804HPZipr12 - ok
21:48:51.0484 3804HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
21:48:51.0484 3804HPZius12 - ok
21:48:51.0500 3804hsf_dpv - ok
21:48:51.0515 3804HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
21:48:51.0531 3804HTTP - ok
21:48:51.0578 3804HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
21:48:51.0578 3804HTTPFilter - ok
21:48:51.0578 3804i2omgmt - ok
21:48:51.0578 3804i2omp - ok
21:48:51.0625 3804i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:48:51.0625 3804i8042prt - ok
21:48:51.0625 3804icdsptsv - ok
21:48:51.0796 3804idsvc (e7cc3aeaed9893a88876744cd439f76c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
21:48:51.0812 3804idsvc - ok
21:48:51.0859 3804Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:48:51.0859 3804Imapi - ok
21:48:51.0890 3804ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
21:48:51.0890 3804ImapiService - ok
21:48:51.0890 3804ini910u - ok
21:48:52.0109 3804IntcAzAudAddService (2feb5bf0312e1cb76cd2caa875cbaa5d) C:\WINDOWS\system32\drivers\RtkHDAud.sys
21:48:52.0125 3804IntcAzAudAddService - ok
21:48:52.0218 3804IntelIde - ok
21:48:52.0218 3804Intels51 - ok
21:48:52.0265 3804Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
21:48:52.0265 3804Ip6Fw - ok
21:48:52.0312 3804IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:48:52.0312 3804IpFilterDriver - ok
21:48:52.0343 3804IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:48:52.0343 3804IpInIp - ok
21:48:52.0359 3804IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:48:52.0359 3804IpNat - ok
21:48:52.0390 3804IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:48:52.0390 3804IPSec - ok
21:48:52.0421 3804IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:48:52.0421 3804IRENUM - ok
21:48:52.0453 3804isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:48:52.0453 3804isapnp - ok
21:48:52.0546 3804JavaQuickStarterService (1834c96fb1f9280bcf6ddfa6de8338bf) C:\Program Files\Java\jre6\bin\jqs.exe
21:48:52.0546 3804JavaQuickStarterService - ok
21:48:52.0562 3804Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:48:52.0562 3804Kbdclass - ok
21:48:52.0593 3804kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:48:52.0593 3804kbdhid - ok
21:48:52.0609 3804kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
21:48:52.0609 3804kmixer - ok
21:48:52.0656 3804KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
21:48:52.0656 3804KSecDD - ok
21:48:52.0671 3804LanmanServer (f385f4b02c535bffe1d70cab80838123) C:\WINDOWS\System32\srvsvc.dll
21:48:52.0687 3804LanmanServer - ok
21:48:52.0718 3804lanmanworkstation (1b67b632786fef1c1bbaef46c2f3f2e6) C:\WINDOWS\System32\wkssvc.dll
21:48:52.0718 3804lanmanworkstation - ok
21:48:52.0718 3804lbrtfdc - ok
21:48:52.0765 3804lirsgt (f8a7212d0864ef5e9185fb95e6623f4d) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
21:48:52.0765 3804lirsgt - ok
21:48:52.0781 3804LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
21:48:52.0781 3804LmHosts - ok
21:48:52.0812 3804MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys
21:48:52.0812 3804MBAMProtector - ok
21:48:52.0875 3804MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
21:48:52.0875 3804MBAMService - ok
21:48:52.0968 3804McciCMService (f8b823414a22dbf3bec10dcaa5f93cd8) C:\Program Files\Common Files\Motive\McciCMService.exe
21:48:52.0984 3804McciCMService - ok
21:48:53.0000 3804Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
21:48:53.0000 3804Messenger - ok
21:48:53.0000 3804mmc_2K - ok
21:48:53.0015 3804mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:48:53.0015 3804mnmdd - ok
21:48:53.0031 3804mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
21:48:53.0031 3804mnmsrvc - ok
21:48:53.0062 3804Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
21:48:53.0062 3804Modem - ok
21:48:53.0093 3804Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:48:53.0093 3804Mouclass - ok
21:48:53.0125 3804mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:48:53.0140 3804mouhid - ok
21:48:53.0140 3804MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
21:48:53.0140 3804MountMgr - ok
21:48:53.0140 3804mraid35x - ok
21:48:53.0187 3804MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
21:48:53.0187 3804MREMP50 - ok
21:48:53.0187 3804MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
21:48:53.0203 3804MRESP50 - ok
21:48:53.0218 3804MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:48:53.0218 3804MRxDAV - ok
21:48:53.0250 3804MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:48:53.0265 3804MRxSmb - ok
21:48:53.0296 3804MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
21:48:53.0296 3804MSDTC - ok
21:48:53.0312 3804Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
21:48:53.0312 3804Msfs - ok
21:48:53.0312 3804MSIServer - ok
21:48:53.0359 3804MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:48:53.0359 3804MSKSSRV - ok
21:48:53.0375 3804MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:48:53.0375 3804MSPCLOCK - ok
21:48:53.0375 3804MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
21:48:53.0390 3804MSPQM - ok
21:48:53.0406 3804mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:48:53.0406 3804mssmbios - ok
21:48:53.0406 3804Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
21:48:53.0421 3804Mup - ok
21:48:53.0453 3804napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
21:48:53.0468 3804napagent - ok
21:48:53.0484 3804NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
21:48:53.0484 3804NDIS - ok
21:48:53.0515 3804NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:48:53.0515 3804NdisTapi - ok
21:48:53.0546 3804Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:48:53.0546 3804Ndisuio - ok
21:48:53.0562 3804NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:48:53.0562 3804NdisWan - ok
21:48:53.0578 3804NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
21:48:53.0578 3804NDProxy - ok
21:48:53.0593 3804NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:48:53.0593 3804NetBIOS - ok
21:48:53.0609 3804NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:48:53.0625 3804NetBT - ok
21:48:53.0656 3804NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
21:48:53.0656 3804NetDDE - ok
21:48:53.0656 3804NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
21:48:53.0656 3804NetDDEdsdm - ok
21:48:53.0687 3804Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
21:48:53.0687 3804Netlogon - ok
21:48:53.0734 3804Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
21:48:53.0734 3804Netman - ok
21:48:53.0890 3804NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
21:48:53.0890 3804NetTcpPortSharing - ok
21:48:53.0890 3804NETw3x32 - ok
21:48:53.0937 3804Nla (b4138e99236f0f57d4cf49bae98a0746) C:\WINDOWS\System32\mswsock.dll
21:48:53.0937 3804Nla - ok
21:48:53.0937 3804Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
21:48:53.0937 3804Npfs - ok
21:48:53.0984 3804Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
21:48:53.0984 3804Ntfs - ok
21:48:53.0984 3804NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
21:48:53.0984 3804NtLmSsp - ok
21:48:54.0031 3804NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
21:48:54.0031 3804NtmsSvc - ok
21:48:54.0046 3804Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:48:54.0046 3804Null - ok
21:48:54.0359 3804nv (406ddab2b05d94d4818e97ff050d1bc6) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
21:48:54.0562 3804nv - ok
21:48:54.0640 3804nvsvc (b3adef87ee4eca88380d730b92bdb231) C:\WINDOWS\system32\nvsvc32.exe
21:48:54.0640 3804nvsvc - ok
21:48:54.0703 3804NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:48:54.0703 3804NwlnkFlt - ok
21:48:54.0718 3804NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:48:54.0718 3804NwlnkFwd - ok
21:48:54.0812 3804ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
21:48:54.0812 3804ose - ok
21:48:54.0859 3804Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
21:48:54.0859 3804Parport - ok
21:48:54.0875 3804PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:48:54.0875 3804PartMgr - ok
21:48:54.0890 3804ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:48:54.0890 3804ParVdm - ok
21:48:54.0906 3804PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
21:48:54.0906 3804PCI - ok
21:48:54.0906 3804PCIDump - ok
21:48:54.0921 3804PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:48:54.0921 3804PCIIde - ok
21:48:54.0937 3804Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
21:48:54.0953 3804Pcmcia - ok
21:48:54.0953 3804PDCOMP - ok
21:48:54.0953 3804PDFRAME - ok
21:48:54.0968 3804PDRELI - ok
21:48:54.0968 3804PDRFRAME - ok
21:48:54.0968 3804perc2 - ok
21:48:54.0984 3804perc2hib - ok
21:48:55.0015 3804PlugPlay (0e776ed5f7cc9f94299e70461b7b8185) C:\WINDOWS\system32\services.exe
21:48:55.0015 3804PlugPlay - ok
21:48:55.0046 3804Pml Driver HPZ12 (a38b3ce68e7f126190cde4aa3fdf050f) C:\WINDOWS\system32\HPZipm12.exe
21:48:55.0046 3804Pml Driver HPZ12 - ok
21:48:55.0062 3804PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
21:48:55.0062 3804PolicyAgent - ok
21:48:55.0062 3804PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:48:55.0062 3804PptpMiniport - ok
21:48:55.0093 3804Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
21:48:55.0093 3804Processor - ok
21:48:55.0093 3804ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
21:48:55.0093 3804ProtectedStorage - ok
21:48:55.0109 3804PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:48:55.0125 3804PSched - ok
21:48:55.0140 3804Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:48:55.0140 3804Ptilink - ok
21:48:55.0140 3804ql1080 - ok
21:48:55.0156 3804Ql10wnt - ok
21:48:55.0156 3804ql12160 - ok
21:48:55.0171 3804ql1240 - ok
21:48:55.0171 3804ql1280 - ok
21:48:55.0203 3804RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:48:55.0203 3804RasAcd - ok
21:48:55.0234 3804RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
21:48:55.0234 3804RasAuto - ok
21:48:55.0265 3804Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:48:55.0265 3804Rasl2tp - ok
21:48:55.0281 3804RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
21:48:55.0281 3804RasMan - ok
21:48:55.0296 3804RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:48:55.0296 3804RasPppoe - ok
21:48:55.0296 3804Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:48:55.0296 3804Raspti - ok
21:48:55.0312 3804Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:48:55.0328 3804Rdbss - ok
21:48:55.0328 3804rdnaoflsvc - ok
21:48:55.0343 3804RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:48:55.0343 3804RDPCDD - ok
21:48:55.0390 3804rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:48:55.0390 3804rdpdr - ok
21:48:55.0671 3804RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
21:48:55.0671 3804RDPWD - ok
21:48:55.0703 3804RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
21:48:55.0718 3804RDSessMgr - ok
21:48:55.0750 3804redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:48:55.0750 3804redbook - ok
21:48:55.0781 3804RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
21:48:55.0781 3804RemoteAccess - ok
21:48:55.0812 3804RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
21:48:55.0812 3804RemoteRegistry - ok
21:48:55.0843 3804RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
21:48:55.0843 3804RpcLocator - ok
21:48:55.0906 3804RpcSs (2589fe6015a316c0f5d5112b4da7b509) C:\WINDOWS\System32\rpcss.dll
21:48:55.0906 3804RpcSs - ok
21:48:55.0937 3804RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
21:48:55.0937 3804RSVP - ok
21:48:55.0984 3804RT73 (da4980fad2b7d86d6ed8e35e3874f65e) C:\WINDOWS\system32\DRIVERS\rt73.sys
21:48:56.0000 3804RT73 - ok
21:48:56.0031 3804RTLE8023xp (839141088ad7ee90f5b441b2d1afd22c) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
21:48:56.0031 3804RTLE8023xp - ok
21:48:56.0062 3804SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
21:48:56.0062 3804SamSs - ok
21:48:56.0093 3804SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
21:48:56.0109 3804SCardSvr - ok
21:48:56.0140 3804Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
21:48:56.0140 3804Schedule - ok
21:48:56.0156 3804Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:48:56.0156 3804Secdrv - ok
21:48:56.0187 3804seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
21:48:56.0187 3804seclogon - ok
21:48:56.0203 3804SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
21:48:56.0203 3804SENS - ok
21:48:56.0234 3804Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
21:48:56.0234 3804Serial - ok
21:48:56.0296 3804Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:48:56.0296 3804Sfloppy - ok
21:48:56.0328 3804SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
21:48:56.0343 3804SharedAccess - ok
21:48:56.0375 3804ShellHWDetection (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
21:48:56.0375 3804ShellHWDetection - ok
21:48:56.0375 3804Simbad - ok
21:48:56.0390 3804Sparrow - ok
21:48:56.0421 3804splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:48:56.0421 3804splitter - ok
21:48:56.0437 3804Spooler (d8e14a61acc1d4a6cd0d38aebac7fa3b) C:\WINDOWS\system32\spoolsv.exe
21:48:56.0437 3804Spooler - ok
21:48:56.0500 3804sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
21:48:56.0500 3804Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
21:48:56.0500 3804sptd ( LockedFile.Multi.Generic ) - warning
21:48:56.0500 3804sptd - detected LockedFile.Multi.Generic (1)
21:48:56.0531 3804sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:48:56.0546 3804sr - ok
21:48:56.0562 3804srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
21:48:56.0562 3804srservice - ok
21:48:56.0593 3804Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
21:48:56.0593 3804Srv - ok
21:48:56.0625 3804SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
21:48:56.0625 3804SSDPSRV - ok
21:48:56.0687 3804Steam Client Service - ok
21:48:56.0734 3804stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
21:48:56.0750 3804stisvc - ok
21:48:56.0750 3804StkAMini - ok
21:48:56.0765 3804swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:48:56.0765 3804swenum - ok
21:48:56.0796 3804swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:48:56.0796 3804swmidi - ok
21:48:56.0796 3804SwPrv - ok
21:48:56.0796 3804symc810 - ok
21:48:56.0812 3804symc8xx - ok
21:48:56.0812 3804sym_hi - ok
21:48:56.0812 3804sym_u3 - ok
21:48:56.0843 3804sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:48:56.0843 3804sysaudio - ok
21:48:56.0875 3804SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
21:48:56.0875 3804SysmonLog - ok
21:48:56.0890 3804TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
21:48:56.0890 3804TapiSrv - ok
21:48:56.0921 3804Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:48:56.0921 3804Tcpip - ok
21:48:56.0953 3804TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:48:56.0953 3804TDPIPE - ok
21:48:56.0953 3804TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:48:56.0953 3804TDTCP - ok
21:48:56.0984 3804TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:48:56.0984 3804TermDD - ok
21:48:57.0031 3804TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
21:48:57.0031 3804TermService - ok
21:48:57.0046 3804Themes (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
21:48:57.0046 3804Themes - ok
21:48:57.0078 3804TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
21:48:57.0078 3804TlntSvr - ok
21:48:57.0093 3804TosIde - ok
21:48:57.0125 3804TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
21:48:57.0125 3804TrkWks - ok
21:48:57.0140 3804Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:48:57.0156 3804Udfs - ok
21:48:57.0156 3804ultra - ok
21:48:57.0218 3804Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:48:57.0218 3804Update - ok
21:48:57.0250 3804upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
21:48:57.0250 3804upnphost - ok
21:48:57.0250 3804UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
21:48:57.0250 3804UPS - ok
21:48:57.0296 3804usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:48:57.0296 3804usbccgp - ok
21:48:57.0312 3804usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:48:57.0312 3804usbehci - ok
21:48:57.0312 3804usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:48:57.0312 3804usbhub - ok
21:48:57.0328 3804usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
21:48:57.0328 3804usbohci - ok
21:48:57.0375 3804usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:48:57.0375 3804usbprint - ok
21:48:57.0406 3804usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:48:57.0406 3804usbscan - ok
21:48:57.0453 3804USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:48:57.0453 3804USBSTOR - ok
21:48:57.0468 3804VClone (2cc2660b3ec3434c88d2c808dd7937d4) C:\WINDOWS\system32\DRIVERS\VClone.sys
21:48:57.0468 3804VClone - ok
21:48:57.0484 3804VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:48:57.0484 3804VgaSave - ok
21:48:57.0500 3804ViaIde - ok
21:48:57.0515 3804VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:48:57.0515 3804VolSnap - ok
21:48:57.0562 3804VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
21:48:57.0562 3804VSS - ok
21:48:57.0578 3804vvoice - ok
21:48:57.0609 3804W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
21:48:57.0609 3804W32Time - ok
21:48:57.0625 3804wampmysqld - ok
21:48:57.0656 3804Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:48:57.0656 3804Wanarp - ok
21:48:57.0656 3804WDICA - ok
21:48:57.0687 3804wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:48:57.0703 3804wdmaud - ok
21:48:57.0734 3804WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
21:48:57.0734 3804WebClient - ok
21:48:57.0812 3804winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
21:48:57.0812 3804winmgmt - ok
21:48:57.0843 3804WmdmPmSN (f4db1f1417ff329e8ff217d5c474d5d7) C:\WINDOWS\system32\MsPMSNSv.dll
21:48:57.0843 3804WmdmPmSN - ok
21:48:57.0890 3804Wmi (bab489a5fe26f2d0c910cf7af7e4cf92) C:\WINDOWS\System32\advapi32.dll
21:48:57.0890 3804Wmi - ok
21:48:57.0921 3804WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
21:48:57.0937 3804WmiApSrv - ok
21:48:58.0093 3804WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
21:48:58.0125 3804WPFFontCache_v0400 - ok
21:48:58.0171 3804WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
21:48:58.0171 3804WS2IFSL - ok
21:48:58.0187 3804wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
21:48:58.0203 3804wscsvc - ok
21:48:58.0234 3804wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
21:48:58.0234 3804wuauserv - ok
21:48:58.0234 3804WUSB54GSCV2 - ok
21:48:58.0265 3804WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
21:48:58.0281 3804WZCSVC - ok
21:48:58.0312 3804xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
21:48:58.0312 3804xmlprov - ok
21:48:58.0328 3804MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:48:58.0437 3804\Device\Harddisk0\DR0 - ok
21:48:58.0437 3804MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
21:48:58.0546 3804\Device\Harddisk1\DR1 - ok
21:48:58.0546 3804Boot (0x1200) (6c4d039391b5a85019a75bf46acbf1c0) \Device\Harddisk0\DR0\Partition0
21:48:58.0546 3804\Device\Harddisk0\DR0\Partition0 - ok
21:48:58.0562 3804Boot (0x1200) (e0ae1736a69a6b479669278dc93d61f6) \Device\Harddisk1\DR1\Partition0
21:48:58.0562 3804\Device\Harddisk1\DR1\Partition0 - ok
21:48:58.0562 3804Boot (0x1200) (b4993675494671af9a46a7dbc1218bd7) \Device\Harddisk1\DR1\Partition1
21:48:58.0578 3804\Device\Harddisk1\DR1\Partition1 - ok
21:48:58.0578 3804============================================================
21:48:58.0578 3804Scan finished
21:48:58.0578 3804============================================================
21:48:58.0578 3388Detected object count: 1
21:48:58.0578 3388Actual detected object count: 1
21:49:53.0156 3388C:\WINDOWS\system32\Drivers\sptd.sys - copied to quarantine
21:49:53.0156 3388sptd ( LockedFile.Multi.Generic ) - User select action: Quarantine
 
Things to know:
1. The Alerts from Mbam blocking outgoing access are from the malware. It is trying to remotely connect to server. The IP you gave is a site in Germany. While the popups may be annoying, as the malware is removed, they should stop. It is a good thing that the access is being blocked.
2. I have removed processes for AVG Secure Search. It is NOT doing it's job. I highly recommend using the Web of Trust (WOT) add-on is a safe surfing tool for your browser. It rates site in 4 areas and will prevent sites with poor reputations from loading.
3. The Somoto Toolbar[ is bundled with other 3rd party programs and should not be on the system.
4. The plugin SweetIM in Firefox should be removed.
5.Virtual Clone Drive, part of CloneCD CD/DVD copying sofware has been discontinued and should be removed. Note: Located in c:\program files\Elaborate Bytes\VirtualCloneDrive

Please uninstall #3,4,5. Then use Windows explorer to access Compouter> Local Drive(C)> Programs> Do a right click> Delete on each program folder you uninstalled.
-----------------------------------------------
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
Code: 
File::
c:\windows\system32\dds_trash_log.cmd
DDS::
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
TB: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
Extra::
Firefox:: 
Firefox-: - Profile- c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ov3wgo5u.default\
Firefox-: prefs.js- Search.DeafaultURL
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-

Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
Please update the following:
Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
Adobe Reader > Current is vX(10.xx)> Adobe Reader Update
Java(TM) > Current is v6u31> Java Updates .
Uninstall any earlier versions in of both as they are vulnerabilities for the system.
--====================
I need to replace a file so we need to look for a clean file:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: 
    :filefind
sptd.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Completed!

CFlog
========
ComboFix 12-04-26.01 - Administrator 04/27/2012 13:22:46.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1367 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\dds_trash_log.cmd"
.
.
((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))
.
.
2012-04-27 02:49 . 2012-04-27 02:49--------d-----w-C:\TDSSKiller_Quarantine
2012-04-26 16:38 . 2012-04-04 20:5622344----a-w-c:\windows\system32\drivers\mbam.sys
2012-04-25 04:01 . 2012-04-25 04:01--------d-----w-c:\program files\Common Files\Steam
2012-04-24 22:57 . 2012-04-24 22:57--------d-s---w-c:\documents and settings\NetworkService\UserData
2012-04-13 19:12 . 2012-04-25 04:46--------d-----w-c:\program files\Common Files\Symantec Shared
2012-04-13 19:12 . 2012-04-25 04:46--------d-----w-c:\documents and settings\All Users\Application Data\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-05 17:09 . 2009-06-05 17:09774144----a-w-c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-27_02.43.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-27 02:53 . 2012-04-27 02:5316384 c:\windows\Temp\Perflib_Perfdata_620.dat
+ 2001-08-23 12:00 . 2012-04-27 02:4787674 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2012-04-18 19:0687674 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2012-04-27 02:47502402 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2012-04-18 19:06502402 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-18 39408]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-10-29 3077528]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-17 113664]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-7-5 278528]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2012-02-28 23:381987976----a-w-c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-05-01 05:311657376----a-w-c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2012-04-25 04:021242448----a-w-d:\steam games\Steam.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Ubisoft\\Related Designs\\Dawn of Discovery\\tools\\Anno4Web.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57924:TCP"= 57924:TCP:pando Media Booster
"57924:UDP"= 57924:UDP:pando Media Booster
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/15/2009 6:36 PM 721904]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2/28/2012 6:38 PM 1373576]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/26/2012 11:38 AM 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/26/2012 11:38 AM 22344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9e3f9fd9ba96e;Google Update Service (gupdate1c9e3f9fd9ba96e);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2009 10:18 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2009 10:18 PM 133104]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\DRIVERS\WUSB54GSCV2.sys --> c:\windows\system32\DRIVERS\WUSB54GSCV2.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - ElbyCDIO
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Intels51
NETw3x32
3dkeybd
StkAMini
fcprintservice
hsf_dpv
icdsptsv
mmc_2K
wampmysqld
rdnaoflsvc
vvoice
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 03:18]
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 03:18]
.
2012-04-27 c:\windows\Tasks\HP Photo Creations Messager.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{C6DA8D22-8FB1-49C6-8F14-BEAF68B8EC05}: NameServer = 68.94.156.1,68.94.157.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ov3wgo5u.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Administrator\Application Data\Move Networks
FF - Ext: Poster: {d48a39ba-8f80-4fce-8ee1-bc710561c55d} - %profile%\extensions\{d48a39ba-8f80-4fce-8ee1-bc710561c55d}
FF - Ext: EBrary Reader Plugin: reader_plugin@ebrary.com - %profile%\extensions\reader_plugin@ebrary.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-27 13:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3620)
c:\windows\system32\msi.dll
.
Completion time: 2012-04-27 13:31:49
ComboFix-quarantined-files.txt 2012-04-27 18:31
ComboFix2.txt 2012-04-27 02:47
.
Pre-Run: 15,510,802,432 bytes free
Post-Run: 15,506,968,576 bytes free
.
- - End Of File - - 6245B3D69548AD9BEE05AB3043452F78
===============================================
System Look
SystemLook 30.07.11 by jpshortstuff
Log created at 14:02 on 27/04/2012 by Administrator
Administrator - Elevation successful
========== filefind ==========
Searching for "sptd.sys"
C:\WINDOWS\system32\drivers\sptd.sys--a---- 721904 bytes[23:36 15/07/2009][23:36 15/07/2009] (Unable to calculate MD5)
-= EOF =-
 
This is looking good! What problems remain, if any?

Regarding this:
Basically here are my problems... The other day I thought I'd be cool and clean my computer up because I'm tired of all the programs that have accumulated in the startup and my program list is so long that it covered my entire screen. So i started deleting and uninstalling old things I didn't use and ran some sort of cleaner called cc cleaner I believe, cleared out my temp files and all that good stuff. Then I downloaded a program called steam so I could buy games for my kids.
Click to expand...

Remind me to help you with this when we finish. I'll give you instructions on the right way to do it and what you need and don't need to start and run in the background. I'll suggest safe "cleaners", tell you why you shouldn't use a Registry Cleaner, how to uninstall a program and remove the program folder, what you don't need on the Startup Menu and the few processes you do need and why you can't just delete one entry to remove in some cases.
===========================================
We need to get one setting fixed:
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
Code: 
File::
Extra::
Firefox::
Firefox-: - Profile- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ov3wgo5u.default\
Firefox-: - prefs.js- Search.DefaultURL
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
I'd like to run an online virus scan:
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
    esetonlinescannersettings_thumb.jpg
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives/
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

Please leave the log in your next reply.
 
Bobbye,
It seems that no problems remain and the computer is running much smoother now with no unusual behavior. But, ESETOnline found some things. See below.

New CF Log

ComboFix 12-04-26.01 - Administrator 04/28/2012 16:21:52.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1348 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-28 )))))))))))))))))))))))))))))))
.
.
2012-04-27 19:01 . 2012-04-27 19:01--------d-----w-c:\program files\Common Files\Java
2012-04-27 19:01 . 2012-04-27 19:0173728----a-w-c:\windows\system32\javacpl.cpl
2012-04-27 02:49 . 2012-04-27 02:49--------d-----w-C:\TDSSKiller_Quarantine
2012-04-26 16:38 . 2012-04-04 20:5622344----a-w-c:\windows\system32\drivers\mbam.sys
2012-04-25 04:01 . 2012-04-25 04:01--------d-----w-c:\program files\Common Files\Steam
2012-04-24 22:57 . 2012-04-24 22:57--------d-s---w-c:\documents and settings\NetworkService\UserData
2012-04-13 19:12 . 2012-04-25 04:46--------d-----w-c:\program files\Common Files\Symantec Shared
2012-04-13 19:12 . 2012-04-25 04:46--------d-----w-c:\documents and settings\All Users\Application Data\Norton
2012-04-04 05:53 . 2012-04-04 05:53182160----a-w-c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-04-04 05:53 . 2012-04-04 05:53182160----a-w-c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-27 19:01 . 2010-04-15 20:23472808----a-w-c:\windows\system32\deployJava1.dll
2009-06-05 17:09 . 2009-06-05 17:09774144----a-w-c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-27_02.43.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-27 19:01 . 2012-04-27 19:0116384 c:\windows\Temp\Perflib_Perfdata_570.dat
+ 2001-08-23 12:00 . 2012-04-27 02:4787674 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2012-04-18 19:0687674 c:\windows\system32\perfc009.dat
+ 2011-06-06 17:55 . 2011-06-06 17:5517304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\ViewerPS.dll
+ 2011-06-06 17:55 . 2011-06-06 17:5535736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe
+ 2011-06-06 17:55 . 2011-06-06 17:5588992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlr.dll
+ 2011-06-06 17:55 . 2011-06-06 17:5594608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\eula.exe
+ 2011-06-06 17:55 . 2011-06-06 17:5549064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrotextextractor.exe
+ 2011-06-06 17:55 . 2011-06-06 17:5517824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32Info.exe
+ 2011-06-06 17:55 . 2011-06-06 17:5563912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acroiehelpershim.dll
+ 2011-06-06 17:55 . 2011-06-06 17:5564928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroIEHelper.dll
+ 2011-06-06 17:55 . 2011-06-06 17:5563384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\Acrofx32.dll
+ 2001-08-23 12:00 . 2012-04-27 02:47502402 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2012-04-18 19:06502402 c:\windows\system32\perfh009.dat
+ 2012-04-27 19:01 . 2012-04-27 19:01157472 c:\windows\system32\javaws.exe
+ 2012-04-27 19:01 . 2012-04-27 19:01149280 c:\windows\system32\javaw.exe
+ 2012-04-27 19:01 . 2012-04-27 19:01149280 c:\windows\system32\java.exe
+ 2012-04-27 19:01 . 2012-04-27 19:01203776 c:\windows\Installer\365a484.msi
+ 2012-04-27 19:01 . 2012-04-27 19:01901120 c:\windows\Installer\365a47d.msi
+ 2011-06-06 17:55 . 2011-06-06 17:55249232 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\sqlite.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55394136 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\pdfshell.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55103848 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlrShim.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55183696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\nppdf32.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AiodLite.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55937920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\adobearm.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55102808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRdIF.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55755088 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroPDF.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55296344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrobroker.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\a3dutils.dll
+ 2012-04-27 18:59 . 2012-04-27 18:592295808 c:\windows\Installer\365a477.msi
+ 2011-06-06 17:55 . 2011-06-06 17:552215312 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\rt3d.dll
+ 2011-06-06 17:55 . 2011-06-06 17:551189004 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JSByteCodeWin.bin
+ 2011-06-06 17:55 . 2011-06-06 17:556543768 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\authplay.dll
+ 2011-06-06 17:55 . 2011-06-06 17:551240992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AdobeCollabSync.exe
+ 2011-06-06 17:55 . 2011-06-06 17:551480600 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.exe
+ 2012-04-04 11:17 . 2012-04-04 11:1716613376 c:\windows\Installer\365a478.msp
+ 2011-06-06 17:55 . 2011-06-06 17:5524731544 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-18 39408]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-10-29 3077528]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-17 113664]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-7-5 278528]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2012-02-28 23:381987976----a-w-c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-05-01 05:311657376----a-w-c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2012-04-25 04:021242448----a-w-d:\steam games\Steam.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Ubisoft\\Related Designs\\Dawn of Discovery\\tools\\Anno4Web.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57924:TCP"= 57924:TCP:pando Media Booster
"57924:UDP"= 57924:UDP:pando Media Booster
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/15/2009 6:36 PM 721904]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2/28/2012 6:38 PM 1373576]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/26/2012 11:38 AM 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/26/2012 11:38 AM 22344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9e3f9fd9ba96e;Google Update Service (gupdate1c9e3f9fd9ba96e);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2009 10:18 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2009 10:18 PM 133104]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\DRIVERS\WUSB54GSCV2.sys --> c:\windows\system32\DRIVERS\WUSB54GSCV2.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*Deregistered* - ElbyCDIO
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Intels51
NETw3x32
3dkeybd
StkAMini
fcprintservice
hsf_dpv
icdsptsv
mmc_2K
wampmysqld
rdnaoflsvc
vvoice
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 03:18]
.
2012-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 03:18]
.
2012-04-28 c:\windows\Tasks\HP Photo Creations Messager.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{C6DA8D22-8FB1-49C6-8F14-BEAF68B8EC05}: NameServer = 68.94.156.1,68.94.157.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ov3wgo5u.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Administrator\Application Data\Move Networks
FF - Ext: Poster: {d48a39ba-8f80-4fce-8ee1-bc710561c55d} - %profile%\extensions\{d48a39ba-8f80-4fce-8ee1-bc710561c55d}
FF - Ext: EBrary Reader Plugin: reader_plugin@ebrary.com - %profile%\extensions\reader_plugin@ebrary.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-28 16:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3888)
c:\windows\system32\msi.dll
.
Completion time: 2012-04-28 16:27:57
ComboFix-quarantined-files.txt 2012-04-28 21:27
ComboFix2.txt 2012-04-27 18:31
ComboFix3.txt 2012-04-27 02:47
.
Pre-Run: 14,815,543,296 bytes free
Post-Run: 14,803,599,360 bytes free
.
- - End Of File - - 3C6511DE4E1FB3A589C3970118610D99
ESETOnline LOG
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\fegnqddd.exe.virWin32/Agent.PAZ trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1027\A0090685.sysWin32/Sirefef.DA trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1027\A0090699.sysWin32/Sirefef.DA trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1027\A0090757.sysWin32/Sirefef.DA trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1027\A0090770.sysWin32/Sirefef.DA trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1027\A0090783.sysWin32/Sirefef.DA trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1028\A0090964.sysWin32/Sirefef.DA trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1028\A0090976.sysWin32/Sirefef.DA trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1028\A0090988.sysWin32/Sirefef.DA trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1028\A0091002.sysWin32/Sirefef.DA trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0091022.sysWin32/Sirefef.DA trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0091041.sysWin32/Sirefef.DA trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0091058.sysWin32/Sirefef.DA trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0091082.sysWin32/Sirefef.DA trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0091111.sysWin32/Sirefef.DA trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0091135.sysWin32/Sirefef.DA trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0091343.exeWin32/Agent.PAZ trojan
C:\System Volume Information\_restore{139AC616-FFF5-408F-A2C8-04590E0B6FA9}\RP1029\A0094461.exeWin32/Agent.PAZ trojan
 
Glad to hear the problems have been resolved.

There are no new entries in the Eset scan. The Qoobox is where Combofix puts the files it quarantined. They are no longer active and will be removed when Combofix is uninstalled. System Volume is where restore points are kept. the malware in the restore point is not active on the system unless you do a system restore and happen to pick one of those infected restore points. Because of that, at the end of cleaning, I will have you set a new, clean restore point and drop the old ones. Unfortunately, virus scanners can't read 'location.'

*NewlyCreated* - JAVAQUICKSTARTERSERVICE> Unfortunately, when you update Java, Sun throws this in. It doesn't need to run:
Click on Start> Run> type in services.msc> Enter> Double click on Java Quick Start> Change the Startup type to Disabled> Stop the Service.
Exit Services.
================================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.
Empty the Recycle Bin
==============================================
You may find the following helpful: (Links are Bold Blue)
Tips for added security and safer browsing:
  1. Browser Security
    [o] Making Internet Explorer Safer
    [o] Use a Site Advisor..
  2. Have layered Security:
    [o]Antivirus Software(only one):
    [o]Firewall (only one)
  3. Antispyware/Security: I recommend all of the following:
    [o]Spywareblaster:Protects against bad ActiveX.
    [o]IE/Spyad Restricts bad domains.
    [o]MVPS Hosts files Directs HOSTS file to 127.0.0.1 which is your local computer.
  4. Stay current on updates:
    [o] Windows Updates. You should get All updates marked Critical and the current SP updates.
    [o] Adobe Reade. Uninstall old.
    [o]Java Uninstall old.
  5. Reset Cookies to prevent Tracking Cookies:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
    [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
  6. Do regular Maintenance
    [o]To include Disc Cleanup, Defrag, Error Check/
    [o]Remove Temporary Internet Files regularly:TFC
  7. Understand Restore Points: System Restore Guide
  8. Practice Safe Email Handling
  9. [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
    [o] Don't leave your personal email address on the internet/ Have a separate email account on free web-based mail.
 

Similar threads

S
Problem with computer installation
Replies
0
Views
147
Smilady
S
A
The official "Bing Wallpaper app" does some nasty, malware-like things to Windows
2
Replies
48
Views
1K
ZedRM
ZedRM
PierreJG
Linux Shortcuts does not work
Replies
2
Views
160
TooQik
T

Latest posts

Back