Solved Svchost hogging resources ... internet searches being redirected


jgf

System is Vista Home Premium 32, SP2; AV is Avira for full-time protection, supplemented by weekly scans with MSE, Malwarebytes, and Spybot. Installed Ad-Aware today; after over three hours just to scan my C drive I stopped it, though it did find three items. After reading a thread on a similar problem, I d/l'd and ran combofix (safe mode w/network, all programs closed), but did nothing with it beyond that.

Both problems appeared simultaneously a few days ago. Clicking on any result from a web search will briefly show the correct URL in the status bar, but it is quickly replaced by the likes of "exclusivephonedeals.com" or "bigyellowdirectory.com". Fortunately my browser is set to not allow redirects; if I click on the search result several times I eventually get the correct page.

The second, and more serious, problem is that something persistently opens a new system svchost running 16-18 LAN services which quickly consumes 90% CPU and 150-400 meg of memory. If left unattended this rapidly overheats the CPU and the system restarts. So now I'm running Task Manager constantly so I can keep an eye on the CPU monitor in the system tray. This occurs whether I'm online or not; it doesn't matter if I physically disconnect the cable. It also occurs in safe mode, though there only three of the LAN items appear in the offending svchost: ikeext, profsvc, and winmgmt. (As I type this I had to "end process" the svchost, which was using 80% CPU and 450 meg of memory.)

//////////////////////////

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-06-05 04:50:50
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000009b Hitachi_ rev.V5CO
Running: twk7oxr4.exe; Driver: C:\Users\KHRODK~1\AppData\Local\Temp\pxldapow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 MBR read error
Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84E2C1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 dvd43llh.sys (dvd43llh.sys/RIF)
Device \Driver\atapi \Device\Ide\IdePort0 84E2C1F8
Device \Driver\atapi \Device\Ide\IdePort0 dvd43llh.sys (dvd43llh.sys/RIF)
Device \Driver\atapi \Device\Ide\IdePort1 84E2C1F8
Device \Driver\atapi \Device\Ide\IdePort1 dvd43llh.sys (dvd43llh.sys/RIF)
Device \FileSystem\Ntfs \Ntfs 84E2F1F8

AttachedDevice \Driver\tdx \Device\Tcp pctgntdi.sys

Device \Device\0000009d -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDT725040VLA#4&2019003&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----
 
.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_22
Run by Khrod Kat at 4:58:36 on 2011-06-05
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.1116 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\dvd43\DVD43_Tray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\Ctxfihlp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\DriveGLEAM\drivegleam.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
J:\misc\GPU-Z.0.4.2.exe
J:\Paint Shop Pro 8\MB-Ruler\MB-Ruler.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Windows\Explorer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dogpile.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T5246
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DriveGLEAM] "c:\program files\drivegleam\drivegleam.exe" /STARTUP
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AtiTrayTools] "c:\program files\ray adams\ati tray tools\atitray.exe"
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.24 msi master overclocking arena 2009 edition\RivaTunerWrapper.exe" /S
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
dRun: [DevconDefaultDB] c:\windows\system32\READREG /SILENT /FAIL=1
StartupFolder: c:\users\khrodk~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\mb-ruler.lnk - j:\paint shop pro 8\mb-ruler\MB-Ruler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\gpu-z.lnk - j:\misc\GPU-Z.0.4.2.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mb-ruler.lnk - j:\paint shop pro 8\mb-ruler\MB-Ruler.exe
uPolicies-explorer: TaskbarNoThumbnail = 1 (0x1)
uPolicies-explorer: HideSCABattery = 0 (0x0)
uPolicies-explorer: HideSCANetwork = 0 (0x0)
uPolicies-explorer: HideSCAVolume = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll/206
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: bcsims.com\gpltd
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15116/CTPID.cab
TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
TCP: Interfaces\{D134D271-3206-4109-89F4-3A2CD7808D2C} : DhcpNameServer = 192.168.0.1 192.168.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\khrod kat\appdata\roaming\mozilla\firefox\profiles\nq6fx598.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dogpile.com/
FF - component: c:\users\khrod kat\appdata\roaming\mozilla\firefox\profiles\nq6fx598.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\khrod kat\appdata\roaming\mozilla\firefox\profiles\nq6fx598.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\khrod kat\appdata\roaming\mozilla\firefox\profiles\nq6fx598.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: WeatherBug: {3EC9C995-8072-4fc0-953E-4F30620D17F3} - %profile%\extensions\{3EC9C995-8072-4fc0-953E-4F30620D17F3}
FF - Ext: FireShot: {0b457cAA-602d-484a-8fe7-c1d894a011ba} - %profile%\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - Ext: Fast Youtube Downloader: fastYoutubeDownloader@yevgenyandrov.net - %profile%\extensions\fastYoutubeDownloader@yevgenyandrov.net
FF - Ext: CacheViewer: {71328583-3CA7-4809-B4BA-570A85818FBB} - %profile%\extensions\{71328583-3CA7-4809-B4BA-570A85818FBB}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2011-3-27 20384]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-1-30 233136]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-11-25 172032]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-12 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-12 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-12 61960]
R2 dvdmmg;dvdmmg;c:\windows\system32\drivers\dvdmmg.sys [2007-9-6 5504]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-3-25 21504]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2010-1-30 88040]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2010-1-30 818432]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-26 1153368]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-5-4 5550592]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-11-25 176128]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-9-15 38248]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-1-30 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2010-1-30 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2010-1-30 115216]
R3 rxpvbus;Reality XP Avionics Bus Driver;c:\windows\system32\drivers\rxpvbus.sys [2005-11-4 44032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ARLGIFXTP;ARLGIFXTP;c:\users\khrodk~1\appdata\local\temp\arlgifxtp.exe --> c:\users\khrodk~1\appdata\local\temp\ARLGIFXTP.exe [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2010-4-26 84832]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2011-5-25 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2011-5-25 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [2009-2-19 30984]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-5-25 2151128]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 43392]
S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2006-12-29 247808]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [2009-2-24 1984]
S3 SaiHFF04;SaiHFF04;c:\windows\system32\drivers\SaiHFF04.sys [2007-1-30 126344]
S3 SaiIFF04;Immersion's HID USB Driver (FF04);c:\windows\system32\drivers\SaiIFF04.sys [2007-1-30 16256]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 VZOTLKSYW;VZOTLKSYW;c:\users\khrodk~1\appdata\local\temp\vzotlksyw.exe --> c:\users\khrodk~1\appdata\local\temp\VZOTLKSYW.exe [?]
.
=============== Created Last 30 ================
.
2011-06-05 08:21:38 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-06-05 04:32:38 -------- d-sh--w- C:\$RECYCLE.BIN
2011-06-05 04:32:35 -------- d-----w- c:\users\khrod kat\appdata\local\temp
2011-06-05 04:21:07 98816 ----a-w- c:\windows\sed.exe
2011-06-05 04:21:07 518144 ----a-w- c:\windows\SWREG.exe
2011-06-05 04:21:07 256512 ----a-w- c:\windows\PEV.exe
2011-06-05 04:21:07 208896 ----a-w- c:\windows\MBR.exe
2011-06-05 03:59:51 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-05 03:54:32 -------- d-----w- c:\program files\Lavasoft
2011-06-03 12:31:30 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{05f44ba6-b9c3-4c92-a4f1-8650533e0ed1}\mpengine.dll
2011-05-31 13:42:50 -------- d-----w- c:\users\khrod kat\appdata\local\DestinationFinder
2011-05-31 13:02:28 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-05-31 13:02:28 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-05-31 13:00:28 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-05-28 09:59:38 -------- d-----w- c:\users\khrod kat\appdata\roaming\runic games
2011-05-28 09:41:19 -------- d-----w- c:\program files\common files\Datalode
2011-05-25 09:18:25 53248 ------w- c:\windows\Ctregrun.exe
2011-05-25 07:26:39 -------- d-----w- c:\program files\common files\Creative Labs Shared
2011-05-25 07:26:00 102400 ----a-w- c:\windows\system32\cttele32.dll
2011-05-25 07:24:25 -------- d-----w- c:\windows\system32\Data
2011-05-25 07:24:11 22691984 ----a-w- c:\windows\system32\AppSetup.exe
2011-05-24 12:45:03 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-23 05:08:03 -------- d-----w- c:\programdata\PopCap Games
2011-05-14 16:16:20 -------- d-----w- c:\program files\ATI Technologies
2011-05-14 16:16:18 -------- d-----w- c:\program files\ATI
2011-05-14 16:15:36 -------- d-----w- C:\ATI
2011-05-06 16:44:11 -------- d-----w- c:\users\khrod kat\appdata\roaming\atitray
2011-05-06 16:25:44 -------- d-----w- c:\program files\Ray Adams
2011-05-06 15:06:02 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-05-06 15:06:02 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-05-06 15:05:30 876032 ----a-w- c:\windows\system32\XpsPrint.dll
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-25 07:25:52 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2011-05-25 07:25:52 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2011-05-12 23:08:30 737280 ----a-w- c:\windows\iun6002.exe
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_ rev.V5CO -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x854624D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x854687f0]; MOV EAX, [0x8546886c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x8205311B] -> \Device\Harddisk0\DR0[0x8538A0C8]
3 CLASSPNP[0x885A08B3] -> nt!IofCallDriver[0x8205311B] -> [0x84ED1E00]
5 acpi[0x826E86BC] -> nt!IofCallDriver[0x8205311B] -> [0x84ED87E8]
\Driver\nvstor32[0x84FEEB48] -> IRP_MJ_CREATE -> 0x854624D0
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\0000009d -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDT725040VLA#4&2019003&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
sectors 781422766 (+7): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 4:59:51.06 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-03.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 2/6/2008 3:20:17 PM
System Uptime: 6/5/2011 4:45:50 AM (0 hours ago)
.
Motherboard: Gateway | | MCP61SM2MA
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2200/201mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 69 GiB total, 3.657 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 4.513 GiB free.
E: is CDROM (CDFS)
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is FIXED (NTFS) - 146 GiB total, 59.989 GiB free.
L: is FIXED (NTFS) - 146 GiB total, 17.94 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB CF Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#920321111113&1#
Manufacturer: Generic
Name: USB CF Reader
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#920321111113&1#
Service: WUDFRd
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB MS Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MS_READER&REV_1.03#920321111113&3#
Manufacturer: Generic
Name: USB MS Reader
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MS_READER&REV_1.03#920321111113&3#
Service: WUDFRd
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB SD Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SD_READER&REV_1.00#920321111113&0#
Manufacturer: Generic
Name: USB SD Reader
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SD_READER&REV_1.00#920321111113&0#
Service: WUDFRd
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB SM Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SM_READER&REV_1.02#920321111113&2#
Manufacturer: Generic
Name: USB SM Reader
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SM_READER&REV_1.02#920321111113&2#
Service: WUDFRd
.
==== System Restore Points ===================
.
RP1312: 6/1/2011 8:31:33 AM - Windows Update
RP1313: 6/2/2011 8:31:04 AM - Windows Update
RP1314: 6/3/2011 8:31:04 AM - Windows Update
.
==== Installed Programs ======================
.
.
µTorrent
ActiveSky Version 6 and ActiveSky Graphics
Ad-Aware
Adobe Audition 1.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
aerosoft's - New Spanish Airports - FS2004
aerosoft's - Pro Flight Emulator Deluxe
Aircraft Container SDK
Allway Sync version 10.3.8
ALMS 2009 GT2 MOD v1.2 for GTR2
Amnesia - The Dark Descent
Apple Application Support
Apple Software Update
Applian FLV Player
Application Mover
ArcSoft VideoImpression 2
Ashampoo Burning Studio 6
Astroburn Lite
ATI Catalyst Install Manager
AV DVD Player Morpher
Avira AntiVir Personal - Free Antivirus
AVS DVD Copy version 4.1.1
AVS DVD Player version 2.4
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Bejeweled 2 Deluxe 1.0
BitComet 1.17
BlindWrite 6
Brazil Megapack 05/2008 FS2004 v1.0
CCleaner (remove only)
CD Recovery Toolbox Free 1.1
Chessmaster 7000
Core Temp version 0.99.8
CR-Software's - German Landmarks FS2004
Creative ALchemy
Creative Audio Control Panel
Creative Console Launcher
Creative MediaSource 5
Creative Smart Recorder
Creative Software AutoUpdate
Creative Sound Blaster Properties
Creative System Information
Creative WaveStudio 7
Curtiss-Wright AT-32 Condor for FSX or FS2004
D-Fend Reloaded 0.9.1 (deinstall)
DDS Converter 2.1
DDS Thumbnail Viewer
Deus Ex
Digital Media Reader
DriveGLEAM V1.08
Driver Sweeper 2.1.0
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD43 v4.6.0
DVDFab 7.0.4.0 (15/04/2010)
eMachines Recovery Center Installer
erLT
Farm Frenzy 3 American Pie
Farm Frenzy 2
feelThere Florida Landings 1.0
Flight Simulator 2004 Special Effects SDK
Flight Simulator 2004 Traffic Toolbox SDK
Flight Simulator 2004 Weather Themes SDK
FlightSim Manager
FormatFactory 2.50
Fraps
Free Easy Burner V 3.8
FS Panel Studio for FSX Build 20207
FS Real Time v1.64
FSRepaint
Game Booster
GARMIN 400 Series Trainer
German Landmarks FS2004
Ground Environment Professional
GT Legends 1.1.0.0
GTR 2 1.0.0.0
GTR2 Championship Manager
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImgBurn
Insectoid 1.02
ISO Recorder
IsoBuster 2.0
Jasc Paint Shop Pro 8
Jasc Paint Shop Pro 8.10 Update Patch
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) SE Runtime Environment 6 Update 1
JGoodies JDiskReport 1.3.2
Legendary 707
Lockheed Orion 9 for FSX or FS2004
Malwarebytes' Anti-Malware version 1.51.0.1200
Media Player Classic - Home Cinema v1.5.0.2827
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Baseline Security Analyzer 2.1
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft IntelliPoint 8.0
Microsoft IntelliType Pro 7.1
Microsoft Office 97, Professional Edition
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Windows Media Video 9 VCM
Microsoft WSE 2.0 SP3 Runtime
Morrowind
Moscow Global Scenery - Version 1.2
Mozilla Firefox (3.6.17)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
No One Lives Forever
NoteTab Light (Remove only)
NVIDIA DDS Utilities
NVIDIA Photoshop Plug-ins
Object Fix Zip
OneTouch Version 3.0
OpenAL
PC Tools Firewall Plus 6.0
PicNic
Player
Power2Go 5.0
Prompt Media Player 2.1
Ptolemy
Python 2.4.1
Python 2.5.4
Python 2.6 comtypes-0.6.2
Python 2.6 psyco-1.6
Python 2.6 pywin32-214
Python 2.6.5
QuickTime
Railroad Tycoon II - Platinum
Ray Adams ATI Tray Tools
Real Environment Xtreme FS2004
Rename Us 3.03
Richard Burns Rally
RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
RunAlyzer
SceneryConfigEditor v1.0.5 (remove only)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Sierra Utilities
SimCity 2000® Special Edition
Simmer's Sky - Japanese Airports vol.1
Simmer's Sky - Japanese Airports vol.2
Simmer's Sky - Japanese Airports vol.3
Simmer's Sky - Japanese Airports vol.4
Simmer's Sky - Japanese Airports vol.5
Simmer's Sky - Japanese Airports vol.6
Simmer's Sky - Japanese Airports vol.7
Simmer's Sky - Japanese Airports vol.8
Simmer's Sky - Japanese Airports vol.9
SolSuite 2010 v10.1
Sonar Screensaver 1.00
Spare Backup
Spybot - Search & Destroy
StreamTransport version: 1.0.2.2041
Super Flight Planner 3.0.3
System47 Screen Saver
TES Construction Set
TextCrawler 1.1.4
Thumbplug TGA
TorchED
Torchlight
TUGZip 3.4
UK SRTM Terrain Mesh Scenery for FS2004
Ultimate Terrain - Canada & Alaska
Ultimate Terrain - Europe
Ultimate Terrain - USA
UltimateDefrag V1 FREE Public Domain Version
Unlocker 1.8.8
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
URL Snooper v2.28.01
VcrSaver
Virtual City
Vista Visual Master
WinBMD
Windows Media Player Firefox Plugin
WinPcap 4.1.1
WinRAR archiver
Works Upgrade
World of Warcraft FREE Trial
WSGT by RMT for GTR2
wxPython 2.5.3.1 (ansi) for Python 2.4
wxPython 2.8.0.1 (ansi) for Python 2.5
wxPython 2.8.11.0 (ansi) for Python 2.6
X-treme King Air B200 v.2.0.1
XQDC X-Setup Pro 9.2.100
XviD MPEG4 Video Codec (remove only)
.
==== Event Viewer Messages From Past Week ========
.
6/5/2011 4:51:36 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
6/5/2011 4:48:31 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
6/5/2011 4:48:06 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
6/5/2011 4:48:06 AM, Error: Service Control Manager [7000] - The NVR0FLASHDev service failed to start due to the following error: The system cannot find the file specified.
6/5/2011 4:46:35 AM, Error: EventLog [6008] - The previous system shutdown at 4:44:01 AM on 6/5/2011 was unexpected.
6/5/2011 4:41:39 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.
6/5/2011 4:41:38 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
6/5/2011 12:30:20 AM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
6/5/2011 12:30:12 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
6/5/2011 12:21:11 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
6/5/2011 12:18:36 AM, Error: Service Control Manager [7034] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 3 time(s).
6/5/2011 12:16:22 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
6/5/2011 12:16:22 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
6/5/2011 12:16:22 AM, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
6/5/2011 12:16:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/5/2011 12:02:49 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
6/5/2011 12:02:47 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atitray avipbb i8042prt MpFilter spldr sptd ssmdrv Wanarpv6
6/5/2011 12:02:47 AM, Error: Service Control Manager [7019] - The Print Spooler service depends on a service in a group which starts later. Change the order in the service dependency tree to ensure that all services required to start this service are starting before this service is started.
6/5/2011 12:02:47 AM, Error: Service Control Manager [7018] - Detected circular dependencies auto-starting services. Check the service dependency tree.
6/5/2011 12:02:47 AM, Error: Service Control Manager [7001] - The Creative Audio Service service depends on the Windows Audio service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 12:02:47 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
6/5/2011 12:02:41 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
6/5/2011 12:02:41 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
6/5/2011 12:01:49 AM, Error: sptd [4] - Driver detected an internal error in its data structures for .
6/4/2011 9:59:06 AM, Error: srv [2020] - The server was unable to allocate from the system paged pool because the pool was empty.
6/4/2011 9:36:39 AM, Error: srv [2018] - The server was unable to allocate from the system paged pool because the server reached the configured limit for paged pool allocations.
6/4/2011 9:35:18 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 68.75.23.77 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
6/4/2011 8:04:28 AM, Error: EventLog [6008] - The previous system shutdown at 8:02:55 AM on 6/4/2011 was unexpected.
6/4/2011 8:01:03 AM, Error: Microsoft-Windows-Kernel-General [6] - An I/O operation initiated by the Registry failed unrecoverably.The Registry could not flush hive (file): '\SystemRoot\System32\Config\SOFTWARE'.
6/4/2011 8:00:45 AM, Error: Microsoft-Windows-Kernel-General [6] - An I/O operation initiated by the Registry failed unrecoverably.The Registry could not flush hive (file): '\??\C:\Users\Khrod Kat\ntuser.dat'.
6/4/2011 5:15:32 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 68.75.20.26 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
6/4/2011 5:13:04 AM, Error: Microsoft-Windows-SharedAccess_NAT [34001] - The ICS_IPV6 failed to configure IPv6 stack.
6/4/2011 5:09:46 AM, Error: EventLog [6008] - The previous system shutdown at 5:07:41 AM on 6/4/2011 was unexpected.
6/4/2011 11:41:00 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.105.1184.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6903.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
6/4/2011 11:30:33 PM, Error: EventLog [6008] - The previous system shutdown at 11:27:18 PM on 6/4/2011 was unexpected.
6/3/2011 3:15:30 PM, Error: EventLog [6008] - The previous system shutdown at 3:10:29 PM on 6/3/2011 was unexpected.
5/31/2011 3:56:29 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 99.168.75.182 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
5/29/2011 7:48:06 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 68.75.17.211 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
5/29/2011 12:39:42 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 68.75.16.42 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
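As an added example, not code from the thread or from any of the tools named in it, here is a small Python triage pass over the DDS event-log lines pasted above. It pulls out the signals a helper reads first in a log like this: dirty shutdowns, services that died in the same second (the cluster at 12:16:22 AM is WMI, User Profile and IKE, the same three the poster saw inside the runaway svchost in safe mode), boot-start drivers that failed to load, and repeated DHCPNACKs per network card. The sample lines are excerpted from this thread's own log and embedded as test input.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines excerpted from the DDS "Event Log" section pasted in this thread
# (date time, level: source [event id] - message). Used here as a fixed sample.
SAMPLE_LOG = """\
6/5/2011 4:51:36 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
6/5/2011 4:48:31 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
6/5/2011 4:46:35 AM, Error: EventLog [6008] - The previous system shutdown at 4:44:01 AM on 6/5/2011 was unexpected.
6/5/2011 12:18:36 AM, Error: Service Control Manager [7034] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 3 time(s).
6/5/2011 12:16:22 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
6/5/2011 12:16:22 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
6/5/2011 12:16:22 AM, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
6/5/2011 12:02:47 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atitray avipbb i8042prt MpFilter spldr sptd ssmdrv Wanarpv6
6/4/2011 9:35:18 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 68.75.23.77 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
6/4/2011 8:04:28 AM, Error: EventLog [6008] - The previous system shutdown at 8:02:55 AM on 6/4/2011 was unexpected.
"""

# One DDS event line: "M/D/YYYY H:MM:SS AM, Level: Source [id] - message"
LINE_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
CRASH_RE = re.compile(r"^The (?P<service>.+?) service terminated unexpectedly")
DRIVERS_RE = re.compile(r"failed to load: (?P<drivers>.+)$")
DHCP_RE = re.compile(
    r"lease (?P<lease>[\d.]+) .*network address (?P<mac>[0-9A-Fa-f]{12}) "
    r".*DHCP server (?P<server>[\d.]+)"
)


def parse_event(line):
    """Parse one DDS event-log line into a dict; returns None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    ev["ts"] = datetime.strptime(ev["when"], "%m/%d/%Y %I:%M:%S %p")
    return ev


def triage(log_text):
    """Summarise the signals a helper reads first from a DDS event-log dump."""
    events = [ev for ev in map(parse_event, log_text.splitlines()) if ev]
    events.sort(key=lambda ev: ev["ts"])  # DDS lists newest first; re-order

    shutdowns = 0
    crashes = defaultdict(list)  # "when" string -> services that died then
    drivers = set()
    dhcp = defaultdict(lambda: {"count": 0, "leases": [], "servers": set()})

    for ev in events:
        msg = ev["message"]
        if ev["event_id"] == 6008:  # EventLog: previous shutdown was unexpected
            shutdowns += 1
        elif ev["event_id"] in (7031, 7034):  # SCM: service terminated unexpectedly
            m = CRASH_RE.match(msg)
            if m:
                crashes[ev["when"]].append(m.group("service"))
        elif ev["event_id"] == 7026:  # SCM: boot/system-start drivers not loaded
            m = DRIVERS_RE.search(msg)
            if m:
                drivers.update(m.group("drivers").split())
        elif ev["event_id"] == 1002 and "DHCPNACK" in msg:  # lease refused
            m = DHCP_RE.search(msg)
            if m:
                rec = dhcp[m.group("mac").upper()]
                rec["count"] += 1
                rec["leases"].append(m.group("lease"))
                rec["servers"].add(m.group("server"))

    return {
        "unexpected_shutdowns": shutdowns,
        # Several services dying in the same second is one incident, not several;
        # that set is what to compare against the services hosted by the svchost
        # the poster keeps killing.
        "crash_clusters": [(w, s) for w, s in crashes.items() if len(s) > 1],
        "single_crashes": [(w, s[0]) for w, s in crashes.items() if len(s) == 1],
        # Drivers that fail at boot are worth checking against the installed
        # security products before blaming anything else.
        "failed_boot_drivers": sorted(drivers),
        "dhcp_nacks": {mac: dict(r, servers=sorted(r["servers"])) for mac, r in dhcp.items()},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```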
 
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6773

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

6/5/2011 4:35:29 AM
mbam-log-2011-06-05 (04-35-29).txt

Scan type: Quick scan
Objects scanned: 149040
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



////////////////////////////
I know you didn't ask, but here is the Ad-Aware log.
/////////////////////////
AdAware log deleted by Bobbye. Not requested.
 
Addendum: in my own plodding way, I noticed the "Warning: possible TDL3 rootkit infection !" message, researched it, and applied the Kaspersky fix from the bleepingcomputer site. It detected the rootkit and said it cured it. Whether that is part, or all, of the problem remains to be seen. Either way I'd be interested in anything of note you may glean from that mass of logs I dumped here (90% of which is completely unintelligible to me).
 
I know you didn't ask, but here is the Ad-Aware log.

No, I didn't. Please observe the following:
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
=========================================
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
==============================================
If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=======================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the download link to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
========================================
Please get your security down to one antivirus, one firewall (two or more antimalware programs). It is important when you use a suite to be aware of what's in it.
AV: Microsoft Security Essentials: Antivirus, Firewall, antimalware
AV: AntiVir Desktop: Antivirus
FW: PC Tools Firewall Plus 6.0
----------------------Total: 2 AV, 2 Firewall...(SP is okay)-------------------------
================================
P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent and BitComet for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
--------------------------------
If you decide not to uninstall these file sharing programs, please disable them and do not use them while we are cleaning.
 
The TDSSKiller is what I ran from Kaspersky; it supposedly found and cured a TDL4 rootkit. (This may have been the trouble. Have been using the computer since starting this thread and the offending svchost hasn't reared its ugly head, nor have I experienced more than the usual amount of websearch redirects.)

Avira is the only active AV software on the system; the others are run on demand.

Am aware of the risks of P2P software and, on the rare occasions I use it, only use torrents from a specific source. (uTorrent hasn't been used for at least a year, BitComet perhaps once a month.) FWIW, all downloads, whether from a torrent source or from Microsoft, go to a separate partition where they're hit with all my antimalware programs before I even access a readme.

Will do the ESET scan later this evening and get back to you.
 
ComboFix 11-06-04.02 - Khrod Kat 06/05/2011 0:23.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.1503 [GMT -4:00]
Running from: c:\users\Khrod Kat\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\defender.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
c:\users\Khrod Kat\AppData\Roaming\inst.exe
c:\users\Khrod Kat\Documents\reg_bkp.reg
c:\windows\system\idapi32.dll
c:\windows\system\msvbvm60.dll
c:\windows\system32\SCLabel.ocx
c:\windows\system32\spool\prtprocs\w32x86\Ppbiproc.dll
c:\windows\Update.bat
.
.
((((((((((((((((((((((((( Files Created from 2011-05-05 to 2011-06-05 )))))))))))))))))))))))))))))))
.
.
2011-06-05 04:30 . 2011-06-05 04:30 -------- d-----w- c:\users\Khrod Kat\AppData\Local\temp
2011-06-05 04:12 . 2011-06-05 04:20 -------- d-----w- C:\32788R22FWJFW
2011-06-05 03:59 . 2011-06-05 03:59 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-05 03:54 . 2011-06-05 03:54 -------- d-----w- c:\programdata\Lavasoft
2011-06-05 03:54 . 2011-06-05 03:54 -------- d-----w- c:\program files\Lavasoft
2011-06-03 12:31 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{05F44BA6-B9C3-4C92-A4F1-8650533E0ED1}\mpengine.dll
2011-05-31 13:42 . 2011-05-31 13:42 -------- d-----w- c:\users\Khrod Kat\AppData\Local\DestinationFinder
2011-05-31 13:02 . 2009-07-14 17:45 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-05-31 13:02 . 2009-07-14 17:45 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-05-31 13:00 . 2011-05-31 13:00 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-05-28 09:59 . 2011-05-28 09:59 -------- d-----w- c:\users\Khrod Kat\AppData\Roaming\runic games
2011-05-28 09:41 . 2011-05-28 09:41 -------- d-----w- c:\program files\Common Files\Datalode
2011-05-25 09:18 . 2006-10-06 18:17 53248 ------w- c:\windows\Ctregrun.exe
2011-05-25 07:26 . 2011-05-25 07:26 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
2011-05-25 07:26 . 2008-02-04 14:27 102400 ----a-w- c:\windows\system32\cttele32.dll
2011-05-25 07:24 . 2011-05-25 07:25 -------- d-----w- c:\windows\system32\Data
2011-05-25 07:24 . 2009-05-18 18:34 22691984 ----a-w- c:\windows\system32\AppSetup.exe
2011-05-24 12:45 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-23 05:08 . 2011-05-26 09:15 -------- d-----w- c:\programdata\PopCap Games
2011-05-14 16:16 . 2011-05-14 16:16 -------- d-----w- c:\program files\ATI Technologies
2011-05-14 16:16 . 2011-05-14 18:30 -------- d-----w- c:\program files\ATI
2011-05-14 16:15 . 2011-05-14 16:15 -------- d-----w- C:\ATI
2011-05-06 16:44 . 2011-05-06 16:44 -------- d-----w- c:\users\Khrod Kat\AppData\Roaming\atitray
2011-05-06 16:25 . 2011-05-06 16:25 -------- d-----w- c:\program files\Ray Adams
2011-05-06 15:06 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-05-06 15:06 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-05-06 15:05 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 13:11 . 2010-01-04 07:09 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2010-01-04 07:09 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-25 07:25 . 2010-04-13 08:19 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2011-05-25 07:25 . 2010-04-13 08:19 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2011-05-12 23:08 . 2009-06-24 06:56 737280 ----a-w- c:\windows\iun6002.exe
2011-05-09 20:46 . 2010-05-06 00:43 6962000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-03 09:23 . 2010-05-12 13:31 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-10 17:03 . 2011-04-21 08:50 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-21 08:50 1136640 ----a-w- c:\windows\system32\mfc42.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DriveGLEAM"="c:\program files\DriveGLEAM\drivegleam.exe" [2009-10-23 86560]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"AtiTrayTools"="c:\program files\Ray Adams\ATI Tray Tools\atitray.exe" [2011-03-27 929280]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-06 281768]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe" [2009-08-22 24576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"CTxfiHlp"="CTXFIHLP.EXE" [2010-05-05 25600]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-01-07 1797488]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\system32\READREG" [X]
.
c:\users\Khrod Kat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MB-Ruler.lnk - j:\paint shop pro 8\MB-Ruler\MB-Ruler.exe [2009-3-29 1729536]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
GPU-Z.lnk - j:\misc\GPU-Z.0.4.2.exe [2010-5-15 521568]
MB-Ruler.lnk - j:\paint shop pro 8\MB-Ruler\MB-Ruler.exe [2009-3-29 1729536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoThumbnail"= 1 (0x1)
"HideSCABattery"= 0 (0x0)
"HideSCANetwork"= 0 (0x0)
"HideSCAVolume"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2010-05-05 23:56 25600 ----a-w- c:\windows\System32\Ctxfihlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
2002-09-24 13:21 86016 ----a-w- c:\program files\Visioneer OneTouch\OneTouchMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTuner]
2009-08-22 18:25 24576 ----a-w- c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
2007-09-14 00:22 5252936 ----a-w- c:\program files\Spare Backup\SpareBackup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ehTray.exe"=c:\windows\ehome\ehTray.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EVGAPrecision"="c:\program files\EVGA Precision\EVGAPrecisionWrapper.exe" /s
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3867056976-849016701-749785769-1000]
"EnableNotificationsRef"=dword:00000001
.
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-03-03 691696]
R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [2011-03-27 20384]
R1 MpKsl0f70f70a;MpKsl0f70f70a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{952C9FE2-9A5C-48BD-9199-4EDE1505C3CA}\MpKsl0f70f70a.sys [x]
R1 MpKsl103ede34;MpKsl103ede34;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{01B9831C-72E7-48C1-9915-F4CC1013D5E6}\MpKsl103ede34.sys [x]
R1 MpKsl1e1f2bc1;MpKsl1e1f2bc1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C4A23112-7ACC-4A6E-B018-B7509526E591}\MpKsl1e1f2bc1.sys [x]
R1 MpKsl1ee6ef91;MpKsl1ee6ef91;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8AECCA0F-562A-42E2-9FE7-F8085C6A8A95}\MpKsl1ee6ef91.sys [x]
R1 MpKsl2d4ba727;MpKsl2d4ba727;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{952C9FE2-9A5C-48BD-9199-4EDE1505C3CA}\MpKsl2d4ba727.sys [x]
R1 MpKsl3b8d7755;MpKsl3b8d7755;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07DD9922-8C20-47ED-B9DC-43D7EE33E988}\MpKsl3b8d7755.sys [x]
R1 MpKsl3cf75429;MpKsl3cf75429;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DEB3B208-9C6A-495B-8F03-6F71490D24FE}\MpKsl3cf75429.sys [x]
R1 MpKsl43f62011;MpKsl43f62011;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8AECCA0F-562A-42E2-9FE7-F8085C6A8A95}\MpKsl43f62011.sys [x]
R1 MpKsl4b5ebc92;MpKsl4b5ebc92;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{77387393-FF56-4D04-B075-D1B686C7D2F3}\MpKsl4b5ebc92.sys [x]
R1 MpKsl58842128;MpKsl58842128;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DEB3B208-9C6A-495B-8F03-6F71490D24FE}\MpKsl58842128.sys [x]
R1 MpKsl5b2b60ca;MpKsl5b2b60ca;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8E8D3056-3418-4F22-A4E8-45F3AC0E6EFD}\MpKsl5b2b60ca.sys [x]
R1 MpKsl5ddde673;MpKsl5ddde673;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0A6590A4-02EF-4645-8FD9-7B749D27F641}\MpKsl5ddde673.sys [x]
R1 MpKsl6134ecdc;MpKsl6134ecdc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CF0D3EC4-CEC2-4970-B234-1EE163D110B6}\MpKsl6134ecdc.sys [x]
R1 MpKsl718d1d64;MpKsl718d1d64;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C4A23112-7ACC-4A6E-B018-B7509526E591}\MpKsl718d1d64.sys [x]
R1 MpKsl8ec72540;MpKsl8ec72540;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{517DD5B7-A9CA-4D71-94F0-CB5DDD2E3A8A}\MpKsl8ec72540.sys [x]
R1 MpKsl9c1f60a1;MpKsl9c1f60a1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B5A497F2-2210-4991-B750-A7CDC84BD29C}\MpKsl9c1f60a1.sys [x]
R1 MpKsla21e8826;MpKsla21e8826;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EB33FFD9-5B96-4DF1-B3C5-5353D9246D1C}\MpKsla21e8826.sys [x]
R1 MpKslab3c7881;MpKslab3c7881;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F21A05D4-AF4A-4988-8C62-DF5EB8E3BEAC}\MpKslab3c7881.sys [x]
R1 MpKslbc6dab23;MpKslbc6dab23;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8AECCA0F-562A-42E2-9FE7-F8085C6A8A95}\MpKslbc6dab23.sys [x]
R1 MpKslca39f714;MpKslca39f714;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8E8D3056-3418-4F22-A4E8-45F3AC0E6EFD}\MpKslca39f714.sys [x]
R1 MpKsld100c05f;MpKsld100c05f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A557C83D-2243-45EB-8AE0-636F69F67062}\MpKsld100c05f.sys [x]
R1 MpKsld2b27410;MpKsld2b27410;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F21A05D4-AF4A-4988-8C62-DF5EB8E3BEAC}\MpKsld2b27410.sys [x]
R1 MpKslde1ece80;MpKslde1ece80;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ADB9C3EA-CAEF-49FA-83C5-C87C591A7FC1}\MpKslde1ece80.sys [x]
R1 MpKslf38ff5f5;MpKslf38ff5f5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EC2E3395-A7BD-4883-A55B-D1753305677C}\MpKslf38ff5f5.sys [x]
R1 MpKslf5f3803f;MpKslf5f3803f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A81245E9-066A-43F0-9D0E-165C3443761B}\MpKslf5f3803f.sys [x]
R1 MpKslf824e5d5;MpKslf824e5d5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7FD14708-1216-4D3F-8C6A-04932F0C80B9}\MpKslf824e5d5.sys [x]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-05-05 172032]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-05-13 136360]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 dvdmmg;dvdmmg;c:\windows\system32\drivers\dvdmmg.sys [2007-09-06 5504]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-05-25 2151128]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-11-23 88040]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R3 ALSysIO;ALSysIO;c:\users\KHRODK~1\AppData\Local\Temp\ALSysIO.sys [x]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-05-05 5550592]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-05-05 176128]
R3 ARLGIFXTP;ARLGIFXTP;c:\users\KHRODK~1\AppData\Local\Temp\ARLGIFXTP.exe [x]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-05-25 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-05-25 79360]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2010-05-06 171096]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2010-05-06 171096]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2010-05-06 1324120]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2010-05-06 1324120]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2010-05-06 72792]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2010-05-06 72792]
R3 DisplayLinkUsbPort;DisplayLink USB Device; [x]
R3 GPU-Z;GPU-Z;c:\users\KHRODK~1\AppData\Local\Temp\GPU-Z.sys [x]
R3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\DRIVERS\imhidusb.sys [2002-12-04 30984]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2006-12-29 247808]
R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 papycpu;papycpu; [x]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-01-12 70664]
R3 pctplfw;pctplfw;c:\windows\System32\drivers\pctplfw.sys [2010-01-13 115216]
R3 SaiHFF04;SaiHFF04;c:\windows\system32\DRIVERS\SaiHFF04.sys [2007-01-30 126344]
R3 SaiIFF04;Immersion's HID USB Driver (FF04);c:\windows\system32\DRIVERS\SaiIFF04.sys [2007-01-30 16256]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 VZOTLKSYW;VZOTLKSYW;c:\users\KHRODK~1\AppData\Local\Temp\VZOTLKSYW.exe [x]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2010-01-07 233136]
S3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\DRIVERS\nvoclock.sys [2009-09-15 38248]
S3 pctNDIS;PC Tools Driver;c:\windows\system32\DRIVERS\pctNdis.sys [2010-01-07 58816]
S3 rxpvbus;Reality XP Avionics Bus Driver;c:\windows\system32\DRIVERS\rxpvbus.sys [2005-11-04 44032]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 06:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dogpile.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T5246
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: bcsims.com\gpltd
TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
FF - ProfilePath - c:\users\Khrod Kat\AppData\Roaming\Mozilla\Firefox\Profiles\nq6fx598.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dogpile.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: WeatherBug: {3EC9C995-8072-4fc0-953E-4F30620D17F3} - %profile%\extensions\{3EC9C995-8072-4fc0-953E-4F30620D17F3}
FF - Ext: FireShot: {0b457cAA-602d-484a-8fe7-c1d894a011ba} - %profile%\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - Ext: Fast Youtube Downloader: fastYoutubeDownloader@yevgenyandrov.net - %profile%\extensions\fastYoutubeDownloader@yevgenyandrov.net
FF - Ext: CacheViewer: {71328583-3CA7-4809-B4BA-570A85818FBB} - %profile%\extensions\{71328583-3CA7-4809-B4BA-570A85818FBB}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
MSConfigStartUp-Bionix Wallpaper - j:\misc\bionix\Bionix Wallpaper.exe
MSConfigStartUp-EVGAPrecision - c:\program files\EVGA Precision\EVGAPrecisionWrapper.exe
MSConfigStartUp-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
MSConfigStartUp-UpdReg - c:\windows\UpdReg.EXE
AddRemove-PaperPort 7.02 - c:\program files\ScanSoft\PaperPort\Config\DeIsL1.isu
AddRemove-Rarewings.com Stearman Hammond Y-1s - c:\users\Khrod Kat\Desktop\_fs9_hold\_tmp\Aircraft\Uninstal.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-05 00:30
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_ rev.V5CO -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x853F04D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x853f67f0]; MOV EAX, [0x853f686c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x8204811B] -> \Device\Harddisk0\DR0[0x8532C780]
3 CLASSPNP[0x885A78B3] -> nt!IofCallDriver[0x8204811B] -> [0x85267700]
5 acpi[0x826F06BC] -> nt!IofCallDriver[0x8204811B] -> [0x84E5F470]
\Driver\nvstor32[0x853C7D28] -> IRP_MJ_CREATE -> 0x853F04D0
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\0000009c -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDT725040VLA#4&2019003&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
sectors 781422766 (+7): user != kernel
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3867056976-849016701-749785769-1000\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick]
@DACL=(02 0000)
.
[HKEY_USERS\S-1-5-21-3867056976-849016701-749785769-1000\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm]
@DACL=(02 0000)
"wheel"=dword:00000001
DUMPHIVE0.003 (REGF)
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-06-05 00:32:33
ComboFix-quarantined-files.txt 2011-06-05 04:32
.
Pre-Run: 4,476,948,480 bytes free
Post-Run: 4,428,873,728 bytes free
.
- - End Of File - - CA54C3A05E5C7F1ADC47793E21325337
 
Avira is the only active AV software on the system; the others are run on demand.
The only "demand" that would be okay would be something like the Eset Online Virus scanner. Neither of these should be used as an "on demand" scanner. Please remove one of them.

You are also running PC Tools Firewall Plus. Since MSE has a firewall, that means you are also running 2 firewalls. Please remove one of them.
=============================
Please remove the TDSSKiller you currently have. Since it still appears that there is a rootkit on the system, I would like you to download and scan again from the link I left in Reply #5.

I have some script written to be run in Combofix, but I will wait until I get the Eset logs and the new logs from TDSSKiller.
 
MSE has no firewall that I've found in any of the tabs or docs. It is installed but real time protection is turned off, same for Malwarebytes and Spybot. They are in the context menu so can be called if desired, but Avira is the only active AV program running. Once a week Avira does a full scan, then is disabled while the others get their turn, enabled one at a time, to also do a full scan. This system has served me well for three years on this computer and for five years prior on my XP computer.
 
BTW, d/l'd TDSSKiller again, ran it; it squawked about there being a new version, so I let it go off in the ether and d/l yet another.

2011/06/07 13:38:31.0132 6180 TDSS rootkit removing tool 2.5.4.0 Jun 7 2011 17:31:48
2011/06/07 13:38:32.0006 6180 ================================================================================
2011/06/07 13:38:32.0006 6180 SystemInfo:
2011/06/07 13:38:32.0006 6180
2011/06/07 13:38:32.0006 6180 OS Version: 6.0.6002 ServicePack: 2.0
2011/06/07 13:38:32.0006 6180 Product type: Workstation
2011/06/07 13:38:32.0006 6180 ComputerName: POS
2011/06/07 13:38:32.0006 6180 UserName: Khrod Kat
2011/06/07 13:38:32.0006 6180 Windows directory: C:\Windows
2011/06/07 13:38:32.0006 6180 System windows directory: C:\Windows
2011/06/07 13:38:32.0006 6180 Processor architecture: Intel x86
2011/06/07 13:38:32.0006 6180 Number of processors: 2
2011/06/07 13:38:32.0006 6180 Page size: 0x1000
2011/06/07 13:38:32.0006 6180 Boot type: Normal boot
2011/06/07 13:38:32.0006 6180 ================================================================================
2011/06/07 13:38:32.0583 6180 Initialize success
2011/06/07 13:38:36.0327 6268 ================================================================================
2011/06/07 13:38:36.0327 6268 Scan started
2011/06/07 13:38:36.0327 6268 Mode: Manual;
2011/06/07 13:38:36.0327 6268 ================================================================================
2011/06/07 13:38:36.0717 6268 ac97intc (4b56caafed0b0b996341d74ce0e76565) C:\Windows\system32\drivers\ac97intc.sys
2011/06/07 13:38:36.0795 6268 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/06/07 13:38:36.0857 6268 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2011/06/07 13:38:36.0920 6268 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2011/06/07 13:38:37.0076 6268 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2011/06/07 13:38:37.0107 6268 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2011/06/07 13:38:37.0201 6268 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\Windows\system32\drivers\Afc.sys
2011/06/07 13:38:37.0247 6268 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2011/06/07 13:38:37.0357 6268 AgereSoftModem (2e3abaacbf547abbb5e73a504a56d05a) C:\Windows\system32\DRIVERS\AGRSM.sys
2011/06/07 13:38:37.0497 6268 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2011/06/07 13:38:37.0544 6268 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/06/07 13:38:37.0575 6268 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
2011/06/07 13:38:37.0762 6268 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2011/06/07 13:38:37.0778 6268 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
2011/06/07 13:38:37.0825 6268 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2011/06/07 13:38:37.0871 6268 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
2011/06/07 13:38:38.0027 6268 amdkmdag (19529728442d4794b96d1b8a9a63eca1) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/06/07 13:38:38.0199 6268 amdkmdap (b44737ff566b5888d15fdb66849f34e5) C:\Windows\system32\DRIVERS\atikmpag.sys
2011/06/07 13:38:38.0324 6268 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2011/06/07 13:38:38.0417 6268 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2011/06/07 13:38:38.0480 6268 ASPI (e54e27976e2c5a6465d44c10b1d87ac0) C:\Windows\System32\DRIVERS\ASPI32.sys
2011/06/07 13:38:38.0527 6268 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/06/07 13:38:38.0558 6268 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2011/06/07 13:38:38.0698 6268 AtiHdmiService (d7672d90ef03d0e2efdb02df5045a359) C:\Windows\system32\drivers\AtiHdmi.sys
2011/06/07 13:38:38.0792 6268 atitray (6cceb2cb70eaf24df999ebf1dea67ea9) C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys
2011/06/07 13:38:38.0870 6268 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\Windows\system32\DRIVERS\avgntflt.sys
2011/06/07 13:38:38.0963 6268 avipbb (5fedef54757b34fb611b9ec8fb399364) C:\Windows\system32\DRIVERS\avipbb.sys
2011/06/07 13:38:39.0010 6268 bcm4sbxp (08015d34f6fdd0b355805bad978497c3) C:\Windows\system32\DRIVERS\bcm4sbxp.sys
2011/06/07 13:38:39.0073 6268 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/06/07 13:38:39.0151 6268 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
2011/06/07 13:38:39.0244 6268 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/06/07 13:38:39.0275 6268 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/06/07 13:38:39.0322 6268 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/06/07 13:38:39.0353 6268 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/06/07 13:38:39.0369 6268 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/06/07 13:38:39.0400 6268 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/06/07 13:38:39.0431 6268 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/06/07 13:38:39.0525 6268 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/06/07 13:38:39.0634 6268 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2011/06/07 13:38:39.0681 6268 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2011/06/07 13:38:39.0728 6268 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2011/06/07 13:38:39.0790 6268 CmBatt (0fed59edb4a83ff17f1778827b88ab1a) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/06/07 13:38:39.0821 6268 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
2011/06/07 13:38:39.0946 6268 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/06/07 13:38:39.0977 6268 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2011/06/07 13:38:40.0040 6268 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2011/06/07 13:38:40.0118 6268 CT20XUT (b9106942eb5dd0e034ab40a9d48d056e) C:\Windows\system32\drivers\CT20XUT.SYS
2011/06/07 13:38:40.0243 6268 CT20XUT.SYS (b9106942eb5dd0e034ab40a9d48d056e) C:\Windows\System32\drivers\CT20XUT.SYS
2011/06/07 13:38:40.0289 6268 ctac32k (f2b1d0a3d21bd0d9f46457cbcec1a0e9) C:\Windows\system32\drivers\ctac32k.sys
2011/06/07 13:38:40.0336 6268 ctaud2k (44f60a5e3c3a8a6bba4c280948ea6095) C:\Windows\system32\drivers\ctaud2k.sys
2011/06/07 13:38:40.0430 6268 ctdvda2k (8cbe82d6bbf206e144f22cb33fab1f2c) C:\Windows\system32\drivers\ctdvda2k.sys
2011/06/07 13:38:40.0711 6268 CTEXFIFX (4ae083d16ac9fc9bdf98498f93426226) C:\Windows\system32\drivers\CTEXFIFX.SYS
2011/06/07 13:38:40.0789 6268 CTEXFIFX.SYS (4ae083d16ac9fc9bdf98498f93426226) C:\Windows\System32\drivers\CTEXFIFX.SYS
2011/06/07 13:38:40.0820 6268 CTHWIUT (b610bfe02f9fc0cb0b1cde3ec4c13ffa) C:\Windows\system32\drivers\CTHWIUT.SYS
2011/06/07 13:38:40.0867 6268 CTHWIUT.SYS (b610bfe02f9fc0cb0b1cde3ec4c13ffa) C:\Windows\System32\drivers\CTHWIUT.SYS
2011/06/07 13:38:40.0898 6268 ctprxy2k (f0f19a13c948e5289601e354b08e0941) C:\Windows\system32\drivers\ctprxy2k.sys
2011/06/07 13:38:40.0991 6268 ctsfm2k (c7b2c36a6203a5f3d0a378fd78c5ddd6) C:\Windows\system32\drivers\ctsfm2k.sys
2011/06/07 13:38:41.0054 6268 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2011/06/07 13:38:41.0132 6268 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2011/06/07 13:38:41.0241 6268 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/06/07 13:38:41.0350 6268 dvd43llh (1fc1eed3ea0c3a0ecf8a95b97e1b4831) C:\Windows\system32\DRIVERS\dvd43llh.sys
2011/06/07 13:38:41.0397 6268 dvdmmg (a29d99d10e57ece72b551d788c7d885b) C:\Windows\system32\drivers\dvdmmg.sys
2011/06/07 13:38:41.0553 6268 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
2011/06/07 13:38:41.0647 6268 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/06/07 13:38:41.0740 6268 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2011/06/07 13:38:41.0803 6268 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2011/06/07 13:38:41.0865 6268 emupia (fb2d6d4d14ae801f5267b0368fc0cb0c) C:\Windows\system32\drivers\emupia2k.sys
2011/06/07 13:38:41.0927 6268 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2011/06/07 13:38:42.0037 6268 ezplay (73e701e0fa4d2fc7d22efceff276c50a) C:\Windows\system32\Drivers\ezplay.sys
2011/06/07 13:38:42.0068 6268 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2011/06/07 13:38:42.0115 6268 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2011/06/07 13:38:42.0208 6268 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/06/07 13:38:42.0255 6268 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/06/07 13:38:42.0317 6268 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/06/07 13:38:42.0364 6268 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2011/06/07 13:38:42.0442 6268 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/06/07 13:38:42.0505 6268 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2011/06/07 13:38:42.0707 6268 ha20x2k (7ff1ced1201c169a783b0e81cc561fba) C:\Windows\system32\drivers\ha20x2k.sys
2011/06/07 13:38:42.0770 6268 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
2011/06/07 13:38:42.0832 6268 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/06/07 13:38:42.0879 6268 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/06/07 13:38:42.0941 6268 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/06/07 13:38:42.0988 6268 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2011/06/07 13:38:43.0019 6268 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2011/06/07 13:38:43.0066 6268 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2011/06/07 13:38:43.0113 6268 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2011/06/07 13:38:43.0160 6268 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/06/07 13:38:43.0238 6268 ialm (8318e04a6455ced1020bcc5039b62cfa) C:\Windows\system32\DRIVERS\ialmnt5.sys
2011/06/07 13:38:43.0331 6268 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2011/06/07 13:38:43.0363 6268 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/06/07 13:38:43.0425 6268 imhidusb (0836f03aa73ee78f1c884c4e9211aa72) C:\Windows\system32\DRIVERS\imhidusb.sys
2011/06/07 13:38:43.0487 6268 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
2011/06/07 13:38:43.0519 6268 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
2011/06/07 13:38:43.0565 6268 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/06/07 13:38:43.0628 6268 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2011/06/07 13:38:43.0721 6268 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/06/07 13:38:43.0768 6268 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/06/07 13:38:43.0815 6268 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2011/06/07 13:38:43.0862 6268 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/06/07 13:38:43.0893 6268 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/06/07 13:38:43.0971 6268 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/06/07 13:38:44.0018 6268 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/06/07 13:38:44.0049 6268 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/06/07 13:38:44.0111 6268 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2011/06/07 13:38:44.0174 6268 L8042Kbd (0c6e346cde730cf1356dd69ad6e9bc42) C:\Windows\system32\DRIVERS\L8042Kbd.sys
2011/06/07 13:38:44.0283 6268 L8042mou (8a5993705add14352c9a279fa8338334) C:\Windows\system32\DRIVERS\L8042mou.Sys
2011/06/07 13:38:44.0377 6268 LHidFilt (7f9c7b28cf1c859e1c42619eea946dc8) C:\Windows\system32\DRIVERS\LHidFilt.Sys
2011/06/07 13:38:44.0408 6268 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/06/07 13:38:44.0470 6268 LMouFilt (ab33792a87285344f43b5ce23421bab0) C:\Windows\system32\DRIVERS\LMouFilt.Sys
2011/06/07 13:38:44.0564 6268 LMouKE (9837e55673818ecd8febb47f7f77521a) C:\Windows\system32\DRIVERS\LMouKE.Sys
2011/06/07 13:38:44.0611 6268 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2011/06/07 13:38:44.0642 6268 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2011/06/07 13:38:44.0673 6268 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2011/06/07 13:38:44.0720 6268 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/06/07 13:38:44.0767 6268 LUsbFilt (77030525cd86a93f1af34fa9b96d33ce) C:\Windows\system32\Drivers\LUsbFilt.Sys
2011/06/07 13:38:44.0798 6268 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2011/06/07 13:38:44.0907 6268 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/06/07 13:38:44.0938 6268 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/06/07 13:38:44.0985 6268 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/06/07 13:38:45.0016 6268 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/06/07 13:38:45.0063 6268 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/06/07 13:38:45.0125 6268 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\Windows\system32\DRIVERS\MpFilter.sys
2011/06/07 13:38:45.0219 6268 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2011/06/07 13:38:45.0874 6268 MpNWMon (f32e2d6a1640a469a9ed4f1929a4a861) C:\Windows\system32\DRIVERS\MpNWMon.sys
2011/06/07 13:38:45.0921 6268 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/06/07 13:38:45.0983 6268 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/06/07 13:38:46.0015 6268 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2011/06/07 13:38:46.0077 6268 mrxsmb (5fe5cf325f5b02ebc60832d3440cb414) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/06/07 13:38:46.0155 6268 mrxsmb10 (30b9c769446af379a2afb72b0392604d) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/06/07 13:38:46.0217 6268 mrxsmb20 (fea239b3ec4877e2b7e23204af589ddf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/06/07 13:38:46.0233 6268 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
2011/06/07 13:38:46.0264 6268 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2011/06/07 13:38:46.0327 6268 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/06/07 13:38:46.0373 6268 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/06/07 13:38:46.0420 6268 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/06/07 13:38:46.0529 6268 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/06/07 13:38:46.0545 6268 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/06/07 13:38:46.0607 6268 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2011/06/07 13:38:46.0639 6268 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/06/07 13:38:46.0670 6268 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/06/07 13:38:46.0701 6268 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2011/06/07 13:38:46.0748 6268 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2011/06/07 13:38:46.0857 6268 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2011/06/07 13:38:46.0919 6268 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/06/07 13:38:46.0951 6268 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/06/07 13:38:46.0982 6268 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/06/07 13:38:47.0029 6268 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/06/07 13:38:47.0044 6268 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/06/07 13:38:47.0153 6268 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2011/06/07 13:38:47.0231 6268 netr73 (2dd6bb85c8bdae6116565ab5beca4f7c) C:\Windows\system32\DRIVERS\netr73.sys
2011/06/07 13:38:47.0325 6268 NETw2v32 (6e9edc1020b319e7676387b8cdf2398c) C:\Windows\system32\DRIVERS\NETw2v32.sys
2011/06/07 13:38:47.0450 6268 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/06/07 13:38:47.0512 6268 NisDrv (17e2c08c5ecfbe94a7c67b1c275ee9d9) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
2011/06/07 13:38:47.0575 6268 NPF (b9730495e0cf674680121e34bd95a73b) C:\Windows\system32\drivers\npf.sys
2011/06/07 13:38:47.0606 6268 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2011/06/07 13:38:47.0668 6268 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/06/07 13:38:47.0777 6268 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2011/06/07 13:38:47.0840 6268 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/06/07 13:38:47.0887 6268 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/06/07 13:38:47.0933 6268 NVENETFD (1efec38a852ab35883bfff3427b92b3f) C:\Windows\system32\DRIVERS\nvmfdx32.sys
2011/06/07 13:38:47.0965 6268 NVNET (1efec38a852ab35883bfff3427b92b3f) C:\Windows\system32\DRIVERS\nvmfdx32.sys
2011/06/07 13:38:48.0105 6268 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2011/06/07 13:38:48.0136 6268 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2011/06/07 13:38:48.0167 6268 nvstor32 (8ee374b6fb3cb2bb8d70395218b464a5) C:\Windows\system32\DRIVERS\nvstor32.sys
2011/06/07 13:38:48.0230 6268 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
2011/06/07 13:38:48.0308 6268 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/06/07 13:38:48.0355 6268 ossrv (ac5bf1a610effaae9cfc48cb53483f08) C:\Windows\system32\drivers\ctoss2k.sys
2011/06/07 13:38:48.0401 6268 papycpu (2f886a56d520f872e7e4ba9423a9b07b) C:\Windows\system32\drivers\papycpu.sys
2011/06/07 13:38:48.0511 6268 papycpu2 (b2fce3df242eaaa317fa2e4946d26a03) C:\Windows\System32\DRIVERS\papycpu2.sys
2011/06/07 13:38:48.0542 6268 papyjoy (f7a2e22cad3843cd8e4648ae61e7cc06) C:\Windows\System32\DRIVERS\papyjoy.sys
2011/06/07 13:38:48.0589 6268 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
2011/06/07 13:38:48.0635 6268 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2011/06/07 13:38:48.0667 6268 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
2011/06/07 13:38:48.0698 6268 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2011/06/07 13:38:48.0729 6268 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
2011/06/07 13:38:48.0776 6268 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/06/07 13:38:48.0885 6268 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\Windows\system32\Drivers\pcouffin.sys
2011/06/07 13:38:48.0932 6268 PCTAppEvent (cc174f32cc9c18ea3109c4b0fc2ca8df) C:\Windows\system32\drivers\PCTAppEvent.sys
2011/06/07 13:38:48.0979 6268 PCTFW-PacketFilter (4a7ef973fcd9c6cad6040ebb61262a5c) C:\Windows\system32\drivers\pctNdis-PacketFilter.sys
2011/06/07 13:38:49.0010 6268 pctgntdi (39e8623f9f29dbc9e053a696d85f8ac6) C:\WINDOWS\System32\drivers\pctgntdi.sys
2011/06/07 13:38:49.0057 6268 pctNDIS (8bbe917bc4da64b0ba8db33d4c0e0b7d) C:\Windows\system32\DRIVERS\pctNdis.sys
2011/06/07 13:38:49.0103 6268 pctplfw (6d74df36716a458619a62dd764fc4f8b) C:\WINDOWS\System32\drivers\pctplfw.sys
2011/06/07 13:38:49.0213 6268 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/06/07 13:38:49.0353 6268 Point32 (420336f91eb745811cf130c80ede0653) C:\Windows\system32\DRIVERS\point32.sys
2011/06/07 13:38:49.0415 6268 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/06/07 13:38:49.0431 6268 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2011/06/07 13:38:49.0493 6268 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2011/06/07 13:38:49.0556 6268 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2011/06/07 13:38:49.0587 6268 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/06/07 13:38:49.0649 6268 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/06/07 13:38:49.0681 6268 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/06/07 13:38:49.0727 6268 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/06/07 13:38:49.0759 6268 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/06/07 13:38:49.0790 6268 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2011/06/07 13:38:49.0899 6268 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2011/06/07 13:38:49.0930 6268 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/06/07 13:38:49.0977 6268 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2011/06/07 13:38:50.0039 6268 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/06/07 13:38:50.0086 6268 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2011/06/07 13:38:50.0164 6268 RivaTuner32 (c0c8909be3ecc9df8089112bf9be954e) C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys
2011/06/07 13:38:50.0258 6268 RMCAST (eec7ee5675294b03e88aa868540007c1) C:\Windows\system32\DRIVERS\RMCAST.sys
2011/06/07 13:38:50.0320 6268 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/06/07 13:38:50.0383 6268 rxpvbus (d6b23dfd46a1aee5ca6645fc4591df9b) C:\Windows\system32\DRIVERS\rxpvbus.sys
2011/06/07 13:38:50.0429 6268 SaiClass (dd3bba364c3b89ccb1fd8fd427c7b37f) C:\Windows\system32\drivers\SaiNtBus.sys
2011/06/07 13:38:50.0476 6268 SaiHFF04 (a0992e358585f9afe1b801eaf6e611bd) C:\Windows\system32\DRIVERS\SaiHFF04.sys
2011/06/07 13:38:50.0554 6268 SaiIFF04 (6e0015d8bd138c6b4430d249b55733fa) C:\Windows\system32\DRIVERS\SaiIFF04.sys
2011/06/07 13:38:50.0585 6268 SaiMini (20a15c1468f8961aa5e62966c38cb9e8) C:\Windows\system32\DRIVERS\SaiMini.sys
2011/06/07 13:38:50.0601 6268 SaiNtHid (a007103ef0e50fb0e0ed08b511d721d7) C:\Windows\system32\DRIVERS\SaiNtHid.sys
2011/06/07 13:38:50.0648 6268 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/06/07 13:38:50.0710 6268 sdbus (4339a2585708c7d9b0c0ce5aad3dd6ff) C:\Windows\system32\DRIVERS\sdbus.sys
2011/06/07 13:38:50.0741 6268 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/06/07 13:38:50.0804 6268 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
2011/06/07 13:38:50.0819 6268 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
2011/06/07 13:38:50.0851 6268 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/06/07 13:38:50.0929 6268 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
2011/06/07 13:38:50.0944 6268 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2011/06/07 13:38:50.0975 6268 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
2011/06/07 13:38:51.0007 6268 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/06/07 13:38:51.0038 6268 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2011/06/07 13:38:51.0053 6268 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2011/06/07 13:38:51.0085 6268 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2011/06/07 13:38:51.0147 6268 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2011/06/07 13:38:51.0225 6268 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/06/07 13:38:51.0365 6268 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
2011/06/07 13:38:51.0365 6268 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/06/07 13:38:51.0365 6268 sptd - detected LockedFile.Multi.Generic (1)
2011/06/07 13:38:51.0428 6268 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
2011/06/07 13:38:51.0475 6268 srv2 (a5940ca32ed206f90be9fabdf6e92de4) C:\Windows\system32\DRIVERS\srv2.sys
2011/06/07 13:38:51.0506 6268 srvnet (37aa1d560d5fa486c4b11c2f276ada61) C:\Windows\system32\DRIVERS\srvnet.sys
2011/06/07 13:38:51.0553 6268 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\Windows\system32\DRIVERS\ssmdrv.sys
2011/06/07 13:38:51.0662 6268 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/06/07 13:38:51.0709 6268 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/06/07 13:38:51.0787 6268 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/06/07 13:38:51.0802 6268 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/06/07 13:38:51.0880 6268 Tcpip (6a10afce0b38371064be41c1fbfd3c6b) C:\Windows\system32\drivers\tcpip.sys
2011/06/07 13:38:51.0943 6268 Tcpip6 (6a10afce0b38371064be41c1fbfd3c6b) C:\Windows\system32\DRIVERS\tcpip.sys
2011/06/07 13:38:51.0989 6268 tcpipreg (9bf343f4c878d6ad6922b2c5a4fefe0d) C:\Windows\system32\drivers\tcpipreg.sys
2011/06/07 13:38:52.0036 6268 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/06/07 13:38:52.0067 6268 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/06/07 13:38:52.0161 6268 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2011/06/07 13:38:52.0208 6268 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2011/06/07 13:38:52.0270 6268 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/06/07 13:38:52.0317 6268 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/06/07 13:38:52.0348 6268 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2011/06/07 13:38:52.0395 6268 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2011/06/07 13:38:52.0442 6268 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2011/06/07 13:38:52.0535 6268 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2011/06/07 13:38:52.0567 6268 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2011/06/07 13:38:52.0598 6268 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/06/07 13:38:52.0629 6268 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/06/07 13:38:52.0676 6268 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/06/07 13:38:52.0754 6268 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
2011/06/07 13:38:52.0801 6268 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/06/07 13:38:52.0832 6268 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/06/07 13:38:52.0957 6268 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2011/06/07 13:38:52.0988 6268 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2011/06/07 13:38:53.0019 6268 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
2011/06/07 13:38:53.0050 6268 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
2011/06/07 13:38:53.0081 6268 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2011/06/07 13:38:53.0128 6268 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/06/07 13:38:53.0206 6268 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/06/07 13:38:53.0253 6268 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/06/07 13:38:53.0300 6268 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/06/07 13:38:53.0347 6268 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2011/06/07 13:38:53.0362 6268 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2011/06/07 13:38:53.0393 6268 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
2011/06/07 13:38:53.0425 6268 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/06/07 13:38:53.0487 6268 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2011/06/07 13:38:53.0518 6268 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2011/06/07 13:38:53.0565 6268 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2011/06/07 13:38:53.0674 6268 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/06/07 13:38:53.0721 6268 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/06/07 13:38:53.0752 6268 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/06/07 13:38:53.0783 6268 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2011/06/07 13:38:53.0846 6268 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
2011/06/07 13:38:54.0002 6268 WmFilter (19f9881d8b3484fedb605d0216876898) C:\Windows\system32\drivers\WmFilter.sys
2011/06/07 13:38:54.0080 6268 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
2011/06/07 13:38:54.0158 6268 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/06/07 13:38:54.0251 6268 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/06/07 13:38:54.0298 6268 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
2011/06/07 13:38:54.0314 6268 ================================================================================
2011/06/07 13:38:54.0314 6268 Scan finished
2011/06/07 13:38:54.0314 6268 ================================================================================
2011/06/07 13:38:54.0329 6252 Detected object count: 1
2011/06/07 13:38:54.0329 6252 Actual detected object count: 1
2011/06/07 13:41:48.0754 6252 HKLM\SYSTEM\ControlSet001\services\sptd - will be deleted after reboot
2011/06/07 13:41:48.0785 6252 HKLM\SYSTEM\ControlSet003\services\sptd - will be deleted after reboot
2011/06/07 13:41:48.0785 6252 C:\Windows\system32\Drivers\sptd.sys - will be deleted after reboot
2011/06/07 13:41:48.0785 6252 LockedFile.Multi.Generic(sptd) - User select action: Delete
2011/06/07 13:41:57.0630 6172 Deinitialize success

//////////////
FWIW, sptd is a "sata pass through driver" apparently left from a Daemon Tools install; don't recall the project, but I never deciphered what I was to do with that software so removed it ages ago.
 
Thank you for setting me straight on the lack of firewall in MSE. Settings usually suggest the Windows Firewall being enabled.

Did you intentionally install a keylogger on the system in 2009?
 
I don't even know what a keylogger is. Bought this PC from a neighbor in '08, deleted everything but the OS, full malware scans, repartitioned, new vid card, PS (necessary for the vid card), and sound card. (Had I known what a POS Vista would be, I'd also have deleted it in favor of XP Pro.)

//////////////
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=f27a4def0092804aaeeb9d3daeab7c71
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-06-09 10:21:35
# local_time=2011-06-09 06:21:35 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 20450802 20450802 0 0
# compatibility_mode=1797 16775165 100 94 803797 43993263 2251885 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 33716056 144197291 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=1152143
# found=10
# cleaned=10
# scan_time=25132
C:\Documents and Settings\All Users\Spybot - Search & Destroy\Recovery\WinAgentws1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Khrod Kat\Desktop\frostwire-4.21.5.windows.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Khrod Kat\Desktop\sdac.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Khrod Kat\Desktop\zfdc.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Khrod Kat\Desktop\Knights & Merchants\Knights & Merchants.zip a variant of Win32/Packed.PECrypt32.A application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Khrod Kat\Desktop\_DL\shock\SYSTEMSHOCK-Portable-v1.2.7z Win32/PrcView application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AV DVD Player Morpher\DealioKit1-stub-0.exe Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\ProgramData\defender.exe.vir a variant of Win32/Kryptik.OSZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\72a60c26-35a3f629 a variant of Win32/Kryptik.ORD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\dvd_dl\dvd_player_morpher_aff.exe Win32/Adware.Toolbar.Dealio application (deleted - quarantined) 00000000000000000000000000000000 C


////////////////////////

I can account for most of the items ESET found (after approximately seven hours scanning):
the item in AV DVD Player Morpher is an optional toolbar install, as is the OpenCandy item in frostwire (never installed, leery of its source; OpenCandy often triggers AV alerts in cnet d/l's); the item in Spybot I assume is their own signature file or a previously quarantined item; the item in Knights&Merchants is curious, Avira also detects it but in VirusTotal Avira was the only one to detect it; and PrcView is a valid program that can be used for nefarious purposes (of no concern here since it supposedly doesn't work on any windows past XP).

That leaves: sdac.exe and zfdc.exe (there are no hidden files on this system, these were NOT on the desktop), the former is, according to a quick net search, a Sun Desktop utility about which I know nothing, the latter a disc copy utility I never used (d/l'd to desktop, virus scanned, and moved to a "storage" folder ...deleted weeks ago); the Kryptik items, one in a folder left by Combofix, the other buried several levels in a Sun Java directory, are the unknowns here - neither Avira, Malwarebytes, Spybot, MSE, Ad-Aware, nor a Kaspersky online scan saw those.

FWIW, since running the TDSKiller I've not experienced the problems which initiated this thread; but since we're already knee deep in this we might as well make certain nothing else is lurking on this system.
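The ESET log posted above is plain text with one line per hit. The script below is an added example, not part of this thread and not ESET's own tooling: it parses that line shape into records, groups them by where the file sat (ComboFix's Qoobox quarantine, the Java deployment cache, another drive, or ordinary user files), and checks that the header's found/cleaned counts agree with the body. The line format is inferred from the posted log, the sample input is constructed from lines of the same shape, and the category labels are the example's own.

```python
"""Parse ESET Online Scanner log lines and summarise the hits by location.

Line shape (inferred from the log posted in this thread):
  '# key=value' header lines, then one line per hit:
  <path> <detection> (<action>) <32 hex digits> <flag>
"""
import re
from collections import Counter

# Constructed sample log in the same shape as the thread's; the hash column
# is the all-zero placeholder that ESET printed in the posted log.
SAMPLE_LOG = r"""# version=7
# osver=6.0.6002 NT Service Pack 2
# scanned=1152143
# found=5
# cleaned=5
C:\Documents and Settings\Khrod Kat\Desktop\Knights & Merchants\Knights & Merchants.zip a variant of Win32/Packed.PECrypt32.A application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Khrod Kat\Desktop\sdac.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\ProgramData\defender.exe.vir a variant of Win32/Kryptik.OSZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\72a60c26-35a3f629 a variant of Win32/Kryptik.ORD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\dvd_dl\dvd_player_morpher_aff.exe Win32/Adware.Toolbar.Dealio application (deleted - quarantined) 00000000000000000000000000000000 C
"""

# A detection name starts with an optional "a variant of", then either a
# "<platform>/<name>" token or the literal "multiple threats", followed by
# lowercase type words (trojan, worm, application). Paths may contain spaces,
# so the path group is non-greedy and stops at the first detection match;
# a path containing a forward slash would need a stricter rule.
DETECTION = r"(?:a variant of )?(?:[A-Za-z0-9]+/\S+|multiple threats)(?: [a-z]+)*"
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<detection>" + DETECTION + r") "
    r"\((?P<action>[^()]+)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)


def classify(path):
    """Bucket a hit by where it sat; the labels are this example's own."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "combofix quarantine"      # already quarantined by ComboFix
    if r"\sun\java\deployment\cache" in p:
        return "java cache"               # cleared via the Java Control Panel
    if not p.startswith("c:"):
        return "other drive"
    return "user files"


def parse_log(text):
    """Return (header dict, list of hit dicts) for an ESET log."""
    header, hits = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header.setdefault(key, value)  # keep the first of repeated keys
            continue
        m = HIT_RE.match(line)
        if m:
            hit = m.groupdict()
            hit["category"] = classify(hit["path"])
            hits.append(hit)
    return header, hits


def cleaned_count(hits):
    """Hits whose action shows ESET removed the file."""
    return sum(1 for h in hits if "deleted" in h["action"] or "cleaned" in h["action"])


def summarize(hits):
    """Count hits per location bucket."""
    return Counter(h["category"] for h in hits)


def header_matches(header, hits):
    """True when the header's found/cleaned counts agree with the hit lines."""
    return (int(header.get("found", -1)) == len(hits)
            and int(header.get("cleaned", -1)) == cleaned_count(hits))


if __name__ == "__main__":
    hdr, found = parse_log(SAMPLE_LOG)
    print(f"scanned={hdr['scanned']} found={len(found)} "
          f"cleaned={cleaned_count(found)} header_ok={header_matches(hdr, found)}")
    for cat, n in summarize(found).items():
        print(f"  {cat}: {n}")
    for h in found:
        print(f"  [{h['category']}] {h['detection']} -> {h['action']}\n      {h['path']}")
```

Feed `parse_log` the saved text of a real scanner log instead of `SAMPLE_LOG` to get the same summary; a header that disagrees with the body is worth a second look before trusting the "cleaned" figure.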
 
A keylogger actually logs every key you type. That means passwords, bank information, personal information; anything typed on the keyboard. The entry I see is:
c:\windows\iun6002.exe. It was created 2009-06-24 06:56 by Spyware.DsktopSurveil which logs keystrokes, program use, and captures screenshots. It can run in hidden mode. It shows 737280 entries or processes of some kind.

This is described as "desktop surveillance." A few people intentionally use a keylogger if, for some reason, they need a record of what is typed. The date of the entry is 2009, which means it got on or was put on after you got it from your neighbor.
=======================================
Eset entries: Some of the infected files are in the Java cache so it will need to be emptied:
To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
  • [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
  • [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  • [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
  • [5]. Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
  • [6]. Click Apply > OK on Temporary Files Settings window.
Images courtesy java.com
==================================================
The directions for the Eset scan clearly say
Uncheck 'Remove found threats' with a screen shot right above it. Maybe that doesn't make sense to you but there is a reason for it. I would have used a special cleaning program that not only removed those particular files, but associated files and temporary internet files.
================================================
You didn't need to explain all the entries in the Eset log. That's my job and I will act on what I see and confirm. I'm not out to pass any judgement on you- just to try to find and remove malware entries. Please be assured that I know what the Qoobox is, that I know what the Sun Java entries are, that I will instruct you based on my best information and judgement.
====================================================
Some sources of infection:
1. J Drive> What is that?
2. Dealio app which is usually a toolbar.
3. Frostwire.
====================================================
 
Didn't mean to second guess procedures here, just thought I might head off some questions and streamline our dialog.

Looked at the iun6002.exe; it shows a filedate of 5/12/2011 and the popup identifies it as "SUF60Runtime" from "Indigo Rose Corp" (no luck researching that, the first page of results listed half a dozen different sites vending everything from sewing supplies to software ...though one of the software products is an install program, that's certainly suspect to me). From your description I see no need for this, or any, keyloggers on my system. I've renamed the file, give the word and it will disappear.

I know little of Java so had left its CP settings untouched; but the cache should now be clear.

Running ESET, I just d/l'd and ran it with default settings.

On my system, the C drive is a partition just for windows and software that insists on being installed there, D is the Vista recover partition, E is DVD, F G H and I are card readers (only use the one for my camera card, don't even know what the others are for), J and L are partitions containing applications, games, and storage (K is the data stick, when plugged in).

I've forgotten what application contained the Dealio, but I didn't let it install the toolbar.

Frostwire was never installed; while recommended as a replacement for Limewire, I could never find any reliable information about it ...but did hear of some malicious software using the same name. (FWIW, I'm trying to save the trouble of recording literally hundreds of 45rpm singles into my computer ...these date from my high school years ...when 8-track tapes were still a commercial product.) The file was d/l'd, AV scanned, then stuck in a holding directory while I researched it ...and forgotten. Now deleted.
 
J:\dvd_dl\dvd_player_morpher_aff.exe Win32/Adware.Toolbar.Dealio application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Khrod Kat\Desktop\frostwire-4.21.5.windows.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
===============================================
I am trying to assist you in making you aware of malware source and location. It is not necessary for you to explain these entries, I know what they are for or from. I can only go by the entries I see- if I see them, they are on the system. Since the issue has been resolved and since you can account for all the entries:

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 
My apologies; I thought the more information I provided the easier your job became. For example the fact that Frostwire was never installed but merely d/l'd and kept in a "holding tank".

Combofix uninstalled and OTC did its thing.

I am fanatic about restore points, creating them before any installs, updates, or upgrades; and a new one each week after the full av scans. My problem is remembering to remove the older ones before they consume too much HD real estate. But I am now down to the most recent only. Hopefully this system is now clean; compared to others, I can't complain, in twenty years this is only the fourth time anything has gotten past my AV defences. Thank you for the assistance and information; ESET will remain on my system, not active but for a periodic scan.
 
I know little of Java so had left its CP settings untouched; but the cache should now be clear.
What you need to know is that Java puts out frequent updates. They are usually for security, so any old versions kept on the system are vulnerabilities. Unfortunately, Java hasn't learned how to overwrite the older version, so the user must go into Add/Remove Programs and uninstall it.

I have a setting recommendation about the Java files:
Control Panel> Java> Temporary Internet Files> Settings> Uncheck 'Keep temporary files on my computer'> Disc Space> Move the slider all the way to the left so as not to save disc space for these temporary files> Click on OK> Apply> OK

Being a 'fanatic' about restore points is a good thing! Many don't understand their purpose and importance. I open more logs with "No" restore points than those with them. They are especially important in a malware situation- the system can become so corrupted that sometimes, the only way in is through a restore point. And frankly, a restore point has saved my a.. more than once!

One user thought that every time the computer started up it was from a restore point! It took many posts to make him understand that restore points are "user invoked", not startup points.

About Frostwire- again, you didn't have to download it. But you did download from Frostwire and got malware with it. Was it worth it?

If it's not an imposition, I would feel more comfortable letting you go if you did an update and rescanned with Eset Online Virus scanner. I'd like to make sure all the files associated with the malware are gone. Please follow the instructions to Uncheck 'Remove found threats'. This is clearly stated in the instructions and you were not told to run it with the default settings.

If Eset finds any other entries, I'll follow with the removal program and it will be clear to you why we handle it this way.
 
Java changes made (the slider had to be moved first since unchecking the option greys out the rest of the page).

With Frostwire, I was under the impression there'd be no problem with such software as long as I didn't actually run it. Avira cleared this during d/l and it sat forgotten on my HD for weeks, long enough that not only Avira but MSE, Malwarebytes, and Spybot must have scanned it a dozen times, not to mention a Kaspersky online scan.

No problem running ESET again. Don't know if it will take seven hours this time but will give it the overnight shift.
 
FrostWire is a peer-to-peer file sharing program for the Gnutella and BitTorrent protocols. FrostWire is written in Java, and is a fork of LimeWire, another popular Gnutella client.

frostwire-4.21.5.windows.exe is the executable. This is not the setup, it's the executable on the desktop. How/where did you get the exe file?
Since you don't intend to use it, consider removing it from the system.
=================================
FYI: File Sharing- Some Information:

Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.


So although you indicate that you did not actually install Frostwire, you did use it and you did get malware.
C:\Documents and Settings\Khrod Kat\Desktop\frostwire-4.21.5.windows.exe
 
Don't recall from where I d/l'd Frostwire. Had been using Limewire, when the feds shut that down everyone got a stream of emails about Frostwire being the "official" replacement; it seemed odd that this "official" replacement had no official website and was available from about a dozen different places. So my d/l sat there untouched while I did more research; seems there is/was an actual Frostwire that was a somewhat slimmed down version of Limewire, unfortunately there also is/was a malicious file of the same name circulating. The entire situation seemed too flaky so I pursued it no further, and forgot about the file (I did not install, run, or even click on it). Things often go unnoticed on my desktop since I have "hide desktop icons" selected (due to arcane graphics problems which no one has been able to solve).

Am aware of the hazards of torrent files, but deal primarily with a couple of members only sites that have proven quite reliable ...and these are used so seldom I must remember to log in once a month to keep my membership active.
 
A tip to keep track of the Desktop without having the icons display:

Right click on the Taskbar> Choose Toolbars> Choose Desktop.

Now if you keep the icons hidden, you will see the word 'Desktop>>' to the left of the Notification Area. Click on the >> and the contents of the desktop will display in a list, top to bottom, in alpha order, with folders first, then files, above the Notification Area. You can left click to Open or right click to Delete (or use any of the other features on the right click context menu.)
==============================================
The system is clean. Let me know if you have any more questions.
 
I just use the keyboard windows+E to invoke windows explorer, and there is my desktop listing. (FWIW, the graphics anomaly is in some games the desktop icons, some system tray items, and occasionally the start button, will flicker on the screen while the game is running. Two years of tech forums and emails, even going from a GeForce to an ATi, has produced no solution; so I hide the icons and live with it.)

Ran ESET again last night, only took three hours this time, and it reported no threats detected. Thanks for all the help and information, hopefully I won't need it again.
 