Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93117 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Infection


  • This topic is locked This topic is locked
15 replies to this topic

#1 djcarter

djcarter

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 06 July 2010 - 08:56 AM

Hi, I would like some help please. My computer has been running slowly and programs frequently stop responding.

Here is a hijackthis log.

Thanks in advance

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:55:42, on 06/07/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Documents and Settings\The User\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\DOCUME~1\THEUSE~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\trend micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gooofullsearch.com/bar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://roonic.com/re...a...10&ie=UTF-8
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://en.uk.acer.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: ToolbarURLSearchHook Class - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Program Files\DVD Shrink 3.2.0.15\tbhelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: EndNote Web - {82D2E569-25A7-4E4D-9FA3-C5025B4B7912} - C:\Program Files\EndNote Web\ENWIEPlug.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: EndNote Web - {945C8270-A848-11D5-A805-00B0D092F45B} - C:\Program Files\EndNote Web\ENWIEPlug.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [Preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SamsungPCSuiteTrayApplication] C:\Program Files\Samsung\Samsung PC Studio 7\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Mobile Connectivity Suite] "C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Samsung.PCSync] C:\Program Files\Samsung\Samsung PC Studio 7\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\The User\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: MagicDisc.lnk.disabled
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Plant%20Tycoon/Images/stg_drm.ocx
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1208204733746
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Plant%20Tycoon/Images/armhelper.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eLock Service (eLockService) - - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 16348 bytes

    Advertisements

Register to Remove


#2 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 07 July 2010 - 06:05 AM

Welcome to the forum.......Please do this:

[*]Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


Click on Fix Checked when finished and exit HijackThis.

-----------------------------------------------

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part


  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.


Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please let me know.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
5.Give it atleast 20-30 minutes to finish if needed.



MrC

#3 djcarter

djcarter

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 07 July 2010 - 12:41 PM

Thanks! :thumbup:

Here is the Combofix log

ComboFix 10-07-06.03 - The User 07/07/2010 13:54:20.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.539 [GMT 1:00]
Running from: c:\documents and settings\The User\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\THEUSE~1\LOCALS~1\Temp\1.wmv
c:\documents and settings\HelpAssistant\AUTOSET.EXE
c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
c:\documents and settings\The User\AUTOSET.EXE
c:\documents and settings\The User\GoToAssistDownloadHelper.exe
c:\documents and settings\The User\Local Settings\Application Data\{35CF093F-D2FC-447A-9A74-A20C7A1A4040}
c:\documents and settings\The User\Local Settings\Application Data\{35CF093F-D2FC-447A-9A74-A20C7A1A4040}\chrome.manifest
c:\documents and settings\The User\Local Settings\Application Data\{35CF093F-D2FC-447A-9A74-A20C7A1A4040}\chrome\content\_cfg.js
c:\documents and settings\The User\Local Settings\Application Data\{35CF093F-D2FC-447A-9A74-A20C7A1A4040}\chrome\content\overlay.xul
c:\documents and settings\The User\Local Settings\Application Data\{35CF093F-D2FC-447A-9A74-A20C7A1A4040}\install.rdf
c:\program files\DVD Shrink 3.2.0.15\tbHElper.dll
c:\program files\NetMeeting\secedit.exe.vir
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\logs

.
((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))
.

2010-06-26 15:25 . 2010-06-26 15:25 -------- d-----w- c:\program files\DVD Shrink
2010-06-26 15:07 . 2010-06-26 15:07 -------- d-----w- c:\documents and settings\The User\Application Data\PropMgrAsync
2010-06-26 15:05 . 2010-06-26 15:05 -------- d-----w- c:\documents and settings\The User\Application Data\Toolbar4
2010-06-26 15:00 . 2010-07-07 13:04 -------- d-----w- c:\program files\DVD Shrink 3.2.0.15
2010-06-24 18:54 . 2010-06-24 18:54 227152 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-24 14:00 . 2010-06-24 14:01 -------- d-----w- c:\program files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2010-06-24 13:50 . 2010-06-24 13:50 -------- d-----w- c:\program files\Common Files\Common Share
2010-06-24 13:50 . 2008-12-18 12:38 719872 ----a-w- c:\windows\system32\devil.dll
2010-06-24 13:50 . 2008-12-18 12:38 351744 ----a-w- c:\windows\system32\avisynth.dll
2010-06-24 13:50 . 2008-12-18 12:38 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-06-24 13:50 . 2010-06-24 13:50 -------- d-----w- c:\program files\OJOsoft
2010-06-23 19:44 . 2010-06-23 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-23 19:44 . 2010-06-23 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-06-23 19:44 . 2010-06-23 19:44 -------- d-----w- c:\program files\McAfee Security Scan
2010-06-07 13:49 . 2010-06-07 13:49 -------- d-----w- c:\documents and settings\The User\Local Settings\Application Data\WBFSManager
2010-06-07 13:45 . 2010-06-07 13:45 -------- d-----w- c:\program files\WBFS
2010-06-07 13:19 . 2010-04-26 21:10 1718912 ----a-w- c:\windows\system32\BootMan.exe
2010-06-07 13:19 . 2010-02-23 10:51 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2010-06-07 13:19 . 2010-02-23 10:51 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2010-06-07 13:19 . 2010-02-23 10:51 13192 ----a-w- c:\windows\system32\epmntdrv.sys
2010-06-07 13:19 . 2010-02-23 10:51 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-04-12 00:49 . 2009-12-03 01:22 -------- d-----w- c:\program files\trend micro
2010-07-07 13:18 . 2008-05-07 14:04 -------- d-----w- c:\documents and settings\The User\Application Data\uTorrent
2010-07-07 13:17 . 2008-05-03 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-07-07 13:09 . 2009-12-17 11:34 -------- d-----w- c:\documents and settings\The User\Application Data\Dropbox
2010-07-07 13:06 . 2009-06-24 13:08 81984 ----a-w- c:\windows\system32\bdod.bin
2010-07-07 12:42 . 2009-03-17 16:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-06 18:11 . 2009-12-18 19:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-04 19:07 . 2007-08-07 22:02 -------- d-----w- c:\program files\Microsoft SQL Server
2010-07-03 18:09 . 2010-05-01 09:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-06-28 00:08 . 2008-04-02 06:48 -------- d-----w- c:\program files\Launch Manager
2010-06-24 19:55 . 2008-05-06 18:03 -------- d-----w- c:\documents and settings\The User\Application Data\Apple Computer
2010-06-20 22:38 . 2007-08-07 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-20 20:25 . 2009-12-08 21:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-07 10:51 . 2008-04-17 08:00 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-27 14:06 . 2010-05-27 14:03 -------- d-----w- c:\documents and settings\The User\Application Data\Teleca
2010-05-27 14:05 . 2010-05-27 14:05 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-05-27 14:05 . 2010-05-27 14:05 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
2010-05-27 14:02 . 2010-05-27 14:02 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-05-27 14:02 . 2010-05-27 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\HTC
2010-05-27 14:02 . 2010-05-27 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Teleca
2010-05-27 14:02 . 2010-05-27 13:58 -------- d-----w- c:\program files\HTC
2010-05-27 13:59 . 2010-05-27 13:59 -------- d-----w- c:\program files\Spirent Communications
2010-05-25 07:37 . 2010-05-25 07:37 -------- d-----w- c:\documents and settings\The User\Application Data\Trusteer
2010-05-25 07:37 . 2010-05-25 07:37 -------- d-----w- c:\program files\Trusteer
2010-05-25 07:35 . 2010-05-25 07:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-05-24 07:37 . 2008-07-28 11:12 93936 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-05-24 07:35 . 2008-04-02 06:41 8224 ----a-w- c:\documents and settings\The User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-22 13:18 . 2010-05-22 13:16 -------- d-----w- c:\program files\iTunes
2010-05-22 13:18 . 2010-05-22 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-22 13:17 . 2010-05-22 13:17 -------- d-----w- c:\program files\iPod
2010-05-22 13:17 . 2008-07-15 21:42 -------- d-----w- c:\program files\Common Files\Apple
2010-05-22 13:11 . 2009-09-14 10:18 -------- d-----w- c:\program files\QuickTime
2010-05-22 13:02 . 2009-05-08 11:55 -------- d-----w- c:\program files\Bonjour
2010-05-16 18:50 . 2009-11-20 21:25 76712 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-04 17:20 . 2007-04-18 12:31 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-05 03:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-05 03:00 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:56 . 2007-03-08 13:47 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 14:39 . 2009-12-18 19:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-12-18 19:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:51 . 2004-08-05 03:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 07:33 . 2009-04-30 16:48 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-16 07:33 . 2008-12-26 21:11 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-07 11:36 . 2010-04-07 11:24 65536 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]
"{C86FF9FA-AEED-451B-A9CC-39A53173AE2E}"= "c:\program files\DVD Shrink 3.2.0.15\tbcore3.dll" [2010-03-26 2550272]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{c86ff9fa-aeed-451b-a9cc-39a53173ae2e}]
[HKEY_CLASSES_ROOT\TBSB07458.TBSB07458.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB07458.TBSB07458]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\The User\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\The User\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\The User\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-04 2002160]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-02-24 319280]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-05 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Preload"="c:\windows\RUNXMLPL.exe" [2007-04-21 20480]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-05 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 208896]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-07-04 475136]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-05-28 342528]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 421888]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-10-17 858632]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SamsungPCSuiteTrayApplication"="c:\program files\Samsung\Samsung PC Studio 7\LaunchApplication.exe" [2008-08-07 278016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2010-04-07 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-19 598016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
"Samsung.PCSync"="c:\program files\Samsung\Samsung PC Studio 7\PcSync2.exe" [2007-12-04 1241088]

c:\documents and settings\The User\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\The User\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
MagicDisc.lnk.disabled [2009-7-20 656]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-4-2 45056]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^The User^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=c:\documents and settings\The User\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=c:\windows\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^The User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\The User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-04-01 09:39 486856 ------w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 14:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2008-03-28 10:20 1079296 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SamsungPCSuiteTrayApplication]
2008-08-07 17:10 278016 ------w- c:\program files\Samsung\Samsung PC Studio 7\LaunchApplication.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Documents and Settings\\The User\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:limewire
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"8500:TCP"= 8500:TCP:Services

R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [18/05/2010 16:11 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [18/05/2010 16:11 166376]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/11/2009 09:43 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/11/2009 09:43 74480]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/09/2008 13:03 169312]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [06/10/2008 18:16 82696]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [18/05/2010 16:11 840936]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [18/09/2008 12:09 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [12/02/2009 16:52 104456]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/11/2009 09:43 7408]
S2 BTWSp50;BTWSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BTWSp50.sys --> c:\windows\system32\Drivers\BTWSp50.sys [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [20/01/2009 19:16 172032]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [07/06/2010 14:19 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [07/06/2010 14:19 8456]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [27/05/2010 14:59 24576]
S3 nmwcdsa;Samsung USB Phone Parent;c:\windows\system32\drivers\nmwcdsa.sys [13/01/2009 14:32 135680]
S3 nmwcdsac;Samsung USB Generic;c:\windows\system32\drivers\nmwcdsac.sys [13/01/2009 14:32 8320]
S3 nmwcdsacj;Samsung USB Port;c:\windows\system32\drivers\nmwcdsacj.sys [13/01/2009 14:32 12288]
S3 nmwcdsacm;Samsung USB Modem;c:\windows\system32\drivers\nmwcdsacm.sys [13/01/2009 14:32 12288]
S4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [07/05/2008 16:21 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2010-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2016-04-12 c:\windows\Tasks\User_Feed_Synchronization-{BD01A600-5529-4904-B81B-59F2C534B718}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mStart Page = hxxp://gooofullsearch.com/bar
uInternet Connection Wizard,ShellNext = hxxp://en.uk.acer.yahoo.com/
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
FF - ProfilePath - c:\documents and settings\The User\Application Data\Mozilla\Firefox\Profiles\qftgx7ko.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?FORM=Z9FD1
FF - prefs.js: keyword.URL - hxxp://www.gooofullsearch.com/google?cx=partner-pub-1706725243366868:bicno8bf36s&cof=FORID%3A10&ie=UTF-8&hl=es&q=
FF - component: c:\documents and settings\The User\Application Data\Mozilla\Firefox\Profiles\qftgx7ko.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
FF - component: c:\documents and settings\The User\Application Data\Mozilla\Firefox\Profiles\qftgx7ko.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr
ef", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
AddRemove-GOLD - d:\gold\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-07 14:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1428)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(6292)
c:\windows\system32\WININET.dll
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\MFC71U.DLL
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\documents and settings\The User\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\program files\Samsung\Samsung PC Studio 7\PhoneBrowser.dll
c:\program files\Samsung\Samsung PC Studio 7\PCSCM_Samsung.dll
c:\program files\Samsung\Samsung PC Studio 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Samsung\Samsung PC Studio 7\Resource\PhoneBrowser_Samsung.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Kontiki\KService.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxext.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\docume~1\THEUSE~1\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Common Files\Teleca Shared\logger.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
.
**************************************************************************
.
Completion time: 2010-07-07 14:28:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-07 13:28

Pre-Run: 4,419,063,808 bytes free
Post-Run: 5,011,030,016 bytes free

- - End Of File - - 760C90085A074FCB430ECD59627DA9D7

#4 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 07 July 2010 - 01:14 PM

Please do this:

Copy all the text in the code box into notepad.
Save it as fix.reg
Save as file type > All files
Save it to your desktop

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-
"ProxyEnable"=-

If you did it right it will look like this except with a different name:

Posted Image

Now double click on it and allow it to merge into the registry.

--------------------------------------

Lets check for a couple of infections:

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Click on TDSSKiller.exe to run it.
Once completed it will create a log in your C:\ drive called TDSSKiller_*** (*** denotes version & date)

Please post the content of the TDSSKiller log

and.....

Download MBRCheck.exe to your desktop
XP users > double click on MBRCheck.exe to run it
Vista and Windows 7 users > right click on MBRCheck.exe and select Run as Administrator
It will show a black screen with some data on it
Click on the black C:\ in the upper left hand corner of the black screen
Choose Edit > Select All > Press Enter to copy the data to your clip board
Press Enter again to close MBRCheck
Now open up notepad or wordpad and paste the data in (press Control+V)

Post the results in your reply

MrC


#5 djcarter

djcarter

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 07 July 2010 - 02:00 PM

Here are the logs

MBRCheck, version 1.0.2
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown MBR code


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:


================================================================

20:55:50:281 8220 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
20:55:50:281 8220
20:55:50:281 8220 SystemInfo:

20:55:50:281 8220 OS Version: 5.1.2600 ServicePack: 2.0
20:55:50:281 8220 Product type: Workstation
20:55:50:281 8220 ComputerName: ACER-47CBE8A5ED
20:55:50:281 8220 UserName: The User
20:55:50:281 8220 Windows directory: C:\WINDOWS
20:55:50:281 8220 System windows directory: C:\WINDOWS
20:55:50:281 8220 Processor architecture: Intel x86
20:55:50:281 8220 Number of processors: 1
20:55:50:281 8220 Page size: 0x1000
20:55:50:296 8220 Boot type: Normal boot
20:55:50:296 8220 ================================================================================
20:55:52:187 8220 Initialize success
20:55:52:187 8220
20:55:52:187 8220 Scanning Services ...
20:55:52:312 8220 Raw services enum returned 429 services
20:55:52:328 8220
20:55:52:328 8220 Scanning Drivers ...
20:55:54:109 8220 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
20:55:54:140 8220 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:55:54:156 8220 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
20:55:54:203 8220 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
20:55:54:312 8220 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
20:55:54:406 8220 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
20:55:54:468 8220 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
20:55:54:484 8220 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
20:55:54:484 8220 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
20:55:54:500 8220 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
20:55:54:546 8220 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
20:55:54:562 8220 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
20:55:54:578 8220 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
20:55:54:593 8220 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
20:55:54:609 8220 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
20:55:54:640 8220 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
20:55:54:718 8220 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
20:55:54:765 8220 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
20:55:54:812 8220 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
20:55:54:875 8220 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:55:54:906 8220 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:55:54:968 8220 atksgt (72bc628af75c4c3250f2a3bac260265a) C:\WINDOWS\system32\DRIVERS\atksgt.sys
20:55:55:062 8220 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:55:55:125 8220 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:55:55:171 8220 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
20:55:55:265 8220 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
20:55:55:390 8220 bdfm (ced6717bd8b67284afcf692b9316b464) C:\WINDOWS\system32\drivers\bdfm.sys
20:55:55:453 8220 Bdfndisf (dd3a1af8bdacbf45919f087caa99579b) C:\WINDOWS\system32\DRIVERS\bdfndisf.sys
20:55:55:531 8220 bdfsfltr (70975049e22b2efec260816cf505e6e7) C:\WINDOWS\system32\drivers\bdfsfltr.sys
20:55:55:671 8220 bdftdif (a7bdb1958d9b8245a0ba83f46abb630c) C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys
20:55:55:828 8220 BDSelfPr (5eaf583c0b1cc2499761ea3b065f5db2) C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys
20:55:55:890 8220 BDVEDISK (bc79b27bc351436b07f57d80bec76036) C:\Program Files\BitDefender\BitDefender 2009\BDVEDISK.sys
20:55:56:000 8220 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:55:56:046 8220 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
20:55:56:046 8220 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:55:56:078 8220 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
20:55:56:109 8220 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
20:55:56:140 8220 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:55:56:156 8220 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
20:55:56:171 8220 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:55:56:312 8220 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
20:55:56:328 8220 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
20:55:56:343 8220 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
20:55:56:359 8220 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
20:55:56:390 8220 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
20:55:56:406 8220 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
20:55:56:421 8220 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
20:55:56:437 8220 DKbFltr (060db81dfb79c8244eb65d10b6c7873f) C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
20:55:56:500 8220 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
20:55:56:609 8220 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
20:55:56:656 8220 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:55:56:687 8220 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
20:55:56:703 8220 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
20:55:56:734 8220 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
20:55:56:796 8220 epmntdrv (f07ba56b0235f15eff8f10dc6389c42e) C:\WINDOWS\system32\epmntdrv.sys
20:55:56:953 8220 EuGdiDrv (1f2f4ab15ce03ecc257feb2f6dc5a013) C:\WINDOWS\system32\EuGdiDrv.sys
20:55:57:046 8220 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
20:55:57:078 8220 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
20:55:57:125 8220 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
20:55:57:171 8220 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
20:55:57:171 8220 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
20:55:57:234 8220 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
20:55:57:343 8220 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
20:55:57:406 8220 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:55:57:453 8220 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:55:57:468 8220 gagp30kx (4216cd545e5c30807b560c5dcaa812e6) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
20:55:57:515 8220 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
20:55:57:578 8220 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:55:57:671 8220 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:55:57:718 8220 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:55:57:796 8220 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
20:55:57:843 8220 HSFHWAZL (6a5c4732d6803f84e2987edd8e4359ce) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
20:55:57:921 8220 HSF_DPV (21c31273c6cc4826e74be8ae3b09d4a8) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
20:55:58:109 8220 HTCAND32 (cbd09ed9cf6822177ee85aea4d8816a2) C:\WINDOWS\system32\Drivers\ANDROIDUSB.sys
20:55:58:171 8220 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
20:55:58:234 8220 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
20:55:58:312 8220 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
20:55:58:390 8220 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:55:58:625 8220 ialm (12c7f8d581c4a9f126f5f8f5683a1c29) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
20:55:59:015 8220 iaStor (997e8f5939f2d12cd9f2e6b395724c16) C:\WINDOWS\system32\DRIVERS\iaStor.sys
20:55:59:093 8220 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:55:59:171 8220 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
20:55:59:296 8220 int15 (f8f75594c17fe7bce1b4045bb7199868) C:\WINDOWS\system32\drivers\int15.sys
20:55:59:453 8220 int15.sys (4d8d5b1c895ea0f2a721b98a7ce198f1) C:\Acer\Empowering Technology\eRecovery\int15.sys
20:55:59:781 8220 IntcAzAudAddService (b45a576ad280dd4f605f58b24cdaafe1) C:\WINDOWS\system32\drivers\RtkHDAud.sys
20:56:00:171 8220 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
20:56:00:203 8220 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:56:00:250 8220 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
20:56:00:312 8220 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:56:00:343 8220 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:56:00:406 8220 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:56:00:515 8220 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:56:00:546 8220 irda (86c204836feec22510d434982d4221b8) C:\WINDOWS\system32\DRIVERS\irda.sys
20:56:00:593 8220 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:56:00:625 8220 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:56:00:671 8220 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:56:00:703 8220 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:56:00:812 8220 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
20:56:00:875 8220 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
20:56:00:921 8220 KSecDD (1be7cc2535d760ae4d481576eb789f24) C:\WINDOWS\system32\drivers\KSecDD.sys
20:56:00:984 8220 lirsgt (4127e8b6ddb4090e815c1f8852c277d3) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
20:56:01:046 8220 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys
20:56:01:140 8220 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
20:56:01:203 8220 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:56:01:234 8220 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
20:56:01:281 8220 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:56:01:328 8220 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:56:01:453 8220 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
20:56:01:468 8220 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
20:56:01:515 8220 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:56:01:578 8220 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:56:01:687 8220 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
20:56:01:718 8220 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:56:01:750 8220 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:56:01:765 8220 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
20:56:01:781 8220 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:56:01:812 8220 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
20:56:01:968 8220 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
20:56:01:984 8220 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
20:56:02:046 8220 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
20:56:02:093 8220 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
20:56:02:218 8220 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:56:02:265 8220 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:56:02:312 8220 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:56:02:343 8220 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
20:56:02:375 8220 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:56:02:406 8220 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:56:02:578 8220 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
20:56:02:625 8220 nmwcd (65ac8baa2f916ee9203ee48d7fcee605) C:\WINDOWS\system32\drivers\ccdcmb.sys
20:56:02:687 8220 nmwcdc (29af182734a247240d89a0fe63dbef03) C:\WINDOWS\system32\drivers\ccdcmbo.sys
20:56:02:765 8220 nmwcdsa (a579a2cc4768b4b3f7e4f86808ea8206) C:\WINDOWS\system32\drivers\nmwcdsa.sys
20:56:02:859 8220 nmwcdsac (0a6436274d5cdb33b6ac2fc304037d82) C:\WINDOWS\system32\drivers\nmwcdsac.sys
20:56:02:906 8220 nmwcdsacj (23ca32dec0f1e68448c9c3c1f2e1deee) C:\WINDOWS\system32\drivers\nmwcdsacj.sys
20:56:02:984 8220 nmwcdsacm (23ca32dec0f1e68448c9c3c1f2e1deee) C:\WINDOWS\system32\drivers\nmwcdsacm.sys
20:56:03:062 8220 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
20:56:03:140 8220 NSCIRDA (6216798d29c3ba9d0d6f40bbbab694a5) C:\WINDOWS\system32\DRIVERS\nscirda.sys
20:56:03:187 8220 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
20:56:03:296 8220 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
20:56:03:343 8220 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:56:03:390 8220 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:56:03:406 8220 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:56:03:437 8220 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
20:56:03:515 8220 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
20:56:03:546 8220 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
20:56:03:578 8220 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:56:03:640 8220 pccsmcfd (175cc28dcf819f78caa3fbd44ad9e52a) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
20:56:03:671 8220 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
20:56:03:703 8220 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:56:03:781 8220 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
20:56:03:953 8220 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
20:56:03:984 8220 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
20:56:04:125 8220 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:56:04:140 8220 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
20:56:04:218 8220 Profos (1bfe86c679a43994e36e623fb6898cdb) C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys
20:56:04:296 8220 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
20:56:04:328 8220 psdfilter (32338659e9da79055406f2157cd0e1df) C:\WINDOWS\system32\Drivers\psdfilter.sys
20:56:04:390 8220 psdvdisk (4c7947014674df40b7af52342a9157d0) C:\WINDOWS\system32\Drivers\psdvdisk.sys
20:56:04:437 8220 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:56:04:468 8220 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:56:04:500 8220 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
20:56:04:546 8220 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
20:56:04:609 8220 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
20:56:04:625 8220 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
20:56:04:640 8220 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
20:56:04:750 8220 RapportKELL (c0f3df267c1845eff848f2d20a1950e6) C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys
20:56:04:843 8220 RapportPG (cd16081bd232712f43e755c00741a9d5) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
20:56:04:921 8220 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:56:04:984 8220 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
20:56:05:078 8220 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:56:05:093 8220 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:56:05:125 8220 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:56:05:203 8220 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:56:05:281 8220 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:56:05:312 8220 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:56:05:343 8220 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
20:56:05:375 8220 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:56:05:437 8220 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
20:56:05:500 8220 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
20:56:05:515 8220 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
20:56:05:640 8220 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
20:56:05:687 8220 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:56:05:718 8220 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
20:56:05:781 8220 sffdisk (1d9f1bec651815741f088a8fb88e17ee) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
20:56:05:828 8220 sffp_sd (586499fd312ffd7f78553f408e71682e) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
20:56:05:906 8220 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:56:06:000 8220 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
20:56:06:062 8220 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
20:56:06:109 8220 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
20:56:06:218 8220 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
20:56:06:390 8220 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
20:56:06:390 8220 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
20:56:06:484 8220 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
20:56:06:546 8220 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
20:56:06:578 8220 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
20:56:06:656 8220 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
20:56:06:687 8220 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:56:06:796 8220 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
20:56:06:828 8220 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
20:56:06:843 8220 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
20:56:06:859 8220 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
20:56:06:921 8220 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
20:56:06:937 8220 SynTP (e295fffff3aaf9a6a40b29497901908f) C:\WINDOWS\system32\DRIVERS\SynTP.sys
20:56:07:046 8220 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
20:56:07:140 8220 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:56:07:234 8220 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:56:07:250 8220 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
20:56:07:281 8220 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:56:07:359 8220 tifm21 (78213f01ce781f93180bef5eb5b3ad81) C:\WINDOWS\system32\drivers\tifm21.sys
20:56:07:500 8220 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
20:56:07:578 8220 Trufos (b16d66a71de03285e14e9f165b59eda4) C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys
20:56:07:703 8220 tvicport (97dd70feca64fb4f63de7bb7e66a80b1) C:\WINDOWS\system32\drivers\tvicport.sys
20:56:07:750 8220 UBHelper (e0c67be430c6de490d6ccaecfa071f9e) C:\WINDOWS\system32\drivers\UBHelper.sys
20:56:07:843 8220 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
20:56:07:859 8220 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
20:56:07:906 8220 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
20:56:08:015 8220 upperdev (2522747ba661514e3770e508cce45b64) C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys
20:56:08:078 8220 USBAAPL (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys
20:56:08:187 8220 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:56:08:250 8220 usbehci (b0d7020386c7187ef9c5a9643f289cd3) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:56:08:359 8220 usbhub (ace960e54148821e8e48f5d191562c28) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:56:08:453 8220 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:56:08:531 8220 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:56:08:593 8220 usbser (49106ee29074e6a3d3ac9e24c6d791d8) C:\WINDOWS\system32\DRIVERS\usbser.sys
20:56:08:765 8220 UsbserFilt (8aa5f86a6c3b3234beed9556d145bfac) C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys
20:56:08:812 8220 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:56:08:859 8220 usbuhci (ff6e4fdeb82dc228efa490336409c6bd) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:56:08:953 8220 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys
20:56:09:203 8220 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
20:56:09:265 8220 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
20:56:09:296 8220 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
20:56:09:328 8220 VNUSB (c48e230878ea1946f0c4026a9d8e9a61) C:\WINDOWS\system32\DRIVERS\VNUSB.sys
20:56:09:468 8220 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
20:56:09:484 8220 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:56:09:546 8220 Wdf01000 (4769596d7cc0f5fa447d2babc239672a) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
20:56:09:843 8220 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
20:56:09:937 8220 winachsf (307d248f97835b6879bdd361086924fe) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
20:56:10:093 8220 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
20:56:10:171 8220 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
20:56:10:203 8220 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
20:56:10:265 8220 WudfPf (50eb9e21963b4f06fd010d007d54351b) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:56:10:390 8220 WudfRd (6e209664bdea8a15b5e8e480d6c607c2) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
20:56:10:453 8220 zntport (40ac8590cc9006dbb99ffcb37879d4c6) C:\WINDOWS\system32\drivers\zntport.sys
20:56:10:484 8220
20:56:10:484 8220 Completed
20:56:10:484 8220
20:56:10:484 8220 Results:
20:56:10:484 8220 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:56:10:484 8220 File objects infected / cured / cured on reboot: 0 / 0 / 0
20:56:10:484 8220
20:56:10:500 8220 KLMD(ARK) unloaded successfully

Edited by MrCharlie, 07 July 2010 - 02:21 PM.


#6 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 07 July 2010 - 02:23 PM

OK....there's a problem with your master boot record, there's a couple of different ways to fix this.

I'll get back to you asap with the best way to do, MrC


#7 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 July 2010 - 04:42 PM

Hello dj,
You have a mbr rookit that will require a new tool to remove.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#8 djcarter

djcarter

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 08 July 2010 - 01:48 AM

Heres the log

Thanks again

djcarter

C:\Documents and Settings\The User\Desktop\HelpAsst_mebroot_fix.exe
08/07/2010 at 8:02:17.82

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"8500:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"8500:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-2116581359-257712658-3243960628-1007
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 08/07/2010 at 8:43:48.01

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys spyq.sys >>UNKNOWN [0x86D8D938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x86d6a1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
Use "Recovery Console" command "fixmbr" to clear infection !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

#9 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 08 July 2010 - 05:35 AM

Please do the following:
Please note the spaces

Click Start>Run and type helpasst -folder then hit Enter.
The tool will run and prompt for confirmation to remove any HelpAssistant folders found.
If prompted, restart your computer.

When complete, click Start>Run and type helpasst -mbrt then hit Enter.
Post the new log that opens when it finishes.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#10 djcarter

djcarter

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 08 July 2010 - 06:15 AM

Here is the new log, though it looks the same as the last one...

C:\Documents and Settings\The User\Desktop\HelpAsst_mebroot_fix.exe
08/07/2010 at 8:02:17.82

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"8500:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"8500:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-2116581359-257712658-3243960628-1007
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 08/07/2010 at 8:43:48.01

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys spyq.sys >>UNKNOWN [0x86D8D938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x86d6a1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
Use "Recovery Console" command "fixmbr" to clear infection !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Folder removal routine ~ 08/07/2010 at 13:08:17.60

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking for HelpAssistant directories ~~

none found

~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 08/07/2010 at 13:09:41.78

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys spxb.sys >>UNKNOWN [0x86D8D938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x86d6a1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
Use "Recovery Console" command "fixmbr" to clear infection !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

    Advertisements

Register to Remove


#11 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 08 July 2010 - 06:32 AM

Please run a new Combofix scan and post the results :thumbup:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#12 djcarter

djcarter

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 08 July 2010 - 01:03 PM

ComboFix 10-07-07.02 - The User 08/07/2010 19:24:38.9.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.117 [GMT 1:00]
Running from: c:\documents and settings\The User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.

2010-07-08 07:02 . 2010-07-08 07:02 -------- d-----w- C:\HelpAsst_backup
2010-06-26 15:25 . 2010-06-26 15:25 -------- d-----w- c:\program files\DVD Shrink
2010-06-26 15:07 . 2010-06-26 15:07 -------- d-----w- c:\documents and settings\The User\Application Data\PropMgrAsync
2010-06-26 15:05 . 2010-06-26 15:05 -------- d-----w- c:\documents and settings\The User\Application Data\Toolbar4
2010-06-26 15:00 . 2010-07-07 13:04 -------- d-----w- c:\program files\DVD Shrink 3.2.0.15
2010-06-24 18:54 . 2010-06-24 18:54 227152 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-24 14:00 . 2010-06-24 14:01 -------- d-----w- c:\program files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2010-06-24 13:50 . 2010-06-24 13:50 -------- d-----w- c:\program files\Common Files\Common Share
2010-06-24 13:50 . 2008-12-18 12:38 719872 ----a-w- c:\windows\system32\devil.dll
2010-06-24 13:50 . 2008-12-18 12:38 351744 ----a-w- c:\windows\system32\avisynth.dll
2010-06-24 13:50 . 2008-12-18 12:38 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-06-24 13:50 . 2010-06-24 13:50 -------- d-----w- c:\program files\OJOsoft
2010-06-23 19:44 . 2010-06-23 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-23 19:44 . 2010-06-23 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-06-23 19:44 . 2010-06-23 19:44 -------- d-----w- c:\program files\McAfee Security Scan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-04-12 00:49 . 2009-12-03 01:22 -------- d-----w- c:\program files\trend micro
2010-07-08 18:43 . 2008-05-07 14:04 -------- d-----w- c:\documents and settings\The User\Application Data\uTorrent
2010-07-08 18:42 . 2008-05-03 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-07-08 18:17 . 2009-12-17 11:34 -------- d-----w- c:\documents and settings\The User\Application Data\Dropbox
2010-07-08 18:08 . 2009-06-24 13:08 81984 ----a-w- c:\windows\system32\bdod.bin
2010-07-08 18:04 . 2009-03-17 16:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-07 16:31 . 2007-08-07 22:02 -------- d-----w- c:\program files\Microsoft SQL Server
2010-07-06 18:11 . 2009-12-18 19:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-06 14:54 . 2010-07-06 14:54 388096 ----a-r- c:\documents and settings\The User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-03 18:09 . 2010-05-01 09:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-07-03 10:36 . 2009-12-08 21:22 117760 ----a-w- c:\documents and settings\The User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-03 06:56 . 2009-12-18 21:36 52224 ----a-w- c:\documents and settings\The User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-28 00:08 . 2008-04-02 06:48 -------- d-----w- c:\program files\Launch Manager
2010-06-24 19:55 . 2008-05-06 18:03 -------- d-----w- c:\documents and settings\The User\Application Data\Apple Computer
2010-06-20 22:38 . 2007-08-07 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-20 20:25 . 2009-12-08 21:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-07 13:45 . 2010-06-07 13:45 -------- d-----w- c:\program files\WBFS
2010-06-07 10:51 . 2008-04-17 08:00 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-27 14:06 . 2010-05-27 14:03 -------- d-----w- c:\documents and settings\The User\Application Data\Teleca
2010-05-27 14:05 . 2010-05-27 14:05 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-05-27 14:05 . 2010-05-27 14:05 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
2010-05-27 14:02 . 2010-05-27 14:02 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-05-27 14:02 . 2010-05-27 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\HTC
2010-05-27 14:02 . 2010-05-27 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Teleca
2010-05-27 14:02 . 2010-05-27 13:58 -------- d-----w- c:\program files\HTC
2010-05-27 13:59 . 2010-05-27 13:59 -------- d-----w- c:\program files\Spirent Communications
2010-05-25 07:37 . 2010-05-25 07:37 -------- d-----w- c:\documents and settings\The User\Application Data\Trusteer
2010-05-25 07:37 . 2010-05-25 07:37 -------- d-----w- c:\program files\Trusteer
2010-05-25 07:35 . 2010-05-25 07:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-05-24 07:37 . 2008-07-28 11:12 93936 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-05-24 07:35 . 2008-04-02 06:41 8224 ----a-w- c:\documents and settings\The User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-22 13:18 . 2010-05-22 13:16 -------- d-----w- c:\program files\iTunes
2010-05-22 13:18 . 2010-05-22 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-22 13:17 . 2010-05-22 13:17 -------- d-----w- c:\program files\iPod
2010-05-22 13:17 . 2008-07-15 21:42 -------- d-----w- c:\program files\Common Files\Apple
2010-05-22 13:11 . 2009-09-14 10:18 -------- d-----w- c:\program files\QuickTime
2010-05-22 13:02 . 2009-05-08 11:55 -------- d-----w- c:\program files\Bonjour
2010-05-22 12:55 . 2010-05-22 12:55 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-18 15:11 . 2010-05-18 15:11 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-05-16 18:50 . 2009-11-20 21:25 76712 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-04 17:20 . 2007-04-18 12:31 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-05 03:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-05 03:00 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:56 . 2007-03-08 13:47 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 14:39 . 2009-12-18 19:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-12-18 19:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 21:10 . 2010-06-07 13:19 1718912 ----a-w- c:\windows\system32\BootMan.exe
2010-04-20 05:51 . 2004-08-05 03:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 07:33 . 2009-04-30 16:48 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-16 07:33 . 2008-12-26 21:11 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-07 11:36 . 2010-04-07 11:24 65536 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]
"{C86FF9FA-AEED-451B-A9CC-39A53173AE2E}"= "c:\program files\DVD Shrink 3.2.0.15\tbcore3.dll" [2010-03-26 2550272]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{c86ff9fa-aeed-451b-a9cc-39a53173ae2e}]
[HKEY_CLASSES_ROOT\TBSB07458.TBSB07458.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB07458.TBSB07458]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\The User\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\The User\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\The User\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-04 2002160]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-02-24 319280]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Preload"="c:\windows\RUNXMLPL.exe" [2007-04-21 20480]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-05 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 208896]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-07-04 475136]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-05-28 342528]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 421888]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-10-17 858632]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SamsungPCSuiteTrayApplication"="c:\program files\Samsung\Samsung PC Studio 7\LaunchApplication.exe" [2008-08-07 278016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2010-04-07 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-19 598016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
"Samsung.PCSync"="c:\program files\Samsung\Samsung PC Studio 7\PcSync2.exe" [2007-12-04 1241088]

c:\documents and settings\The User\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\The User\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
MagicDisc.lnk.disabled [2009-7-20 656]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-4-2 45056]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^The User^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=c:\documents and settings\The User\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=c:\windows\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^The User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\The User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-04-01 09:39 486856 ------w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 14:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2008-03-28 10:20 1079296 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SamsungPCSuiteTrayApplication]
2008-08-07 17:10 278016 ------w- c:\program files\Samsung\Samsung PC Studio 7\LaunchApplication.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Documents and Settings\\The User\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:limewire

R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [18/05/2010 16:11 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [18/05/2010 16:11 166376]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/11/2009 09:43 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/11/2009 09:43 74480]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/09/2008 13:03 169312]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [06/10/2008 18:16 82696]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [18/05/2010 16:11 840936]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [18/09/2008 12:09 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [12/02/2009 16:52 104456]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/11/2009 09:43 7408]
S2 BTWSp50;BTWSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BTWSp50.sys --> c:\windows\system32\Drivers\BTWSp50.sys [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [20/01/2009 19:16 172032]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [07/06/2010 14:19 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [07/06/2010 14:19 8456]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [27/05/2010 14:59 24576]
S3 nmwcdsa;Samsung USB Phone Parent;c:\windows\system32\drivers\nmwcdsa.sys [13/01/2009 14:32 135680]
S3 nmwcdsac;Samsung USB Generic;c:\windows\system32\drivers\nmwcdsac.sys [13/01/2009 14:32 8320]
S3 nmwcdsacj;Samsung USB Port;c:\windows\system32\drivers\nmwcdsacj.sys [13/01/2009 14:32 12288]
S3 nmwcdsacm;Samsung USB Modem;c:\windows\system32\drivers\nmwcdsacm.sys [13/01/2009 14:32 12288]
S4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [07/05/2008 16:21 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2010-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2016-04-12 c:\windows\Tasks\User_Feed_Synchronization-{BD01A600-5529-4904-B81B-59F2C534B718}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mStart Page = hxxp://gooofullsearch.com/bar
uInternet Connection Wizard,ShellNext = hxxp://en.uk.acer.yahoo.com/
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
FF - ProfilePath - c:\documents and settings\The User\Application Data\Mozilla\Firefox\Profiles\qftgx7ko.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?FORM=Z9FD1
FF - prefs.js: keyword.URL - hxxp://www.gooofullsearch.com/google?cx=partner-pub-1706725243366868:bicno8bf36s&cof=FORID%3A10&ie=UTF-8&hl=es&q=
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr
ef", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-08 19:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1424)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(18024)
c:\windows\system32\WININET.dll
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\MFC71U.DLL
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\documents and settings\The User\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-08 19:50:21
ComboFix-quarantined-files.txt 2010-07-08 18:50
ComboFix2.txt 2010-07-07 13:28

Pre-Run: 4,859,830,272 bytes free
Post-Run: 4,841,148,416 bytes free

- - End Of File - - E07221925546D9F972168FFB01242E55

#13 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 08 July 2010 - 01:08 PM

Be sure to do all 3 steps.

1.Click Start > Settings > Control Panel.
2.Next, open Add/Remove Programs and remove if listed:
Ask.com

Next:

Please click Start>Run and type (or copy and paste it) the following bolded command then hit Enter.

helpasst -cleanup

And final

Good job :thumbup:

The following will implement some cleanup procedures as well as reset System Restore points:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.


To be on the safe side, I would also change all my passwords.


Here's my usual all clean post

Log looks good :D


  • Make your Internet Explorer more secure - This can be done by following these simple instructions:[list=1]
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is succeptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.


I would suggest you read How to Prevent Malware:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#14 djcarter

djcarter

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 09 July 2010 - 04:06 AM

Thank you so much for your help! :thumbup:

#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 09 July 2010 - 07:07 PM

You're more than welcome. Glad we were able to help Peace be with you :wavey:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users