sambora1984
Everything posted by sambora1984

  1. Hi Conspire, Thanks for all your help trying to sort this one. I guess it won't do any harm to start the machine from fresh anyway...it will keep me busy for half a day! Thanks again, Sambora1984
  2. Hi Conspire, Ok made sure it was the right file name this time sorry about that! Thanks
  3. Hi again, here are the results from the latest run of ComboFix as requested... thanks
4. Hi, Couldn't download from link again but managed to send it via email from another machine! Thanks

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-22 16:03:45
-----------------------------
16:03:45.109 OS Version: Windows 5.1.2600 Service Pack 3
16:03:45.109 Number of processors: 1 586 0x401
16:03:45.109 ComputerName: EMMA UserName:
16:03:46.375 Initialize success
16:04:14.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:04:14.515 Disk 0 Vendor: SAMSUNG_SP0802N TK200-04 Size: 76351MB BusType: 3
16:04:16.531 Disk 0 MBR read successfully
16:04:16.546 Disk 0 MBR scan
16:04:16.546 Disk 0 unknown MBR code
16:04:18.578 Disk 0 scanning sectors +156340800
16:04:18.593 Disk 0 scanning C:\WINDOWS\system32\drivers
16:04:24.515 Service scanning
16:04:25.703 Disk 0 trace - called modules:
16:04:25.718 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
16:04:25.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a58dab8]
16:04:25.781 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\0000006f[0x8a571130]
16:04:25.781 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a5b9d98]
16:04:25.781 Scan finished successfully
16:04:39.468 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ishbel\Desktop\MBR.dat"
16:04:39.484 The log file has been saved successfully to "C:\Documents and Settings\Ishbel\Desktop\aswMBR.txt"
5. Hi there, Scan doesn't appear to have found anything. Forgot to say I've had trouble opening the first two links of the virus file scanners you posted and as well I couldn't access this TDSSKiller link (had to use previous download of the program)...is this a concern? Also noticed a system tray notification style box popped up yesterday saying malicious software was not completely removed...click here to resolve. I decided not to in case it was false although the first screen of it suggested it was a Microsoft thing...wasn't convinced by it though. Thanks

2011/05/21 18:42:14.0343 2828 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/21 18:42:15.0406 2828 ================================================================================
2011/05/21 18:42:15.0406 2828 SystemInfo:
2011/05/21 18:42:15.0406 2828
2011/05/21 18:42:15.0406 2828 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/21 18:42:15.0406 2828 Product type: Workstation
2011/05/21 18:42:15.0406 2828 ComputerName: EMMA
2011/05/21 18:42:15.0406 2828 UserName: Ishbel
2011/05/21 18:42:15.0406 2828 Windows directory: C:\WINDOWS
2011/05/21 18:42:15.0406 2828 System windows directory: C:\WINDOWS
2011/05/21 18:42:15.0406 2828 Processor architecture: Intel x86
2011/05/21 18:42:15.0406 2828 Number of processors: 1
2011/05/21 18:42:15.0406 2828 Page size: 0x1000
2011/05/21 18:42:15.0406 2828 Boot type: Normal boot
2011/05/21 18:42:15.0406 2828 ================================================================================
2011/05/21 18:42:15.0687 2828 Initialize success
2011/05/21 18:42:22.0046 2764 ================================================================================
2011/05/21 18:42:22.0046 2764 Scan started
2011/05/21 18:42:22.0046 2764 Mode: Manual;
2011/05/21 18:42:22.0046 2764 ================================================================================
2011/05/21 18:43:03.0015 2764 ================================================================================
2011/05/21 18:43:03.0015 2764 Scan finished
2011/05/21 18:43:03.0015 2764 ================================================================================
6. Hello, Here are the results of the virscan and combofix as requested...couldn't get either of the first two links to run so used virscan. Thanks

VirSCAN.org Scanned Report :
Scanned time : 2011/05/20 21:12:35 (BST)
Scanner results: 5% Scanner(s) (2/37) found malware!
File Name : null0.19106781029606734.exe
File Size : 100958 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : b0fa2f95250378c192b479f045e59164
SHA1 : 333ac1b30d4cd1a8ed695e7f745546d71188fe3e
Online report : http://file.virscan.org/report/6017fcf6650af3a768b4ca503a29e783.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.2 20110521040419 2011-05-21 0.08 -
AhnLab V3 2011.05.21.00 2011.05.21 2011-05-21 0.08 -
AntiVir 8.2.4.242 7.11.8.85 2011-05-20 0.29 -
Antiy 2.0.18 20110205.7694535 2011-02-05 0.12 Trojan/Win32.SpyEyes.gqv[sPY]
Arcavir 2011 201105080215 2011-05-08 0.04 -
Authentium 5.1.1 201105201654 2011-05-20 1.42 -
AVAST! 4.7.4 110520-1 2011-05-20 0.01 -
AVG 8.5.850 271.1.1/3649 2011-05-20 0.25 -
BitDefender 7.90123.7367409 7.37525 2011-05-21 5.88 -
ClamAV 0.96.5 13097 2011-05-20 0.02 -
Comodo 4.0 8774 2011-05-20 0.08 -
CP Secure 1.3.0.5 2011.05.21 2011-05-21 3.40 -
Dr.Web 5.0.2.3300 2011.05.21 2011-05-21 11.94 -
F-Prot 4.4.4.56 20110520 2011-05-20 1.41 Possible W32/Heuristic-MU2!Eldorado (damaged, not disinfectable)
F-Secure 7.02.73807 2011.05.20.05 2011-05-20 3.34 -
Fortinet 4.2.257 13.246 2011-05-20 0.08 -
GData 22.397/22.112 20110520 2011-05-20 0.08 -
ViRobot 20110520 2011.05.20 2011-05-20 0.08 -
Ikarus T3.1.32.20.0 2011.05.20.78434 2011-05-20 4.73 -
JiangMin 13.0.900 2011.05.20 2011-05-20 0.08 -
Kaspersky 5.5.10 2011.05.20 2011-05-20 0.10 -
KingSoft 2009.2.5.15 2011.5.20.18 2011-05-20 0.09 -
McAfee 5400.1158 6340 2011-05-08 9.18 -
Microsoft 1.6903 2011.05.20 2011-05-20 0.08 -
NOD32 3.0.21 6138 2011-05-20 0.03 -
Norman 6.07.08 6.07.00 2011-05-20 14.02 -
Panda 9.05.01 2011.05.19 2011-05-19 0.16 -
Trend Micro 9.200-1012 8.168.15 2011-05-20 0.02 -
Quick Heal 11.00 2011.05.20 2011-05-20 0.12 -
Rising 20.0 23.58.04.03 2011-05-20 0.14 -
Sophos 3.19.1 4.65 2011-05-21 3.76 -
Sunbelt 3.9.2493.2 9337 2011-05-20 0.12 -
Symantec 1.3.0.24 20110519.002 2011-05-19 0.08 -
nProtect 20110519.01 3454403 2011-05-19 0.12 -
The Hacker 6.7.0.1 v00176 2011-04-18 0.20 -
VBA32 3.12.16.0 20110520.1647 2011-05-20 5.14 -
VirusBuster 5.2.0.28 13.6.365.0/5213718 2011-05-20 0.00 -

VirSCAN.org Scanned Report :
Scanned time : 2011/05/20 21:18:01 (BST)
Scanner results: 38% Scanner(s) (14/37) found malware!
File Name : Explorermgr.exe
File Size : 166256 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 6c1e199ccc02acaf6e962eb75acb8c98
SHA1 : 742db8306bdbc1759d73eabd7914a93f94478cc7
Online report : http://file.virscan.org/report/2222a28a8ca81c5f9e6034410daa9ea2.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.2 20110521040419 2011-05-21 0.08 -
AhnLab V3 2011.05.21.00 2011.05.21 2011-05-21 0.08 -
AntiVir 8.2.4.242 7.11.8.85 2011-05-20 0.29 TR/Lebag.bpc
Antiy 2.0.18 20110205.7694535 2011-02-05 0.13 -
Arcavir 2011 201105080215 2011-05-08 0.04 Trojan.Lebag.Bqq
Authentium 5.1.1 201105201654 2011-05-20 1.64 -
AVAST! 4.7.4 110520-1 2011-05-20 0.02 Win32:Dropper-gen [Drp]
AVG 8.5.850 271.1.1/3649 2011-05-20 0.25 Generic22.PDI
BitDefender 7.90123.7367409 7.37525 2011-05-21 5.92 Backdoor.Generic.634174
ClamAV 0.96.5 13097 2011-05-20 0.04 -
Comodo 4.0 8774 2011-05-20 0.08 -
CP Secure 1.3.0.5 2011.05.21 2011-05-21 0.07 -
Dr.Web 5.0.2.3300 2011.05.21 2011-05-21 11.93 Trojan.DownLoader2.39905
F-Prot 4.4.4.56 20110520 2011-05-20 1.57 -
F-Secure 7.02.73807 2011.05.20.05 2011-05-20 0.20 Trojan.Win32.Lebag.bpc [AVP]
Fortinet 4.2.257 13.246 2011-05-20 0.08 -
GData 22.397/22.112 20110520 2011-05-20 0.08 -
ViRobot 20110520 2011.05.20 2011-05-20 0.08 -
Ikarus T3.1.32.20.0 2011.05.20.78434 2011-05-20 6.89 Trojan.Win32.Lebag
JiangMin 13.0.900 2011.05.20 2011-05-20 0.08 -
Kaspersky 5.5.10 2011.05.20 2011-05-20 0.09 Trojan.Win32.Lebag.bpc
KingSoft 2009.2.5.15 2011.5.20.18 2011-05-20 0.08 -
McAfee 5400.1158 6340 2011-05-08 9.10 PWS-Zbot.gen.cy
Microsoft 1.6903 2011.05.20 2011-05-20 0.08 -
NOD32 3.0.21 6138 2011-05-20 0.03 a variant of Win32/Injector.GAW trojan
Norman 6.07.08 6.07.00 2011-05-20 12.01 -
Panda 9.05.01 2011.05.19 2011-05-19 0.08 -
Trend Micro 9.200-1012 8.168.15 2011-05-20 0.03 TROJ_SPNR.06EJ11
Quick Heal 11.00 2011.05.20 2011-05-20 0.08 -
Rising 20.0 23.58.04.03 2011-05-20 0.08 -
Sophos 3.19.1 4.65 2011-05-21 3.54 Mal/Zbot-CJ
Sunbelt 3.9.2493.2 9337 2011-05-20 0.08 -
Symantec 1.3.0.24 20110519.002 2011-05-19 0.00 -
nProtect 20110519.01 3454403 2011-05-19 0.08 -
The Hacker 6.7.0.1 v00176 2011-04-18 0.08 -
VBA32 3.12.16.0 20110520.1647 2011-05-20 4.26 Trojan.Lebag.bqq
VirusBuster 5.2.0.28 13.6.365.0/5213718 2011-05-20 0.00 -

ComboFix 11-05-18.04 - Ishbel 20/05/2011 21:26:41.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1527.971 [GMT 1:00]
Running from: c:\documents and settings\Ishbel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ishbel\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
FILE ::
"c:\docume~1\Ishbel\LOCALS~1\Temp\suqkqnbo.sys"
"c:\windows\pss\ljsaqqic.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\HP_Owner\WINDOWS
c:\program files\Internet Explorer\IEXPLOREmgr.exe
c:\program files\ddbndqyl . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2011-04-20 to 2011-05-20 )))))))))))))))))))))))))))))))
.
.
2011-05-07 17:01 . 2011-05-07 17:01 557577 ----a-r- c:\documents and settings\Ishbel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-07 17:01 . 2011-05-07 17:01 -------- d-----w- c:\program files\Trend Micro
2011-05-07 16:09 . 2011-05-07 16:38 166256 ----a-w- c:\windows\Explorermgr.exe
2011-05-07 15:52 . 2011-05-20 20:38 -------- d-----w- c:\program files\ddbndqyl
2011-04-24 13:06 . 2011-05-19 17:12 -------- d-----w- c:\documents and settings\Administrator
2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\program files\SpywareBlaster
2011-04-23 10:47 . 2011-04-23 10:47 100958 ----a-w- c:\program files\Mozilla Firefox\null0.19106781029606734.exe
2011-04-22 10:55 . 2011-04-22 10:55 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2011-04-22 10:54 . 2011-04-22 10:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2004-08-04 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
2010-08-23 14:01 2734688 ------w- c:\program files\ZoneAlarm\tbZon1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{66F2E20D-0DA8-4C11-A9C8-DD8477B88ACD}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"%FP%Friendly fts.exe"="c:\program files\VoyagerTest\fts.exe" [2003-05-06 241508]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-02 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1917271]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-2-21 884840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ddbndqyl\ljsaqqic.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 21:47 87352 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ljsaqqic.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ljsaqqic.exe
backup=c:\windows\pss\ljsaqqic.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ishbel^Start Menu^Programs^Startup^ljsaqqic.exe]
path=c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe
backup=c:\windows\pss\ljsaqqic.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2008-06-03 05:35 50528 -c--a-w- c:\progra~1\AOL9~1.1\aol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2008-10-09 15:07 70440 ----a-r- c:\program files\Common Files\AOL\acs\AOLDial.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
2003-08-19 12:47 188868 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
2003-06-28 15:10 1658965 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1223633514\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2004-10-13 23:04 450965 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-01-02 05:12 98304 -c----w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-01-02 05:08 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1223633514\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
.
R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 11:02 57144] R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [05/01/2011 20:02 63160] R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [05/01/2011 20:02 156344] R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26/05/2010 14:35 26352] R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26/05/2010 14:35 493032] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [19/02/2008 20:24 17149] S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [08/07/2007 17:42 112384] S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?] . Contents of the 'Scheduled Tasks' folder . 2011-05-07 c:\windows\Tasks\WebReg Photosmart C4100 series.job - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 16:45] . . ------- Supplementary Scan ------- . 
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://b.casalemedia.com/V2/52928/68146/index.html?XX uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx TCP: {21000BEC-F93D-4E81-9CCA-BF6F00B866B4} = 192.168.0.1 FF - ProfilePath - c:\documents and settings\Ishbel\Application Data\Mozilla\Firefox\Profiles\n01olo1j.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q= FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla 
Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: AOL Broadband Toolbar: {796503e4-19fe-48a3-82da-5c1fe0a13e3f} - %profile%\extensions\{796503e4-19fe-48a3-82da-5c1fe0a13e3f} FF - Ext: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - %profile%\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd} FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-05-20 22:01 Windows 5.1.2600 Service Pack 3 NTFS . detected NTDLL code modification: ZwQueryDirectoryFile . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe 166256 bytes executable . scan completed successfully hidden files: 1 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(824) c:\windows\system32\LMIinit.dll c:\windows\system32\LMIRfsClientNP.dll c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll . - - - - - - - > 'lsass.exe'(880) c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll . 
- - - - - - - > 'explorer.exe'(712) c:\windows\system32\WININET.dll c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll c:\progra~1\WINDOW~1\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\mshtml.dll c:\windows\system32\msls31.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\windows\system32\LMIRfsClientNP.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\AOL\ACS\AOLAcsd.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\LogMeIn\x86\RaMaint.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\LogMeIn\x86\LMIGuardian.exe c:\windows\system32\HPZipm12.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\windows\AGRSMMSG.exe c:\windows\ALCXMNTR.EXE c:\program files\LogMeIn\x86\LMIGuardian.exe c:\program files\PC Connectivity Solution\ServiceLayer.exe c:\program files\Internet Explorer\iexplore.exe c:\program files\Internet Explorer\iexplore.exe . ************************************************************************** . Completion time: 2011-05-20 22:12:42 - machine was rebooted ComboFix-quarantined-files.txt 2011-05-20 21:12 ComboFix2.txt 2011-05-19 17:25 . Pre-Run: 51,096,637,440 bytes free Post-Run: 51,280,097,280 bytes free . - - End Of File - - E0F4FA02ADA3B9B9F81FC5F72251CEB5
7. Hi Conspire, Got this ComboFix run... ZoneAlarm somehow re-enabled halfway through but it seemed to get to the end ok after I disabled it again. Thanks

ComboFix 11-05-18.04 - Ishbel 19/05/2011 18:05:50.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1527.997 [GMT 1:00]
Running from: c:\documents and settings\Ishbel\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\David\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Ishbel\WINDOWS
c:\documents and settings\LogMeInRemoteUser\WINDOWS
c:\program files\Internet Explorer\IEXPLOREmgr.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\Drivers\lvlnjonw.sys
c:\windows\system32\ps2.bat
D:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
.
.
((((((((((((((((((((((((( Files Created from 2011-04-19 to 2011-05-19 )))))))))))))))))))))))))))))))
.
.
2011-05-07 17:01 . 2011-05-07 17:01 557577 ----a-r- c:\documents and settings\Ishbel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-07 17:01 . 2011-05-07 17:01 -------- d-----w- c:\program files\Trend Micro
2011-05-07 16:09 . 2011-05-07 16:38 166256 ----a-w- c:\windows\Explorermgr.exe
2011-05-07 15:52 . 2011-05-19 17:17 -------- d-----w- c:\program files\ddbndqyl
2011-04-24 13:06 . 2011-05-19 17:12 -------- d-----w- c:\documents and settings\Administrator
2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\program files\SpywareBlaster
2011-04-23 10:47 . 2011-04-23 10:47 100958 ----a-w- c:\program files\Mozilla Firefox\null0.19106781029606734.exe
2011-04-22 10:55 . 2011-04-22 10:55 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2011-04-22 10:54 . 2011-04-22 10:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2004-08-04 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
2010-08-23 14:01 2734688 ------w- c:\program files\ZoneAlarm\tbZon1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{66F2E20D-0DA8-4C11-A9C8-DD8477B88ACD}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"%FP%Friendly fts.exe"="c:\program files\VoyagerTest\fts.exe" [2003-05-06 241508]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-02 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1917271]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-2-21 884840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ddbndqyl\ljsaqqic.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 21:47 87352 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ljsaqqic.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ljsaqqic.exe
backup=c:\windows\pss\ljsaqqic.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ishbel^Start Menu^Programs^Startup^ljsaqqic.exe]
path=c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe
backup=c:\windows\pss\ljsaqqic.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2008-06-03 05:35 50528 -c--a-w- c:\progra~1\AOL9~1.1\aol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2008-10-09 15:07 70440 ----a-r- c:\program files\Common Files\AOL\acs\AOLDial.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
2003-08-19 12:47 188868 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
2003-06-28 15:10 1658965 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1223633514\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2004-10-13 23:04 450965 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-01-02 05:12 98304 -c----w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-01-02 05:08 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1223633514\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
.
R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 11:02 57144]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [05/01/2011 20:02 63160]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [05/01/2011 20:02 156344]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26/05/2010 14:35 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26/05/2010 14:35 493032]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [19/02/2008 20:24 17149]
S3 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\Ishbel\LOCALS~1\Temp\suqkqnbo.sys --> c:\docume~1\Ishbel\LOCALS~1\Temp\suqkqnbo.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [08/07/2007 17:42 112384]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-07 c:\windows\Tasks\WebReg Photosmart C4100 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 16:45]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://b.casalemedia.com/V2/52928/68146/index.html?XX
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
TCP: {21000BEC-F93D-4E81-9CCA-BF6F00B866B4} = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Ishbel\Application Data\Mozilla\Firefox\Profiles\n01olo1j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q=
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: AOL Broadband Toolbar: {796503e4-19fe-48a3-82da-5c1fe0a13e3f} - %profile%\extensions\{796503e4-19fe-48a3-82da-5c1fe0a13e3f}
FF - Ext: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - %profile%\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-OM_Monitor - c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe
HKLM-Run-AutoTBar - c:\program files\HP\Digital Imaging\bin\AUTOTBAR.EXE
AddRemove-AOL Emergency Connect Utility 1.0 - c:\program files\Common Files\AOL\ECU\uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-19 18:17
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe 166256 bytes executable
C:\ljsaqqic.exe 166256 bytes executable
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(880)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(3336)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
.
**************************************************************************
.
Completion time: 2011-05-19 18:25:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-19 17:25
.
Pre-Run: 51,903,340,544 bytes free
Post-Run: 51,850,108,928 bytes free
.
- - End Of File - - A5910C4D6C09B8C68A300292CB85A1C4
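The two ComboFix logs above carry the same handful of indicators a responder would pull out by eye: a Winlogon Userinit value that launches a second program after the double comma, Security Center override/DisableMonitoring values forced to 1, a driver registered from the user's Temp directory whose file ComboFix could not resolve ("--> ... [?]"), a catchme report of hidden executables, and the "detected NTDLL code modification" line. The Python script below is an added example, not part of this thread and not ComboFix's own tooling: it walks a ComboFix log and collects exactly those indicators. The sample log is constructed from lines of the posted logs so it runs offline; the function names (triage, userinit_extras, service_is_suspect) and the heuristics for "suspect" services (a trailing [?], or an image path under a Temp directory) are this example's own choices, not semantics documented on the page.

```python
import re

# Constructed sample input: lines copied in shape from the ComboFix logs posted
# in this thread, trimmed to the sections the checks below look at. Embedded so
# the example runs offline; it is not a log file read from the machine.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ddbndqyl\ljsaqqic.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [05/01/2011 20:02 63160]
S3 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\Ishbel\LOCALS~1\Temp\suqkqnbo.sys --> c:\docume~1\Ishbel\LOCALS~1\Temp\suqkqnbo.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden files ...
.
c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe 166256 bytes executable
C:\ljsaqqic.exe 166256 bytes executable
.
scan completed successfully
hidden files: 2
"""

USERINIT_RE = re.compile(r'^"Userinit"="(.*)"$', re.IGNORECASE)
# Security Center values that hide a missing or disabled AV/firewall from the user.
SECCENTER_RE = re.compile(
    r'^"(AntiVirusOverride|FirewallOverride|DisableMonitoring)"=dword:0*1$',
    re.IGNORECASE)
# ComboFix service line: <state> <name>;<display name>;<image path and details>
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.+)$')
# catchme reports each hidden executable as "<path> <size> bytes executable".
HIDDEN_RE = re.compile(r'^(.+?) (\d+) bytes executable$', re.IGNORECASE)
# Heuristic (this example's choice): drivers living under Temp are suspect.
TEMP_RE = re.compile(r'\\(temp|locals~1)\\', re.IGNORECASE)


def userinit_extras(value):
    """Return the programs Winlogon will launch besides userinit.exe.

    The stock XP value is 'C:\\WINDOWS\\system32\\userinit.exe,' (one trailing
    comma); every non-empty entry after the first comma is an extra logon-time
    launch, which is a classic persistence location.
    """
    parts = [p.strip() for p in value.split(",")]
    return [p for p in parts[1:] if p]


def service_is_suspect(image_field):
    """Flag a service whose file ComboFix could not resolve (trailing '[?]')
    or whose image path lives under a Temp directory."""
    return image_field.rstrip().endswith("[?]") or bool(TEMP_RE.search(image_field))


def triage(log_text):
    """Walk a ComboFix log and collect the indicators worth a closer look."""
    findings = {
        "userinit_extras": [],
        "security_center_overrides": [],
        "suspect_services": [],
        "hidden_files": [],
        "ntdll_hooked": False,
    }
    for line in (ln.strip() for ln in log_text.splitlines()):
        if m := USERINIT_RE.match(line):
            findings["userinit_extras"] += userinit_extras(m.group(1))
        elif m := SECCENTER_RE.match(line):
            findings["security_center_overrides"].append(m.group(1))
        elif m := SERVICE_RE.match(line):
            if service_is_suspect(m.group(4)):
                findings["suspect_services"].append(m.group(2))
        elif m := HIDDEN_RE.match(line):
            findings["hidden_files"].append(m.group(1))
        elif line.startswith("detected NTDLL code modification"):
            findings["ntdll_hooked"] = True
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a saved log with the sample swapped for the file's contents. Two caveats: the Temp-directory rule is deliberately narrow, so legitimate drivers under Application Data (the Trusteer entries here) pass while anything under Temp or unresolved by ComboFix is surfaced for a human to judge; and a ComboFix log records what the registry said at scan time, so each hit still has to be confirmed on the host before anything is deleted.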
8. Hi Conspire, Sorry I've not replied yet, I am once again away from this machine but hope to carry out the next steps tomorrow evening. I will post results ASAP! Thanks
9. TDSS Report: Rebooted immediately after scan finished. Thanks

2011/05/15 10:15:11.0031 1684 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/15 10:15:11.0718 1684 ================================================================================
2011/05/15 10:15:11.0718 1684 SystemInfo:
2011/05/15 10:15:11.0718 1684
2011/05/15 10:15:11.0718 1684 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/15 10:15:11.0718 1684 Product type: Workstation
2011/05/15 10:15:11.0718 1684 ComputerName: EMMA
2011/05/15 10:15:11.0718 1684 UserName: Ishbel
2011/05/15 10:15:11.0718 1684 Windows directory: C:\WINDOWS
2011/05/15 10:15:11.0718 1684 System windows directory: C:\WINDOWS
2011/05/15 10:15:11.0718 1684 Processor architecture: Intel x86
2011/05/15 10:15:11.0718 1684 Number of processors: 1
2011/05/15 10:15:11.0718 1684 Page size: 0x1000
2011/05/15 10:15:11.0718 1684 Boot type: Normal boot
2011/05/15 10:15:11.0718 1684 ================================================================================
2011/05/15 10:15:12.0234 1684 Initialize success
2011/05/15 10:15:18.0968 3468 ================================================================================
2011/05/15 10:15:18.0968 3468 Scan started
2011/05/15 10:15:18.0968 3468 Mode: Manual;
2011/05/15 10:15:18.0968 3468 ================================================================================
2011/05/15 10:15:20.0687 3468 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/15 10:15:20.0906 3468 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/15 10:15:21.0328 3468 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/15 10:15:21.0531 3468 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/05/15 10:15:21.0718 3468 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/15 10:15:21.0937 3468 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/05/15 10:15:22.0531 3468 ALCXWDM (8d6c30e515717248e0e52b85fd7ac466) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/05/15 10:15:23.0093 3468 AR5523 (92637b97f57c1669d521a54482c4579c) C:\WINDOWS\system32\DRIVERS\WG11TND5.sys
2011/05/15 10:15:23.0312 3468 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/05/15 10:15:23.0750 3468 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/15 10:15:23.0953 3468 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/15 10:15:24.0375 3468 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/15 10:15:24.0546 3468 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/15 10:15:24.0718 3468 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/15 10:15:24.0906 3468 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/15 10:15:25.0156 3468 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/05/15 10:15:25.0375 3468 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/15 10:15:25.0546 3468 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/15 10:15:25.0734 3468 cdrbsdrv (351735695e9ead93de6af85d8beb1ca8) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
2011/05/15 10:15:25.0937 3468 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/15 10:15:26.0703 3468 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/15 10:15:26.0937 3468 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/15 10:15:27.0265 3468 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/15 10:15:27.0468 3468 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/15 10:15:27.0671 3468 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/15 10:15:27.0812 3468 DNINDIS5 (d2ee54cdbced01d48f2b18642be79a98) C:\WINDOWS\system32\DNINDIS5.SYS
2011/05/15 10:15:28.0140 3468 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/15 10:15:28.0375 3468 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/15 10:15:28.0625 3468 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/15 10:15:28.0828 3468 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/15 10:15:29.0031 3468 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/15 10:15:29.0250 3468 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/15 10:15:29.0437 3468 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2011/05/15 10:15:29.0656 3468 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/15 10:15:29.0843 3468 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/15 10:15:30.0046 3468 GEARAspiWDM (2fb04db459c71f416ee8b05448ca4ac3) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/15 10:15:30.0265 3468 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/15 10:15:30.0468 3468 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/15 10:15:30.0765 3468 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/05/15 10:15:30.0953 3468 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/05/15 10:15:31.0203 3468 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/05/15
10:15:31.0406 3468 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 2011/05/15 10:15:31.0734 3468 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 2011/05/15 10:15:31.0921 3468 ialm (d4405bd2b6e95efdc8e674ed4032874f) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 2011/05/15 10:15:32.0187 3468 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 2011/05/15 10:15:32.0468 3468 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys 2011/05/15 10:15:32.0671 3468 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys 2011/05/15 10:15:32.0875 3468 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 2011/05/15 10:15:33.0078 3468 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 2011/05/15 10:15:33.0296 3468 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 2011/05/15 10:15:33.0500 3468 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 2011/05/15 10:15:33.0750 3468 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 2011/05/15 10:15:33.0953 3468 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 2011/05/15 10:15:34.0203 3468 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys 2011/05/15 10:15:34.0312 3468 ISWKL (2e41433579de4381f1b0f7b30b013ddc) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys 2011/05/15 10:15:34.0515 3468 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys 2011/05/15 10:15:34.0687 3468 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 2011/05/15 10:15:34.0890 3468 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys 2011/05/15 10:15:35.0171 3468 kmixer (692bcf44383d056aed41b045a323d378) 
C:\WINDOWS\system32\drivers\kmixer.sys 2011/05/15 10:15:35.0375 3468 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 2011/05/15 10:15:35.0609 3468 lanusb (73f6efd2a2315af34f7872559686c471) C:\WINDOWS\system32\DRIVERS\glausb.sys 2011/05/15 10:15:36.0031 3468 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys 2011/05/15 10:15:36.0250 3468 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys 2011/05/15 10:15:36.0515 3468 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys 2011/05/15 10:15:36.0718 3468 LVUSBSta (64bc29c3a0388bfc580bb8b1346f7659) C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys 2011/05/15 10:15:37.0062 3468 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 2011/05/15 10:15:37.0312 3468 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys 2011/05/15 10:15:37.0515 3468 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys 2011/05/15 10:15:37.0703 3468 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys 2011/05/15 10:15:37.0875 3468 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 2011/05/15 10:15:38.0328 3468 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 2011/05/15 10:15:38.0531 3468 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 2011/05/15 10:15:38.0765 3468 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 2011/05/15 10:15:39.0000 3468 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 2011/05/15 10:15:39.0218 3468 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2011/05/15 10:15:39.0421 3468 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 2011/05/15 10:15:39.0625 3468 mssmbios 
(af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 2011/05/15 10:15:39.0812 3468 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys 2011/05/15 10:15:40.0000 3468 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys 2011/05/15 10:15:40.0296 3468 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys 2011/05/15 10:15:40.0484 3468 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 2011/05/15 10:15:40.0671 3468 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys 2011/05/15 10:15:40.0843 3468 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 2011/05/15 10:15:41.0062 3468 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 2011/05/15 10:15:41.0281 3468 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 2011/05/15 10:15:41.0468 3468 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys 2011/05/15 10:15:41.0656 3468 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 2011/05/15 10:15:41.0859 3468 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 2011/05/15 10:15:42.0125 3468 NETMDUSB (986acdece933131288f1957dc359865f) C:\WINDOWS\system32\Drivers\NETMDUSB.sys 2011/05/15 10:15:42.0343 3468 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys 2011/05/15 10:15:42.0562 3468 nmwcd (696b37ea78f9d9767a2f18ba0304a51a) C:\WINDOWS\system32\drivers\nmwcd.sys 2011/05/15 10:15:42.0734 3468 nmwcdc (bbb6010fc01d9239d88fcdf133e03ff0) C:\WINDOWS\system32\drivers\nmwcdc.sys 2011/05/15 10:15:42.0937 3468 nmwcdcj (4c3726467d67483f054c88f058e9c153) C:\WINDOWS\system32\drivers\nmwcdcj.sys 2011/05/15 10:15:43.0171 3468 nmwcdcm (4c3726467d67483f054c88f058e9c153) C:\WINDOWS\system32\drivers\nmwcdcm.sys 2011/05/15 10:15:43.0375 
3468 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 2011/05/15 10:15:43.0515 3468 NSNDIS5 (53f7546e8daefb3a0813f5e19c4613c9) C:\WINDOWS\system32\NSNDIS5.SYS 2011/05/15 10:15:43.0734 3468 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 2011/05/15 10:15:43.0953 3468 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 2011/05/15 10:15:44.0140 3468 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 2011/05/15 10:15:44.0312 3468 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 2011/05/15 10:15:44.0500 3468 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 2011/05/15 10:15:44.0734 3468 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys 2011/05/15 10:15:44.0937 3468 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 2011/05/15 10:15:45.0109 3468 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 2011/05/15 10:15:45.0312 3468 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys 2011/05/15 10:15:45.0609 3468 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys 2011/05/15 10:15:45.0812 3468 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys 2011/05/15 10:15:46.0593 3468 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys 2011/05/15 10:15:46.0781 3468 PID_PEPI (84b9084692fe00df09f20e516d831c57) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS 2011/05/15 10:15:47.0046 3468 PPPoEWin (8ae03e978bc99f31ae31b183cd373951) C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS 2011/05/15 10:15:47.0281 3468 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 2011/05/15 10:15:47.0484 3468 Ps2 (bffdb363485501a38f0bca83aec810db) C:\WINDOWS\system32\DRIVERS\PS2.sys 2011/05/15 10:15:47.0671 3468 
PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 2011/05/15 10:15:47.0875 3468 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 2011/05/15 10:15:48.0062 3468 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys 2011/05/15 10:15:48.0671 3468 RapportCerberus_25973 (3d80f6fb972cffab9a760892f9ab7232) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys 2011/05/15 10:15:48.0796 3468 RapportEI (2c1507b17cd25b3f5d3ddf530fd23bda) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys 2011/05/15 10:15:48.0843 3468 RapportPG (701e59b8e6ebff150dad0c4dba835932) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys 2011/05/15 10:15:49.0062 3468 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 2011/05/15 10:15:49.0281 3468 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 2011/05/15 10:15:49.0484 3468 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 2011/05/15 10:15:49.0671 3468 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 2011/05/15 10:15:49.0875 3468 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 2011/05/15 10:15:50.0078 3468 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 2011/05/15 10:15:50.0296 3468 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 2011/05/15 10:15:50.0500 3468 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys 2011/05/15 10:15:50.0750 3468 RT73 (4f153709d0691c6de8c9a4c5e813907c) C:\WINDOWS\system32\DRIVERS\rt73.sys 2011/05/15 10:15:50.0906 3468 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS 2011/05/15 10:15:51.0093 3468 RTLWUSB (f564f1c5813b47a86903d42cd778311c) 
C:\WINDOWS\system32\DRIVERS\wg111v2.sys 2011/05/15 10:15:51.0328 3468 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2011/05/15 10:15:51.0531 3468 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys 2011/05/15 10:15:51.0734 3468 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys 2011/05/15 10:15:51.0953 3468 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys 2011/05/15 10:15:52.0406 3468 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys 2011/05/15 10:15:52.0703 3468 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2011/05/15 10:15:52.0906 3468 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys 2011/05/15 10:15:53.0171 3468 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys 2011/05/15 10:15:53.0406 3468 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys 2011/05/15 10:15:53.0578 3468 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2011/05/15 10:15:53.0781 3468 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2011/05/15 10:15:54.0375 3468 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2011/05/15 10:15:54.0609 3468 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2011/05/15 10:15:54.0828 3468 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2011/05/15 10:15:55.0000 3468 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2011/05/15 10:15:55.0203 3468 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2011/05/15 10:15:55.0500 3468 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2011/05/15 10:15:55.0828 3468 Update (402ddc88356b1bac0ee3dd1580c76a31) 
C:\WINDOWS\system32\DRIVERS\update.sys 2011/05/15 10:15:56.0062 3468 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys 2011/05/15 10:15:56.0265 3468 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 2011/05/15 10:15:56.0437 3468 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2011/05/15 10:15:56.0640 3468 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2011/05/15 10:15:56.0906 3468 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys 2011/05/15 10:15:57.0109 3468 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 2011/05/15 10:15:57.0437 3468 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2011/05/15 10:15:57.0703 3468 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2011/05/15 10:15:57.0906 3468 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys 2011/05/15 10:15:58.0312 3468 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2011/05/15 10:15:58.0500 3468 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys 2011/05/15 10:15:58.0687 3468 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 2011/05/15 10:15:58.0859 3468 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys 2011/05/15 10:15:59.0156 3468 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 2011/05/15 10:15:59.0359 3468 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys 2011/05/15 10:15:59.0546 3468 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 2011/05/15 10:15:59.0828 3468 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 2011/05/15 10:16:00.0109 3468 WpdUsb 
(cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys 2011/05/15 10:16:00.0343 3468 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys 2011/05/15 10:16:00.0531 3468 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS 2011/05/15 10:16:00.0734 3468 WudfPf (50eb9e21963b4f06fd010d007d54351b) C:\WINDOWS\system32\DRIVERS\WudfPf.sys 2011/05/15 10:16:00.0937 3468 WudfRd (6e209664bdea8a15b5e8e480d6c607c2) C:\WINDOWS\system32\DRIVERS\wudfrd.sys 2011/05/15 10:16:01.0171 3468 ZY202_XP (bd6354de4d081de96c79bdb53f55ca82) C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys 2011/05/15 10:16:01.0375 3468 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0) 2011/05/15 10:16:01.0390 3468 ================================================================================ 2011/05/15 10:16:01.0390 3468 Scan finished 2011/05/15 10:16:01.0390 3468 ================================================================================ 2011/05/15 10:16:01.0406 2536 Detected object count: 1 2011/05/15 10:16:15.0234 2536 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot 2011/05/15 10:16:15.0234 2536 \HardDisk0 - ok 2011/05/15 10:16:15.0234 2536 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure 2011/05/15 10:16:57.0375 2916 Deinitialize success
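The TDSSKiller report above follows one fixed shape per line (timestamp, process id, message), which makes it easy to turn into structured records instead of reading it by eye. The following is an added example, not part of the post and not Kaspersky's code: a small Python parser for logs in that format that extracts the driver inventory (service name, MD5, path), the detection lines, the post-scan actions, and checks that the tool's own "Detected object count" agrees with the detection lines actually present. SAMPLE_LOG is a constructed excerpt in the same format (a handful of lines taken from the report above); the non_system_drivers() triage helper and its C:\WINDOWS prefix are assumptions of mine, and on a real log the prefix should come from the "Windows directory:" line.

```python
"""Parse a TDSSKiller 2.5-style log into structured records.

Added example, not part of the forum post and not Kaspersky's code.
SAMPLE_LOG is a constructed excerpt in the same format as the report above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Every line: "YYYY/MM/DD HH:MM:SS.mmmm <pid> <message>"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.*)$")
# Driver inventory entry: "<service> (<md5>) <path>"
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
# Detection: "<object> - detected <verdict> (<n>)"
DETECT_RE = re.compile(r"^(\S+) - detected (\S+) \(\d+\)$")
# Post-scan action: "<object> (<verdict>) - <text>"
ACTION_RE = re.compile(r"^(\S+) \((\S+)\) - (.+)$")
# User choice: "<verdict>(<object>) - User select action: <choice>"
CHOICE_RE = re.compile(r"^(\S+)\((\S+)\) - User select action: (\S+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")

# Constructed excerpt in TDSSKiller format (values copied from the report above).
SAMPLE_LOG = r"""
2011/05/15 10:15:11.0031 1684 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/15 10:15:11.0718 1684 ================================================================================
2011/05/15 10:15:11.0718 1684 Windows directory: C:\WINDOWS
2011/05/15 10:15:18.0968 3468 Scan started
2011/05/15 10:15:20.0687 3468 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/15 10:15:34.0312 3468 ISWKL (2e41433579de4381f1b0f7b30b013ddc) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
2011/05/15 10:15:48.0796 3468 RapportEI (2c1507b17cd25b3f5d3ddf530fd23bda) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
2011/05/15 10:15:54.0609 3468 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/15 10:16:01.0375 3468 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/15 10:16:01.0390 3468 Scan finished
2011/05/15 10:16:01.0406 2536 Detected object count: 1
2011/05/15 10:16:15.0234 2536 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/15 10:16:15.0234 2536 \HardDisk0 - ok
2011/05/15 10:16:15.0234 2536 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""


@dataclass
class TdssReport:
    drivers: List[Tuple[str, str, str]] = field(default_factory=list)  # (service, md5, path)
    detections: List[Tuple[str, str]] = field(default_factory=list)    # (object, verdict)
    actions: List[Tuple[str, str, str]] = field(default_factory=list)  # (object, verdict, text)
    reported_count: Optional[int] = None


def parse_tdss_log(text: str) -> TdssReport:
    """Classify each timestamped line; banner and separator lines are ignored."""
    report = TdssReport()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        if (d := DRIVER_RE.match(msg)):
            report.drivers.append((d.group(1), d.group(2), d.group(3)))
        elif (d := DETECT_RE.match(msg)):
            report.detections.append((d.group(1), d.group(2)))
        elif (d := ACTION_RE.match(msg)):
            report.actions.append((d.group(1), d.group(2), d.group(3)))
        elif (d := CHOICE_RE.match(msg)):
            report.actions.append((d.group(2), d.group(1), "User select action: " + d.group(3)))
        elif (d := COUNT_RE.match(msg)):
            report.reported_count = int(d.group(1))
    return report


def count_is_consistent(report: TdssReport) -> bool:
    """The tool's own 'Detected object count' should equal the detection lines seen."""
    return report.reported_count == len(report.detections)


def non_system_drivers(report: TdssReport, windir: str = r"C:\WINDOWS") -> List[Tuple[str, str, str]]:
    """Drivers loaded from outside the Windows directory: a sensible place to start triage.
    windir is an assumption here; on a real log take it from the 'Windows directory:' line."""
    prefix = windir.lower().rstrip("\\") + "\\"
    return [d for d in report.drivers if not d[2].lower().startswith(prefix)]


if __name__ == "__main__":
    r = parse_tdss_log(SAMPLE_LOG)
    print(f"{len(r.drivers)} drivers, {len(r.detections)} detection(s), "
          f"count consistent: {count_is_consistent(r)}")
    for obj, verdict in r.detections:
        print("DETECTED", obj, verdict)
    for name, md5, path in non_system_drivers(r):
        print("non-system driver:", name, md5, path)
```

The MD5 column is what makes the inventory useful beyond this one machine: the hashes can be checked against a known-good list for the same XP service pack, and a Microsoft driver whose hash does not match its expected value is worth a closer look, whereas a detection on \HardDisk0 rather than on a file, as here, points at the MBR rather than at any driver in the list.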
  10. Hi Conspire, Forgive me for posting everything, but I cannot see where I can attach any files in the reply dialog... am I being stupid?! Anyway, here are the requested logs. I look forward to your reply. Many thanks
DDS------------------- . DDS (Ver_11-03-05.01) - NTFSx86 Run by Ishbel at 17:38:33.25 on 14/05/2011 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1527.908 [GMT 1:00] . FW: ZoneAlarm Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\svchost -k DcomLaunch C:\WINDOWS\system32\svchost -k rpcss C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup C:\WINDOWS\system32\svchost.exe -k NetworkService C:\WINDOWS\system32\svchost.exe -k LocalService C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe -k LocalService C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Mozilla Firefox\firefox.exe C:\windows\system\hpsysdrv.exe C:\WINDOWS\AGRSMMSG.exe C:\HP\KBD\KBD.EXE C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\NETGEAR\WG111T\wlan111t.exe C:\Program Files\LogMeIn\x86\LMIGuardian.exe C:\Program Files\PC Connectivity Solution\ServiceLayer.exe C:\Program Files\CheckPoint\ZAForceField\ForceField.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program 
Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Ishbel\Desktop\dds.scr C:\WINDOWS\system32\wbem\wmiprvse.exe . ============== Pseudo HJT Report =============== . uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://b.casalemedia.com/V2/52928/68146/index.html?XX uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll uURLSearchHooks: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZon1.dll mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\ddbndqyl\ljsaqqic.exe, BHO: Yahoo! 
Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File BHO: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZon1.dll BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Yahoo! 
Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll TB: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZon1.dll TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10o_ActiveX.exe -update activex mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [AGRSMMSG] AGRSMMSG.exe mRun: [KBD] c:\hp\kbd\KBD.EXE mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE mRun: [AlcxMonitor] ALCXMNTR.EXE mRun: [PS2] c:\windows\system32\ps2.exe mRun: [%FP%Friendly fts.exe] "c:\program files\voyagertest\fts.exe" mRun: [AutoTBar] c:\program files\hp\digital imaging\bin\AUTOTBAR.EXE mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe" mRun: [<NO NAME>] mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe" mRun: [iSW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden" mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime dRun: [Nokia.PCSync] c:\program 
files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe IE: &Search IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: {21000BEC-F93D-4E81-9CCA-BF6F00B866B4} = 192.168.0.1 Notify: igfxcui - igfxsrvc.dll Notify: LMIinit - LMIinit.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - 
c:\windows\system32\WPDShServiceObj.dll Hosts: 127.0.0.1 www.spywareinfo.com . ================= FIREFOX =================== . FF - ProfilePath - c:\docume~1\ishbel\applic~1\mozilla\firefox\profiles\n01olo1j.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q= FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Yahoo! 
Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: AOL Broadband Toolbar: {796503e4-19fe-48a3-82da-5c1fe0a13e3f} - %profile%\extensions\{796503e4-19fe-48a3-82da-5c1fe0a13e3f} FF - Ext: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - %profile%\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd} FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\checkpoint\zaforcefield\TrustChecker . ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false ============= SERVICES / DRIVERS =============== . . =============== Created Last 30 ================ . . ==================== Find3M ==================== . . =================== ROOTKIT ==================== . Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net Windows 5.1.2600 Disk: SAMSUNG_SP0802N rev.TK200-04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 . device: opened successfully user: MBR read successfully . 
Disk trace: called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5724F0]<< _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5787d0]; MOV EAX, [0x8a57884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; } 1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A58DAB8] 3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000006e[0x8A565F18] 5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x8A564D98] \Driver\atapi[0x8A563DF0] -> IRP_MJ_CREATE -> 0x8A5724F0 error: Read A device attached to the system is not functioning. kernel: MBR read successfully _asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; } detected disk devices: detected hooks: \Driver\atapi DriverStartIo -> 0x8A57233B user & kernel MBR OK Warning: possible TDL3 rootkit infection ! . ============= FINISH: 17:42:37.71 =============== . UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_11-03-05.01) . Microsoft Windows XP Home Edition Boot Device: \Device\HarddiskVolume2 Install Date: 26/06/2005 13:12:26 System Uptime: 14/05/2011 17:29:41 (0 hours ago) . Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | Gamila/Giovani/Neon series Processor: Intel® Celeron® CPU 2.66GHz | Socket 478 | 2666/133mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 68 GiB total, 48.543 GiB free. D: is FIXED (FAT32) - 7 GiB total, 2.875 GiB free. E: is CDROM () . ==== Disabled Device Manager Items ============= . Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A} Description: Nokia 6500c Device ID: ROOT\WPD\0000 Manufacturer: Nokia Name: Nokia 6500c PNP Device ID: ROOT\WPD\0000 Service: WUDFRd . ==== System Restore Points =================== . No restore point in system. . ==== Installed Programs ====================== . . 
==== Event Viewer Messages From Past Week ======== . . ==== End Of File =========================== GMER: GMER 1.0.15.15627 - http://www.gmer.net Rootkit scan 2011-05-14 18:02:46 Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_SP0802N rev.TK200-04 Running: 1dq0ri0g.exe; Driver: C:\DOCUME~1\Ishbel\LOCALS~1\Temp\uxldapoc.sys ---- System - GMER 1.0.15 ---- SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xABAE3FA2] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xABB9E534] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xABAE4A38] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xABBB76DC] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xABB9ECC0] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xABBB1EB4] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xABBB22A2] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xABBBB916] SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys (RapportCerberus/Trusteer Ltd.) ZwCreateThread [0xF7424DB6] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xABB9EDF6] SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys (RapportCerberus/Trusteer Ltd.) 
ZwDeleteFile [0xF7423E12] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xABAE81AC] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xABAE81DE] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xABBB0DF0] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwLoadKey [0xABAE8340] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xABBB9B44] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xABAE4B0E] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xABBB41CE] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xABBB3DF8] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xABAE440A] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xABAE82B6] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xABAE8220] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xABAE8252] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xABB9E0F4] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xABAE8284] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xABB9E7DC] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) 
ZwSetContextThread [0xABAE3F48] SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys (RapportCerberus/Trusteer Ltd.) ZwSetInformationFile [0xF7423E86] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xABBBAE12] SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys (RapportCerberus/Trusteer Ltd.) ZwSetValueKey [0xF7424C92] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xABAE3EE4] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xABBB2F0A] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xABBB2C86] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xABAE3E80] ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [C0, EC, B9, AB, B4, 1E, BB, ...] {SHR AH, 0xb9; STOSD ; MOV AH, 0x1e; MOV EBX, 0xbb22a2ab; STOSD } PAGE ntoskrnl.exe!ZwCreateSemaphore + 449 8057BC56 7 Bytes JMP B9E078E8 ? C:\DOCUME~1\Ishbel\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. ! 
---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F .text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40 .text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB .text C:\WINDOWS\system32\ctfmon.exe[236] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\ctfmon.exe[236] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\ctfmon.exe[236] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\ctfmon.exe[236] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD .text C:\WINDOWS\system32\ctfmon.exe[236] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text 
C:\WINDOWS\system32\ctfmon.exe[236] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012 ? 
C:\WINDOWS\System32\svchost.exe[308] time/date stamp mismatch; .text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F .text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40 .text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB .text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\System32\svchost.exe[308] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD .text C:\WINDOWS\System32\svchost.exe[308] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software 
Technologies) .text C:\WINDOWS\System32\svchost.exe[308] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012 .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423 .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66 .text 
C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5 .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2 .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985 .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833 ? C:\WINDOWS\system32\svchost.exe[388] time/date stamp mismatch; .text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F .text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40 .text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB .text C:\WINDOWS\system32\svchost.exe[388] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check 
Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD .text C:\WINDOWS\system32\svchost.exe[388] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetOpenUrlW 3D9A6D5F 
5 Bytes JMP 2004EC13 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012 .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423 .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66 .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5 .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2 .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985 .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check 
Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] 
WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] 
WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833 .text C:\WINDOWS\system32\HPZipm12.exe[436] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\HPZipm12.exe[436] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\HPZipm12.exe[436] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F .text C:\WINDOWS\system32\HPZipm12.exe[436] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40 .text C:\WINDOWS\system32\HPZipm12.exe[436] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
  11. Hi, thanks for replying. I'm not currently with the infected machine. I won't be able to run these logs until Saturday unless I get to the machine before then. I'd appreciate it if you would keep this thread open, as I will reply as soon as I can. Thanks
  12. Hi, please help with this nasty little recurring virus thing. I have spent hours deleting startup entries, running Malwarebytes, Spybot, etc., but with no luck. The offending item can be seen in the log below at:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\ddbndqyl\ljsaqqic.exe
I've even tried replacing the system.ini and win.ini from the C:\windows\pss folder, but this didn't have much effect. After every reboot any file that has been deleted simply re-appears! Please help. Thanks

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:02:38, on 07/05/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://b.casalemedia.com/V2/52928/68146/index.html?XX
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZon1.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\ddbndqyl\ljsaqqic.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZon1.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZon1.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iSW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: ljsaqqic.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21000BEC-F93D-4E81-9CCA-BF6F00B866B4}: NameServer = 192.168.0.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10141 bytes
  13. Hi guys, no luck, it detected the USB device but couldn't load drivers. No joy this time. I think I will install it onto a new internal, nice and easy, and use the big USB drive as a general storage device. Thanks
  14. Try a firmware upgrade. I have looked on the Linksys website and it is less than clear as to where you will find it. Maybe someone else will know... I had problems with a Linksys wireless router and the customer help wasn't great.
  15. Do you have any wireless encryption enabled? Also, do you have DHCP enabled?
  16. Ok guys, will do. Should be tomorrow afternoon when I get round to it.
  17. Well... I didn't quite take all of that on board the first time, but I will certainly give it a try. Thanks!
  18. Yeah, I tried setting the BIOS to take the USB as the first boot option but still no joy. The external hard drive is to replace an internal hard drive. I'm well aware it would be simpler and cheaper to install a new SATA hard disk, but the external one is there and that's what I've been asked to do! If it won't work then I will just have to leave it be.
  19. Hi guys, I'm trying to install Windows 2000 onto a Western Digital MyBook 250GB. During the installation it fails to see the drive, or if it does it cannot get access to it. Now I have attempted to supply third-party drivers by pressing F6 during setup; however, I don't have any suitable drivers and I get the message: "Windows could not find file Txtsetup.oem". Is this a common problem? Any suggestions on how to get Windows 2000 onto this external hard disk, which will act as the primary drive, in fact the only drive attached to the PC once I get the OS installed on it! Cheers
  20. Ok, thanks very much, Juliet. Your help has been fantastic.
  21. The other accounts are never used to the best of my knowledge, so I will just remove them. Will deleting these accounts remove any nasties that might be hidden in them? I'm almost certain these accounts have never accessed the internet or even been used.
  22. Hi again, Ok No Lop didn't find a thing but DrWeb found a few. In general the computer appears to be OK now and after running DrWeb it almost seems to be running a bit smoother - maybe my imagination! On the whole it looks like whatever was giving it grief has been sorted. So thank you very much for all your help Juliet.
      NoLop Log:
      Dr Web:
      And the new HJT Log:
  23. Ok here we go: PandaScan found some 26 bad boys. Scan results:
      And the new HJT Log:
      Thanks
24. Hi Juliet, Sorry for taking so long to reply. I'm not often at this computer to try the fixes you have suggested, however I will be here for the next few days so hopefully I can get it all sorted this weekend! I have removed the programs you suggested, however Kazaa won't remove through Add/Remove so that's something that will have to stay for now until I find a way of removing it...it hasn't been used for a number of years and was installed many years ago. As for AVG, I have actually installed a fully functioning copy of Norton Internet Security 2007 which has scanned the system and found nothing. AVG will cause a conflict with NIS so I hope the all clear from Norton is enough. MSN Plus! has been removed as have all HJT entries. I have attached the current HJT log as it is just before this gets posted. Thanks very much, Chris

Logfile of HijackThis v1.99.1
Scan saved at 18:52:22, on 23/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\My Book\WD Backup\uBBMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Evesham
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P39 "EPSON Stylus Photo R240 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\program files\My Book\WD Backup\uBBMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.etel-internet.co.uk
O16 - DPF: ConferenceRoom Java Client - http://208.187.22.155:8000/java/cr.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136212480446
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {7584C670-2274-4EFB--D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://192.168.1.2/Remote/msrdp.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/contr...loadcontrol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...bio4_0_2_10.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GINBILLARD8 Class) - http://216.127.51.94/g_bin_eng/billard8_2_0_0_6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B735019A-2841-4AA0-8F7E-6532AD58D584}: NameServer = 195.7.224.57 195.7.224.143
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
25. Hi Juliet, Thank you for your reply. I have run HJT and the uninstall manager and both logs are attached. I also ran the ATF cleaner. However, I could not get drweb-cureit to work. I don't know if I'm doing something wrong. I downloaded from the link you said and saved to desktop. Double click the icon and it opens to give 2 options: start or update. I click start and it says do you want to allow express scan to run etc etc... Yes. At this point nothing happens, it simply shows a screen saying "Buy Now" or "50% Discount". I have looked in the task manager to see if there is any background activity...none...CPU floats between 0 and 2%. I have also left it at this page for approx 10-15 mins. No joy - not a thing. I've never used it before so I'm not sure if this is normal...but I can't get near any of the other stuff you have mentioned in your reply. Thanks very much for your help so far. Here are the logs:

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 16:19:21, on 09/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\My Book\WD Backup\uBBMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Evesham
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P39 "EPSON Stylus Photo R240 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\program files\My Book\WD Backup\uBBMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.etel-internet.co.uk
O16 - DPF: ConferenceRoom Java Client - http://208.187.22.155:8000/java/cr.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136212480446
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {7584C670-2274-4EFB--D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://192.168.1.2/Remote/msrdp.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/contr...loadcontrol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...bio4_0_2_10.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GINBILLARD8 Class) - http://216.127.51.94/g_bin_eng/billard8_2_0_0_6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B735019A-2841-4AA0-8F7E-6532AD58D584}: NameServer = 195.7.224.57 195.7.224.143
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Uninstall list:

Ad-aware 6 Personal
Adobe Reader 7.0.7
AVG Free Edition
Belkin 802.11g Wireless PCI Card
BigFix
BM Win app
CGI-lid
CM 03-04
CNXT V92 Data Fax Voice
DouglasWorld Screen Saver
Enhanced MediaLoads
Enhanced search
EPSON Printer Software
EVEREST Home Edition v2.01
Exif Viewer Ver.1.1
EZface ActiveX 200
FinePixViewer Ver.4.3
FUJIFILM USB Driver
Help Features
Help Finder
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
IE Win-enhancer
Internet Explorer Q903235
Ipswitch WS_FTP Pro
iTunes
Java SE Runtime Environment 6
Kazaa Media Desktop 2.0.2
Launcher
Macromedia Flash Player 8
Messenger Plus!
Messenger-Control plug-in for Ad-Aware SE
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 2.0 Beta
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Flight Simulator 98
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft MSDN Express Library 2005 Beta - English
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Professional 2003
Microsoft SQL Native Client
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual Basic 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
Mozilla Firefox (2.0.0.1)
MSN Messenger 7.5
Napster
Napster Burn Engine
Nero - Burning Rom
NVIDIA Drivers
PCI Audio Driver
PCPitstop Panda AntiVirus Scan (remove only)
PHP 4.3.0
PowerDVD
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Shockwave
Smart Link 56K Voice Modem
Smart VPN Client V2.22
SmartFTP Client
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
USB Drivers
Voyager 105 ADSL Modem
WD Backup
WD Firewire HID Driver
Win Search
Winamp3 (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [see KB885492 for more information]
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
ZoneAlarm Pro
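The HijackThis logs posted in this thread are long enough that the lines worth a second look (the O16 ActiveX controls fetched from raw IP addresses such as 208.187.22.155 and 216.127.51.94, the per-interface O17 NameServer entry, the O4 entries that name a bare executable, and the O23 services reported as "Unknown owner" / "(file missing)") are easy to miss by eye. The script below is an added example for this page, not code from the poster or from the forum helpers; it applies exactly those four triage rules to a constructed sample made of lines copied from the log above. The rules are review prompts, not verdicts: every line it nominates still has to be checked on disk and against the ISP's published DNS servers.

```python
"""Triage heuristics for a HijackThis 1.99 log.

Added example, not part of the original thread.  Each rule nominates a
line for a human to verify; none of them decides that a line is malicious.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample: nine lines copied from the HJT log posted in the thread,
# so the script runs offline.  Feed it a complete log file in practice.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: ConferenceRoom Java Client - http://208.187.22.155:8000/java/cr.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: {7584C670-2274-4EFB--D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://192.168.1.2/Remote/msrdp.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GINBILLARD8 Class) - http://216.127.51.94/g_bin_eng/billard8_2_0_0_6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B735019A-2841-4AA0-8F7E-6532AD58D584}: NameServer = 195.7.224.57 195.7.224.143
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section tag, e.g. "O16"
    reason: str   # what the analyst should verify
    line: str     # the log line, verbatim


_ENTRY = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")      # "O16 - DPF: ..." style lines
_URL_AT_END = re.compile(r"-\s+(https?://\S+)\s*$")  # trailing download URL of an O16 entry
_O4_COMMAND = re.compile(r"\[[^\]]*\]\s*(.*)$")      # command after the "[value name]"
_O17_SERVERS = re.compile(r"NameServer\s*=\s*(.*)$")


def executable_of(command: str) -> str:
    """Return the program part of a Run-key command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def ip_of_url(url: str):
    """Return the URL host as an ipaddress object when it is a literal IP, else None."""
    host = urlsplit(url).hostname or ""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect the lines that deserve a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = _ENTRY.match(line)
        if not entry:
            continue  # header, process list, blank line
        section, body = entry.groups()

        if section == "O4":
            # A bare file name is resolved through the search path at logon, so the
            # entry alone does not tell you which binary actually runs.
            cmd = _O4_COMMAND.search(body)
            exe = executable_of(cmd.group(1)) if cmd else ""
            if exe and "\\" not in exe:
                findings.append(Finding(section, f"bare executable name {exe!r} with no "
                                        "directory: locate it on disk and check the publisher", line))

        elif section == "O16":
            # Downloaded Program Files: ActiveX controls IE will load again on demand.
            url = _URL_AT_END.search(body)
            ip = ip_of_url(url.group(1)) if url else None
            if ip is not None:
                origin = "private LAN address" if ip.is_private else "raw public IP"
                findings.append(Finding(section, f"ActiveX control fetched from a {origin} "
                                        f"({ip}) instead of a vendor domain", line))

        elif section == "O17":
            servers = _O17_SERVERS.search(body)
            if servers:
                findings.append(Finding(section, f"per-interface DNS servers "
                                        f"{servers.group(1).strip()}: confirm they belong to the "
                                        "ISP, otherwise the resolver has been redirected", line))

        elif section == "O23":
            if "(file missing)" in body or "Unknown owner" in body:
                findings.append(Finding(section, "service binary not verifiable (unknown owner / "
                                        "file missing); the stray quote before /h shows HJT split "
                                        "a quoted ImagePath with arguments, so check the path on "
                                        "disk before deleting", line))
    return findings


def by_section(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HJT section for a one-line summary."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports six lines: the bare WDBtnMgr.exe Run entry, the three O16 controls downloaded from IP literals (the 192.168.1.2 one is labelled as a LAN origin rather than a public one, since an RDP web control served from a home router is a different question from a game cab served from a bare public address), the O17 DNS servers, and the ccEvtMgr service; the quoted ccApp path and the NVIDIA service are left alone. The O23 rule deliberately does not treat "(file missing)" as proof that the binary is gone, because the visible log line shows the path was cut at the closing quote of a quoted ImagePath.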