Hijack Log


cbaiey

This is an associate's computer. He said it was infected by one of those fake virus-removal programs yesterday. He rebooted in Safe Mode and ran Malwarebytes. That got rid of the rogue program, but now it disables Malwarebytes and Windows Defender as well as redirecting web pages. I ran Spybot S&D as well; it found a couple of items (don't have that log at the moment). Below is the HijackThis log. I was not able to run the DDS script even after following the instructions; it just pulls up a text file of symbols. Thanks in advance.

 

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 10:07:51 AM, on 9/1/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\2806528402:1841739608.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Transoft Solutions\License Server\TransoftLS.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.al.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1061111

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\tcosby\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\AutoCAD LT 2010\AdComFolderWatch.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\AutoCAD LT 2010\AdComFolderWatch.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\AutoCAD LT 2010\AdComFolderWatch.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\AutoCAD LT 2010\AdComFolderWatch.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\AutoCAD LT 2010\AdComFolderWatch.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163693245791

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163693336801

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = skipperinc.local

O17 - HKLM\Software\..\Telephony: DomainName = skipperinc.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = skipperinc.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = skipperinc.local

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: Autodesk Content Service - Unknown owner - C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: FLEXnet Licensing Service - Flexera Software, Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - Unknown owner - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (file missing)

O23 - Service: Transoft Solutions License Server V1.4 - Unknown owner - C:\Program Files\Transoft Solutions\License Server\TransoftLS.exe

O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

 

--

End of file - 11497 bytes


cbaiey,

 

Please do the following:

 

Step 1:

 

Download DummyCreator.zip and unzip it.

  • Right-click and select: Extract all…
  • Follow the prompts to extract
  • Open the new folder that appears on the Desktop
  • Double-click DummyCreator/DummyMaker to run the tool.
  • Now, copy/paste the following into the box:

    C:\WINDOWS\2806528402

  • Press the Create button.

Save the content of the Result.txt to your Desktop, to post along with the report of the next tool.

 

Step 2:

 

Important: Restart the computer.

 

 

Step 3:

 

Please remove any previous download of TDSSKiller (if used) and download the latest version: TDSSKiller.exe

 

Execute the file:

XP - Double-click tdsskiller.exe

 

Press the button: Start Scan

 

The tool scans and detects two object types:

Malicious (where the malware has been identified)

Suspicious (where the malware cannot be identified)

 

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

 

It automatically selects an action (Cure or Delete) for Malicious objects. Leave the setting as it is.

 

It also prompts the User to select an action to apply to Suspicious objects (Skip, by default). Leave the setting as it is.

 

After clicking Next/Continue, the tool applies the selected actions.

 

 

A Reboot Required prompt may appear after a disinfection. Please reboot.

 

 

By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

 

Logs have a name like:

C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

 

Please post the TDSSKiller log in your reply.

 

 

 

Need to see the following in your reply:

**The Result.txt from DummyCreator

**The TDSSKiller log

**Whether TDSSKiller needed a reboot

 

 

Thanks!


Thanks for the quick reply; here are the logs.

 

DummyCreator by Farbar

Ran by TCosby (administrator) on 01-09-2011 at 13:25:47

**************************************************************

 

c:\WINDOWS\2806528402 [01-09-2011 13:25:47]

 

== End of log ==

 

 

TDSS did require a reboot.

 

2011/09/01 13:39:47.0375 3864 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57

2011/09/01 13:39:47.0828 3864 ================================================================================

2011/09/01 13:39:47.0828 3864 SystemInfo:

2011/09/01 13:39:47.0828 3864

2011/09/01 13:39:47.0828 3864 OS Version: 5.1.2600 ServicePack: 3.0

2011/09/01 13:39:47.0828 3864 Product type: Workstation

2011/09/01 13:39:47.0828 3864 ComputerName: SCI00110

2011/09/01 13:39:47.0828 3864 UserName: TCosby

2011/09/01 13:39:47.0828 3864 Windows directory: C:\WINDOWS

2011/09/01 13:39:47.0828 3864 System windows directory: C:\WINDOWS

2011/09/01 13:39:47.0828 3864 Processor architecture: Intel x86

2011/09/01 13:39:47.0828 3864 Number of processors: 2

2011/09/01 13:39:47.0828 3864 Page size: 0x1000

2011/09/01 13:39:47.0828 3864 Boot type: Normal boot

2011/09/01 13:39:47.0828 3864 ================================================================================

2011/09/01 13:39:49.0937 3864 Initialize success

2011/09/01 13:39:56.0562 1820 ================================================================================

2011/09/01 13:39:56.0562 1820 Scan started

2011/09/01 13:39:56.0562 1820 Mode: Manual;

2011/09/01 13:39:56.0562 1820 ================================================================================

2011/09/01 13:39:58.0562 1820 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2011/09/01 13:39:58.0687 1820 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/09/01 13:39:58.0875 1820 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/09/01 13:39:59.0093 1820 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2011/09/01 13:39:59.0265 1820 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/09/01 13:39:59.0359 1820 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys

2011/09/01 13:39:59.0796 1820 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/09/01 13:39:59.0984 1820 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2011/09/01 13:40:00.0015 1820 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2011/09/01 13:40:00.0203 1820 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2011/09/01 13:40:00.0218 1820 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2011/09/01 13:40:00.0296 1820 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2011/09/01 13:40:00.0375 1820 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2011/09/01 13:40:00.0531 1820 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2011/09/01 13:40:00.0640 1820 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2011/09/01 13:40:00.0859 1820 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2011/09/01 13:40:00.0968 1820 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2011/09/01 13:40:01.0312 1820 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2011/09/01 13:40:01.0500 1820 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/09/01 13:40:01.0953 1820 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/09/01 13:40:02.0500 1820 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/09/01 13:40:02.0937 1820 atmeltpm (dbf0d7e2df33b469eb55406fea759350) C:\WINDOWS\system32\DRIVERS\atmeltpm.sys

2011/09/01 13:40:03.0078 1820 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/09/01 13:40:03.0187 1820 b57w2k (bb1a2a73f993b623f99e03ed2f9e014c) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2011/09/01 13:40:03.0343 1820 BASFND (3d87b0484be1093c6614062701f375c5) C:\Program Files\Broadcom\ASFIPMon\BASFND.sys

2011/09/01 13:40:03.0500 1820 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/09/01 13:40:03.0671 1820 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2011/09/01 13:40:04.0062 1820 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/09/01 13:40:04.0187 1820 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2011/09/01 13:40:04.0328 1820 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/09/01 13:40:04.0500 1820 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/09/01 13:40:04.0593 1820 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/09/01 13:40:05.0328 1820 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2011/09/01 13:40:05.0500 1820 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2011/09/01 13:40:05.0625 1820 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2011/09/01 13:40:06.0078 1820 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2011/09/01 13:40:06.0281 1820 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/09/01 13:40:06.0453 1820 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS

2011/09/01 13:40:06.0531 1820 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS

2011/09/01 13:40:06.0750 1820 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS

2011/09/01 13:40:06.0953 1820 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS

2011/09/01 13:40:07.0093 1820 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS

2011/09/01 13:40:07.0156 1820 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS

2011/09/01 13:40:07.0296 1820 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS

2011/09/01 13:40:07.0468 1820 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS

2011/09/01 13:40:07.0687 1820 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS

2011/09/01 13:40:08.0281 1820 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/09/01 13:40:08.0546 1820 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/09/01 13:40:08.0765 1820 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/09/01 13:40:09.0109 1820 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/09/01 13:40:09.0375 1820 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2011/09/01 13:40:09.0437 1820 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/09/01 13:40:09.0640 1820 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS

2011/09/01 13:40:09.0734 1820 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS

2011/09/01 13:40:09.0843 1820 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys

2011/09/01 13:40:10.0031 1820 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/09/01 13:40:10.0500 1820 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/09/01 13:40:10.0656 1820 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/09/01 13:40:10.0812 1820 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/09/01 13:40:11.0187 1820 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/09/01 13:40:11.0578 1820 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/09/01 13:40:11.0687 1820 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/09/01 13:40:11.0828 1820 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

2011/09/01 13:40:12.0000 1820 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/09/01 13:40:12.0140 1820 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/09/01 13:40:12.0265 1820 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/09/01 13:40:12.0468 1820 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

2011/09/01 13:40:12.0953 1820 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/09/01 13:40:13.0156 1820 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

2011/09/01 13:40:13.0296 1820 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2011/09/01 13:40:13.0484 1820 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/09/01 13:40:13.0734 1820 iaStor (1c77a81756d4777ccb0425ae8107fe96) C:\WINDOWS\system32\drivers\iaStor.sys

2011/09/01 13:40:14.0156 1820 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/09/01 13:40:14.0218 1820 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2011/09/01 13:40:14.0328 1820 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/09/01 13:40:14.0468 1820 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/09/01 13:40:14.0640 1820 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/09/01 13:40:14.0859 1820 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/09/01 13:40:15.0328 1820 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/09/01 13:40:15.0578 1820 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/09/01 13:40:16.0078 1820 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/09/01 13:40:16.0218 1820 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/09/01 13:40:16.0328 1820 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/09/01 13:40:16.0421 1820 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/09/01 13:40:16.0468 1820 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/09/01 13:40:16.0500 1820 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/09/01 13:40:16.0578 1820 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/09/01 13:40:16.0687 1820 MBAMSwissArmy (b18225739ed9caa83ba2df966e9f43e8) C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2011/09/01 13:40:16.0734 1820 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/09/01 13:40:16.0781 1820 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/09/01 13:40:16.0812 1820 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/09/01 13:40:16.0890 1820 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/09/01 13:40:16.0968 1820 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/09/01 13:40:17.0796 1820 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2011/09/01 13:40:18.0078 1820 MREMP50 (80b2ec735495823ae5771a5f603e73bd) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS

2011/09/01 13:40:18.0156 1820 MRESP50 (37d7c22f7e26da90e2d2d260e5d27846) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS

2011/09/01 13:40:18.0281 1820 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/09/01 13:40:18.0453 1820 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/09/01 13:40:18.0562 1820 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/09/01 13:40:18.0625 1820 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/09/01 13:40:18.0687 1820 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/09/01 13:40:19.0156 1820 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/09/01 13:40:19.0265 1820 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/09/01 13:40:19.0359 1820 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

2011/09/01 13:40:19.0484 1820 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/09/01 13:40:19.0578 1820 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/09/01 13:40:19.0640 1820 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/09/01 13:40:19.0734 1820 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/09/01 13:40:19.0828 1820 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/09/01 13:40:19.0921 1820 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/09/01 13:40:20.0046 1820 NetBT (3fd903637554667dc3ef40a9c5bf8a24) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/09/01 13:40:20.0046 1820 NetBT - detected Rootkit.Win32.ZAccess.c (0)

2011/09/01 13:40:20.0109 1820 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/09/01 13:40:20.0187 1820 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/09/01 13:40:20.0265 1820 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/09/01 13:40:20.0406 1820 nv (a93a67f645ea424f0752f8887860fb5f) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/09/01 13:40:20.0656 1820 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/09/01 13:40:20.0765 1820 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/09/01 13:40:20.0828 1820 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/09/01 13:40:20.0859 1820 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/09/01 13:40:20.0906 1820 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/09/01 13:40:20.0906 1820 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/09/01 13:40:20.0937 1820 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/09/01 13:40:20.0953 1820 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/09/01 13:40:21.0078 1820 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2011/09/01 13:40:21.0109 1820 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2011/09/01 13:40:21.0156 1820 Point32 (f6210e1e4818dfb0d5d90b6bb659b513) C:\WINDOWS\system32\DRIVERS\point32.sys

2011/09/01 13:40:21.0187 1820 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/09/01 13:40:21.0218 1820 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/09/01 13:40:21.0265 1820 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/09/01 13:40:21.0296 1820 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/09/01 13:40:21.0343 1820 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2011/09/01 13:40:21.0359 1820 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2011/09/01 13:40:21.0375 1820 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2011/09/01 13:40:21.0390 1820 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2011/09/01 13:40:21.0406 1820 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2011/09/01 13:40:21.0421 1820 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/09/01 13:40:21.0453 1820 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/09/01 13:40:21.0468 1820 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/09/01 13:40:21.0484 1820 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/09/01 13:40:21.0500 1820 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/09/01 13:40:21.0515 1820 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/09/01 13:40:21.0531 1820 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/09/01 13:40:21.0593 1820 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/09/01 13:40:21.0640 1820 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/09/01 13:40:21.0703 1820 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/09/01 13:40:21.0765 1820 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/09/01 13:40:21.0765 1820 Serial (68a84fe8f60258e8ff17c483fe31b219) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/09/01 13:40:21.0765 1820 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: 68a84fe8f60258e8ff17c483fe31b219, Fake md5: cca207a8896d4c6a0c9ce29a4ae411a7

2011/09/01 13:40:21.0781 1820 Serial - detected Rootkit.Win32.ZAccess.e (0)

2011/09/01 13:40:21.0859 1820 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2011/09/01 13:40:21.0906 1820 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2011/09/01 13:40:21.0984 1820 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS

2011/09/01 13:40:22.0046 1820 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2011/09/01 13:40:22.0078 1820 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/09/01 13:40:22.0109 1820 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/09/01 13:40:22.0187 1820 STHDA (797fcc1d859b203958e915bb82528da9) C:\WINDOWS\system32\drivers\sthda.sys

2011/09/01 13:40:22.0218 1820 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/09/01 13:40:22.0234 1820 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/09/01 13:40:22.0312 1820 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2011/09/01 13:40:22.0328 1820 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2011/09/01 13:40:22.0343 1820 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2011/09/01 13:40:22.0359 1820 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2011/09/01 13:40:22.0390 1820 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/09/01 13:40:22.0453 1820 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/09/01 13:40:22.0515 1820 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/09/01 13:40:22.0546 1820 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/09/01 13:40:22.0640 1820 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/09/01 13:40:22.0703 1820 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2011/09/01 13:40:22.0812 1820 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/09/01 13:40:22.0875 1820 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2011/09/01 13:40:22.0921 1820 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/09/01 13:40:22.0984 1820 USBAAPL (c1ca131f4e3ed63d6bc89a35ffad4cda) C:\WINDOWS\system32\Drivers\usbaapl.sys

2011/09/01 13:40:23.0015 1820 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/09/01 13:40:23.0062 1820 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/09/01 13:40:23.0078 1820 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/09/01 13:40:23.0125 1820 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/09/01 13:40:23.0156 1820 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/09/01 13:40:23.0187 1820 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/09/01 13:40:23.0218 1820 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/09/01 13:40:23.0281 1820 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/09/01 13:40:23.0328 1820 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2011/09/01 13:40:23.0375 1820 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2011/09/01 13:40:23.0390 1820 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/09/01 13:40:23.0437 1820 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/09/01 13:40:23.0468 1820 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/09/01 13:40:23.0546 1820 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2011/09/01 13:40:23.0609 1820 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/09/01 13:40:23.0671 1820 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/09/01 13:40:23.0734 1820 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

2011/09/01 13:40:23.0875 1820 MBR (0x1B8) (973e9ba32fdbb305c552ed3e1ebf0686) \Device\Harddisk1\DR3

2011/09/01 13:40:23.0890 1820 Boot (0x1200) (da6efb4dcaace1be8f2ed837b6937d63) \Device\Harddisk0\DR0\Partition0

2011/09/01 13:40:23.0906 1820 Boot (0x1200) (1b788555028cb065745ba327e0a7a199) \Device\Harddisk1\DR3\Partition0

2011/09/01 13:40:23.0906 1820 ================================================================================

2011/09/01 13:40:23.0906 1820 Scan finished

2011/09/01 13:40:23.0906 1820 ================================================================================

2011/09/01 13:40:23.0906 1792 Detected object count: 2

2011/09/01 13:40:23.0906 1792 Actual detected object count: 2

2011/09/01 13:41:13.0187 1792 NetBT (3fd903637554667dc3ef40a9c5bf8a24) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/09/01 13:41:13.0187 1792 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\netbt.sys) error 1813

2011/09/01 13:41:18.0671 1792 Backup copy found, using it..

2011/09/01 13:41:18.0671 1792 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured after reboot

2011/09/01 13:41:18.0671 1792 Rootkit.Win32.ZAccess.c(NetBT) - User select action: Cure

2011/09/01 13:41:18.0859 1792 Serial (68a84fe8f60258e8ff17c483fe31b219) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/09/01 13:41:18.0859 1792 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: 68a84fe8f60258e8ff17c483fe31b219, Fake md5: cca207a8896d4c6a0c9ce29a4ae411a7

2011/09/01 13:41:19.0000 1792 Backup copy found, using it..

2011/09/01 13:41:19.0000 1792 C:\WINDOWS\system32\DRIVERS\serial.sys - will be cured after reboot

2011/09/01 13:41:19.0000 1792 Rootkit.Win32.ZAccess.e(Serial) - User select action: Cure

2011/09/01 13:41:46.0062 3860 Deinitialize success

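The log above reports two different MD5 values for one path (serial.sys): the hash TDSSKiller labels "Real" and the one it labels "Fake". Two hashes for one file mean that what the system hands back through the normal file API and what actually sits on disk disagree, which is exactly what a rootkit hiding its modification of a driver looks like, and the tool ties that to the Rootkit.Win32.ZAccess detection a line later. The Python below is an added example, not part of this thread and not TDSSKiller's own code: it parses the line shapes visible in this log (driver listing, forged-file report, detection, user action), pairs each detection with its path and whether the file was reported as forged, and returns a triage list a helper could skim. The sample lines are copied from the log above; the line grammar is inferred only from what is visible here, not from any TDSSKiller documentation.

```python
import re

# Added example (not from the thread or from TDSSKiller): parse the line shapes
# visible in the posted log and pair forged-file reports with detections/actions.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+(?P<msg>.*)$"
)
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
DETECT_RE = re.compile(r"^(?P<name>\S+) - detected (?P<family>\S+) \((?P<flags>\d+)\)$")
ACTION_RE = re.compile(
    r"^(?P<family>[^(]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$"
)

# Sample input: lines copied from the TDSSKiller log posted above.
SAMPLE_LOG = r"""
2011/09/01 13:40:21.0765 1820 Serial (68a84fe8f60258e8ff17c483fe31b219) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/01 13:40:21.0765 1820 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: 68a84fe8f60258e8ff17c483fe31b219, Fake md5: cca207a8896d4c6a0c9ce29a4ae411a7
2011/09/01 13:40:21.0781 1820 Serial - detected Rootkit.Win32.ZAccess.e (0)
2011/09/01 13:40:21.0859 1820 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/09/01 13:41:13.0187 1792 NetBT (3fd903637554667dc3ef40a9c5bf8a24) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/01 13:41:18.0671 1792 Rootkit.Win32.ZAccess.c(NetBT) - User select action: Cure
2011/09/01 13:41:19.0000 1792 Rootkit.Win32.ZAccess.e(Serial) - User select action: Cure
"""


def parse_tdsskiller(text: str) -> dict:
    """Split the log into drivers, forged-file reports, detections and user actions."""
    report = {"drivers": {}, "forged": [], "detections": [], "actions": []}
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # banner lines, separators, empty lines
        msg = line.group("msg")
        if (m := FORGED_RE.match(msg)):
            report["forged"].append(
                {"path": m["path"], "real_md5": m["real"], "fake_md5": m["fake"]}
            )
        elif (m := DETECT_RE.match(msg)):
            report["detections"].append({"name": m["name"], "family": m["family"]})
        elif (m := ACTION_RE.match(msg)):
            report["actions"].append(
                {"name": m["name"], "family": m["family"].strip(), "action": m["action"]}
            )
        elif (m := DRIVER_RE.match(msg)):
            # Ordinary driver listing: service name, hash as read, on-disk path.
            report["drivers"][m["name"]] = {"md5": m["md5"], "path": m["path"]}
    return report


def findings(text: str) -> list:
    """One entry per detected service: path, family, chosen action, forged flag."""
    report = parse_tdsskiller(text)
    by_name = {}
    for d in report["detections"]:
        by_name.setdefault(d["name"], {})["family"] = d["family"]
    for a in report["actions"]:
        entry = by_name.setdefault(a["name"], {})
        entry["family"] = a["family"]
        entry["action"] = a["action"]
    forged_paths = {f["path"] for f in report["forged"]}
    out = []
    for name in sorted(by_name):
        path = report["drivers"].get(name, {}).get("path")
        out.append({
            "name": name,
            "path": path,
            "family": by_name[name].get("family"),
            "action": by_name[name].get("action"),
            "forged": path in forged_paths,  # hash seen via API != hash on disk
        })
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        flag = "FORGED " if f["forged"] else ""
        print(f"{flag}{f['name']}: {f['path']} -> {f['family']} ({f['action']})")
```

Run it against a full saved TDSSKiller log with `findings(open("TDSSKiller.txt", encoding="utf-8", errors="replace").read())`; the regexes ignore every line they do not recognise, so banner and separator lines are harmless.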

Uuuuughh! ZeroAccess Rootkit...

It will take a little work, but doable.

Please remove the DDS download you used before (it was probably altered), and download a new one (below). If you cannot remove the old DDS, just let it be (for now), and see if you can download the new one and use it, instead. Do post whether you were able to delete it or not. Thanks!

Download DDS:
http://www.bleepingcomputer.com/download/anti-virus/dds

Click on the ‘Download Now’ button

Save DDS.scr to the Desktop

Windows XP users - Double-click on the DDS icon to start the tool.

When done, DDS opens two logs: DDS.txt and Attach.txt

Save both reports to the Desktop.

Please post them in your reply.

(Edited to use new link.)



the link isn't working



n/m i got it

The old one deleted fine.

It still outputs a bunch of characters. Not sure if this is a factor, but the computer has AutoCAD installed and Windows says the dds file type is an AutoCAD LT Script.

Selection from the output:

MZ ÿÿ ¸ @ Ø º ´ Í!¸LÍ!This program cannot be run in DOS mode.

 

$ 1¸„:uÙêiuÙêiuÙêi¶ÖµiwÙêiuÙëiîÙêi¶Ö·idÙêi!úÚiÙêi²ßìitÙêiRichuÙêi PE L ÆãK à P 0ó ° @ í € ` ` UPX0 € àUPX1 P ° F @ à.rsrc J @ À 3.07 UPX!

•» $И…‚Û 'C „ & "ÿ÷ÿU‹ìƒì\ƒ}t+F‹Eu

ƒH‹

¨>Bÿ¿lÿ ‰HPÿuÿHr@ é uSÝŒ}÷V‹5°E¤WPLƒeôíæl»1EäP‹}ð¿ý±·ðDp; ï¶FRVV¯Uuÿ¿ýè‹Ï+MèÁ‰M™÷ÿ3ÒŠðQùÛÍNUMèÁ‹Ê1T»vé>ŠÈPE3Áá×m··ÀÈsôPBø¢p‡™åìrEðPˆTßÞ¾½ÿÓè9}qŒwÿ ƒ~Xÿºûteÿv4½5…À3tnÛ¶/jWÇ:« èî"Ý͹*Ê )XWKpÛg›ÛÿXÖðh -P¹gWøjÿh 6%Xr¿9Yˆw¤\_^3À[ÉÛßð·Â_‹L$¡ÈF‹ÑSiÒAVûÝÿÿW‹TöÂtOq3ÿ;5ÌsB‹Îiɼ}YþD‹ÁGët Ûÿö/BO…Ét ë

u

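The "bunch of characters" posted above is not the tool malfunctioning: it begins with `MZ`, contains "This program cannot be run in DOS mode", then `PE` and the section names `UPX0`, `UPX1` and `.rsrc`, which is the header layout of a UPX-packed Windows executable. Because `.scr` on this machine is associated with AutoCAD LT scripts (the ComboFix log later in the thread lists `.scr=AutoCADLTScriptFile`), double-clicking DDS.scr opened the executable as a text script instead of running it. The Python below is an added example, not part of this thread and not DDS or ComboFix code: it identifies a file by its bytes rather than by its extension, reading the DOS header's `e_lfanew` pointer, the `PE\0\0` signature, the COFF header and the section table, and flags UPX section names. The sample executable it builds is a constructed stand-in with valid headers and no code, so the block runs offline.

```python
import struct

# Added example (not from the thread or from DDS/ComboFix): identify a file by
# content, not extension. MACHINE_NAMES covers the common PE machine types.
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARM", 0xAA64: "ARM64"}


def inspect_pe(blob: bytes) -> dict:
    """Parse just enough of the DOS/PE headers to name the file type and sections."""
    info = {"is_mz": False, "is_pe": False, "machine": None, "sections": [], "upx_packed": False}
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return info
    info["is_mz"] = True
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    info["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    # The section table follows the optional header; each entry is 40 bytes, name first.
    table = e_lfanew + 4 + 20 + opt_size
    for i in range(n_sections):
        off = table + 40 * i
        if off + 40 > len(blob):
            break  # truncated read; report what we have
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        info["sections"].append(name)
    info["upx_packed"] = any(s.startswith("UPX") for s in info["sections"])
    return info


def classify(blob: bytes) -> str:
    """One-line verdict to compare against what the file extension claims."""
    info = inspect_pe(blob)
    if not info["is_mz"]:
        return "not an MZ/PE executable"
    if not info["is_pe"]:
        return "MZ header without PE signature (DOS stub only or truncated)"
    verdict = f"PE executable ({info['machine']})"
    if info["upx_packed"]:
        verdict += ", UPX-packed"
    return verdict


def build_sample_pe(section_names=("UPX0", "UPX1", ".rsrc"), opt_size=224) -> bytes:
    """Constructed stand-in for a packed executable: valid headers, no code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x010F)
    optional = bytes(opt_size)  # zeroed PE32 optional header of the declared size
    sections = b"".join(struct.pack("<8s32x", n.encode("ascii")) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    print(classify(build_sample_pe()))
    print(classify(b"; AutoCAD script\n_line 0,0 1,1\n"))
```

On a real download the first few kilobytes are enough: `classify(open("DDS.scr", "rb").read(4096))`. If that returns a PE verdict while the extension opens in a text or script viewer, the extension association, not the file, is the problem, which is the fix the next reply points at.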

Can you change the file extension:
http://www.mediacollege.com/microsoft/windows/extension-change.html

If not, let's press on...

If you have ComboFix (CF) already on your Desktop, please remove it! We'll download an updated version.

Download ComboFix

Save ComboFix.exe to your Desktop!!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications, usually via right-clicking on the System Tray icon. They may interfere with the running of CF.

Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link

Double-click on ComboFix.exe to run the program.

When given the option, DO install the Recovery Console. This program can come in very handy at times.

Click on Yes, to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply.

Notes:

1. Do not mouse-click the ComboFix window while it is running. This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Have to go out for a while, but will be back with you later today.

In the meantime, post the ComboFix results, and if you get DDS to run, do so after ComboFix, and post the information it produces.

Thanks for your patience.


ComboFix log:

ComboFix 11-09-01.03 - tcosby 09/01/2011 14:54:11.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2934 [GMT -5:00]

Running from: c:\documents and settings\tcosby\Desktop\ComboFix.exe

AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Desktop\Security Protection.lnk

c:\program files\Common Files\System\Uninstall

c:\windows\$NtUninstallKB9569$

c:\windows\$NtUninstallKB9569$\1136887048

c:\windows\$NtUninstallKB9569$\2453227687\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

c:\windows\$NtUninstallKB9569$\2453227687\L\iahonoel

c:\windows\$NtUninstallKB9569$\2453227687\loader.tlb

c:\windows\$NtUninstallKB9569$\2453227687\U\$800000cf

c:\windows\$NtUninstallKB9569$\2453227687\U\@00000001

c:\windows\$NtUninstallKB9569$\2453227687\U\@000000c0

c:\windows\$NtUninstallKB9569$\2453227687\U\@000000cb

c:\windows\$NtUninstallKB9569$\2453227687\U\@000000cf

c:\windows\$NtUninstallKB9569$\2453227687\U\@80000000

c:\windows\$NtUninstallKB9569$\2453227687\U\@800000c0

c:\windows\$NtUninstallKB9569$\2453227687\U\@800000cb

c:\windows\$NtUninstallKB9569$\2453227687\U\@800000cf

c:\windows\2806528402

c:\windows\Downloaded Program Files\popcaploader.dll

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\system32\c_76623.nls

c:\windows\system32\RC00C140.dll

c:\windows\system32\RC97E140.DLL

.

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected

Restored copy from - The cat found it :)

Infected copy of c:\windows\system32\msiexec.exe was found and disinfected

Restored copy from - c:\windows\system32\dllcache\msiexec.exe

.

Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected

Restored copy from - c:\windows\system32\dllcache\wuauclt.exe

.

Infected copy of c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP807\A0067198.exe

.

Infected copy of c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP807\A0067197.exe

.

Infected copy of c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP807\A0067196.exe

.

Infected copy of c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP807\A0067195.exe

.

Infected copy of c:\program files\Common Files\Motive\McciCMService.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP807\A0067194.exe

.

Infected copy of c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE was found and disinfected

Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP807\A0067193.EXE

.

Infected copy of c:\program files\Transoft Solutions\License Server\TransoftLS.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP807\A0067191.exe

.

Infected copy of c:\program files\RealVNC\VNC4\WinVNC4.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP807\A0067190.exe

.

Infected copy of c:\windows\system32\SearchIndexer.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP807\A0067189.exe

.

Infected copy of c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP807\A0067197.exe

Infected copy of c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP807\A0067195.exe

Infected copy of c:\program files\Common Files\Motive\McciCMService.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP807\A0067194.exe

Infected copy of c:\program files\Transoft Solutions\License Server\TransoftLS.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP807\A0067191.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_TDSSSERV.SYS

-------\Service_923948a7

.

.

((((((((((((((((((((((((( Files Created from 2011-08-01 to 2011-09-01 )))))))))))))))))))))))))))))))

.

.

2011-09-01 19:46 . 2008-04-14 05:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2011-09-01 15:07 . 2011-09-01 15:07 388096 ----a-r- c:\documents and settings\tcosby\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-09-01 15:07 . 2011-09-01 15:07 -------- d-----w- c:\program files\Trend Micro

2011-09-01 14:10 . 2011-09-01 18:42 43408 --sha-w- c:\windows\system32\c_76623.nl_

2011-09-01 13:49 . 2011-07-07 00:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-01 13:49 . 2011-09-01 14:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-01 13:49 . 2011-07-07 00:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-01 13:48 . 2007-03-09 16:25 2321288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2011-09-01 13:48 . 2011-08-16 13:48 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{4DBE450D-4952-47B1-9F05-CFC1BA090A00}\mpengine.dll

2011-09-01 13:48 . 2011-09-01 13:48 -------- d-----w- c:\program files\Windows Defender

2011-09-01 13:31 . 2011-09-01 13:32 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-08-31 23:51 . 2011-08-31 23:51 -------- d-----w- C:\6ae296c7ebb2d7ea6efd85

2011-08-31 22:08 . 2011-08-31 22:08 4194304 ----a-w- c:\windows\system32\iahonoel.dll

2011-08-30 10:00 . 2011-08-30 10:00 -------- d-----w- C:\dats

2011-08-15 19:49 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-15 19:49 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys

2011-08-15 18:57 . 2011-08-15 18:57 -------- d-----w- c:\documents and settings\tcosby\Application Data\Malwarebytes

2011-08-15 18:50 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-01 18:42 . 2004-08-11 23:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-09-01 18:42 . 2004-08-04 05:15 64512 ----a-w- c:\windows\system32\drivers\serial.sys

2011-07-20 19:34 . 2011-07-20 19:28 772116456 ----a-w- c:\program files\AutoCADLT_2012_English_Win_32bit.exe

2011-07-15 13:29 . 2004-08-11 23:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2004-08-11 23:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-07 16:01 . 2011-07-06 18:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-24 14:10 . 2004-08-11 23:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36 . 2004-08-11 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36 . 2004-08-11 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2004-08-11 23:00 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2004-08-11 23:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2008-11-17 21:36 . 2009-02-09 23:49 148 ----a-w- c:\program files\clndats.cmd

2008-04-28 16:27 . 2009-02-09 23:49 51 ----a-w- c:\program files\DefragC.cmd

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-12 7204864]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2006-04-26 143360]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 188416]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Documents and Settings\\tcosby\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=

"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=

"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\Common Files\\Adobe\\OOBE\\PDApp\\UWA\\AAM Updates Notifier.exe"=

"c:\\Documents and Settings\\tcosby\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

"c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Documents and Settings\\tcosby\\Desktop\\tdsskiller.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"5900:TCP"= 5900:TCP:RealVNC

"1046:TCP"= 1046:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

.

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/11/2004 6:00 PM 14336]

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 6:25 PM 65536]

R2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2/2/2011 2:08 PM 18656]

R2 Transoft Solutions License Server V1.4;Transoft Solutions License Server V1.4;c:\program files\Transoft Solutions\License Server\TransoftLS.exe [8/1/2006 5:13 PM 307200]

S1 MpKsl01295c1f;MpKsl01295c1f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EA96A164-6E51-4037-B266-522162FC80B0}\MpKsl01295c1f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EA96A164-6E51-4037-B266-522162FC80B0}\MpKsl01295c1f.sys [?]

S1 MpKsl0fe6afb1;MpKsl0fe6afb1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B07DD3B1-E218-473C-A584-57C51DC5AEEB}\MpKsl0fe6afb1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B07DD3B1-E218-473C-A584-57C51DC5AEEB}\MpKsl0fe6afb1.sys [?]

S1 MpKsl2689a652;MpKsl2689a652;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B07DD3B1-E218-473C-A584-57C51DC5AEEB}\MpKsl2689a652.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B07DD3B1-E218-473C-A584-57C51DC5AEEB}\MpKsl2689a652.sys [?]

S1 MpKsl73048098;MpKsl73048098;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{480C0847-9C96-4EBD-9F22-96D12B9DD868}\MpKsl73048098.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{480C0847-9C96-4EBD-9F22-96D12B9DD868}\MpKsl73048098.sys [?]

S1 MpKsl832a6180;MpKsl832a6180;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{480C0847-9C96-4EBD-9F22-96D12B9DD868}\MpKsl832a6180.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{480C0847-9C96-4EBD-9F22-96D12B9DD868}\MpKsl832a6180.sys [?]

S1 MpKsl85713328;MpKsl85713328;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6C902E4A-524C-48F9-9BBE-89A891CE697E}\MpKsl85713328.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6C902E4A-524C-48F9-9BBE-89A891CE697E}\MpKsl85713328.sys [?]

S1 MpKsle3ed5722;MpKsle3ed5722;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F3F3846-D2BA-4B86-A3F8-14FAFF2655B7}\MpKsle3ed5722.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F3F3846-D2BA-4B86-A3F8-14FAFF2655B7}\MpKsle3ed5722.sys [?]

S1 MpKsle6531c7c;MpKsle6531c7c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6C902E4A-524C-48F9-9BBE-89A891CE697E}\MpKsle6531c7c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6C902E4A-524C-48F9-9BBE-89A891CE697E}\MpKsle6531c7c.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2010 8:01 AM 136176]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2010 8:01 AM 136176]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/1/2011 8:49 AM 41272]

S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/11/2004 6:00 PM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-30 c:\windows\Tasks\AdobeAAMUpdater-1.0-SKIPPERINC-TCosby.job

- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-04-14 08:44]

.

2009-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

.

2011-08-30 c:\windows\Tasks\clndats.job

- c:\program files\clndats.cmd [2009-02-09 21:36]

.

2011-08-30 c:\windows\Tasks\DefragC.job

- c:\program files\DefragC.cmd [2009-02-09 16:27]

.

2011-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 13:01]

.

2011-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 13:01]

.

2011-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3502457883-2455309601-993715493-1171Core.job

- c:\documents and settings\tcosby\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-09 18:26]

.

2011-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3502457883-2455309601-993715493-1171UA.job

- c:\documents and settings\tcosby\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-09 18:26]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.al.com/

uInternet Settings,ProxyOverride = <local>

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html

IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}

TCP: DhcpNameServer = 10.0.110.1

.

.

------- File Associations -------

.

.scr=AutoCADLTScriptFile

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-69582119.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-01 15:08

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.netbt]

"ImagePath"="\*"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(1872)

c:\windows\system32\WININET.dll

c:\windows\system32\AcSignIcon.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\RealVNC\VNC4\WinVNC4.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\rdpclip.exe

c:\windows\system32\wscntfy.exe

c:\windows\stsystra.exe

.

**************************************************************************

.

Completion time: 2011-09-01 15:14:01 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-01 20:13

.

Pre-Run: 264,914,919,424 bytes free

Post-Run: 266,863,251,456 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 2F1DFB1AECBB8DE28D2EB573D10362AE


Thanks again for all the help. Here are the DDS logs that were run AFTER combofix:

DDS.txt

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by tcosby at 15:15:18 on 2011-09-01

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2741 [GMT -5:00]

.

AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k Akamai

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Transoft Solutions\License Server\TransoftLS.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\rdpclip.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\tcosby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\tcosby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.al.com/

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html

IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html

IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163693245791

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163693336801

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 10.0.110.1

TCP: Interfaces\{6C3154BE-B917-4560-9A70-ACFCEB5A1287} : DhcpNameServer = 10.0.110.1

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

.

============= SERVICES / DRIVERS ===============

.

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-11 14336]

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]

R2 Autodesk Content Service;Autodesk Content Service;c:\program files\autodesk\content service\Connect.Service.ContentService.exe [2011-2-2 18656]

R2 Transoft Solutions License Server V1.4;Transoft Solutions License Server V1.4;c:\program files\transoft solutions\license server\TransoftLS.exe [2006-8-1 307200]

S1 MpKsl01295c1f;MpKsl01295c1f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ea96a164-6e51-4037-b266-522162fc80b0}\mpksl01295c1f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ea96a164-6e51-4037-b266-522162fc80b0}\MpKsl01295c1f.sys [?]

S1 MpKsl0fe6afb1;MpKsl0fe6afb1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b07dd3b1-e218-473c-a584-57c51dc5aeeb}\mpksl0fe6afb1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b07dd3b1-e218-473c-a584-57c51dc5aeeb}\MpKsl0fe6afb1.sys [?]

S1 MpKsl2689a652;MpKsl2689a652;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b07dd3b1-e218-473c-a584-57c51dc5aeeb}\mpksl2689a652.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b07dd3b1-e218-473c-a584-57c51dc5aeeb}\MpKsl2689a652.sys [?]

S1 MpKsl73048098;MpKsl73048098;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{480c0847-9c96-4ebd-9f22-96d12b9dd868}\mpksl73048098.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{480c0847-9c96-4ebd-9f22-96d12b9dd868}\MpKsl73048098.sys [?]

S1 MpKsl832a6180;MpKsl832a6180;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{480c0847-9c96-4ebd-9f22-96d12b9dd868}\mpksl832a6180.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{480c0847-9c96-4ebd-9f22-96d12b9dd868}\MpKsl832a6180.sys [?]

S1 MpKsl85713328;MpKsl85713328;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c902e4a-524c-48f9-9bbe-89a891ce697e}\mpksl85713328.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c902e4a-524c-48f9-9bbe-89a891ce697e}\MpKsl85713328.sys [?]

S1 MpKsle3ed5722;MpKsle3ed5722;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f3f3846-d2ba-4b86-a3f8-14faff2655b7}\mpksle3ed5722.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f3f3846-d2ba-4b86-a3f8-14faff2655b7}\MpKsle3ed5722.sys [?]

S1 MpKsle6531c7c;MpKsle6531c7c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c902e4a-524c-48f9-9bbe-89a891ce697e}\mpksle6531c7c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c902e4a-524c-48f9-9bbe-89a891ce697e}\MpKsle6531c7c.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-9 136176]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-9 136176]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-9-1 41272]

S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-11 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== File Associations ===============

.

.scr=AutoCADLTScriptFile

.

=============== Created Last 30 ================

.

2011-09-01 19:46:59 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2011-09-01 19:44:02 -------- d-sha-r- C:\cmdcons

2011-09-01 19:41:20 98816 ----a-w- c:\windows\sed.exe

2011-09-01 19:41:20 518144 ----a-w- c:\windows\SWREG.exe

2011-09-01 19:41:20 256000 ----a-w- c:\windows\PEV.exe

2011-09-01 19:41:20 208896 ----a-w- c:\windows\MBR.exe

2011-09-01 15:07:13 388096 ----a-r- c:\documents and settings\tcosby\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-09-01 15:07:12 -------- d-----w- c:\program files\Trend Micro

2011-09-01 14:10:09 43408 --sha-w- c:\windows\system32\c_76623.nl_

2011-09-01 13:49:39 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-01 13:49:35 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-01 13:49:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-01 13:48:45 2321288 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\backup\mpengine.dll

2011-09-01 13:48:42 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{4dbe450d-4952-47b1-9f05-cfc1ba090a00}\mpengine.dll

2011-09-01 13:31:43 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-08-31 23:51:02 -------- d-----w- C:\6ae296c7ebb2d7ea6efd85

2011-08-31 22:08:40 4194304 ----a-w- c:\windows\system32\iahonoel.dll

2011-08-30 10:00:00 -------- d-----w- C:\dats

2011-08-15 19:49:33 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-15 19:49:31 105472 ------w- c:\windows\system32\dllcache\mup.sys

2011-08-15 18:57:15 -------- d-----w- c:\documents and settings\tcosby\application data\Malwarebytes

2011-08-15 18:50:36 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys

.

==================== Find3M ====================

.

2011-09-01 18:42:31 64512 ----a-w- c:\windows\system32\drivers\serial.sys

2011-09-01 18:42:31 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-07-20 19:34:11 772116456 ----a-w- c:\program files\AutoCADLT_2012_English_Win_32bit.exe

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-07 16:01:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2008-11-17 21:36:49 148 ----a-w- c:\program files\clndats.cmd

2008-04-28 16:27:00 51 ----a-w- c:\program files\DefragC.cmd

.

============= FINISH: 15:15:28.01 ===============

Attach.txt


.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 11/16/2006 9:15:21 AM

System Uptime: 9/1/2011 3:05:55 PM (0 hours ago)

.

Motherboard: Dell Inc. | | 0MY510

Processor: Intel® Core2 CPU 6300 @ 1.86GHz | Microprocessor | 1862/1066mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 298 GiB total, 248.565 GiB free.

S: is NetworkDisk (NTFS) - 687 GiB total, 212.436 GiB free.

U: is NetworkDisk (NTFS) - 279 GiB total, 190.672 GiB free.

Y: is NetworkDisk (NTFS) - 687 GiB total, 212.436 GiB free.

Z: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP702: 6/3/2011 3:34:21 PM - Software Distribution Service 3.0

RP703: 6/4/2011 3:34:02 PM - Software Distribution Service 3.0

RP704: 6/5/2011 1:57:13 AM - Software Distribution Service 3.0

RP705: 6/5/2011 3:34:07 PM - Software Distribution Service 3.0

RP706: 6/6/2011 3:34:10 PM - Software Distribution Service 3.0

RP707: 6/7/2011 3:34:04 PM - Software Distribution Service 3.0

RP708: 6/8/2011 4:54:41 PM - System Checkpoint

RP709: 6/9/2011 1:44:42 PM - Software Distribution Service 3.0

RP710: 6/10/2011 1:44:31 PM - Software Distribution Service 3.0

RP711: 6/11/2011 1:44:14 PM - Software Distribution Service 3.0

RP712: 6/12/2011 2:07:36 AM - Software Distribution Service 3.0

RP713: 6/12/2011 1:43:47 PM - Software Distribution Service 3.0

RP714: 6/13/2011 1:44:16 PM - Software Distribution Service 3.0

RP715: 6/14/2011 1:44:17 PM - Software Distribution Service 3.0

RP716: 6/15/2011 1:44:06 PM - Software Distribution Service 3.0

RP717: 6/16/2011 1:43:27 PM - Software Distribution Service 3.0

RP718: 6/17/2011 1:42:29 PM - Software Distribution Service 3.0

RP719: 6/18/2011 1:42:34 PM - Software Distribution Service 3.0

RP720: 6/19/2011 2:07:47 AM - Software Distribution Service 3.0

RP721: 6/19/2011 1:43:03 PM - Software Distribution Service 3.0

RP722: 6/20/2011 1:43:04 PM - Software Distribution Service 3.0

RP723: 6/21/2011 2:24:04 PM - System Checkpoint

RP724: 6/21/2011 3:38:08 PM - Software Distribution Service 3.0

RP725: 6/22/2011 3:32:44 PM - Software Distribution Service 3.0

RP726: 6/23/2011 3:33:02 PM - Software Distribution Service 3.0

RP727: 6/24/2011 3:33:00 PM - Software Distribution Service 3.0

RP728: 6/25/2011 3:32:30 PM - Software Distribution Service 3.0

RP729: 6/26/2011 1:42:45 AM - Software Distribution Service 3.0

RP730: 6/26/2011 3:32:29 PM - Software Distribution Service 3.0

RP731: 6/27/2011 3:33:15 PM - Software Distribution Service 3.0

RP732: 6/28/2011 3:33:10 PM - Software Distribution Service 3.0

RP733: 6/29/2011 3:31:44 PM - Software Distribution Service 3.0

RP734: 6/30/2011 3:29:50 PM - Software Distribution Service 3.0

RP735: 7/1/2011 3:29:11 PM - Software Distribution Service 3.0

RP736: 7/2/2011 3:29:37 PM - Software Distribution Service 3.0

RP737: 7/3/2011 1:43:02 AM - Software Distribution Service 3.0

RP738: 7/3/2011 3:29:40 PM - Software Distribution Service 3.0

RP739: 7/4/2011 3:29:42 PM - Software Distribution Service 3.0

RP740: 7/5/2011 3:29:17 PM - Software Distribution Service 3.0

RP741: 7/6/2011 3:28:43 PM - Software Distribution Service 3.0

RP742: 7/7/2011 3:27:59 PM - Software Distribution Service 3.0

RP743: 7/8/2011 3:26:28 PM - Software Distribution Service 3.0

RP744: 7/9/2011 3:25:56 PM - Software Distribution Service 3.0

RP745: 7/10/2011 1:42:43 AM - Software Distribution Service 3.0

RP746: 7/10/2011 3:26:12 PM - Software Distribution Service 3.0

RP747: 7/11/2011 3:26:45 PM - Software Distribution Service 3.0

RP748: 7/12/2011 3:25:01 PM - Software Distribution Service 3.0

RP749: 7/13/2011 3:24:05 PM - Software Distribution Service 3.0

RP750: 7/14/2011 3:23:01 PM - Software Distribution Service 3.0

RP751: 7/15/2011 3:27:47 PM - Software Distribution Service 3.0

RP752: 7/16/2011 3:32:08 PM - System Checkpoint

RP753: 7/16/2011 3:33:24 PM - Software Distribution Service 3.0

RP754: 7/17/2011 1:42:44 AM - Software Distribution Service 3.0

RP755: 7/17/2011 3:33:37 PM - Software Distribution Service 3.0

RP756: 7/18/2011 3:32:51 PM - Software Distribution Service 3.0

RP757: 7/19/2011 3:32:01 PM - Software Distribution Service 3.0

RP758: 7/20/2011 2:27:18 PM - Installed Akamai NetSession Interface

RP759: 7/20/2011 2:45:54 PM - Installed DirectX

RP760: 7/21/2011 2:59:46 PM - Software Distribution Service 3.0

RP761: 7/22/2011 2:59:07 PM - Software Distribution Service 3.0

RP762: 7/23/2011 2:58:42 PM - Software Distribution Service 3.0

RP763: 7/24/2011 1:55:53 AM - Software Distribution Service 3.0

RP764: 7/24/2011 2:58:41 PM - Software Distribution Service 3.0

RP765: 7/25/2011 2:59:20 PM - Software Distribution Service 3.0

RP766: 7/26/2011 5:21:25 PM - System Checkpoint

RP767: 7/26/2011 10:52:35 PM - Software Distribution Service 3.0

RP768: 7/27/2011 10:52:10 PM - Software Distribution Service 3.0

RP769: 7/28/2011 10:52:32 PM - Software Distribution Service 3.0

RP770: 7/29/2011 10:52:05 PM - Software Distribution Service 3.0

RP771: 7/30/2011 10:52:05 PM - Software Distribution Service 3.0

RP772: 7/31/2011 1:41:42 AM - Software Distribution Service 3.0

RP773: 7/31/2011 10:51:34 PM - Software Distribution Service 3.0

RP774: 8/1/2011 10:51:08 PM - Software Distribution Service 3.0

RP775: 8/2/2011 10:50:35 PM - Software Distribution Service 3.0

RP776: 8/3/2011 10:50:20 PM - Software Distribution Service 3.0

RP777: 8/4/2011 10:49:38 PM - Software Distribution Service 3.0

RP778: 8/5/2011 11:31:01 PM - System Checkpoint

RP779: 8/7/2011 12:31:02 AM - System Checkpoint

RP780: 8/8/2011 1:31:00 AM - System Checkpoint

RP781: 8/9/2011 1:35:06 AM - System Checkpoint

RP782: 8/9/2011 11:37:41 AM - Software Distribution Service 3.0

RP783: 8/10/2011 11:35:50 AM - Software Distribution Service 3.0

RP784: 8/11/2011 12:12:27 PM - System Checkpoint

RP785: 8/12/2011 11:12:54 AM - Software Distribution Service 3.0

RP786: 8/13/2011 11:12:54 AM - Software Distribution Service 3.0

RP787: 8/14/2011 1:52:49 AM - Software Distribution Service 3.0

RP788: 8/14/2011 11:13:02 AM - Software Distribution Service 3.0

RP789: 8/15/2011 11:13:02 AM - Software Distribution Service 3.0

RP790: 8/16/2011 12:23:35 PM - System Checkpoint

RP791: 8/16/2011 2:49:31 PM - Software Distribution Service 3.0

RP792: 8/17/2011 2:46:59 PM - Software Distribution Service 3.0

RP793: 8/18/2011 2:45:19 PM - Software Distribution Service 3.0

RP794: 8/19/2011 2:44:33 PM - Software Distribution Service 3.0

RP795: 8/20/2011 2:42:37 PM - Software Distribution Service 3.0

RP796: 8/21/2011 2:25:52 AM - Software Distribution Service 3.0

RP797: 8/21/2011 2:43:44 PM - Software Distribution Service 3.0

RP798: 8/22/2011 2:44:14 PM - Software Distribution Service 3.0

RP799: 8/23/2011 2:43:03 PM - Software Distribution Service 3.0

RP800: 8/24/2011 2:43:02 PM - Software Distribution Service 3.0

RP801: 8/25/2011 2:44:48 PM - Software Distribution Service 3.0

RP802: 8/26/2011 2:49:51 PM - Software Distribution Service 3.0

RP803: 8/27/2011 2:49:49 PM - Software Distribution Service 3.0

RP804: 8/28/2011 2:25:41 AM - Software Distribution Service 3.0

RP805: 8/28/2011 2:50:04 PM - Software Distribution Service 3.0

RP806: 8/29/2011 2:49:29 PM - Software Distribution Service 3.0

RP807: 8/31/2011 7:37:46 AM - Software Distribution Service 3.0

RP808: 8/31/2011 6:39:58 PM - Software Distribution Service 3.0

RP809: 9/1/2011 8:09:40 AM - Software Distribution Service 3.0

RP810: 9/1/2011 8:47:59 AM - Installed Windows Defender

RP811: 9/1/2011 8:48:38 AM - Software Distribution Service 3.0

RP812: 9/1/2011 10:07:11 AM - Installed HiJackThis

RP813: 9/1/2011 10:40:40 AM - Software Distribution Service 3.0

RP814: 9/1/2011 1:36:29 PM - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

Adobe AIR

Adobe Community Help

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Illustrator CS5

Adobe Media Player

Adobe Reader 9.4.0

Adobe Shockwave Player 11.5

Akamai NetSession Interface

Apple Mobile Device Support

Apple Software Update

Atmel TPM Driver Installer 3.0.3.15

AutoCAD 2006 - English

AutoCAD LT 2009 - English

AutoCAD LT 2010 - English

AutoCAD LT 2011 - English

AutoCAD LT 2011 Language Pack - English

AutoCAD LT 2012 - English

AutoCAD LT 2012 Language Pack - English

Autodesk Content Service

Autodesk DWF Viewer

Autodesk Material Library 2011

Autodesk Material Library 2012

Autodesk Material Library Base Resolution Image Library 2012

Autodesk Raster Design 2006 - Object Enabler

AutoTURN 5

Bentley MicroStation (V 08.00.01.19) - 1

Broadcom Advanced Control Suite

Broadcom ASF Management Applications

Compatibility Pack for the 2007 Office system

Critical Update for Windows Media Player 11 (KB959772)

Destinations

DeviceFunctionQFolder

DeviceManagementQFolder

DivX Web Player

DocProc

DocumentViewer

DocumentViewerQFolder

eSupportQFolder

getPlus+® Download Manager for Corel

Google Chrome

Google Earth

Google Toolbar for Internet Explorer

Google Update Helper

HCS+T7F

High Definition Audio Driver Package - KB835221

HiJackThis

Hotfix for Microsoft .NET Framework 3.0 (KB932471)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Format SDK (KB902344)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB942288-v3)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

hp deskjet 5550 series (Remove only)

HP Document Viewer 5.3

HP Imaging Device Functions 5.3

hp print screen utility

HP Scanjet 4800 series

HP Software Update

HP Solution Center & Imaging Support Tools 5.3

hpg4850

hpg4850QFolder

HPProductAssistant

Intel Matrix Storage Manager

iTunes

J2SE Runtime Environment 5.0 Update 6

Malwarebytes' Anti-Malware version 1.51.1.1800

MCU

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft English TTS Engine

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Access database engine 2007 (English)

Microsoft Office Basic Edition 2003

Microsoft Office Live Add-in 1.4

Microsoft Office Sounds

Microsoft Silverlight

Microsoft Streets & Trips 2007

Microsoft Streets & Trips 2010

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable Package

Microsoft_VC80_CRT_x86

Microsoft_VC80_MFC_x86

Microsoft_VC80_MFCLOC_x86

Microsoft_VC90_ATL_x86

Microsoft_VC90_CRT_x86

Microsoft_VC90_MFC_x86

MSXML 4.0 SP2 (KB925672)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser (KB933579)

NVIDIA Drivers

Octoshape add-in for Adobe Flash Player

OGA Notifier 2.0.0048.0

PanoStandAlone

PC-Warrants

PDF Settings CS5

PowerDVD 5.7

QuickTime

Roxio DLA

Roxio Express Labeler

Roxio RecordNow Audio

Roxio RecordNow Copy

Roxio RecordNow Data

SAPI Wrapper

Scan

ScannerCopy

ScanSoft PDF Professional 4

SCDOT Standards

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB969897)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Search 4 - KB963093

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2491683)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Shadow Copy Client

SolutionCenter

Sonic Update Manager

Spybot - Search & Destroy

TTS Wrapper

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft Windows (KB971513)

Update for Windows Internet Explorer 8 (KB971930)

Update for Windows Internet Explorer 8 (KB973874)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows Internet Explorer 8 (KB978506)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB943729)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951618-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VBA (2720)

VC80CRTRedist - 8.0.50727.762

VNC Enterprise Edition E4.4.3

WebFldrs XP

WebReg

Windows Defender

Windows Defender Signatures

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Imaging Component

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Format SDK Hotfix - KB891122

Windows Media Player 11

Windows PowerShell 1.0

Windows PowerShell 1.0 MUI pack

Windows Presentation Foundation

Windows Search 4.0

Windows XP Service Pack 3

WinZip

XML Paper Specification Shared Components Pack 1.0

.

==== Event Viewer Messages From Past Week ========

.

9/1/2011 9:10:50 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm

9/1/2011 9:10:10 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

9/1/2011 8:49:24 AM, error: Service Control Manager [7000] - The Windows Defender service failed to start due to the following error: Access is denied.

9/1/2011 8:49:09 AM, error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.

9/1/2011 8:04:00 AM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

9/1/2011 7:59:50 AM, error: TermServDevices [1111] - Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.

9/1/2011 7:59:29 AM, error: TermServDevices [1111] - Driver HP Officejet J5700 series required for printer HP Officejet J5700 series is unknown. Contact the administrator to install the driver before you log in again.

9/1/2011 7:59:29 AM, error: TermServDevices [1111] - Driver Adobe PDF Converter required for printer Adobe PDF is unknown. Contact the administrator to install the driver before you log in again.

9/1/2011 7:50:10 AM, error: Print [33] - The PrintQueue Container could not be found because the DNS Domain name could not be retrieved. Error: 6a7

9/1/2011 2:52:02 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: Access is denied.

9/1/2011 10:13:22 AM, error: Print [33] - The PrintQueue Container could not be found because the DNS Domain name could not be retrieved. Error: 54b

9/1/2011 10:11:36 AM, error: Service Control Manager [7034] - The McciCMService service terminated unexpectedly. It has done this 1 time(s).

9/1/2011 10:01:14 AM, error: NETLOGON [5719] - No Domain Controller is available for domain SKIPPERINC due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

9/1/2011 1:43:01 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

8/31/2011 6:37:49 PM, error: Service Control Manager [7000] - The McAfee Security Scan Component Host Service service failed to start due to the following error: Access is denied.

8/31/2011 6:37:49 PM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service McComponentHostService with arguments "" in order to run the server: {CC6F4D12-8575-4CFF-9455-CF5774AEB13B}

8/31/2011 6:22:22 PM, error: Service Control Manager [7034] - The McAfee Security Scan Component Host Service service terminated unexpectedly. It has done this 1 time(s).

8/31/2011 6:22:01 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000010' while processing the file 'loader.tlb' on the volume 'ACPI#PNP0303#2&da1a3ff&0'. It has stopped monitoring the volume.

8/31/2011 6:19:33 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.

8/31/2011 6:19:27 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Autodesk Content Service service to connect.

8/31/2011 6:19:27 PM, error: Service Control Manager [7000] - The Microsoft Antimalware Service service failed to start due to the following error: Access is denied.

8/31/2011 6:19:27 PM, error: Service Control Manager [7000] - The Autodesk Content Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

8/31/2011 6:18:08 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

8/31/2011 5:28:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McComponentHostService with arguments "" in order to run the server: {CC6F4D12-8575-4CFF-9455-CF5774AEB13B}

8/31/2011 5:28:06 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

8/31/2011 5:26:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter

8/31/2011 5:14:25 PM, error: Service Control Manager [7022] - The Autodesk Content Service service hung on starting.

8/31/2011 5:08:42 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000010' while processing the file 'L' on the volume 'ACPI#PNP0303#2&da1a3ff&0'. It has stopped monitoring the volume.

8/31/2011 5:08:41 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.

.

==== End Of File ===========================

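The Event Viewer section above is the clearest evidence of what the poster describes (Malwarebytes and Windows Defender being disabled): the Service Control Manager repeatedly reports security-product services failing to start with "Access is denied", terminating unexpectedly, and the Microsoft Antimalware minifilter (MpFilter) not loading. As an added example that is not part of any post in this thread, the Python below triages event lines in the format DDS prints them and flags exactly those conditions; the keyword list of security products is an assumption drawn from the names in this log.

```python
import re

# Constructed sample input: five Service Control Manager lines copied from the DDS log
# above plus one benign Autodesk line that must not be flagged.
SAMPLE_EVENTS = """\
9/1/2011 8:49:24 AM, error: Service Control Manager [7000] - The Windows Defender service failed to start due to the following error: Access is denied.
9/1/2011 8:49:09 AM, error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
8/31/2011 6:37:49 PM, error: Service Control Manager [7000] - The McAfee Security Scan Component Host Service service failed to start due to the following error: Access is denied.
8/31/2011 6:19:27 PM, error: Service Control Manager [7000] - The Microsoft Antimalware Service service failed to start due to the following error: Access is denied.
8/31/2011 5:26:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter
8/31/2011 6:19:27 PM, error: Service Control Manager [7000] - The Autodesk Content Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
"""

# Assumed keyword list: the security products named in this log (extend for your estate).
SECURITY_KEYWORDS = ("defender", "antimalware", "mcafee", "malwarebytes", "mpfilter")

EVENT_RE = re.compile(r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M), error: Service Control Manager \[(?P<id>\d+)\] - (?P<msg>.*)$")
SERVICE_RE = re.compile(r"^The (?P<svc>.+?) service (?P<what>failed to start|terminated unexpectedly)")
DRIVER_RE = re.compile(r"driver\(s\) failed to load: (?P<drivers>.+)$")

def is_security_component(name):
    return any(k in name.lower() for k in SECURITY_KEYWORDS)

def triage(text):
    # One (timestamp, event_id, component, reason) tuple per blocked or stopped security component.
    findings = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a Service Control Manager event
        ts, eid, msg = m.group("ts"), int(m.group("id")), m.group("msg")
        if eid == 7026:  # boot/system-start driver(s) failed to load
            d = DRIVER_RE.search(msg)
            for drv in (d.group("drivers").split() if d else []):
                if is_security_component(drv):
                    findings.append((ts, eid, drv, "driver failed to load"))
            continue
        s = SERVICE_RE.match(msg)
        if not s or not is_security_component(s.group("svc")):
            continue
        reason = s.group("what")
        if "Access is denied" in msg:  # the SCM itself cannot start it: service ACL/permission tampering
            reason += " (Access is denied)"
        findings.append((ts, eid, s.group("svc"), reason))
    return findings

if __name__ == "__main__":
    for ts, eid, component, reason in triage(SAMPLE_EVENTS):
        print(f"{ts}  [{eid}]  {component}: {reason}")
```

Run against the full "Event Viewer Messages" section of a DDS log, a cluster of these findings for several products within minutes of each other is the pattern to look for; a single timeout on an unrelated service (the Autodesk line) is noise and is ignored.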

Thanks for providing the reports, cbaiey. Good work!! Keep it up!

 

 

The diagnostic tools are showing that the removal tools are working.

However, would appreciate it if you could give an actual update on how the computer is running, and whether you are having any more malware problems.

 

Something to work on:

The information provided shows that two AntiVirus programs are running:

AV: McAfee VirusScan *Disabled/Updated*

AV: Microsoft Security Essentials *Disabled/Updated*

 

Too much protection often results in reduced protection. AV programs conflict with each other, etc. Would remove one of the programs, and my unsolicited opinion is: would keep MSE or install avast! Free. Have used both of these, and have been satisfied with both. In my experience, and from the comments available from credible sources, McAfee is rather "resource intensive".

 

Pressing on...

 

We need to scan the system with a special tool.

  • Please download Junction.zip and save it.

    Unzip it and place the junction.exe file in the Windows directory (C:\Windows). (No need to run it.)

  • Go to Start > Run, and copy/paste the following command in the Open box and click OK:

    cmd /c junction -s >log.txt&log.txt

    A command window opens and scans the system.

    Next, a log file opens in Notepad.

    Please copy the contents of log.txt, and provide in your reply.

Next, download Security Check:

http://screen317.changelog.fr/SecurityCheck.exe

 

Save to the Desktop.

Double click SecurityCheck.exe and follow the on-screen instructions (in the black box.)

 

When done, a Notepad document opens automatically: checkup.txt

Please post the contents of checkup.txt in your reply.

 

 

Do not rush...going out to get supper. Will be back later.


  • 1 month later...

It appears that the malware issue presented is resolved, therefore the topic is closed.

 

Please send me or any Moderator a Personal Message (PM) with this topic's link if there is a reason to re-open it.

 

 

Thanks.
