
[SOLVED] Computer running extremely slow

This is a discussion on [SOLVED] Computer running extremely slow within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 09-22-2011, 06:02 AM   #1
Registered Member
 
Join Date: Nov 2010
Posts: 160
OS: XP and Vista



I am not sure if this is in the right forum as I am unsure if the problem is a virus, spyware etc. or something else. It is my sister's computer; she is here visiting from out of town and asked if I could have a look at it as it is running very slow.

It is indeed running slow. Attached are the files requested in the instructions and below is the dds log also as per the instructions.

I should point out that I ran dds first as instructed and then while gmer had been running for about 30 minutes dds started again and ran, and then about an hour later dds started another time and ran. While gmer was running I saw dds run probably 5 times all on its own. I don't recall this happening on my computer when I ran these programs several months ago so don't think that is normal but don't really know for sure either.

I would appreciate it if someone could review it and determine if this needs to be moved to another forum or whether you can help me here.

Thank you

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11
Run by HP_Owner at 14:09:01 on 2011-09-21
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1329 [GMT -4:00]
.
AV: Security Manager Anti-Virus *Disabled/Outdated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Freedom Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://sympatico.msn.ca/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q105&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q105&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = ;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\bell\security manager\pkR.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: ZKBho Class: {56071e0d-c61b-11d3-b41c-00e02927a304} - c:\program files\bell\security manager\FBHR.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\photosmart\hp share-to-web\hpgs2wnd.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Memeo Instant Backup] c:\program files\memeo\autobackup\MemeoLauncher2.exe --silent --no_ui
mRun: [Seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
uPolicies-system: DisableRegistryTools = 1
uPolicies-system: NoAdminPage = 1
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} - hxxps://activation.sympatico.ca/wizlet/SympaticoWebflow/static/controls/BellCanadaActiveX.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxsrvc.dll
Hosts: 127.0.0.1 www.f-secure.com
Hosts: 127.0.0.1 www.mcafee.com
Hosts: 127.0.0.1 www.sophos.com
Hosts: 127.0.0.1 www.symantec.com
Hosts: 127.0.0.1 www.viruslist.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 297168]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2010-4-22 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2010-4-30 14088]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
S2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\Savrtpel.sys [2002-7-25 34992]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-14 1025352]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20020823.004\NAVENG.SYS [2006-1-20 66816]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20020823.004\NAVEX15.SYS [2006-1-20 590944]
S3 SAVRT;SAVRT;c:\windows\system32\drivers\savrt.sys [2002-7-25 235184]
S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-14 54408]
.
=============== File Associations ===============
.
regfile="%1"
scrfile="%1" /S "%3"
.
=============== Created Last 30 ================
.
2011-09-21 17:20:43 -------- d-----w- C:\ELAINES COMPUTER
2011-09-21 02:40:28 1409 ----a-w- c:\windows\QTFont.for
2011-09-21 02:38:53 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-09-21 02:38:53 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2011-09-21 02:38:47 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-09-21 02:38:47 14848 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-09-21 02:38:33 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-09-21 02:38:33 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2011-09-21 02:37:50 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-09-21 02:37:50 9600 ----a-w- c:\windows\system32\dllcache\hidusb.sys
.
==================== Find3M ====================
.
2004-08-04 04:00:00 94784 --sh--w- c:\windows\twain.dll
2004-08-04 04:00:00 50688 --sh--w- c:\windows\twain_32.dll
2004-08-04 04:00:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2004-08-04 04:00:00 54784 --sh--w- c:\windows\system32\msvcirt.dll
2004-08-04 04:00:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2004-08-04 04:00:00 343040 --sh--w- c:\windows\system32\msvcrt.dll
2006-02-17 06:00:34 2 --sh--w- c:\windows\system32\netstat.com
2007-12-04 18:38:13 550912 --sh--w- c:\windows\system32\oleaut32.dll
2004-08-04 04:00:00 83456 --sh--w- c:\windows\system32\olepro32.dll
2004-08-04 04:00:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
2006-02-17 06:00:34 2 --sh--w- c:\windows\system32\taskkill.com
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: SAMSUNG_SP1614C rev.SW100-30 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x89E09808]<<
_asm { MOV EAX, 0x89e09728; XCHG [ESP], EAX; PUSH EAX; PUSH 0x89e0feb4; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x89D42AB8]
\Driver\Disk[0x89D98A08] -> IRP_MJ_CREATE -> 0x89E09808
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
detected disk devices:
detected hooks:
\Driver\Disk -> 0x89e09808
user & kernel MBR OK
Warning: possible MBR rootkit infection !
.
============= FINISH: 14:09:47.70 ===============
Attached Files: attach.zip (6.7 KB)

__________________
jackdup is offline  
Old 09-24-2011, 06:10 PM   #2
Registered Member
 
Join Date: Nov 2010
Posts: 160
OS: XP and Vista



I have my sister's computer here from out of town and have posted the logs in another post as per the instructions. She may have to leave before I have a reply to that post, which is okay as I know you are very busy, and that can't be helped.

The issue I have that I would like a reply to right away is how to stop DDS from running. About every 30-60 minutes it runs again and when it gets to the end presents the message about the two logs which will open once you click ok but these logs don't open. That part isn't a problem as I have already posted the logs, I just don't know why it keeps running itself and how to stop it.

I would really like to look after this before my sister takes her computer and leaves in the event there isn't a reply to my original post. I even changed the name from dds.scr to dds with no extension. I then double clicked it and it would not run, so I just assumed it would no longer run itself, but it just ran again now.

If someone could please tell me how to get rid of dds running over and over again I will be happy and if by chance someone has a chance to reply to my original post that would be great but again if not I completely understand, would just like to get this one issue resolved now and will wait my turn on the other post.

Thank you

__________________
jackdup is offline  
Old 09-24-2011, 06:57 PM   #3
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,350
OS: XP SP3; Win7 32/64-bit



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

I have combined both of your threads. Did you save dds.scr to your desktop, or is it in your Downloads folder?

Delete it and let me know if you still have trouble with it.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

First, we need to install the Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. Also, ComboFix will not address certain types of malware unless the RC is installed. It is a simple procedure that will only take a few moments of your time.

Download the file from this Microsoft page:

Download Details - Microsoft Download Center - Windows XP Home Edition with Service Pack 2 Utility: Setup Disks for Floppy Boot Install

Save it as it is originally named to your Desktop.

Now close all open windows and programs, including all antivirus and antispyware programs. Get help here



Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



Please continue as follows:
  • Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
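As an added triage example (not from the original thread, and not part of DDS, GMER or ComboFix), the Python script below scans DDS-style lines for the indicators visible in the log above that sit behind chemist's rootkit assessment: hosts entries that redirect security-vendor sites to loopback, policies that lock the user out of the registry editor, AV and firewall reported as disabled, tiny hidden .com files shadowing system32 utilities, and GMER's MBR warning. The vendor fragments, policy names, shadow targets and sample lines are constructed assumptions for illustration.

```python
"""Triage of DDS-style log lines for the indicators discussed in the thread."""
import re
from typing import Dict, List

# Constructed sample lines in DDS format, mirroring indicators from the posted
# log (this is not the full log and is embedded here only for the demo).
SAMPLE_DDS_LINES = [
    r"AV: Security Manager Anti-Virus *Disabled/Outdated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}",
    r"FW: Freedom Firewall *Disabled*",
    r"uStart Page = hxxp://sympatico.msn.ca/",
    r"uPolicies-system: DisableRegistryTools = 1",
    r"uPolicies-system: NoAdminPage = 1",
    r"Hosts: 127.0.0.1 www.f-secure.com",
    r"Hosts: 127.0.0.1 www.symantec.com",
    r"Hosts: 127.0.0.1 localhost",
    r"2004-08-04 04:00:00 11776 --sh--w- c:\windows\system32\regsvr32.exe",
    r"2006-02-17 06:00:34 2 --sh--w- c:\windows\system32\netstat.com",
    r"2006-02-17 06:00:34 2 --sh--w- c:\windows\system32\taskkill.com",
    r"Warning: possible MBR rootkit infection !",
]

# Illustrative list of security-vendor name fragments (assumption; extend as needed).
VENDOR_FRAGMENTS = ("f-secure", "mcafee", "sophos", "symantec", "viruslist",
                    "kaspersky", "trendmicro", "avg", "windowsupdate")
LOOPBACK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Policies that lock the user out of diagnostic tools when set to 1 (assumed list).
RESTRICTIVE_POLICIES = {"DisableRegistryTools", "NoAdminPage",
                        "DisableTaskMgr", "NoControlPanel"}
# Command-line tools malware has shadowed with a .com file: cmd.exe's default
# PATHEXT tries .COM before .EXE, so system32\netstat.com runs instead of
# netstat.exe when the user types "netstat". A 2-byte hidden+system .com file
# is the pattern seen in the Find3M section above.
SHADOW_TARGETS = {"netstat", "taskkill", "tasklist", "regedit", "cmd", "ping", "ipconfig"}

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
POLICY_RE = re.compile(r"^[umd]Policies-\w+:\s+(\w+)\s*=\s*(\S+)")
PROTECTION_RE = re.compile(r"^(AV|FW):\s+(.+?)\s+\*([^*]+)\*")
# DDS file line: date time size attrs path (directories have "--------" as size).
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(\d+)\s+(\S{8})\s+(.+)$")


def triage_dds(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious line; benign lines produce nothing."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            addr, host = m.group(1), m.group(2).lower()
            # Vendor sites pinned to loopback block AV updates and support pages.
            if addr in LOOPBACK_ADDRS and any(v in host for v in VENDOR_FRAGMENTS):
                findings.append({"kind": "hosts_av_block", "detail": f"{host} -> {addr}"})
            continue
        m = POLICY_RE.match(line)
        if m and m.group(1) in RESTRICTIVE_POLICIES and m.group(2) == "1":
            findings.append({"kind": "restrictive_policy", "detail": m.group(1)})
            continue
        m = PROTECTION_RE.match(line)
        if m and "disabled" in m.group(3).lower():
            findings.append({"kind": "protection_disabled",
                             "detail": f"{m.group(1)}: {m.group(2)} ({m.group(3)})"})
            continue
        m = FILE_RE.match(line)
        if m:
            size, attrs, path = int(m.group(1)), m.group(2), m.group(3)
            stem, _, ext = path.rsplit("\\", 1)[-1].lower().rpartition(".")
            if ext == "com" and stem in SHADOW_TARGETS and size < 1024:
                findings.append({"kind": "shadowed_utility",
                                 "detail": f"{path} ({size} bytes, attrs {attrs})"})
            continue
        if line.lower().startswith("warning:") and "rootkit" in line.lower():
            findings.append({"kind": "mbr_rootkit_warning", "detail": line})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind, for a quick read of how bad the log looks."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in triage_dds(SAMPLE_DDS_LINES):
        print(f"{finding['kind']:22} {finding['detail']}")
    print(summarize(triage_dds(SAMPLE_DDS_LINES)))
```

To run it over a real report, pass `open("dds.txt", errors="replace").read().splitlines()` to `triage_dds` instead of the sample list.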
Old 09-24-2011, 08:10 PM   #4
Registered Member
 
Join Date: Nov 2010
Posts: 160
OS: XP and Vista



Thanks very much for the quick reply. I only have one question before following your instructions. The anti-virus is AVG 2011 and it can only be disabled for 15 minutes according to the link you supplied, which is confirmed after trying it. Will this allow enough time to perform the steps you have provided? I don't want AVG to re-enable itself half way through the process you provided and end up causing a problem.

The other question you asked was regarding where dds was saved, and I believe it was saved in a folder rather than on the desktop, sorry about that. I have deleted it from the hard drive so should know in the next little bit if it somehow runs itself again.

Thanks again
__________________
jackdup is offline  
Old 09-24-2011, 08:47 PM   #5
Registered Member
 
Join Date: Nov 2010
Posts: 160
OS: XP and Vista



dds did run again. I then realized I had downloaded it to a folder and then copied it to the desktop and ran it. When I deleted it above I deleted it from the folder and not the desktop. I have now deleted it from the desktop as well and will know shortly if it somehow runs again.

I downloaded the Recovery Console file to the desktop as well as ComboFix and then disabled AVG and dragged the Recovery Console onto ComboFix as instructed. It created a restore point and backed up the registry and then started going through the various stages. There was no mention of installing the Recovery Console.

Here is the combofix log it created.

ComboFix 11-09-24.04 - HP_Owner 24/09/2011 23:29:31.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1286 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Security Manager Anti-Virus *Disabled/Outdated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Freedom Firewall *Disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\~WRD0197.tmp
C:\~WRD0231.tmp
C:\~WRD0293.tmp
C:\~WRD0313.tmp
C:\~WRD0532.tmp
C:\~WRD1258.tmp
C:\~WRD1304.tmp
C:\~WRD1500.tmp
C:\~WRD1575.tmp
C:\~WRD1914.tmp
C:\~WRD2464.tmp
C:\~WRD2705.tmp
C:\~WRD3472.tmp
C:\~WRD3492.tmp
C:\~WRD3871.tmp
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Owner\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\HP_Owner\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\HP_Owner\Local Settings\Application Data\ApplicationHistory\BackupNotify.exe.cd4639e.ini
c:\documents and settings\HP_Owner\Local Settings\Application Data\ApplicationHistory\BalloonMsg.exe.c892f05.ini
c:\documents and settings\HP_Owner\Local Settings\Application Data\ApplicationHistory\cdrfinder.exe.6f03412c.ini
c:\documents and settings\HP_Owner\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini
c:\documents and settings\HP_Owner\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini
c:\documents and settings\HP_Owner\Local Settings\Application Data\ApplicationHistory\hpqimvac.exe.290054de.ini
c:\documents and settings\HP_Owner\Local Settings\Application Data\ApplicationHistory\HpqPhUnl.exe.e1eda619.ini
c:\documents and settings\HP_Owner\Local Settings\Application Data\ApplicationHistory\hpqselsk.exe.a048b05c.ini
c:\documents and settings\HP_Owner\Local Settings\Application Data\ApplicationHistory\hpqthb08.exe.a935d1e0.ini
c:\documents and settings\HP_Owner\Local Settings\Application Data\ApplicationHistory\ImageZoneSynchRulesAgent.exe.16741c67.ini
c:\documents and settings\HP_Owner\Local Settings\Application Data\ApplicationHistory\RegAsm.exe.11f1da13.ini
c:\documents and settings\HP_Owner\WINDOWS
c:\program files\INSTALL.LOG
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\netstat.com
c:\windows\system32\no
c:\windows\system32\ps2.bat
c:\windows\system32\taskkill.com
D:\Autorun.inf
L:\Autorun.inf
L:\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))
.
.
2011-09-21 22:48 . 2011-09-21 22:48 1409 ----a-w- c:\windows\QTFont.for
2011-09-21 17:20 . 2011-09-25 02:49 -------- d-----w- C:\ELAINES COMPUTER
2011-09-21 02:38 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-09-21 02:38 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2011-09-21 02:38 . 2004-08-04 02:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-09-21 02:38 . 2004-08-04 02:58 14848 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-09-21 02:38 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-09-21 02:38 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2011-09-21 02:37 . 2001-08-17 18:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-09-21 02:37 . 2001-08-17 18:02 9600 ----a-w- c:\windows\system32\dllcache\hidusb.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-08-04 04:00 94784 --sh--w- c:\windows\twain.dll
2004-08-04 04:00 50688 --sh--w- c:\windows\twain_32.dll
2004-08-04 04:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2004-08-04 04:00 54784 --sh--w- c:\windows\system32\msvcirt.dll
2004-08-04 04:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2004-08-04 04:00 343040 --sh--w- c:\windows\system32\msvcrt.dll
2007-12-04 18:38 550912 --sh--w- c:\windows\system32\oleaut32.dll
2004-08-04 04:00 83456 --sh--w- c:\windows\system32\olepro32.dll
2004-08-04 04:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-12-06 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2010-04-23 136416]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2010-04-30 79112]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]
.
c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
Seagate Product Registration.lnk - c:\documents and settings\HP_Owner\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2011-8-21 1731736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Instant Update.lnk - c:\program files\U.S. Robotics\Instant Update\InstUpDt.exe [2010-11-23 281376]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-8-11 757760]
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2008-1-17 57344]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup=c:\windows\pss\NetAssistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=c:\windows\pss\Cyber-shot Viewer Media Check Tool.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherEye]
c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 10:06 88363 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2004-07-20 10:22 57344 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2004-07-28 18:34 2551808 ----a-w- c:\windows\ALCWZRD.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 04:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2005-12-10 14:57 133016 ----a-w- c:\program files\DAEMON Tools\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C62 Series]
2002-04-10 07:00 74240 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S0BIC1.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4600 Series]
2004-03-04 10:00 98304 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATI9AA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-03-18 00:10 61952 ----a-w- c:\windows\system32\Hdaudpropshortcut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-04-17 20:41 196608 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-04-13 14:07 69632 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2004-06-04 20:38 286720 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2003-02-11 13:02 61440 ----a-w- c:\hp\KBD\kbd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-14 14:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2004-05-19 16:24 385024 ----a-w- c:\progra~1\NETASS~1\SMARTB~1\MotiveSB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2002-10-16 09:57 81920 ----a-w- c:\windows\system32\ps2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-01 20:57 282624 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-14 13:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Security Manager]
2006-06-20 19:30 270336 ----a-w- c:\program files\Bell\Security Manager\Rps.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-07-28 17:40 77824 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSA.exe]
2006-05-15 15:41 1986560 ----a-w- c:\program files\Bell\Sympatico Security Advisor\SSA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2004-12-06 16:45 32881 ----a-w- c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2004-12-06 17:08 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 4:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 4:48 AM 32592]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20/01/2006 3:27 PM 642560]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 4:48 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [09/11/2010 11:20 PM 297168]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [08/02/2011 5:33 AM 269520]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [22/04/2010 8:33 PM 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [30/04/2010 10:47 AM 14088]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 9:42 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 9:42 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 9:42 PM 27216]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [18/08/2011 1:33 AM 7390560]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [14/05/2011 10:14 PM 1025352]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 19:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sympatico.msn.ca/
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q105&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-AutoTBar - c:\program files\HP\Digital Imaging\bin\AUTOTBAR.EXE
MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-IS CfgWiz - c:\program files\Common Files\Symantec Shared\cfgwiz.exe
MSConfigStartUp-Pure Networks Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe
AddRemove-Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-09-24 23:36
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-09-24 23:39:10
ComboFix-quarantined-files.txt 2011-09-25 03:38
.
Pre-Run: 27,066,724,352 bytes free
Post-Run: 29,316,882,432 bytes free
.
- - End Of File - - D95039D57AA816E29E74012B8628C517
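The ComboFix log above carries the facts a helper scans for by eye: the Windows Firewall policy (`"EnableFirewall"= 0`), the firewall exception list, and the driver/service table with its R0/R1 boot- and system-start kernel drivers. Pulling those out programmatically makes the same triage repeatable across the several logs a thread like this produces. The following is an added example, not part of the thread and not ComboFix's own code; the sample log is constructed from the line formats shown above, and the "unusual location" and "third-party" rules are heuristics for manual review, not verdicts.

```python
"""Added example: extract the security-relevant facts from a ComboFix-style log
(firewall policy, firewall exceptions, driver/service table)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, mirroring the line formats seen in the thread's log.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20/01/2006 3:27 PM 642560]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 4:48 AM 248656]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [22/04/2010 8:33 PM 25824]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [18/08/2011 1:33 AM 7390560]
"""

# "R0 name;display name;path [dd/mm/yyyy h:mm AM size]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+) \[(?P<stamp>[^\]]+)\]\s*$"
)
FIREWALL_RE = re.compile(r'"EnableFirewall"=\s*(\d+)')


@dataclass
class Service:
    start: str      # R = running, S = stopped; digit = start type (0 boot, 1 system, 2 auto, 3 manual)
    name: str
    display: str
    path: str
    stamp: str      # ComboFix's "[date time size]" field, kept verbatim

    @property
    def kernel(self) -> bool:
        # Boot- and system-start entries are kernel drivers loaded before any user logs on.
        return self.start[1] in "01"


def parse_services(log: str) -> List[Service]:
    """Return every R*/S* service line as a Service record."""
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            out.append(Service(**m.groupdict()))
    return out


def firewall_enabled(log: str) -> Optional[bool]:
    """True/False from the standard-profile EnableFirewall value; None if absent."""
    m = FIREWALL_RE.search(log)
    return None if m is None else m.group(1) != "0"


def authorized_apps(log: str) -> List[str]:
    """Programs allowed through the firewall (AuthorizedApplications\\List section)."""
    apps, in_list = [], False
    for line in log.splitlines():
        if line.rstrip().endswith("AuthorizedApplications\\List]"):
            in_list = True
            continue
        if in_list:
            m = re.match(r'^"(.+)"=\s*$', line)
            if m:
                apps.append(m.group(1).replace("\\\\", "\\"))  # log doubles every backslash
            else:
                in_list = False  # section ends at the next "." or key header
    return apps


def triage(log: str) -> dict:
    """Summarise the log: firewall state, exceptions, kernel drivers, heuristic findings."""
    services = parse_services(log)
    fw = firewall_enabled(log)
    findings = []
    if fw is False:
        findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0); "
                        "the exception list is moot until it is re-enabled")
    sysdir = "c:\\windows\\"
    for s in services:
        if s.kernel and not s.path.lower().startswith(sysdir + "system32\\drivers\\"):
            findings.append(f"kernel driver {s.name} loads from an unusual location: {s.path}")
        if not s.kernel and not s.path.lower().startswith(sysdir):
            findings.append(f"third-party service {s.name} ({s.start}): {s.path}")
    return {
        "firewall_enabled": fw,
        "authorized_apps": authorized_apps(log),
        "kernel_drivers": [s.name for s in services if s.kernel],
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real ComboFix.txt by reading the file into `triage()`; the kernel-driver list is the part worth a second look, because a boot-start driver (R0) is exactly where a rootkit would sit and also where legitimate disk-emulation drivers such as sptd.sys live, so the list needs a human, not a rule.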
Old 09-24-2011, 09:20 PM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,350
OS: XP SP3; Win7 32/64-bit



Hello again, jackdup. Are you still experiencing problems?

------------------------------------------------------

Please uninstall the following via the Add or Remove Programs section of your Control Panel if they still exist:

LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)


------------------------------------------------------

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
SecCenter::
AV: Security Manager Anti-Virus *Disabled/Outdated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Freedom Firewall *Disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

DDS::
uInternet Settings,ProxyOverride = 127.0.0.1

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"=-
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Old 09-25-2011, 06:50 AM   #7
Registered Member
 
Join Date: Nov 2010
Posts: 160
OS: XP and Vista



Quote:
Originally Posted by chemist View Post
Hello again, jackdup. Are you still experiencing problems?

If you are prompted to update ComboFix and have an internet connection, please choose Yes


------------------------------------------------------
I am not sure if you are referring to DDS running or in general when you asked if I am still experiencing problems? DDS didn't run again, but haven't used the computer otherwise so not sure if there are still problems.

The computer is not connected to the internet but could move it to a location where it could be connected if that is important and can run combofix again if required. The log below was run without updating combofix so please let me know if I should run it again.

I removed LiveUpdate but when I tried to remove LiveReg it said it couldn't be removed as some of the components were being used by another application and then listed Norton Personal Firewall. I looked for it in add/remove programs but didn't find it however there is a group for it in the start menu so am unsure how to get rid of it.

Did combofix get rid of the backdoor trojan/rootkit you referred to in your first post?

ComboFix 11-09-24.04 - HP_Owner 25/09/2011 9:27.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1227 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))
.
.
2011-09-21 22:48 . 2011-09-21 22:48 1409 ----a-w- c:\windows\QTFont.for
2011-09-21 17:20 . 2011-09-25 03:39 -------- d-----w- C:\ELAINES COMPUTER
2011-09-21 02:38 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-09-21 02:38 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2011-09-21 02:38 . 2004-08-04 02:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-09-21 02:38 . 2004-08-04 02:58 14848 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-09-21 02:38 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-09-21 02:38 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2011-09-21 02:37 . 2001-08-17 18:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-09-21 02:37 . 2001-08-17 18:02 9600 ----a-w- c:\windows\system32\dllcache\hidusb.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-08-04 04:00 94784 --sh--w- c:\windows\twain.dll
2004-08-04 04:00 50688 --sh--w- c:\windows\twain_32.dll
2004-08-04 04:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2004-08-04 04:00 54784 --sh--w- c:\windows\system32\msvcirt.dll
2004-08-04 04:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2007-12-04 18:38 550912 --sh--w- c:\windows\system32\oleaut32.dll
2004-08-04 04:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-12-06 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2010-04-23 136416]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2010-04-30 79112]
.
c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
Seagate Product Registration.lnk - c:\documents and settings\HP_Owner\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2011-8-21 1731736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Instant Update.lnk - c:\program files\U.S. Robotics\Instant Update\InstUpDt.exe [2010-11-23 281376]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-8-11 757760]
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2008-1-17 57344]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup=c:\windows\pss\NetAssistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=c:\windows\pss\Cyber-shot Viewer Media Check Tool.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherEye]
c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 10:06 88363 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2004-07-20 10:22 57344 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2004-07-28 18:34 2551808 ----a-w- c:\windows\ALCWZRD.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 04:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2005-12-10 14:57 133016 ----a-w- c:\program files\DAEMON Tools\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C62 Series]
2002-04-10 07:00 74240 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S0BIC1.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4600 Series]
2004-03-04 10:00 98304 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATI9AA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-03-18 00:10 61952 ----a-w- c:\windows\system32\Hdaudpropshortcut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-04-17 20:41 196608 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-04-13 14:07 69632 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2004-06-04 20:38 286720 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2003-02-11 13:02 61440 ----a-w- c:\hp\KBD\kbd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-14 14:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2004-05-19 16:24 385024 ----a-w- c:\progra~1\NETASS~1\SMARTB~1\MotiveSB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2002-10-16 09:57 81920 ----a-w- c:\windows\system32\ps2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-01 20:57 282624 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-14 13:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Security Manager]
2006-06-20 19:30 270336 ----a-w- c:\program files\Bell\Security Manager\Rps.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-07-28 17:40 77824 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSA.exe]
2006-05-15 15:41 1986560 ----a-w- c:\program files\Bell\Sympatico Security Advisor\SSA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2004-12-06 16:45 32881 ----a-w- c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2004-12-06 17:08 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 4:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 4:48 AM 32592]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20/01/2006 3:27 PM 642560]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 4:48 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [09/11/2010 11:20 PM 297168]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [08/02/2011 5:33 AM 269520]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [22/04/2010 8:33 PM 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [30/04/2010 10:47 AM 14088]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 9:42 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 9:42 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 9:42 PM 27216]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [18/08/2011 1:33 AM 7390560]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [14/05/2011 10:14 PM 1025352]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 19:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sympatico.msn.ca/
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q105&bd=pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-09-25 09:32
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2612)
c:\windows\system32\WININET.dll
c:\windows\system32\browselc.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-09-25 09:34:40
ComboFix-quarantined-files.txt 2011-09-25 13:34
ComboFix2.txt 2011-09-25 03:39
.
Pre-Run: 29,344,686,080 bytes free
Post-Run: 29,326,217,216 bytes free
.
- - End Of File - - C23B048AD518D7BD673C14556323EC75
Old 09-25-2011, 07:29 AM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,350
OS: XP SP3; Win7 32/64-bit



Hello again, jackdup. Norton Personal Firewall was listed as installed in the Attach.txt log you provided. Still don't see it in Add/Remove?

I meant, is the computer still running slow, and does DDS still keep running?

I may have been mistaken about the rootkit/backdoor.

------------------------------------------------------

Download TDSSKiller.exe and Save it to your Desktop.

Double-click TDSSKiller.exe then click 'Start scan'.

If no infection is found, click 'Close' twice and let me know.

If an infection is found, click 'Continue' to Cure the infection.

**Note: If you do not see the 'Cure' option, you MUST select 'Skip'.

Once the system scan is completed, click 'Reboot now'.

It will produce a log here > C:\TDSSKiller.2.6.0.0_date_time_log.txt

Please navigate to the file, double-click to open it, and copy/paste the contents in your next reply.

------------------------------------------------------
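TDSSKiller writes one line per driver file (service name, MD5, path) followed by a verdict line. When it cannot open a file it logs "Suspicious file (NoAccess)" and reports LockedFile.Multi.Generic, which means the scanner could not read the file, not that it identified malicious content; those are the entries that come back without a Cure option. The parser below is an added example, not part of the thread and not Kaspersky's code; it separates locked-file verdicts from other detections so a log can be summarised before posting. The sample lines are constructed in the format shown in this thread.

```python
"""Added example: summarise a TDSSKiller log, separating genuine detections
from LockedFile verdicts (driver file could not be opened for scanning)."""
import re
from typing import Dict, List

# Constructed sample in the thread's TDSSKiller format (one driver per pair of lines).
SAMPLE_LOG = r"""
11:18:15.0031 1668 Abiosdsk - ok
11:18:16.0406 1668 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:18:16.0406 1668 atapi - ok
11:18:17.0312 1668 CSS DVP (10d08460d2415b38d4179d91a6ae3a25) C:\WINDOWS\system32\DRIVERS\css-dvp.sys
11:18:17.0312 1668 CSS DVP - ok
11:18:17.0828 1668 dtscsi (12aca694b50ea53563c1e7c99e7bb27d) C:\WINDOWS\System32\Drivers\dtscsi.sys
11:18:17.0828 1668 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\dtscsi.sys. md5: 12aca694b50ea53563c1e7c99e7bb27d
11:18:17.0828 1668 dtscsi ( LockedFile.Multi.Generic ) - warning
11:18:17.0828 1668 dtscsi - detected LockedFile.Multi.Generic (1)
11:18:17.0875 1668 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
11:18:17.0875 1668 Fastfat - ok
"""

# Every scan line starts with a timestamp and the scanning thread id.
LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4}) (?P<pid>\d+) (?P<body>.*)$")
# "<service> (<md5>) <path>"  : the driver file behind a service (names may contain spaces)
FILE_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "Suspicious file (NoAccess): <path>. md5: <md5>"  : why the file was flagged
SUSP_RE = re.compile(r"^Suspicious file \((?P<reason>\w+)\): (?P<path>.+)\. md5: (?P<md5>[0-9a-f]{32})$")
# "<service> ( <class> ) - warning"
WARN_RE = re.compile(r"^(?P<name>.+?) \( (?P<cls>\S+) \) - warning$")
# "<service> - ok"  or  "<service> - detected <class> (n)"
VERDICT_RE = re.compile(r"^(?P<name>.+?) - (?:(?P<ok>ok)|detected (?P<cls>\S+).*)$")


def parse_tdsskiller(text: str) -> Dict[str, dict]:
    """Return one record per service: md5, path, verdict, classification, reason."""
    records: Dict[str, dict] = {}
    by_md5: Dict[str, dict] = {}

    def rec(name: str) -> dict:
        return records.setdefault(name, {"name": name, "md5": None, "path": None,
                                         "verdict": None, "classification": None, "reason": None})

    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and SystemInfo lines carry no per-service data
        body = m.group("body")
        s = SUSP_RE.match(body)
        if s:
            # The Suspicious line names no service; tie it back through the MD5.
            r = by_md5.get(s.group("md5"))
            if r is not None:
                r["reason"] = s.group("reason")
            continue
        w = WARN_RE.match(body)
        if w:
            rec(w.group("name"))["classification"] = w.group("cls")
            continue
        f = FILE_RE.match(body)
        if f:
            r = rec(f.group("name"))
            r["md5"], r["path"] = f.group("md5"), f.group("path")
            by_md5[r["md5"]] = r
            continue
        v = VERDICT_RE.match(body)
        if v:
            r = rec(v.group("name"))
            if v.group("ok"):
                r["verdict"] = "ok"
            else:
                r["verdict"] = "detected"
                r["classification"] = v.group("cls")
    return records


def locked_only(record: dict) -> bool:
    """True when the only finding is that the scanner could not read the file."""
    return record["verdict"] == "detected" and (record["classification"] or "").startswith("LockedFile.")


def detections(records: Dict[str, dict]) -> List[dict]:
    return [r for r in records.values() if r["verdict"] == "detected"]


def summarize(records: Dict[str, dict]) -> List[str]:
    """One human-readable line per detection, marking locked files as unreadable rather than malicious."""
    out = []
    for r in detections(records):
        kind = ("unreadable (locked) file, not an identified infection" if locked_only(r)
                else "REVIEW: flagged object")
        out.append(f"{r['name']}: {r['classification']} [{r['reason'] or 'n/a'}] {r['path'] or ''} -> {kind}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_tdsskiller(SAMPLE_LOG)):
        print(line)
```

Feed the real `C:\TDSSKiller.<version>_<date>_<time>_log.txt` into `parse_tdsskiller()`; anything in `summarize()` marked REVIEW is a genuine detection, while a locked file still deserves a look at which product owns it (the path and MD5 are in the record) before deciding it is benign.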
Old 09-25-2011, 08:38 AM   #9
Registered Member
 
Join Date: Nov 2010
Posts: 160
OS: XP and Vista



DDS isn't running anymore, but I am curious if it is a common problem for it to keep running itself every 30-60 minutes, and why it does so. It would seem that somewhere there is a process running that tries to start it, and I would like to get rid of that process rather than just deleting DDS from the desktop.

The computer does seem to be running better.

I checked Add/Remove Programs again and can't find Norton Personal Firewall. I went to Start > Programs and tried to start Norton Personal Firewall, and it began searching for the exe to run it, so it would seem like it is no longer on the computer. However, Add/Remove Programs still will not let me remove LiveReg, as it says Norton Personal Firewall is using some of the components, so somewhere there are some remnants of it which I would like to get rid of as well.

Below is the log you requested. The 4 threats detected did not have a cure so left them as skip.

Thank you

11:18:08.0515 0904 TDSS rootkit removing tool 2.6.0.0 Sep 23 2011 07:42:37
11:18:08.0562 0904 ============================================================
11:18:08.0562 0904 Current date / time: 2011/09/25 11:18:08.0562
11:18:08.0562 0904 SystemInfo:
11:18:08.0562 0904
11:18:08.0562 0904 OS Version: 5.1.2600 ServicePack: 2.0
11:18:08.0562 0904 Product type: Workstation
11:18:08.0562 0904 ComputerName: YOUR-4F1261A8E5
11:18:08.0562 0904 UserName: HP_Owner
11:18:08.0562 0904 Windows directory: C:\WINDOWS
11:18:08.0562 0904 System windows directory: C:\WINDOWS
11:18:08.0562 0904 Processor architecture: Intel x86
11:18:08.0562 0904 Number of processors: 1
11:18:08.0562 0904 Page size: 0x1000
11:18:08.0562 0904 Boot type: Normal boot
11:18:08.0562 0904 ============================================================
11:18:10.0796 0904 Initialize success
11:18:13.0015 1668 ============================================================
11:18:13.0015 1668 Scan started
11:18:13.0015 1668 Mode: Manual;
11:18:13.0015 1668 ============================================================
11:18:15.0031 1668 Abiosdsk - ok
11:18:15.0078 1668 abp480n5 - ok
11:18:15.0234 1668 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:18:15.0296 1668 ACPI - ok
11:18:15.0484 1668 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
11:18:15.0515 1668 ACPIEC - ok
11:18:15.0734 1668 adpu160m - ok
11:18:15.0859 1668 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
11:18:15.0859 1668 aec - ok
11:18:15.0906 1668 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
11:18:15.0906 1668 AFD - ok
11:18:16.0015 1668 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
11:18:16.0078 1668 AgereSoftModem - ok
11:18:16.0093 1668 Aha154x - ok
11:18:16.0109 1668 aic78u2 - ok
11:18:16.0125 1668 aic78xx - ok
11:18:16.0140 1668 AliIde - ok
11:18:16.0156 1668 amsint - ok
11:18:16.0234 1668 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
11:18:16.0234 1668 Arp1394 - ok
11:18:16.0250 1668 asc - ok
11:18:16.0281 1668 asc3350p - ok
11:18:16.0296 1668 asc3550 - ok
11:18:16.0359 1668 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:18:16.0359 1668 AsyncMac - ok
11:18:16.0406 1668 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:18:16.0406 1668 atapi - ok
11:18:16.0421 1668 Atdisk - ok
11:18:16.0453 1668 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:18:16.0453 1668 Atmarpc - ok
11:18:16.0500 1668 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
11:18:16.0500 1668 audstub - ok
11:18:16.0546 1668 AVGIDSDriver (2d18221aab3db2d408d6c55c0f23090a) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
11:18:16.0546 1668 AVGIDSDriver - ok
11:18:16.0609 1668 AVGIDSEH (1af676db3f3d4cc709cfab2571cf5fc3) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
11:18:16.0625 1668 AVGIDSEH - ok
11:18:16.0640 1668 AVGIDSFilter (4c51e233c87f9ec7598551de554bc99d) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
11:18:16.0640 1668 AVGIDSFilter - ok
11:18:16.0703 1668 AVGIDSShim (c3fc426e54f55c1cc3219e415b88e10c) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
11:18:16.0703 1668 AVGIDSShim - ok
11:18:16.0750 1668 Avgldx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
11:18:16.0750 1668 Avgldx86 - ok
11:18:16.0765 1668 Avgmfx86 (5639de66b37d02bd22df4cf3155fba60) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
11:18:16.0765 1668 Avgmfx86 - ok
11:18:16.0796 1668 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
11:18:16.0812 1668 Avgrkx86 - ok
11:18:16.0843 1668 Avgtdix (aaf0ebcad95f2164cffb544e00392498) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
11:18:16.0843 1668 Avgtdix - ok
11:18:16.0875 1668 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
11:18:16.0875 1668 Beep - ok
11:18:17.0000 1668 catchme - ok
11:18:17.0031 1668 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:18:17.0031 1668 cbidf2k - ok
11:18:17.0062 1668 cd20xrnt - ok
11:18:17.0078 1668 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
11:18:17.0078 1668 Cdaudio - ok
11:18:17.0093 1668 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
11:18:17.0093 1668 Cdfs - ok
11:18:17.0140 1668 Cdrom (7b53584d94e9d8716b2de91d5f1cb42d) C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:18:17.0140 1668 Cdrom - ok
11:18:17.0156 1668 Changer - ok
11:18:17.0187 1668 CmdIde - ok
11:18:17.0218 1668 Cpqarray - ok
11:18:17.0312 1668 CSS DVP (10d08460d2415b38d4179d91a6ae3a25) C:\WINDOWS\system32\DRIVERS\css-dvp.sys
11:18:17.0312 1668 CSS DVP - ok
11:18:17.0328 1668 dac2w2k - ok
11:18:17.0343 1668 dac960nt - ok
11:18:17.0375 1668 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
11:18:17.0375 1668 Disk - ok
11:18:17.0453 1668 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
11:18:17.0484 1668 dmboot - ok
11:18:17.0515 1668 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
11:18:17.0531 1668 dmio - ok
11:18:17.0546 1668 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:18:17.0562 1668 dmload - ok
11:18:17.0625 1668 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
11:18:17.0656 1668 DMusic - ok
11:18:17.0671 1668 dpti2o - ok
11:18:17.0718 1668 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
11:18:17.0718 1668 drmkaud - ok
11:18:17.0828 1668 dtscsi (12aca694b50ea53563c1e7c99e7bb27d) C:\WINDOWS\System32\Drivers\dtscsi.sys
11:18:17.0828 1668 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\dtscsi.sys. md5: 12aca694b50ea53563c1e7c99e7bb27d
11:18:17.0828 1668 dtscsi ( LockedFile.Multi.Generic ) - warning
11:18:17.0828 1668 dtscsi - detected LockedFile.Multi.Generic (1)
11:18:17.0875 1668 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
11:18:17.0875 1668 Fastfat - ok
11:18:17.0921 1668 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
11:18:17.0921 1668 Fdc - ok
11:18:17.0953 1668 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
11:18:17.0968 1668 Fips - ok
11:18:18.0000 1668 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
11:18:18.0000 1668 Flpydisk - ok
11:18:18.0046 1668 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
11:18:18.0062 1668 FltMgr - ok
11:18:18.0109 1668 Freedom (6b913f0a848b2bed3f59add9b27c6de9) C:\WINDOWS\system32\DRIVERS\FREEDOM.SYS
11:18:18.0109 1668 Freedom - ok
11:18:18.0171 1668 FreeTdi (19d2587523425e52ecb264a15f56d62b) C:\WINDOWS\system32\Drivers\FreeTdi.sys
11:18:18.0171 1668 FreeTdi - ok
11:18:18.0187 1668 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:18:18.0187 1668 Fs_Rec - ok
11:18:18.0218 1668 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:18:18.0234 1668 Ftdisk - ok
11:18:18.0265 1668 GEARAspiWDM (8210b0b16e674586d331e804f81635bd) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
11:18:18.0281 1668 GEARAspiWDM - ok
11:18:18.0296 1668 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:18:18.0296 1668 Gpc - ok
11:18:18.0359 1668 HdAudAddService (160b24fd894e79e71c983ea403a6e6e7) C:\WINDOWS\system32\drivers\HdAudio.sys
11:18:18.0375 1668 HdAudAddService - ok
11:18:18.0406 1668 HDAudBus (cbbb304dc69e0b56f789852f6455f7ec) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
11:18:18.0406 1668 HDAudBus - ok
11:18:18.0468 1668 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:18:18.0484 1668 HidUsb - ok
11:18:18.0500 1668 hpn - ok
11:18:18.0546 1668 HSFHWBS2 (6db36593abdda54c505b77a4f135d5f3) C:\WINDOWS\system32\DRIVERS\USR_BSC2.sys
11:18:18.0562 1668 HSFHWBS2 - ok
11:18:18.0656 1668 HSF_DPV (01dc6300bd5b4eaa3de6fc3fa4adb82a) C:\WINDOWS\system32\DRIVERS\USR_MDMV.sys
11:18:18.0765 1668 HSF_DPV - ok
11:18:18.0828 1668 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
11:18:18.0828 1668 HTTP - ok
11:18:18.0859 1668 i2omgmt - ok
11:18:18.0875 1668 i2omp - ok
11:18:18.0921 1668 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:18:18.0937 1668 i8042prt - ok
11:18:19.0031 1668 ialm (0acebb31989cbf9a5663fe4a33d28d21) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
11:18:19.0078 1668 ialm - ok
11:18:19.0125 1668 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:18:19.0125 1668 Imapi - ok
11:18:19.0140 1668 ini910u - ok
11:18:19.0281 1668 IntcAzAudAddService (eafd29c7918325b45e0dabafd82ef75f) C:\WINDOWS\system32\drivers\RtkHDAud.sys
11:18:19.0375 1668 IntcAzAudAddService - ok
11:18:19.0437 1668 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
11:18:19.0437 1668 IntelIde - ok
11:18:19.0500 1668 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:18:19.0500 1668 intelppm - ok
11:18:19.0531 1668 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
11:18:19.0531 1668 Ip6Fw - ok
11:18:19.0562 1668 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:18:19.0562 1668 IpFilterDriver - ok
11:18:19.0593 1668 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:18:19.0593 1668 IpInIp - ok
11:18:19.0640 1668 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:18:19.0640 1668 IpNat - ok
11:18:19.0687 1668 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:18:19.0718 1668 IPSec - ok
11:18:19.0734 1668 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:18:19.0734 1668 IRENUM - ok
11:18:19.0765 1668 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:18:19.0765 1668 isapnp - ok
11:18:19.0828 1668 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
11:18:19.0828 1668 Iviaspi - ok
11:18:19.0890 1668 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:18:19.0890 1668 Kbdclass - ok
11:18:19.0937 1668 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
11:18:19.0953 1668 kbdhid - ok
11:18:20.0015 1668 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
11:18:20.0015 1668 kmixer - ok
11:18:20.0078 1668 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
11:18:20.0078 1668 KSecDD - ok
11:18:20.0109 1668 lbrtfdc - ok
11:18:20.0171 1668 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
11:18:20.0171 1668 mdmxsdk - ok
11:18:20.0203 1668 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:18:20.0203 1668 mnmdd - ok
11:18:20.0234 1668 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
11:18:20.0234 1668 Modem - ok
11:18:20.0281 1668 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
11:18:20.0296 1668 MODEMCSA - ok
11:18:20.0328 1668 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:18:20.0328 1668 Mouclass - ok
11:18:20.0375 1668 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:18:20.0375 1668 mouhid - ok
11:18:20.0390 1668 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
11:18:20.0406 1668 MountMgr - ok
11:18:20.0421 1668 mraid35x - ok
11:18:20.0468 1668 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:18:20.0468 1668 MRxDAV - ok
11:18:20.0531 1668 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:18:20.0546 1668 MRxSmb - ok
11:18:20.0609 1668 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
11:18:20.0609 1668 Msfs - ok
11:18:20.0671 1668 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:18:20.0671 1668 MSKSSRV - ok
11:18:20.0750 1668 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:18:20.0750 1668 MSPCLOCK - ok
11:18:20.0781 1668 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
11:18:20.0781 1668 MSPQM - ok
11:18:20.0812 1668 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:18:20.0828 1668 mssmbios - ok
11:18:20.0843 1668 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
11:18:20.0859 1668 Mup - ok
11:18:21.0078 1668 NAVENG (e7a76c4b031b2f8a7ec0f2c37d813f61) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20020823.004\NAVENG.SYS
11:18:21.0093 1668 NAVENG - ok
11:18:21.0187 1668 NAVEX15 (72c10b37eb15f373e163da9ec399cbf5) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20020823.004\NAVEX15.SYS
11:18:21.0234 1668 NAVEX15 - ok
11:18:21.0265 1668 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
11:18:21.0281 1668 NDIS - ok
11:18:21.0296 1668 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:18:21.0296 1668 NdisTapi - ok
11:18:21.0328 1668 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:18:21.0328 1668 Ndisuio - ok
11:18:21.0359 1668 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:18:21.0359 1668 NdisWan - ok
11:18:21.0390 1668 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
11:18:21.0390 1668 NDProxy - ok
11:18:21.0421 1668 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:18:21.0421 1668 NetBIOS - ok
11:18:21.0453 1668 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:18:21.0453 1668 NetBT - ok
11:18:21.0531 1668 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
11:18:21.0531 1668 NIC1394 - ok
11:18:21.0562 1668 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
11:18:21.0562 1668 Npfs - ok
11:18:21.0687 1668 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
11:18:21.0734 1668 Ntfs - ok
11:18:21.0796 1668 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:18:21.0796 1668 Null - ok
11:18:21.0828 1668 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:18:21.0843 1668 NwlnkFlt - ok
11:18:21.0875 1668 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:18:21.0875 1668 NwlnkFwd - ok
11:18:21.0906 1668 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
11:18:21.0906 1668 ohci1394 - ok
11:18:21.0937 1668 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
11:18:21.0937 1668 Parport - ok
11:18:21.0968 1668 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
11:18:21.0968 1668 PartMgr - ok
11:18:22.0015 1668 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:18:22.0015 1668 ParVdm - ok
11:18:22.0046 1668 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
11:18:22.0046 1668 PCI - ok
11:18:22.0078 1668 PCIDump - ok
11:18:22.0109 1668 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:18:22.0125 1668 PCIIde - ok
11:18:22.0171 1668 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
11:18:22.0171 1668 Pcmcia - ok
11:18:22.0187 1668 PDCOMP - ok
11:18:22.0203 1668 PDFRAME - ok
11:18:22.0218 1668 PDRELI - ok
11:18:22.0234 1668 PDRFRAME - ok
11:18:22.0250 1668 perc2 - ok
11:18:22.0265 1668 perc2hib - ok
11:18:22.0312 1668 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
11:18:22.0312 1668 Pfc - ok
11:18:22.0359 1668 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:18:22.0359 1668 PptpMiniport - ok
11:18:22.0421 1668 Ps2 (bffdb363485501a38f0bca83aec810db) C:\WINDOWS\system32\DRIVERS\PS2.sys
11:18:22.0421 1668 Ps2 - ok
11:18:22.0437 1668 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
11:18:22.0437 1668 PSched - ok
11:18:22.0484 1668 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:18:22.0484 1668 Ptilink - ok
11:18:22.0500 1668 PxHelp20 (30cbae0a34359f1cd19d1576245149ed) C:\WINDOWS\system32\Drivers\PxHelp20.sys
11:18:22.0500 1668 PxHelp20 - ok
11:18:22.0515 1668 ql1080 - ok
11:18:22.0562 1668 Ql10wnt - ok
11:18:22.0578 1668 ql12160 - ok
11:18:22.0593 1668 ql1240 - ok
11:18:22.0625 1668 ql1280 - ok
11:18:22.0656 1668 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:18:22.0671 1668 RasAcd - ok
11:18:22.0703 1668 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:18:22.0703 1668 Rasl2tp - ok
11:18:22.0750 1668 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:18:22.0750 1668 RasPppoe - ok
11:18:22.0781 1668 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:18:22.0781 1668 Raspti - ok
11:18:22.0828 1668 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:18:22.0828 1668 Rdbss - ok
11:18:22.0859 1668 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:18:22.0875 1668 RDPCDD - ok
11:18:22.0921 1668 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
11:18:22.0937 1668 RDPWD - ok
11:18:22.0984 1668 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:18:22.0984 1668 redbook - ok
11:18:23.0078 1668 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS
11:18:23.0078 1668 rtl8139 - ok
11:18:23.0140 1668 SAVRT (150d350419025d04aaf5f84017625e0c) C:\WINDOWS\system32\Drivers\SAVRT.SYS
11:18:23.0171 1668 Suspicious file (Forged): C:\WINDOWS\system32\Drivers\SAVRT.SYS. Real md5: 150d350419025d04aaf5f84017625e0c, Fake md5: a188dd1054df2bd8fd76fdeae7c0c3c3
11:18:23.0171 1668 SAVRT ( ForgedFile.Multi.Generic ) - warning
11:18:23.0171 1668 SAVRT - detected ForgedFile.Multi.Generic (1)
11:18:23.0218 1668 SAVRTPEL (9eca4c90cb1796d130cd53b6a25b5d14) C:\WINDOWS\system32\Drivers\SAVRTPEL.SYS
11:18:23.0218 1668 Suspicious file (Forged): C:\WINDOWS\system32\Drivers\SAVRTPEL.SYS. Real md5: 9eca4c90cb1796d130cd53b6a25b5d14, Fake md5: 26cc048ee729eb1d1ab69fb1f4260e8e
11:18:23.0218 1668 SAVRTPEL ( ForgedFile.Multi.Generic ) - warning
11:18:23.0218 1668 SAVRTPEL - detected ForgedFile.Multi.Generic (1)
11:18:23.0296 1668 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:18:23.0296 1668 Secdrv - ok
11:18:23.0343 1668 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
11:18:23.0359 1668 Serial - ok
11:18:23.0406 1668 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
11:18:23.0406 1668 Sfloppy - ok
11:18:23.0437 1668 Simbad - ok
11:18:23.0453 1668 Sparrow - ok
11:18:23.0500 1668 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
11:18:23.0500 1668 splitter - ok
11:18:23.0578 1668 sptd (d8df37df94172aff3c3b719e4e5ed95d) C:\WINDOWS\system32\Drivers\sptd.sys
11:18:23.0578 1668 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d8df37df94172aff3c3b719e4e5ed95d
11:18:23.0578 1668 sptd ( LockedFile.Multi.Generic ) - warning
11:18:23.0578 1668 sptd - detected LockedFile.Multi.Generic (1)
11:18:23.0625 1668 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
11:18:23.0640 1668 sr - ok
11:18:23.0687 1668 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
11:18:23.0703 1668 Srv - ok
11:18:23.0750 1668 StarOpen (f92254b0bcfcd10caac7bccc7cb7f467) C:\WINDOWS\system32\drivers\StarOpen.sys
11:18:23.0750 1668 StarOpen - ok
11:18:23.0796 1668 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:18:23.0796 1668 swenum - ok
11:18:23.0828 1668 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
11:18:23.0843 1668 swmidi - ok
11:18:23.0859 1668 symc810 - ok
11:18:23.0875 1668 symc8xx - ok
11:18:24.0000 1668 SymEvent (84ddd3d1aee15466b38195c4d22a8194) C:\Program Files\Symantec\SYMEVENT.SYS
11:18:24.0000 1668 SymEvent - ok
11:18:24.0015 1668 SYMIDSCO - ok
11:18:24.0031 1668 sym_hi - ok
11:18:24.0046 1668 sym_u3 - ok
11:18:24.0093 1668 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
11:18:24.0093 1668 sysaudio - ok
11:18:24.0171 1668 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:18:24.0187 1668 Tcpip - ok
11:18:24.0218 1668 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:18:24.0218 1668 TDPIPE - ok
11:18:24.0234 1668 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
11:18:24.0250 1668 TDTCP - ok
11:18:24.0265 1668 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:18:24.0265 1668 TermDD - ok
11:18:24.0296 1668 TosIde - ok
11:18:24.0328 1668 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
11:18:24.0328 1668 Udfs - ok
11:18:24.0359 1668 ultra - ok
11:18:24.0406 1668 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
11:18:24.0484 1668 Update - ok
11:18:24.0562 1668 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:18:24.0578 1668 usbccgp - ok
11:18:24.0609 1668 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:18:24.0625 1668 usbehci - ok
11:18:24.0656 1668 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:18:24.0656 1668 usbhub - ok
11:18:24.0703 1668 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
11:18:24.0703 1668 usbprint - ok
11:18:24.0718 1668 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
11:18:24.0734 1668 usbscan - ok
11:18:24.0765 1668 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:18:24.0765 1668 USBSTOR - ok
11:18:24.0812 1668 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:18:24.0843 1668 usbuhci - ok
11:18:24.0875 1668 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
11:18:24.0890 1668 VgaSave - ok
11:18:24.0937 1668 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
11:18:24.0937 1668 ViaIde - ok
11:18:24.0968 1668 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
11:18:24.0968 1668 VolSnap - ok
11:18:25.0046 1668 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:18:25.0046 1668 Wanarp - ok
11:18:25.0062 1668 wanatw - ok
11:18:25.0078 1668 WDICA - ok
11:18:25.0125 1668 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
11:18:25.0125 1668 wdmaud - ok
11:18:25.0203 1668 winachsf (35104d888a90ebc18f71fdc2374d2bb9) C:\WINDOWS\system32\DRIVERS\HSF_USR.sys
11:18:25.0234 1668 winachsf - ok
11:18:25.0328 1668 MBR (0x1B8) (0ac6d996bce152aed9600e6d6b797e2e) \Device\Harddisk0\DR0
11:18:25.0328 1668 \Device\Harddisk0\DR0 - ok
11:18:25.0343 1668 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk5\DR7
11:18:25.0343 1668 \Device\Harddisk5\DR7 - ok
11:18:25.0359 1668 MBR (0x1B8) (66d0b28c8b44e531d0c19f436252abaa) \Device\Harddisk6\DR8
11:18:25.0359 1668 \Device\Harddisk6\DR8 - ok
11:18:25.0375 1668 Boot (0x1200) (fe2527122f3d6e839d6346d3b8fb7f8a) \Device\Harddisk0\DR0\Partition0
11:18:25.0375 1668 \Device\Harddisk0\DR0\Partition0 - ok
11:18:25.0390 1668 Boot (0x1200) (c22fa2d9ba43b08c5ebd1f3ace4c64c2) \Device\Harddisk0\DR0\Partition1
11:18:25.0390 1668 \Device\Harddisk0\DR0\Partition1 - ok
11:18:25.0390 1668 Boot (0x1200) (05a5371232afd5139cdc965f373379be) \Device\Harddisk5\DR7\Partition0
11:18:25.0390 1668 \Device\Harddisk5\DR7\Partition0 - ok
11:18:25.0390 1668 Boot (0x1200) (2aa7dc8bc9d4ded0caabee586495404b) \Device\Harddisk6\DR8\Partition0
11:18:25.0406 1668 \Device\Harddisk6\DR8\Partition0 - ok
11:18:25.0406 1668 ============================================================
11:18:25.0406 1668 Scan finished
11:18:25.0406 1668 ============================================================
11:18:25.0421 3152 Detected object count: 4
11:18:25.0421 3152 Actual detected object count: 4
11:19:29.0953 3152 dtscsi ( LockedFile.Multi.Generic ) - skipped by user
11:19:29.0953 3152 dtscsi ( LockedFile.Multi.Generic ) - User select action: Skip
11:19:29.0953 3152 SAVRT ( ForgedFile.Multi.Generic ) - skipped by user
11:19:29.0953 3152 SAVRT ( ForgedFile.Multi.Generic ) - User select action: Skip
11:19:29.0953 3152 SAVRTPEL ( ForgedFile.Multi.Generic ) - skipped by user
11:19:29.0953 3152 SAVRTPEL ( ForgedFile.Multi.Generic ) - User select action: Skip
11:19:29.0953 3152 sptd ( LockedFile.Multi.Generic ) - skipped by user
11:19:29.0953 3152 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
11:20:15.0312 3708 Deinitialize success
__________________
jackdup is offline  
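The TDSSKiller output above ends with three "Suspicious file" findings on driver files, each reported with two MD5 hashes for the same path (the file read two ways gave different content), plus a fourth item, dtscsi, that only shows up in the prompt lines because its scan entry is earlier in the log. The parser below is an added example for this thread, not TDSSKiller's code or anything from the original post: it pulls those findings out of a pasted log, keeps both hashes and the action chosen at the prompt, and reconciles the "Detected object count" line with the entries actually present in an excerpt. The line layout it matches is inferred from the posted lines (an assumption); the sample is an excerpt of the log above.

```python
"""Pull the 'Suspicious file' findings out of a TDSSKiller log excerpt.

Added example for this thread, not TDSSKiller's code or the original post.
Line layout assumed (inferred from the log posted above):
  HH:MM:SS.mmmm PID <driver> (<md5>) <path>
  HH:MM:SS.mmmm PID Suspicious file (Forged): <path>. Real md5: <md5>, Fake md5: <md5>
  HH:MM:SS.mmmm PID Suspicious file (NoAccess): <path>. md5: <md5>
  HH:MM:SS.mmmm PID <driver> - detected <verdict> (<n>)
  HH:MM:SS.mmmm PID <driver> ( <verdict> ) - User select action: <action>
  HH:MM:SS.mmmm PID Detected object count: <n>
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_PREFIX = r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"
_MD5 = r"[0-9a-fA-F]{32}"
RE_SCAN = re.compile(_PREFIX + r"(?P<name>\S+)\s+\((?P<md5>" + _MD5 + r")\)\s+(?P<path>\S.*)$")
RE_SUSP = re.compile(
    _PREFIX + r"Suspicious file \((?P<kind>\w+)\): (?P<path>.+?)\. (?:"
    + r"Real md5: (?P<real>" + _MD5 + r"), Fake md5: (?P<fake>" + _MD5 + r")"
    + r"|md5: (?P<only>" + _MD5 + r"))$")
RE_DET = re.compile(_PREFIX + r"(?P<name>\S+) - detected (?P<verdict>\S+) \(\d+\)$")
RE_ACT = re.compile(_PREFIX + r"(?P<name>\S+) \( (?P<verdict>\S+) \) - User select action: (?P<action>\w+)$")
RE_COUNT = re.compile(_PREFIX + r"Detected object count: (?P<n>\d+)$")


@dataclass
class Finding:
    name: str
    path: str = ""        # empty when only the prompt/action lines are in the excerpt
    kind: str = ""        # "Forged" or "NoAccess"
    verdict: str = ""     # e.g. ForgedFile.Multi.Generic
    scan_md5: str = ""    # hash printed on the driver's own scan line
    real_md5: str = ""    # the two hashes TDSSKiller prints for a Forged file:
    fake_md5: str = ""    # the same path read two ways returned different bytes
    action: str = ""      # what the user chose at the prompt (Skip, Cure, ...)


def parse_tdsskiller(text: str) -> List[Finding]:
    """One Finding per driver TDSSKiller flagged or prompted about, in log order."""
    findings: Dict[str, Finding] = {}
    scanned: Dict[str, tuple] = {}           # path -> (driver name, md5 on its scan line)
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_SUSP.match(line)
        if m:
            name, md5 = scanned.get(m["path"], ("?", ""))
            findings[name] = Finding(
                name=name, path=m["path"], kind=m["kind"], scan_md5=md5,
                real_md5=(m["real"] or m["only"] or "").lower(),
                fake_md5=(m["fake"] or "").lower())
            continue
        m = RE_DET.match(line)
        if m and m["name"] in findings:
            findings[m["name"]].verdict = m["verdict"]
            continue
        m = RE_ACT.match(line)
        if m:  # a name first seen here has its scan entry outside the excerpt
            f = findings.setdefault(m["name"], Finding(name=m["name"]))
            f.action, f.verdict = m["action"], f.verdict or m["verdict"]
            continue
        m = RE_SCAN.match(line)
        if m:
            scanned[m["path"]] = (m["name"], m["md5"].lower())
    return list(findings.values())


def declared_object_count(text: str) -> Optional[int]:
    """The count TDSSKiller printed at the end of the scan, if the excerpt has it."""
    for raw in text.splitlines():
        m = RE_COUNT.match(raw.strip())
        if m:
            return int(m["n"])
    return None


def with_verdict(findings: List[Finding], prefix: str) -> List[str]:
    """Driver names whose verdict starts with prefix ('ForgedFile', 'LockedFile')."""
    return [f.name for f in findings if f.verdict.startswith(prefix)]


def hash_mismatches(findings: List[Finding]) -> List[str]:
    """Forged findings whose two hashes really differ (the condition behind the verdict)."""
    return [f.name for f in findings if f.kind == "Forged" and f.real_md5 and f.real_md5 != f.fake_md5]


def missing_scan_entries(findings: List[Finding]) -> List[str]:
    """Names seen only at the prompt: their scan line lies outside the excerpt."""
    return [f.name for f in findings if not f.path]


# Excerpt of the TDSSKiller log posted in this thread (end of the driver section).
SAMPLE_LOG = r"""
11:18:23.0140 1668 SAVRT (150d350419025d04aaf5f84017625e0c) C:\WINDOWS\system32\Drivers\SAVRT.SYS
11:18:23.0171 1668 Suspicious file (Forged): C:\WINDOWS\system32\Drivers\SAVRT.SYS. Real md5: 150d350419025d04aaf5f84017625e0c, Fake md5: a188dd1054df2bd8fd76fdeae7c0c3c3
11:18:23.0171 1668 SAVRT ( ForgedFile.Multi.Generic ) - warning
11:18:23.0171 1668 SAVRT - detected ForgedFile.Multi.Generic (1)
11:18:23.0218 1668 SAVRTPEL (9eca4c90cb1796d130cd53b6a25b5d14) C:\WINDOWS\system32\Drivers\SAVRTPEL.SYS
11:18:23.0218 1668 Suspicious file (Forged): C:\WINDOWS\system32\Drivers\SAVRTPEL.SYS. Real md5: 9eca4c90cb1796d130cd53b6a25b5d14, Fake md5: 26cc048ee729eb1d1ab69fb1f4260e8e
11:18:23.0218 1668 SAVRTPEL ( ForgedFile.Multi.Generic ) - warning
11:18:23.0218 1668 SAVRTPEL - detected ForgedFile.Multi.Generic (1)
11:18:23.0296 1668 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:18:23.0296 1668 Secdrv - ok
11:18:23.0578 1668 sptd (d8df37df94172aff3c3b719e4e5ed95d) C:\WINDOWS\system32\Drivers\sptd.sys
11:18:23.0578 1668 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d8df37df94172aff3c3b719e4e5ed95d
11:18:23.0578 1668 sptd ( LockedFile.Multi.Generic ) - warning
11:18:23.0578 1668 sptd - detected LockedFile.Multi.Generic (1)
11:18:25.0421 3152 Detected object count: 4
11:19:29.0953 3152 dtscsi ( LockedFile.Multi.Generic ) - User select action: Skip
11:19:29.0953 3152 SAVRT ( ForgedFile.Multi.Generic ) - User select action: Skip
11:19:29.0953 3152 SAVRTPEL ( ForgedFile.Multi.Generic ) - User select action: Skip
11:19:29.0953 3152 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
"""
```

Running `parse_tdsskiller(SAMPLE_LOG)` on this excerpt yields SAVRT and SAVRTPEL as Forged with differing hashes, sptd as NoAccess (LockedFile), and dtscsi with no path, which is how an analyst can tell at a glance that a pasted log is incomplete before acting on its "Detected object count".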
Old 09-25-2011, 10:41 AM   #10
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 26,350
OS: XP SP3; Win7 32/64-bit

Hello again, jackdup.

Quote:
am curious if it is a common problem for it to keep running itself every 30-60 minutes and why it does so
No, this is not a common problem. I have only seen it once before on another forum, and don't know why it would happen.

Simply deleting dds should solve the problem.

------------------------------------------------------

Please download the Norton Removal Tool and Save it to your Desktop.
  • Close all programs and double-click the Norton_Removal_Tool.exe then click Run
  • In Vista/Win7, right-click and choose 'Run as administrator'.
  • Follow the on-screen instructions.
  • Restart your computer if asked.
  • Then delete Norton_Removal_Tool.exe from your desktop.
------------------------------------------------------

See if LiveReg is still listed. If it is, can you remove it now?

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 09-25-2011, 12:11 PM   #11
jackdup
Registered Member
Join Date: Nov 2010
Posts: 160
OS: XP and Vista

Live Reg and the Norton Personal Firewall group are both gone.

Can I also delete everything else from the desktop or is there something else that has to be done?
Thanks
__________________
jackdup is offline  
Old 09-25-2011, 12:29 PM   #12
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 26,350
OS: XP SP3; Win7 32/64-bit

Hello again, jackdup. Almost done. We'll clean up in the next step.

Please download Malwarebytes' Anti-Malware and Save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Under the Scanner tab, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

Java 2 Runtime Environment, SE v1.4.2_03

These are all outdated and are security risks if left installed. Reboot your computer once all those Java components are removed.

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

In fact, you should be able to update your current Java, Java(TM) 6 Update 24, by going to Control Panel (Classic View) and double-clicking on the Java icon (looks like a coffee cup). Click on the Update tab. On the lower right, click on Update Now. An update should begin. Allow the install of the new Java.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish, then click 'Finish'.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
__________________
chemist is offline  
Old 09-25-2011, 12:41 PM   #13
jackdup
Registered Member
Join Date: Nov 2010
Posts: 160
OS: XP and Vista

I'm assuming there is no way to complete this process without being connected to the internet? To this point I have been downloading everything to a flash drive and then copying it to her desktop and running it.
__________________
jackdup is offline  
Old 09-25-2011, 01:21 PM   #14
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 26,350
OS: XP SP3; Win7 32/64-bit

You will need a connection for the ESET scan. It isn't possible to hook up the desktop?

Also, do you know why your sister hasn't upgraded to SP3?
__________________
chemist is offline  
Old 09-25-2011, 01:33 PM   #15
jackdup
Registered Member
Join Date: Nov 2010
Posts: 160
OS: XP and Vista

She lives in the middle of nowhere and only has a very slow dial-up connection, so any downloads take forever. I can move things around here and connect it to the internet and download whatever is necessary. The only reason I was apprehensive is that once it is connected through broadband, I am concerned that when she gets home she will have to reconfigure things to use the dial-up again, and she won't be able to figure out how to do it; it has been more than 10 years since I have done it, so it may be difficult for me to offer her advice over the phone when I have no idea what I am doing either. I was hoping to leave everything as is as far as connecting goes, so she has no problems when she gets home, but on the other hand I want to make sure everything is fixed up before she goes home as well.
__________________
jackdup is offline  
Old 09-25-2011, 02:32 PM   #16
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 26,350
OS: XP SP3; Win7 32/64-bit

I'm going to leave it up to you. Without an online scan, we can't be sure everything is gone.

You can do an MBAM scan, but it won't be with the latest definitions, since you can't download the updates once installed.

Instead of the online scan, you can download Dr. Web CureIt!, which is an offline scanner:

This tool tends to be quite aggressive, so please be sure to configure it exactly as listed below. I do not want it to clean anything right now, I only want to see a Report of what it finds.
  • Please download Dr.Web CureIt and Save it to your Desktop:
  • Double-click the cureit.exe file and click Run if prompted.
  • Click Update if you are connected to the internet, else click Start.
  • Click OK to the prompt to run the express scan.
  • This will scan the files currently running in memory and when/if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Decline the Full version FREE trial.
  • Once the short scan has finished, click Complete scan
  • Click Settings then click Change settings
  • Click Actions
  • Change all drop-down boxes to Report
  • Click Apply and then click OK
  • Click the green arrow at the right, and the scan will start.
  • Click No to All if it asks if you want to cure/move the file.
  • When the scan has finished, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt
  • Post the contents of the log from Dr.Web you saved previously in your next reply.
------------------------------------------------------
__________________
chemist is offline  
Old 09-25-2011, 09:18 PM   #17
jackdup
Registered Member
Join Date: Nov 2010
Posts: 160
OS: XP and Vista

Sorry I didn't get back to you sooner. I have the computer moved and connected to the internet now, so should I run Dr.Web CureIt in addition to MBAM and ESET? I am running these now but can run Dr.Web CureIt as well.

Thanks
__________________
jackdup is offline  
Old 09-26-2011, 03:56 AM   #18
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 26,350
OS: XP SP3; Win7 32/64-bit

No, MBAM and ESET are all you need to do.
__________________
chemist is offline  
Old 09-26-2011, 11:32 AM   #19
jackdup
Registered Member
Join Date: Nov 2010
Posts: 160
OS: XP and Vista

Below are the logs you requested.

I uninstalled the Java 2 per your instructions, and when I went to update the current version of Java nothing happened when I hit the Update Now button. It shows last update 10:48 PM 25/08/11.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 7799
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702
26/09/2011 12:05:12 AM
mbam-log-2011-09-26 (00-05-12).txt
Scan type: Quick scan
Objects scanned: 165574
Time elapsed: 3 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=9a909bba5537844391a1d3e29b7421e8
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-09-26 05:35:35
# local_time=2011-09-26 01:35:35 (-0500, Eastern Daylight Time)
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1032 16777173 100 96 0 60106287 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=232942
# found=2
# cleaned=0
# scan_time=8422
C:\Program Files\Common Files\PestPatrol\Quarantine\20061117194526.zip Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Common Files\PestPatrol\Quarantine\20061117194647.zip Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I


Thank you
__________________
jackdup is offline  
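The ESET report above records, in its "#" header, the exact scan settings post #12 asked for (Remove found threats unticked, Scan Archives ticked, the three Advanced Settings options ticked), and both hits sit inside another product's quarantine folder rather than anywhere a live file would run from. The script below is an added example for this thread, not ESET's code or anything from the post: it parses that header and the finding lines, checks the settings against those instructions, verifies the "found"/"cleaned" counts against the lines actually present, and tags hits whose path is inside a quarantine folder so they are not mistaken for an active infection. The forum shows the fields space-separated, so the finding-line regex assumes the path runs up to the last backslash plus a filename without spaces (an assumption). The sample is the report posted above minus its two compatibility_mode lines.

```python
"""Parse an ESET Online Scanner report as pasted in this thread and triage it.

Added example for this thread, not ESET's code or anything from the post.
Layout assumed (inferred from the report above):
  # key=value                                         header lines
  <path> <verdict> (<status>) <32-hex digest> <flag>  one line per hit
The forum shows the fields space-separated, so the path is taken to run up to
the last backslash plus a filename without spaces (an assumption).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# What post #12 asked for: Remove found threats unticked, Scan Archives ticked,
# and the three Advanced Settings options ticked.
REQUIRED_SETTINGS = {
    "remove_checked": "false",
    "archives_checked": "true",
    "unwanted_checked": "true",
    "unsafe_checked": "true",
    "antistealth_checked": "true",
}

RE_HEADER = re.compile(r"^#\s*(?P<key>[^=]+?)=(?P<value>.*)$")
RE_HIT = re.compile(
    r"^(?P<path>[A-Za-z]:\\(?:.*\\)?[^\\\s]+)\s+"   # C:\...\<filename>
    r"(?P<verdict>.+?)\s+"                          # e.g. Win32/Qhost trojan
    r"\((?P<status>[^)]*)\)\s+"                     # e.g. unable to clean
    r"(?P<digest>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$")


@dataclass
class Hit:
    path: str
    verdict: str
    status: str
    digest: str
    flag: str

    @property
    def in_quarantine(self) -> bool:
        """The file sits inside some product's quarantine folder (inert unless restored)."""
        return "\\quarantine\\" in self.path.lower()


def parse_eset(text: str) -> Tuple[Dict[str, str], List[Hit]]:
    """Return (header key/values, hits) from the pasted report text."""
    header: Dict[str, str] = {}
    hits: List[Hit] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_HEADER.match(line)
        if m:
            header[m["key"].strip()] = m["value"].strip().strip('"')
            continue
        m = RE_HIT.match(line)
        if m:
            hits.append(Hit(m["path"], m["verdict"], m["status"], m["digest"].lower(), m["flag"]))
    return header, hits


def settings_mismatches(header: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Required settings the header contradicts or lacks: key -> (expected, actual)."""
    return {k: (v, header.get(k)) for k, v in REQUIRED_SETTINGS.items() if header.get(k) != v}


def counts_consistent(header: Dict[str, str], hits: List[Hit]) -> bool:
    """'found' matches the hit lines, and nothing was cleaned when removal was off."""
    found_ok = header.get("found") == str(len(hits))
    cleaned_ok = header.get("remove_checked") != "false" or header.get("cleaned") == "0"
    return found_ok and cleaned_ok


def triage(hits: List[Hit]) -> List[Tuple[str, str]]:
    """(path, note): quarantine-folder hits are leftovers to delete, not running malware."""
    return [(h.path, "quarantined by another product; delete the archive" if h.in_quarantine
             else "live file; needs removal") for h in hits]


# The report posted above, minus its two compatibility_mode lines.
ESET_SAMPLE = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=9a909bba5537844391a1d3e29b7421e8
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-09-26 05:35:35
# local_time=2011-09-26 01:35:35 (-0500, Eastern Daylight Time)
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# scanned=232942
# found=2
# cleaned=0
# scan_time=8422
C:\Program Files\Common Files\PestPatrol\Quarantine\20061117194526.zip Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Common Files\PestPatrol\Quarantine\20061117194647.zip Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
"""
```

`settings_mismatches` returns an empty dict for this report, `counts_consistent` is true (found=2 with two hit lines, cleaned=0 with removal off), and `triage` marks both hits as quarantine leftovers, which is exactly the conclusion the next reply draws by telling the poster to delete the two files by hand.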
Old 09-26-2011, 12:07 PM   #20
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 26,350
OS: XP SP3; Win7 32/64-bit

Hello again, jackdup. You're welcome.

You should be able to navigate to those two files detected by ESET and delete them. Let me know.

Go here to install the latest Java > Download Free Java Software

Let me know if you were successful.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

You might want to consider going to Microsoft Update and installing all the latest Windows Updates, including SP3, while this computer is hooked up to a decent connection.

Microsoft Windows Update

It may take a while. Let me know.

------------------------------------------------------

__________________
chemist is offline  
 

Copyright 2001 - 2014, Tech Support Forum