Browser Re-directs; Microsoft Office Fails to Load; Anti-Virus Fails to Update

Old 06-04-2010, 04:01 PM   #1
Registered Member
 
Join Date: Jun 2010
Posts: 7
OS: Windows 7 Ultimate



Here is the list of the problems in order of which I noticed things going awry:

1. My Firefox browser re-directs my Google searches to a new Firefox pop-up window with "google-analytics" in its address bar, but never finishes loading the popped-up window. Firefox also re-directs my Google searches, and never finishes loading them, by opening a new tab with "directdlr.com/....." in its address bar.

2. Microsoft Office 2010 applications don't open; instead, "DW20.exe" and "DWWin.exe" replicate themselves an infinite number of times in my processes, maxing out my CPU.

3. My anti-virus applications (Spyware Doctor, Microsoft Security Essentials, avast!, malwarebytes) won't update, and therefore won't run or scan. Firefox also won't load various anti-virus sites, such as this message board.

4. Other applications crash directly upon opening them (VLC Media Player).

Solutions that I've tried:

1. Resetting my router. I'd read somewhere online that doing this would solve the problem. It did not.

2. Trying to restore from a restore point. I opened System Restore, but the restore points were all very recent and within the timeframe of infection.

3. Un-installing Microsoft Office 2010 and re-installing. The system won't let me un-install.

Here are my scan reports:

DDS (Ver_10-03-17.01) - NTFSx86
Run by dildon at 14:31:20.50 on Fri 06/04/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1215.675 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Windows\TEMP\Nbk.exe
C:\Users\dildon\AppData\Roaming\3fd72769.exe
C:\Windows\TEMP\Nbl.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\dildon\Desktop\dds.com
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = about:blank
uSearch Bar =
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [DriverMax]
uRun: [DriverMax_RESTART]
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [M5T8QL3YW3] c:\windows\temp\Nbl.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 93.188.162.167,93.188.166.198
TCP: {79DBCE05-447C-4F8D-8BCD-FF3BCB44BF05} = 93.188.162.167,93.188.166.198

================= FIREFOX ===================

FF - ProfilePath - c:\users\dildon\appdata\roaming\mozilla\firefox\profiles\09hf860w.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=62047&p=
FF - component: c:\users\dildon\appdata\roaming\mozilla\firefox\profiles\09hf860w.default\extensions\{12bedecf-4ae9-437a-8866-94b8a1adae0d}\components\Engine.dll
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\dildon\appdata\roaming\move networks\plugins\071802000001\npqmp071802000001.dll
FF - plugin: c:\users\dildon\appdata\roaming\mozilla\firefox\profiles\09hf860w.default\extensions\[email protected]\plugins\npTVUAx.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "https://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-6-3 207280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-3 164048]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-3 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-6-3 51792]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-3 40384]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-6-3 112592]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2009-9-26 819600]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-6-3 276816]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2009-9-23 447832]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-3 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-3 40384]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-3 19160]
R3 sftfs;sftfs;c:\program files\microsoft application virtualization client\drivers\SftFSlh.sys [2009-9-23 543064]
R3 sftplay;sftplay;c:\program files\microsoft application virtualization client\drivers\sftplaylh.sys [2009-9-23 190312]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2009-9-23 21848]
R3 sftvol;sftvol;c:\program files\microsoft application virtualization client\drivers\SftVollh.sys [2009-9-23 14680]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2009-9-23 203608]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-3 38224]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4639136]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-6-3 365280]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-6-3 1141712]

=============== Created Last 30 ================

2010-06-04 06:40:02 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-06-04 06:38:30 0 d-----w- c:\programdata\Alwil Software
2010-06-04 05:53:33 0 d-----w- c:\users\dildon\appdata\roaming\Malwarebytes
2010-06-04 05:53:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 05:53:03 0 d-----w- c:\programdata\Malwarebytes
2010-06-04 05:53:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 05:53:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-04 05:50:06 0 d-----w- c:\program files\Microsoft Security Essentials
2010-06-03 15:20:16 767952 ----a-w- c:\windows\BDTSupport.dll
2010-06-03 15:20:13 882 ----a-w- c:\windows\RegSDImport.xml
2010-06-03 15:20:13 880 ----a-w- c:\windows\RegISSImport.xml
2010-06-03 15:20:13 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-06-03 15:20:13 131 ----a-w- c:\windows\IDB.zip
2010-06-03 15:20:12 1152444 ----a-w- c:\windows\UDB.zip
2010-06-03 15:20:11 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-06-03 15:20:11 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-06-03 15:19:32 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-06-03 15:19:32 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-03 15:19:32 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-06-03 15:19:16 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-03 15:19:16 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-06-03 15:19:16 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-06-03 15:19:16 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-03 15:19:08 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-06-03 15:19:08 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-03 15:19:02 0 d-----w- c:\users\dildon\appdata\roaming\PC Tools
2010-06-03 15:19:02 0 d-----w- c:\programdata\PC Tools
2010-06-03 15:19:02 0 d-----w- c:\program files\Spyware Doctor
2010-06-03 15:19:02 0 d-----w- c:\program files\common files\PC Tools
2010-06-03 15:18:50 0 d---a-w- c:\programdata\TEMP
2010-06-03 15:07:56 0 d-----w- c:\windows\system32\appmgmt
2010-06-03 03:09:53 130141426 ----a-w- c:\windows\MEMORY.DMP
2010-06-03 02:42:03 77312 ----a-w- c:\windows\system32\ernel32.dll
2010-06-01 23:09:37 77312 ----a-w- c:\users\dildon\appdata\roaming\3fd72769.exe
2010-05-27 07:12:49 0 d-----w- c:\program files\Sony
2010-05-27 07:08:50 0 d-----w- c:\program files\Sony Setup
2010-05-26 06:22:07 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-12 04:45:59 740864 ----a-w- c:\windows\system32\inetcomm.dll

==================== Find3M ====================

2010-05-12 18:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-13 00:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-08 21:33:56 427520 ----a-w- c:\windows\system32\vbscript.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-w- c:\windows\fonts\StaticCache.dat
2010-03-03 09:39:10 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-03-01 18:28:17 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 14:33:15.66 ===============


GMER 1.0.15.15281 - https://www.gmer.net
Rootkit scan 2010-06-04 15:25:20
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\dildon\AppData\Local\Temp\kwpyipow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x83762CDC]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x83762ECE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x837630D6]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x83762982]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82820AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82820104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828203F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82808FB4
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828201DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82820958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828206F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82820F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828211A8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8E4C78EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8E4C7A24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 828728E9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 828923D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 14A3 82899770 8 Bytes [DC, 2C, 76, 83, CE, 2E, 76, ...] {FSUBR QWORD [ESI+ESI*2]; OR ESI, 0x2e; JBE 0xffffffffffffff8b}
.text ntoskrnl.exe!KeRemoveQueueEx + 14DB 828997A8 4 Bytes [D6, 30, 76, 83] {SALC ; XOR [ESI-0x7d], DH}
.text ntoskrnl.exe!KeRemoveQueueEx + 192F 82899BFC 4 Bytes [82, 29, 76, 83]
PAGE ntoskrnl.exe!ZwLoadDriver 829DE124 7 Bytes JMP 8E4C7A28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 82A1EDF7 5 Bytes JMP 8E4C3536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!RtlCompareUnicodeStrings + 50C 82A461AA 5 Bytes JMP 8E4C4F28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 82A8FED5 7 Bytes JMP 8E4C78EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text peauth.sys 8F72BC9D 28 Bytes [5E, 7D, C8, 99, 72, E6, 69, ...]
.text peauth.sys 8F72BCC1 28 Bytes [5E, 7D, C8, 99, 72, E6, 69, ...]
PAGE peauth.sys 8F731B9B 72 Bytes JMP F81F95C7
PAGE peauth.sys 8F731BEC 111 Bytes JMP AB8634E6
PAGE peauth.sys 8F731E20 101 Bytes [66, 16, 46, AF, 53, 41, 06, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtProtectVirtualMemory 77085360 5 Bytes JMP 0017000A
.text C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtWriteVirtualMemory 77085EE0 5 Bytes JMP 0018000A
.text C:\Windows\system32\svchost.exe[1028] ntdll.dll!KiUserExceptionDispatcher 77086448 5 Bytes JMP 0016000A
.text C:\Windows\system32\svchost.exe[1028] ole32.dll!CoCreateInstance 76A257FC 5 Bytes JMP 0060000A
.text C:\Windows\system32\svchost.exe[1028] USER32.dll!GetCursorPos 76BDC198 5 Bytes JMP 010C000A
.text C:\Windows\System32\spoolsv.exe[1104] ntdll.dll!NtResumeThread 770858F0 5 Bytes JMP 0060000A
.text C:\Windows\Explorer.EXE[1524] ntdll.dll!NtProtectVirtualMemory 77085360 5 Bytes JMP 002C000A
.text C:\Windows\Explorer.EXE[1524] ntdll.dll!NtWriteVirtualMemory 77085EE0 5 Bytes JMP 002D000A
.text C:\Windows\Explorer.EXE[1524] ntdll.dll!KiUserExceptionDispatcher 77086448 5 Bytes JMP 0027000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004b halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 85478D01

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Teredo\PreviousState\[email protected] 55550
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Teredo\PreviousState\[email protected] 2001:0:4137:9e74:1cd6:d8db:b3e9:be91
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\[email protected] 387

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Thank you very kindly for all help.

Here is a link to an attachment to a post I accidentally made in another forum:

https://www.techsupportforum.com/atta...set-attach.rar

I'll attach again if/when the thread gets deleted.
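The DDS and GMER output above carries several indicators a responder would pick out by eye: resolvers set to public addresses outside the LAN, executables launched from `C:\Windows\TEMP` and `AppData\Roaming` under random names, a `system32\ernel32.dll` one character away from a real system DLL, and hex-named binaries registered as services. The script below is an added example, not part of the original post and not the logic of DDS, GMER or any other tool in the thread; it scans a handful of sample lines constructed in the shape of that log and flags those patterns. The heuristics (what counts as a suspicious path, the short list of system DLL names, the DNSChanger resolver range taken from the FBI's 2011 Operation Ghost Click advisory) are assumptions chosen for the example, so every hit is a lead for review, not a verdict.

```python
"""Triage heuristics for a DDS / ComboFix style log (added example, not tool code)."""
import ipaddress
import re

# Sample lines constructed for this example, modelled on the log in the post above.
SAMPLE_LOG = r"""
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\TEMP\Nbk.exe
C:\Users\dildon\AppData\Roaming\3fd72769.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [M5T8QL3YW3] c:\windows\temp\Nbl.exe
TCP: NameServer = 93.188.162.167,93.188.166.198
TCP: {79DBCE05-447C-4F8D-8BCD-FF3BCB44BF05} = 192.168.1.1
2010-06-03 02:42:03 77312 ----a-w- c:\windows\system32\ernel32.dll
2010-05-26 06:22:07 2048 ----a-w- c:\windows\system32\tzres.dll
R2 MSWU-ad490917;MSWU-ad490917;c:\windows\system32\ad490917.exe [2010-05-27 75264]
R1 dadtbosc;dadtbosc;c:\windows\system32\drivers\dadtbosc.sys [x]
"""

# Resolver range listed in the FBI's Operation Ghost Click (DNSChanger) advisory, 2011.
KNOWN_DNSCHANGER = [ipaddress.ip_network("93.188.160.0/21")]
# Short, hand-picked list of core system DLL stems (assumption: extend for real use).
SYSTEM_DLLS = {"kernel32", "ntdll", "user32", "advapi32", "gdi32", "shell32",
               "ws2_32", "wininet", "comctl32"}
HEX_STEM = re.compile(r"^[0-9a-f]{8}$", re.I)              # 3fd72769.exe, ad490917.exe
TEMP_OR_APPDATA = re.compile(r"\\(temp|appdata\\(roaming|local))\\", re.I)
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|sys|scr|cpl)\b", re.I)


def one_edit_away(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def check_resolvers(line):
    """TCP: lines: flag resolvers in the known-bad range, then any resolver that is
    neither on the LAN nor loopback (a home PC normally points at its router)."""
    if not line.startswith("TCP:") or "=" not in line:
        return []
    out = []
    for tok in line.split("=", 1)[1].split(","):
        try:
            ip = ipaddress.ip_address(tok.strip())
        except ValueError:
            continue
        if any(ip in net for net in KNOWN_DNSCHANGER):
            out.append(("dns-known-bad", str(ip)))
        elif not (ip.is_private or ip.is_loopback):
            out.append(("dns-offlan", str(ip)))
    return out


def check_service(line):
    """R?/S? service lines whose image file is missing on disk ([x] or [?])."""
    m = re.match(r"^[RS]\d\s+([^;]+);", line)
    if m and line.rstrip().endswith(("[x]", "[?]")):
        return [("service-image-missing", m.group(1))]
    return []


def check_path(line):
    """Any line carrying a binary path: executables in TEMP or a user's AppData,
    names one edit away from a core system DLL, hex-named binaries under system32."""
    out = []
    for p in PATH_RE.findall(line):
        stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if TEMP_OR_APPDATA.search(p):
            out.append(("exec-from-temp-or-appdata", p))
        elif any(one_edit_away(stem, name) for name in SYSTEM_DLLS):
            out.append(("system-dll-lookalike", p))
        elif "\\system32\\" in p.lower() and HEX_STEM.match(stem):
            out.append(("hex-named-system32-binary", p))
    return out


def triage(log_text):
    """Return (category, value, source line) for every heuristic hit in the log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for hit in check_resolvers(line) + check_service(line) + check_path(line):
            findings.append(hit + (line,))
    return findings


if __name__ == "__main__":
    for category, value, line in triage(SAMPLE_LOG):
        print(f"{category:28} {value}")
```

On the sample above the script reports the two DNSChanger resolvers, the three binaries running or auto-starting from TEMP and AppData, `ernel32.dll` as a lookalike of `kernel32`, the hex-named `ad490917.exe` service image, and the `dadtbosc` driver service with no file on disk; the `svchost.exe`, `msseces.exe`, `tzres.dll` and `192.168.1.1` lines are left alone.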
 
Old 06-08-2010, 05:01 AM   #2
TSF-Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,956
OS: XP, Vista, Win7, Win8.1



Hi

Please do the following:

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2



**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.


Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
Old 06-08-2010, 11:17 PM   #3
Registered Member
 
Join Date: Jun 2010
Posts: 7
OS: Windows 7 Ultimate



Thanks for the reply! Here are my results:

ComboFix 10-06-08.03 - dildon 06/08/2010 22:53:18.2.1 - x86
Running from: c:\users\dildon\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\5e5a5k5.tmp

.
((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))
.

2010-06-05 00:47 . 2010-06-09 06:06 -------- d-----w- c:\users\dildon\AppData\Local\temp
2010-06-05 00:21 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-05 00:19 . 2010-06-05 00:19 -------- d-----w- c:\program files\Panda Security
2010-06-05 00:13 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\f36decbb.exe
2010-06-04 06:38 . 2010-06-04 06:38 -------- d-----w- c:\programdata\Alwil Software
2010-06-04 06:38 . 2010-06-04 06:38 -------- d-----w- c:\program files\Alwil Software
2010-06-04 05:53 . 2010-06-04 05:53 -------- d-----w- c:\users\dildon\AppData\Roaming\Malwarebytes
2010-06-04 05:53 . 2010-06-04 05:53 -------- d-----w- c:\programdata\Malwarebytes
2010-06-04 05:53 . 2010-06-05 01:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-04 05:50 . 2010-06-05 01:48 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-03 15:19 . 2010-06-05 01:12 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-03 15:19 . 2010-06-05 01:12 -------- d-----w- c:\program files\Spyware Doctor
2010-06-03 15:19 . 2010-06-03 15:19 -------- d-----w- c:\users\dildon\AppData\Roaming\PC Tools
2010-06-03 15:19 . 2010-06-03 15:19 -------- d-----w- c:\programdata\PC Tools
2010-06-03 06:50 . 2010-06-03 06:50 -------- d-----w- c:\windows\Sun
2010-06-03 03:28 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\A931sKU.dll
2010-06-03 03:10 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\c3s7e3aA9.dll
2010-06-03 02:41 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\qGMYW1u9.dll
2010-06-01 18:39 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9c1sKUO79.dll
2010-05-27 23:00 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9a17eI179.dll
2010-05-27 23:00 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\ad490917.exe
2010-05-27 07:21 . 2010-05-27 07:21 -------- d-----w- c:\users\dildon\AppData\Roaming\Publish Providers
2010-05-27 07:16 . 2010-05-27 07:16 -------- d-----w- c:\users\dildon\AppData\Roaming\Sony
2010-05-27 07:16 . 2010-05-27 07:16 -------- d-----w- c:\users\dildon\AppData\Local\Sony
2010-05-27 07:12 . 2010-06-05 01:12 -------- d-----w- c:\program files\Sony
2010-05-27 07:08 . 2010-05-27 07:08 -------- d-----w- c:\program files\Sony Setup
2010-05-26 06:22 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-12 04:45 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-08 02:14 . 2010-03-01 20:56 -------- d-----w- c:\users\dildon\AppData\Roaming\vlc
2010-06-08 01:32 . 2010-03-01 17:28 -------- d-----w- c:\users\dildon\AppData\Roaming\SoftGrid Client
2010-06-06 23:25 . 2010-03-01 09:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-06 20:22 . 2010-03-01 17:18 -------- d-----w- c:\programdata\Soulseek
2010-06-05 01:12 . 2010-03-03 10:27 -------- d-----w- c:\users\dildon\AppData\Roaming\Winamp
2010-05-21 21:14 . 2010-03-01 08:42 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 10:01 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-04-23 03:30 . 2010-03-01 18:31 57560 ----a-w- c:\users\dildon\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-22 02:27 . 2010-03-09 01:55 -------- d-----w- c:\program files\Java
2010-04-13 00:29 . 2010-04-22 02:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-w- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 20:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

R1 dadtbosc;dadtbosc;c:\windows\system32\drivers\dadtbosc.sys [x]
R2 MSWU-ad490917;MSWU-ad490917;c:\windows\system32\ad490917.exe [2010-05-27 75264]
R2 MSWU-f36decbb;MSWU-f36decbb;c:\windows\system32\f36decbb.exe [2010-05-27 75264]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2009-09-26 4639136]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2009-09-26 819600]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2009-09-23 447832]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
S3 sftfs;sftfs;c:\program files\Microsoft Application Virtualization Client\drivers\sftfslh.sys [2009-09-23 543064]
S3 sftplay;sftplay;c:\program files\Microsoft Application Virtualization Client\drivers\sftplaylh.sys [2009-09-23 190312]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-09-23 21848]
S3 sftvol;sftvol;c:\program files\Microsoft Application Virtualization Client\drivers\sftvollh.sys [2009-09-23 14680]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2009-09-23 203608]

.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\users\dildon\AppData\Roaming\Mozilla\Firefox\Profiles\09hf860w.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=62047&p=
FF - component: c:\users\dildon\AppData\Roaming\Mozilla\Firefox\Profiles\09hf860w.default\extensions\{12bedecf-4ae9-437a-8866-94b8a1adae0d}\components\Engine.dll
FF - plugin: c:\progra~1\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\dildon\AppData\Roaming\Move Networks\plugins\071802000001\npqmp071802000001.dll
FF - plugin: c:\users\dildon\AppData\Roaming\Mozilla\Firefox\Profiles\09hf860w.default\extensions\[email protected]\plugins\npTVUAx.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Microsoft Security Essentials\MpCmdRun.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\DllHost.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2010-06-08 23:11:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-09 06:11
ComboFix2.txt 2010-06-05 00:54

Pre-Run: 36,386,738,176 bytes free
Post-Run: 36,364,836,864 bytes free

- - End Of File - - C368DE03C673012CC42562DF7D224CB8
Old 06-09-2010, 05:17 AM   #4
TSF-Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,956
OS: XP, Vista, Win7, Win8.1



Hi,

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:

Collect::
c:\windows\system32\f36decbb.exe
c:\windows\system32\Spool\prtprocs\w32x86\A931sKU.dll
c:\windows\system32\Spool\prtprocs\w32x86\c3s7e3aA9.dll
c:\windows\system32\Spool\prtprocs\w32x86\qGMYW1u9.dll
c:\windows\system32\Spool\prtprocs\w32x86\9c1sKUO79.dll
c:\windows\system32\Spool\prtprocs\w32x86\9a17eI179.dll
c:\windows\system32\ad490917.exe

DirLook::
c:\users\dildon\AppData\Roaming\Publish Providers

Driver::
dadtbosc
MSWU-ad490917
MSWU-f36decbb

TDL::
C:\Windows\system32\drivers\atapi.sys
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT::

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




NEXT

**Vista users - right click on the IE icon and run as administrator

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
__________________


Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
Old 06-10-2010, 08:40 AM   #5
Registered Member
 
Join Date: Jun 2010
Posts: 7
OS: Windows 7 Ultimate



Here is my ComboFix report:

ComboFix 10-06-08.03 - dildon 06/09/2010 20:02:21.3.1 - x86
Running from: c:\users\dildon\Desktop\ComboFix.exe
Command switches used :: c:\users\dildon\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ad490917.exe
c:\windows\system32\f36decbb.exe
c:\windows\system32\Spool\prtprocs\w32x86\9a17eI179.dll
c:\windows\system32\Spool\prtprocs\w32x86\9c1sKUO79.dll
c:\windows\system32\Spool\prtprocs\w32x86\A931sKU.dll
c:\windows\system32\Spool\prtprocs\w32x86\c3s7e3aA9.dll
c:\windows\system32\Spool\prtprocs\w32x86\qGMYW1u9.dll
c:\windows\TEMP\sKU1m9g1.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_dadtbosc
-------\Service_MSWU-ad490917
-------\Service_MSWU-f36decbb


((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))
.

2010-06-10 03:13 . 2010-06-10 03:13 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-10 03:13 . 2010-06-10 03:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-10 02:51 . 2010-06-10 02:54 -------- d-----w- C:\32788R22FWJFW
2010-06-09 10:20 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\O3o7oCEI9.dll
2010-06-09 07:54 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-09 07:54 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-09 07:54 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-09 07:54 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-09 07:54 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-09 07:21 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\Y7cE1a.dll
2010-06-09 07:15 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\179iQG.dll
2010-06-09 06:41 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\3o7oC1s9.dll
2010-06-09 06:04 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\55555.dll
2010-06-08 01:34 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\aA3kU9m.dll
2010-06-07 06:10 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\c7s31s.dll
2010-06-06 23:26 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\oCE17kU.dll
2010-06-05 02:51 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17y3c7.dll
2010-06-05 02:47 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5a5k5.dll
2010-06-05 00:47 . 2010-06-10 03:16 -------- d-----w- c:\users\dildon\AppData\Local\temp
2010-06-05 00:21 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-05 00:19 . 2010-06-05 00:19 -------- d-----w- c:\program files\Panda Security
2010-06-04 06:38 . 2010-06-04 06:38 -------- d-----w- c:\programdata\Alwil Software
2010-06-04 06:38 . 2010-06-04 06:38 -------- d-----w- c:\program files\Alwil Software
2010-06-04 05:53 . 2010-06-04 05:53 -------- d-----w- c:\users\dildon\AppData\Roaming\Malwarebytes
2010-06-04 05:53 . 2010-06-04 05:53 -------- d-----w- c:\programdata\Malwarebytes
2010-06-04 05:53 . 2010-06-05 01:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-04 05:50 . 2010-06-05 01:48 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-03 15:19 . 2010-06-05 01:12 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-03 15:19 . 2010-06-05 01:12 -------- d-----w- c:\program files\Spyware Doctor
2010-06-03 15:19 . 2010-06-03 15:19 -------- d-----w- c:\users\dildon\AppData\Roaming\PC Tools
2010-06-03 15:19 . 2010-06-03 15:19 -------- d-----w- c:\programdata\PC Tools
2010-06-03 06:50 . 2010-06-03 06:50 -------- d-----w- c:\windows\Sun
2010-05-27 07:21 . 2010-05-27 07:21 -------- d-----w- c:\users\dildon\AppData\Roaming\Publish Providers
2010-05-27 07:16 . 2010-05-27 07:16 -------- d-----w- c:\users\dildon\AppData\Roaming\Sony
2010-05-27 07:16 . 2010-05-27 07:16 -------- d-----w- c:\users\dildon\AppData\Local\Sony
2010-05-27 07:12 . 2010-06-05 01:12 -------- d-----w- c:\program files\Sony
2010-05-27 07:08 . 2010-05-27 07:08 -------- d-----w- c:\program files\Sony Setup
2010-05-26 06:22 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-12 04:45 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-09 07:18 . 2010-03-01 17:28 -------- d-----w- c:\users\dildon\AppData\Roaming\SoftGrid Client
2010-06-08 02:14 . 2010-03-01 20:56 -------- d-----w- c:\users\dildon\AppData\Roaming\vlc
2010-06-06 23:25 . 2010-03-01 09:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-06 20:22 . 2010-03-01 17:18 -------- d-----w- c:\programdata\Soulseek
2010-06-05 01:12 . 2010-03-03 10:27 -------- d-----w- c:\users\dildon\AppData\Roaming\Winamp
2010-05-21 21:14 . 2010-03-01 08:42 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 10:01 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-04-23 03:30 . 2010-03-01 18:31 57560 ----a-w- c:\users\dildon\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-22 02:27 . 2010-03-09 01:55 -------- d-----w- c:\program files\Java
2010-04-13 00:29 . 2010-04-22 02:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-w- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\dildon\AppData\Roaming\Publish Providers ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 20:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2009-09-26 4639136]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2009-09-26 819600]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2009-09-23 447832]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
S3 sftfs;sftfs;c:\program files\Microsoft Application Virtualization Client\drivers\sftfslh.sys [2009-09-23 543064]
S3 sftplay;sftplay;c:\program files\Microsoft Application Virtualization Client\drivers\sftplaylh.sys [2009-09-23 190312]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-09-23 21848]
S3 sftvol;sftvol;c:\program files\Microsoft Application Virtualization Client\drivers\sftvollh.sys [2009-09-23 14680]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2009-09-23 203608]

.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\users\dildon\AppData\Roaming\Mozilla\Firefox\Profiles\09hf860w.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=62047&p=
FF - component: c:\users\dildon\AppData\Roaming\Mozilla\Firefox\Profiles\09hf860w.default\extensions\{12bedecf-4ae9-437a-8866-94b8a1adae0d}\components\Engine.dll
FF - plugin: c:\progra~1\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\dildon\AppData\Roaming\Move Networks\plugins\071802000001\npqmp071802000001.dll
FF - plugin: c:\users\dildon\AppData\Roaming\Mozilla\Firefox\Profiles\09hf860w.default\extensions\[email protected]\plugins\npTVUAx.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Microsoft Security Essentials\MpCmdRun.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2010-06-09 20:20:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-10 03:20
ComboFix2.txt 2010-06-09 06:11
ComboFix3.txt 2010-06-05 00:54

Pre-Run: 33,380,364,288 bytes free
Post-Run: 33,245,802,496 bytes free

- - End Of File - - D4268A8C88FD3E4AE4917D87B2BAE87D


Here is the MalwareBytes' Report:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4185

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/9/2010 9:10:09 PM
mbam-log-2010-06-09 (21-10-09).txt

Scan type: Quick scan
Objects scanned: 120199
Time elapsed: 23 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\spool\prtprocs\w32x86\179iQG.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\17y3c7.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\3o7oC1s9.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\55555.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\5a5k5.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\aA3kU9m.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\c7s31s.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\O3o7oCEI9.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\oCE17kU.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\Y7cE1a.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

And, lastly, my Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, June 10, 2010
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, June 10, 2010 04:32:59
Records in database: 4244336
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\
L:\
M:\
Q:\

Scan statistics:
Objects scanned: 77771
Threats found: 5
Infected objects found: 13
Suspicious objects found: 0
Scan duration: 01:55:00


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\9a17eI179.dll.vir Infected: Backdoor.Win32.TDSS.rt 1
C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\9c1sKUO79.dll.vir Infected: Backdoor.Win32.TDSS.rt 1
C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\A931sKU.dll.vir Infected: Backdoor.Win32.TDSS.rt 1
C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\c3s7e3aA9.dll.vir Infected: Backdoor.Win32.TDSS.rt 1
C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\qGMYW1u9.dll.vir Infected: Backdoor.Win32.TDSS.rt 1
C:\Qoobox\Quarantine\C\Windows\temp\_5e5a5k5_.tmp.zip Infected: Backdoor.Win32.TDSS.rt 1
C:\Qoobox\Quarantine\C\Windows\temp\_sKU1m9g1_.tmp.zip Infected: Backdoor.Win32.TDSS.rt 1
C:\Users\dildon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\2c3b3a57-67cb9956 Infected: Exploit.Java.Agent.f 1
C:\Users\dildon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\6aa23129-383fabb2 Infected: Exploit.Java.Agent.a 1
C:\Users\dildon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\6aa23129-383fabb2 Infected: Exploit.Java.CVE-2009-3867.a 1
C:\Users\dildon\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\2d475f78-1cb78c6f Infected: Trojan-Downloader.Java.Agent.br 3

Selected area has been scanned.
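As an added example (not part of this thread, and not code from ComboFix, Malwarebytes or Kaspersky), here is a small Python triage script for ComboFix-style log lines like the ones posted above. It parses the "Files Created" records and the R*/S* service records, and flags the two patterns the logs show: a cluster of same-sized DLLs with an identical original timestamp being re-dropped into spool\prtprocs\w32x86 under fresh random names, and services whose name and image are built from an 8-hex-digit token (the MSWU-<hex> entries). The sample lines are constructed to match the log format on this page; the thresholds and name patterns are my assumptions, not a published signature.

```python
"""Triage helper for ComboFix-style log lines (added example, not from the thread)."""
import re
from collections import defaultdict

# File record: "<created> . <modified> <size|--------> <attrs> <path>"
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Service record: "<state> <name>;<display>;<image> [<date> <size>]" or "[x]"
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)(?: \[.*\])?$"
)
# Print processor directory seen in the logs above.
PRTPROCS = re.compile(r"\\spool\\prtprocs\\w32x86\\[^\\]+\.dll$", re.IGNORECASE)
# A bare .exe directly in system32 (no subdirectory).
SYSTEM32_EXE = re.compile(r"^c:\\windows\\system32\\[^\\]+\.exe$", re.IGNORECASE)
# Assumed "machine-generated name" heuristic: exactly 8 hex digits.
RANDOM_HEX = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def parse_log(text):
    """Split a log into file records and service records (dicts)."""
    files, services = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"]) if rec["size"].isdigit() else None
            files.append(rec)
            continue
        m = SERVICE_LINE.match(line)
        if m:
            services.append(m.groupdict())
    return files, services


def suspicious_print_processors(files, min_cluster=2):
    """Print-processor DLLs sharing size and original mtime with others.

    A legitimate print processor is installed once; a rootkit dropper
    re-creates the same payload daily under a new random name, so the
    (size, modified) key clusters while the file names differ.
    """
    clusters = defaultdict(list)
    for f in files:
        if f["size"] is not None and PRTPROCS.search(f["path"]):
            clusters[(f["size"], f["modified"])].append(f["path"])
    flagged = []
    for paths in clusters.values():
        if len(paths) >= min_cluster:
            flagged.extend(paths)
    return sorted(flagged)


def suspicious_services(services):
    """Services whose image is <8 hex>.exe in system32 and whose service
    name ends with that same token (e.g. MSWU-ad490917 -> ad490917.exe)."""
    flagged = []
    for s in services:
        image = s["image"].strip()
        if not SYSTEM32_EXE.match(image):
            continue
        stem = image.rsplit("\\", 1)[-1][:-4]  # strip directory and ".exe"
        if RANDOM_HEX.match(stem) and s["name"].lower().endswith(stem.lower()):
            flagged.append(s["name"])
    return flagged


def triage(text):
    """Run both checks over a log and return the flagged items."""
    files, services = parse_log(text)
    return {
        "print_processors": suspicious_print_processors(files),
        "services": suspicious_services(services),
    }


# Constructed sample in the ComboFix log format used on this page.
SAMPLE_LOG = r"""
2010-06-09 10:20 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\O3o7oCEI9.dll
2010-06-09 07:54 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-09 07:21 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\Y7cE1a.dll
2010-06-05 02:47 . 2010-05-27 23:00 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5a5k5.dll
2010-06-05 00:19 . 2010-06-05 00:19 -------- d-----w- c:\program files\Panda Security
R1 dadtbosc;dadtbosc;c:\windows\system32\drivers\dadtbosc.sys [x]
R2 MSWU-ad490917;MSWU-ad490917;c:\windows\system32\ad490917.exe [2010-05-27 75264]
R2 MSWU-f36decbb;MSWU-f36decbb;c:\windows\system32\f36decbb.exe [2010-05-27 75264]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
"""

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(f"{kind}: {len(hits)} flagged")
        for h in hits:
            print("   ", h)
```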
Old 06-10-2010, 09:42 AM   #6
TSF-Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,956
OS: XP, Vista, Win7, Win8.1



Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:

Collect::
c:\windows\system32\Spool\prtprocs\w32x86\O3o7oCEI9.dll
c:\windows\system32\Spool\prtprocs\w32x86\Y7cE1a.dll
c:\windows\system32\Spool\prtprocs\w32x86\179iQG.dll
c:\windows\system32\Spool\prtprocs\w32x86\3o7oC1s9.dll
c:\windows\system32\Spool\prtprocs\w32x86\55555.dll
c:\windows\system32\Spool\prtprocs\w32x86\aA3kU9m.dll
c:\windows\system32\Spool\prtprocs\w32x86\c7s31s.dll
c:\windows\system32\Spool\prtprocs\w32x86\oCE17kU.dll
c:\windows\system32\Spool\prtprocs\w32x86\17y3c7.dll
c:\windows\system32\Spool\prtprocs\w32x86\5a5k5.dll
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT

  • Download TDSSKiller and save it to your Desktop.
  • Extract the file and run it.
  • Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes the version & date)

Please post the content of that log.
Old 06-10-2010, 11:35 PM   #7
Registered Member
 
Join Date: Jun 2010
Posts: 7
OS: Windows 7 Ultimate



ComboFix:

ComboFix 10-06-08.03 - dildon 06/10/2010 23:13:28.4.1 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1215.312 [GMT -7:00]
Running from: c:\users\dildon\Desktop\ComboFix.exe
Command switches used :: c:\users\dildon\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))
.

2010-06-11 06:22 . 2010-06-11 06:22 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-11 06:22 . 2010-06-11 06:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-11 06:08 . 2010-06-11 06:09 -------- d-----w- C:\32788R22FWJFW
2010-06-10 03:30 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-10 03:29 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-09 07:54 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-09 07:54 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-09 07:54 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-09 07:54 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-09 07:54 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-05 00:47 . 2010-06-11 06:22 -------- d-----w- c:\users\dildon\AppData\Local\temp
2010-06-05 00:21 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-05 00:19 . 2010-06-05 00:19 -------- d-----w- c:\program files\Panda Security
2010-06-04 06:38 . 2010-06-04 06:38 -------- d-----w- c:\programdata\Alwil Software
2010-06-04 06:38 . 2010-06-04 06:38 -------- d-----w- c:\program files\Alwil Software
2010-06-04 05:53 . 2010-06-04 05:53 -------- d-----w- c:\users\dildon\AppData\Roaming\Malwarebytes
2010-06-04 05:53 . 2010-06-04 05:53 -------- d-----w- c:\programdata\Malwarebytes
2010-06-04 05:53 . 2010-06-10 03:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-04 05:50 . 2010-06-05 01:48 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-03 15:19 . 2010-06-05 01:12 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-03 15:19 . 2010-06-05 01:12 -------- d-----w- c:\program files\Spyware Doctor
2010-06-03 15:19 . 2010-06-03 15:19 -------- d-----w- c:\users\dildon\AppData\Roaming\PC Tools
2010-06-03 15:19 . 2010-06-03 15:19 -------- d-----w- c:\programdata\PC Tools
2010-06-03 06:50 . 2010-06-03 06:50 -------- d-----w- c:\windows\Sun
2010-05-27 07:21 . 2010-05-27 07:21 -------- d-----w- c:\users\dildon\AppData\Roaming\Publish Providers
2010-05-27 07:16 . 2010-05-27 07:16 -------- d-----w- c:\users\dildon\AppData\Roaming\Sony
2010-05-27 07:16 . 2010-05-27 07:16 -------- d-----w- c:\users\dildon\AppData\Local\Sony
2010-05-27 07:12 . 2010-06-05 01:12 -------- d-----w- c:\program files\Sony
2010-05-27 07:08 . 2010-05-27 07:08 -------- d-----w- c:\program files\Sony Setup
2010-05-26 06:22 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 06:12 . 2010-03-01 18:31 57560 ----a-w- c:\users\dildon\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-10 04:12 . 2010-03-01 17:28 -------- d-----w- c:\users\dildon\AppData\Roaming\SoftGrid Client
2010-06-08 02:14 . 2010-03-01 20:56 -------- d-----w- c:\users\dildon\AppData\Roaming\vlc
2010-06-06 23:25 . 2010-03-01 09:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-06 20:22 . 2010-03-01 17:18 -------- d-----w- c:\programdata\Soulseek
2010-06-05 01:12 . 2010-03-03 10:27 -------- d-----w- c:\users\dildon\AppData\Roaming\Winamp
2010-05-21 21:14 . 2010-03-01 08:42 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 10:01 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-04-22 02:27 . 2010-03-09 01:55 -------- d-----w- c:\program files\Java
2010-04-13 00:29 . 2010-04-22 02:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-w- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 20:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2009-09-26 819600]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2009-09-23 447832]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2009-09-26 4639136]
S3 sftfs;sftfs;c:\program files\Microsoft Application Virtualization Client\drivers\sftfslh.sys [2009-09-23 543064]
S3 sftplay;sftplay;c:\program files\Microsoft Application Virtualization Client\drivers\sftplaylh.sys [2009-09-23 190312]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-09-23 21848]
S3 sftvol;sftvol;c:\program files\Microsoft Application Virtualization Client\drivers\sftvollh.sys [2009-09-23 14680]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2009-09-23 203608]

.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\users\dildon\AppData\Roaming\Mozilla\Firefox\Profiles\09hf860w.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=62047&p=
FF - component: c:\users\dildon\AppData\Roaming\Mozilla\Firefox\Profiles\09hf860w.default\extensions\{12bedecf-4ae9-437a-8866-94b8a1adae0d}\components\Engine.dll
FF - plugin: c:\progra~1\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\dildon\AppData\Roaming\Move Networks\plugins\071802000001\npqmp071802000001.dll
FF - plugin: c:\users\dildon\AppData\Roaming\Mozilla\Firefox\Profiles\09hf860w.default\extensions\[email protected]\plugins\npTVUAx.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-06-10 23:25:47
ComboFix-quarantined-files.txt 2010-06-11 06:25
ComboFix2.txt 2010-06-10 03:20
ComboFix3.txt 2010-06-09 06:11
ComboFix4.txt 2010-06-05 00:54

Pre-Run: 33,824,292,864 bytes free
Post-Run: 33,898,897,408 bytes free

- - End Of File - - 7248F066BA6817B86BA2866FF8618D64

TDSSKiller info:

23:32:02:445 5440 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
23:32:02:446 5440 ================================================================================
23:32:02:446 5440 SystemInfo:

23:32:02:446 5440 OS Version: 6.1.7600 ServicePack: 0.0
23:32:02:446 5440 Product type: Workstation
23:32:02:446 5440 ComputerName: DILDON-STINKBOX
23:32:02:449 5440 UserName: dildon
23:32:02:449 5440 Windows directory: C:\Windows
23:32:02:449 5440 Processor architecture: Intel x86
23:32:02:451 5440 Number of processors: 1
23:32:02:451 5440 Page size: 0x1000
23:32:02:451 5440 Boot type: Normal boot
23:32:02:451 5440 ================================================================================
23:32:03:333 5440 Initialize success
23:32:03:334 5440
23:32:03:335 5440 Scanning Services ...
23:32:09:121 5440 Raw services enum returned 445 services
23:32:09:141 5440
23:32:09:142 5440 Scanning Drivers ...
23:32:12:010 5440 1394ohci (6d2aca41739bfe8cb86ee8e85f29697d) C:\Windows\system32\DRIVERS\1394ohci.sys
23:32:12:453 5440 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
23:32:12:786 5440 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\Windows\system32\DRIVERS\acpipmi.sys
23:32:13:166 5440 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
23:32:13:468 5440 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
23:32:13:756 5440 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
23:32:14:111 5440 AFD (ddc040fdb01ef1712a6b13e52afb104c) C:\Windows\system32\drivers\afd.sys
23:32:14:498 5440 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\DRIVERS\agp440.sys
23:32:14:854 5440 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
23:32:15:674 5440 ALCXWDM (7997b6f02cbda0e31fa18cc85871b938) C:\Windows\system32\drivers\RTKVAC.SYS
23:32:16:061 5440 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\DRIVERS\aliide.sys
23:32:16:409 5440 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\DRIVERS\amdagp.sys
23:32:16:637 5440 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\DRIVERS\amdide.sys
23:32:17:143 5440 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
23:32:17:475 5440 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
23:32:17:762 5440 amdsata (2101a86c25c154f8314b24ef49d7fbc2) C:\Windows\system32\DRIVERS\amdsata.sys
23:32:18:177 5440 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
23:32:18:469 5440 amdxata (b81c2b5616f6420a9941ea093a92b150) C:\Windows\system32\DRIVERS\amdxata.sys
23:32:18:725 5440 AppID (feb834c02ce1e84b6a38f953ca067706) C:\Windows\system32\drivers\appid.sys
23:32:18:921 5440 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
23:32:19:234 5440 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
23:32:19:550 5440 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
23:32:19:846 5440 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys
23:32:20:117 5440 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
23:32:20:458 5440 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
23:32:20:686 5440 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
23:32:21:031 5440 blbdrive (4a7a4276724d6bbc48a754bfda426c43) C:\Windows\system32\DRIVERS\blbdrive.sys
23:32:21:312 5440 bowser (fcafaef6798d7b51ff029f99a9898961) C:\Windows\system32\DRIVERS\bowser.sys
23:32:21:608 5440 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
23:32:21:955 5440 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
23:32:22:216 5440 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
23:32:22:542 5440 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
23:32:22:818 5440 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
23:32:23:103 5440 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
23:32:23:505 5440 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
23:32:23:995 5440 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
23:32:24:463 5440 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\Windows\system32\DRIVERS\cdrom.sys
23:32:24:896 5440 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
23:32:25:158 5440 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
23:32:25:564 5440 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
23:32:25:890 5440 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\DRIVERS\cmdide.sys
23:32:26:518 5440 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
23:32:26:630 5440 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
23:32:26:685 5440 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys
23:32:26:745 5440 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
23:32:27:478 5440 CSC (27c9490bdd0ae48911ab8cf1932591ed) C:\Windows\system32\drivers\csc.sys
23:32:27:894 5440 DfsC (8e09e52ee2e3ceb199ef3dd99cf9e3fb) C:\Windows\system32\Drivers\dfsc.sys
23:32:28:257 5440 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
23:32:28:723 5440 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
23:32:29:008 5440 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
23:32:29:315 5440 DXGKrnl (8b6c3464d7fac176500061dbfff42ad4) C:\Windows\System32\drivers\dxgkrnl.sys
23:32:29:862 5440 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
23:32:30:378 5440 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
23:32:30:741 5440 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\DRIVERS\errdev.sys
23:32:31:252 5440 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
23:32:31:674 5440 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
23:32:31:791 5440 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
23:32:31:985 5440 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
23:32:32:741 5440 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
23:32:32:961 5440 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
23:32:33:512 5440 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
23:32:33:804 5440 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
23:32:33:924 5440 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
23:32:34:037 5440 fvevol (dafbd9fe39197495aed6d51f3b85b5d2) C:\Windows\system32\DRIVERS\fvevol.sys
23:32:34:154 5440 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
23:32:34:318 5440 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
23:32:34:451 5440 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\DRIVERS\HDAudBus.sys
23:32:34:528 5440 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
23:32:34:594 5440 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
23:32:34:771 5440 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
23:32:35:151 5440 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\DRIVERS\hidusb.sys
23:32:36:291 5440 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\DRIVERS\HpSAMD.sys
23:32:36:404 5440 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys
23:32:36:598 5440 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys
23:32:36:673 5440 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
23:32:36:785 5440 iaStorV (934af4d7c5f457b9f0743f4299b77b67) C:\Windows\system32\DRIVERS\iaStorV.sys
23:32:36:961 5440 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
23:32:37:095 5440 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\DRIVERS\intelide.sys
23:32:37:222 5440 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
23:32:37:386 5440 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
23:32:37:505 5440 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\DRIVERS\IPMIDrv.sys
23:32:37:662 5440 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
23:32:37:787 5440 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
23:32:37:891 5440 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\DRIVERS\isapnp.sys
23:32:38:077 5440 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\DRIVERS\msiscsi.sys
23:32:38:263 5440 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
23:32:38:377 5440 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
23:32:38:565 5440 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\Windows\system32\drivers\klmd.sys
23:32:38:746 5440 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys
23:32:38:916 5440 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\Windows\system32\Drivers\ksecpkg.sys
23:32:39:058 5440 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
23:32:39:171 5440 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
23:32:39:397 5440 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
23:32:39:521 5440 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
23:32:39:635 5440 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
23:32:39:892 5440 ltmodem5 (838df9675a08116f057b6bc530fbbe15) C:\Windows\system32\DRIVERS\ltmdmnt.sys
23:32:40:044 5440 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
23:32:40:295 5440 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
23:32:40:520 5440 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
23:32:40:652 5440 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
23:32:40:927 5440 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
23:32:41:046 5440 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
23:32:41:301 5440 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
23:32:41:476 5440 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys
23:32:41:643 5440 MpFilter (dfa1cd670ea50a21c87c92c727c50950) C:\Windows\system32\DRIVERS\MpFilter.sys
23:32:41:775 5440 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\DRIVERS\mpio.sys
23:32:42:035 5440 MpNWMon (77075a384a94b83e19d78efbcf8a832e) C:\Windows\system32\DRIVERS\MpNWMon.sys
23:32:42:177 5440 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
23:32:42:244 5440 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys
23:32:42:333 5440 mrxsmb (f1b6aa08497ea86ca6ef6f7a08b0bfb8) C:\Windows\system32\DRIVERS\mrxsmb.sys
23:32:42:406 5440 mrxsmb10 (5613358b4050f46f5a9832da8050d6e4) C:\Windows\system32\DRIVERS\mrxsmb10.sys
23:32:42:553 5440 mrxsmb20 (25c9792778d80feb4c8201e62281bfdf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
23:32:42:667 5440 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\Windows\system32\DRIVERS\msahci.sys
23:32:42:812 5440 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\DRIVERS\msdsm.sys
23:32:42:955 5440 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
23:32:43:182 5440 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
23:32:43:235 5440 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\DRIVERS\msisadrv.sys
23:32:43:282 5440 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
23:32:43:336 5440 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
23:32:43:425 5440 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
23:32:43:572 5440 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
23:32:43:821 5440 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys
23:32:43:955 5440 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
23:32:44:333 5440 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
23:32:44:501 5440 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
23:32:44:765 5440 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
23:32:44:949 5440 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\Windows\system32\drivers\ndis.sys
23:32:45:088 5440 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
23:32:45:226 5440 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
23:32:45:332 5440 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\Windows\system32\DRIVERS\ndisuio.sys
23:32:45:498 5440 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\Windows\system32\DRIVERS\ndiswan.sys
23:32:45:643 5440 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\Windows\system32\drivers\NDProxy.sys
23:32:45:761 5440 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
23:32:45:903 5440 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\Windows\system32\DRIVERS\netbt.sys
23:32:46:061 5440 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
23:32:46:163 5440 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
23:32:46:285 5440 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
23:32:46:457 5440 Ntfs (3795dcd21f740ee799fb7223234215af) C:\Windows\system32\drivers\Ntfs.sys
23:32:46:643 5440 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
23:32:46:864 5440 NVENETFD (1657f3fbd9061526c14ff37e79306f98) C:\Windows\system32\DRIVERS\nvm60x32.sys
23:32:47:002 5440 nvraid (3f3d04b1d08d43c16ea7963954ec768d) C:\Windows\system32\DRIVERS\nvraid.sys
23:32:47:112 5440 nvstor (c99f251a5de63c6f129cf71933aced0f) C:\Windows\system32\DRIVERS\nvstor.sys
23:32:47:241 5440 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\DRIVERS\nv_agp.sys
23:32:47:325 5440 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\DRIVERS\ohci1394.sys
23:32:47:385 5440 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
23:32:47:441 5440 partmgr (ff4218952b51de44fe910953a3e686b9) C:\Windows\system32\drivers\partmgr.sys
23:32:47:493 5440 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
23:32:47:553 5440 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\Windows\system32\drivers\pavboot.sys
23:32:47:662 5440 pci (c858cb77c577780ecc456a892e7e7d0f) C:\Windows\system32\DRIVERS\pci.sys
23:32:47:776 5440 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\DRIVERS\pciide.sys
23:32:47:867 5440 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
23:32:48:017 5440 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
23:32:48:248 5440 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
23:32:48:455 5440 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
23:32:48:582 5440 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
23:32:48:711 5440 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
23:32:48:940 5440 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
23:32:49:083 5440 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
23:32:49:196 5440 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
23:32:49:324 5440 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
23:32:49:473 5440 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
23:32:49:592 5440 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
23:32:49:746 5440 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
23:32:49:904 5440 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
23:32:50:026 5440 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\Windows\system32\DRIVERS\rdbss.sys
23:32:50:183 5440 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
23:32:50:300 5440 RDPCDD (1e016846895b15a99f9a176a05029075) C:\Windows\system32\DRIVERS\RDPCDD.sys
23:32:50:444 5440 RDPDR (c5ff95883ffef704d50c40d21cfb3ab5) C:\Windows\system32\drivers\rdpdr.sys
23:32:50:556 5440 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
23:32:50:641 5440 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
23:32:50:745 5440 RDPWD (801371ba9782282892d00aadb08ee367) C:\Windows\system32\drivers\RDPWD.sys
23:32:50:925 5440 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\Windows\system32\drivers\rdyboost.sys
23:32:51:051 5440 RimUsb (f17713d108aca124a139fde877eef68a) C:\Windows\system32\Drivers\RimUsb.sys
23:32:51:196 5440 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys
23:32:51:297 5440 ROOTMODEM (564297827d213f52c7a3a2ff749568ca) C:\Windows\system32\Drivers\RootMdm.sys
23:32:51:471 5440 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
23:32:51:576 5440 s3cap (5423d8437051e89dd34749f242c98648) C:\Windows\system32\DRIVERS\vms3cap.sys
23:32:51:897 5440 sbp2port (7dadaa93967cbee5a5e65537c5d5d6ff) C:\Windows\system32\DRIVERS\sbp2port.sys
23:32:51:973 5440 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\Windows\system32\DRIVERS\scfilter.sys
23:32:52:023 5440 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
23:32:52:161 5440 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
23:32:52:301 5440 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
23:32:52:423 5440 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
23:32:52:487 5440 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\DRIVERS\sffdisk.sys
23:32:52:551 5440 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\DRIVERS\sffp_mmc.sys
23:32:52:680 5440 sffp_sd (4f1e5b0fe7c8050668dbfade8999aefb) C:\Windows\system32\DRIVERS\sffp_sd.sys
23:32:52:821 5440 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
23:33825 5440
23:33825 5440 Completed
23:33826 5440
23:33826 5440 Results:
23:33826 5440 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:33827 5440 File objects infected / cured / cured on reboot: 0 / 0 / 0
23:33827 5440
23:33971 5440 KLMD(ARK) unloaded successfully


Hmm... Does this mean I'm cured?
Old 06-11-2010, 07:02 AM   #8
TSF-Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,956
OS: XP, Vista, Win7, Win8.1



How is your computer running now?

Have the redirects stopped?

Please rerun the GMER scan and post the log

thanks

One more scan


Open NOTEPAD and copy/paste the text in the quotebox below into it:

Quote:
@echo off
@mbr.exe -t
start mbr.log


Save this as look.bat. Choose "Save type as - All Files".

It should look like this:

Right click on look.bat & run as administrator. Please post the log it produces.


Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
Old 06-11-2010, 07:13 AM   #9
TSF-Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,956
OS: XP, Vista, Win7, Win8.1



double post
Old 06-13-2010, 12:55 PM   #10
Registered Member
 
Join Date: Jun 2010
Posts: 7
OS: Windows 7 Ultimate



My browser seems to run okay, but from time-to-time, I will still see the "google-analytics" address appear in my status bar when I try to access a site through a google search.

Also, my Microsoft Office applications aren't loading consistently, but I don't know if that is connected to the browser redirects at this point. I do get an error message when trying to open Office, saying that my "internet connection has been lost".

GMER:

GMER 1.0.15.15281 - https://www.gmer.net
Rootkit scan 2010-06-13 12:48:11
Windows 6.1.7600
Running: fxfnwfjb.exe; Driver: C:\Users\dildon\AppData\Local\Temp\kwpyipow.sys



look.bat log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, https://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
kernel: MBR read successfully
user & kernel MBR OK
Old 06-13-2010, 02:05 PM   #11
TSF-Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,956
OS: XP, Vista, Win7, Win8.1



Hi,

use this utility, then do a defrag:

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.
It's normal after running TFC cleaner that the PC will be slower to boot the first time.


NEXT

Download and run Auslogics Disc Defragmenter


NEXT


If you connect via a router - reset the router:
  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don't know the router's default password, you can look it up. HERE
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.


NEXT


Please post a fresh DDS Log
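To check the DNS point in the router-reset steps above, here is an added PowerShell audit (my example, not CatByte's or the thread's): it lists the DNS servers every enabled adapter is actually using and flags any that are not on an allowlist. The $ExpectedDns addresses are placeholders to replace with the resolvers your ISP gives you; the WMI class and property names are real and work on Windows 7 / PowerShell 2.0.

```powershell
# Added example, not from the thread: audit which DNS servers this Windows
# machine is actually using, so you can compare them with what your ISP says
# the network should use. Uses WMI so it also runs on Windows 7 / PowerShell 2.0.
# $ExpectedDns is a placeholder (TEST-NET documentation addresses); replace it
# with the resolvers your ISP or router admin gave you.
$ExpectedDns = @('192.0.2.53', '198.51.100.53')

function Get-DnsServerAudit {
    param([string[]]$Expected = $ExpectedDns)

    $results  = @()
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($adapter in $adapters) {
        # DNSServerSearchOrder is $null when no resolver is configured on the adapter
        $servers = @($adapter.DNSServerSearchOrder) | Where-Object { $_ }
        foreach ($server in $servers) {
            $results += New-Object PSObject -Property @{
                Adapter   = $adapter.Description
                # True: adapter is configured by DHCP (typically the router hands out DNS too)
                # False: addresses were set statically in the adapter's TCP/IP properties
                FromDhcp  = [bool]$adapter.DHCPEnabled
                DnsServer = $server
                Expected  = [bool]($Expected -contains $server)
            }
        }
    }
    return $results
}

$audit = Get-DnsServerAudit
$audit | Format-Table Adapter, FromDhcp, DnsServer, Expected -AutoSize

$unexpected = @($audit | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    $list = ($unexpected | ForEach-Object { $_.DnsServer } | Sort-Object -Unique) -join ', '
    Write-Warning "DNS server(s) not on the expected list: $list"
    Write-Warning 'If these came from DHCP, review the router''s DNS settings (hence the reset above); if static, review the adapter''s TCP/IP properties.'
} else {
    Write-Host 'All configured DNS servers match the expected list.'
}
```

Run it once before and once after the router reset; a resolver that disappears after the reset was being handed out by the router's previous configuration.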
Old 06-14-2010, 08:43 PM   #12
Registered Member
 
Join Date: Jun 2010
Posts: 7
OS: Windows 7 Ultimate



DDS (Ver_10-03-17.01) - NTFSx86
Run by dildon at 20:23:38.59 on Mon 06/14/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1215.243 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Common Files\microsoft shared\virtualization handler\cvh.exe
Q:\140062.enu\OFFICE14\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\dildon\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\dildon\appdata\roaming\mozilla\firefox\profiles\09hf860w.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=62047&p=
FF - component: c:\users\dildon\appdata\roaming\mozilla\firefox\profiles\09hf860w.default\extensions\{12bedecf-4ae9-437a-8866-94b8a1adae0d}\components\Engine.dll
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\dildon\appdata\roaming\move networks\plugins\071802000001\npqmp071802000001.dll
FF - plugin: c:\users\dildon\appdata\roaming\mozilla\firefox\profiles\09hf860w.default\extensions\[email protected]\plugins\npTVUAx.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "https://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-6-4 28552]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2009-9-26 819600]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2009-9-23 447832]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4639136]
R3 sftfs;sftfs;c:\program files\microsoft application virtualization client\drivers\SftFSlh.sys [2009-9-23 543064]
R3 sftplay;sftplay;c:\program files\microsoft application virtualization client\drivers\sftplaylh.sys [2009-9-23 190312]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2009-9-23 21848]
R3 sftvol;sftvol;c:\program files\microsoft application virtualization client\drivers\SftVollh.sys [2009-9-23 14680]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2009-9-23 203608]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2010-06-15 01:41:26 0 d-----w- c:\users\dildon\appdata\roaming\Auslogics
2010-06-15 01:41:13 0 d-----w- c:\program files\Auslogics
2010-06-15 01:29:05 17 ----a-w- c:\windows\system32\shortcut_ex.dat
2010-06-11 06:25:03 0 d-sh--w- C:\$RECYCLE.BIN
2010-06-10 03:30:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-10 03:29:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-09 07:54:34 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-09 07:54:33 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-09 07:54:24 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-09 07:54:19 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-09 07:54:19 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-05 00:28:20 98816 ----a-w- c:\windows\sed.exe
2010-06-05 00:28:20 77312 ----a-w- c:\windows\MBR.exe
2010-06-05 00:28:20 256512 ----a-w- c:\windows\PEV.exe
2010-06-05 00:28:20 161792 ----a-w- c:\windows\SWREG.exe
2010-06-05 00:21:09 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-05 00:19:35 0 d-----w- c:\program files\Panda Security
2010-06-05 00:13:45 65536 --sha-w- c:\users\dildon\ntuser.dat{2670cf82-7037-11df-9c60-000c6ef46dd7}.TM.blf
2010-06-05 00:13:45 524288 --sha-w- c:\users\dildon\ntuser.dat{2670cf82-7037-11df-9c60-000c6ef46dd7}.TMContainer00000000000000000002.regtrans-ms
2010-06-05 00:13:45 524288 --sha-w- c:\users\dildon\ntuser.dat{2670cf82-7037-11df-9c60-000c6ef46dd7}.TMContainer00000000000000000001.regtrans-ms
2010-06-04 06:38:30 0 d-----w- c:\programdata\Alwil Software
2010-06-04 05:53:33 0 d-----w- c:\users\dildon\appdata\roaming\Malwarebytes
2010-06-04 05:53:03 0 d-----w- c:\programdata\Malwarebytes
2010-06-04 05:53:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-04 05:50:06 0 d-----w- c:\program files\Microsoft Security Essentials
2010-06-03 15:19:02 0 d-----w- c:\users\dildon\appdata\roaming\PC Tools
2010-06-03 15:19:02 0 d-----w- c:\programdata\PC Tools
2010-06-03 15:19:02 0 d-----w- c:\program files\Spyware Doctor
2010-06-03 15:19:02 0 d-----w- c:\program files\common files\PC Tools
2010-06-03 15:18:50 0 d---a-w- c:\programdata\TEMP
2010-06-03 15:07:56 0 d-----w- c:\windows\system32\appmgmt
2010-06-03 03:09:53 171379954 ----a-w- c:\windows\MEMORY.DMP
2010-05-27 07:12:49 0 d-----w- c:\program files\Sony
2010-05-27 07:08:50 0 d-----w- c:\program files\Sony Setup
2010-05-26 06:22:07 2048 ----a-w- c:\windows\system32\tzres.dll

==================== Find3M ====================

2010-05-21 21:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-13 00:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-w- c:\windows\fonts\StaticCache.dat
2010-03-03 09:39:10 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-03-01 18:28:17 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 20:25:39.27 ===============

How am I looking?
Attached Files
File Type: rar Attach.rar (2.5 KB, 21 views)
Old 06-15-2010, 07:00 AM   #13
TSF-Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,956
OS: XP, Vista, Win7, Win8.1



Hi,

The log looks clean

Please empty your Java cache

Go into the Control Panel and double-click the Java icon (it looks like a coffee cup). If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
  • Applications and Applets
    Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


Now do the following:

You can delete the DDS and GMER folders from your desktop.


NEXT

Follow these steps to uninstall Combofix
Make sure your security programs are totally disabled.
Click START then RUN
Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.






Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.


If there are any logs/tools remaining > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.
  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article: Strong passwords: How to create and use them. Then consider a password keeper, to keep all your passwords safe.

  • Keep Windows updated by regularly checking their website at:
https://windowsupdate.microsoft.com/

This will ensure your computer has always the latest security updates available installed on your computer.


  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.


  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    • WOT has an addon available for both Firefox and IE


  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:
    • Think Prevention.
    • PC Safety and Security--What Do I Need?

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.
__________________


Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
CatByte is offline  
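The three Custom Level ActiveX options in the "Make Internet Explorer more secure" steps above are stored as per-user registry values, so they can be audited without clicking through Inetcpl.cpl. The PowerShell script below is an added example, not part of the original post; it assumes Microsoft's documented zone layout, in which Zone 3 is the Internet zone and the DWORDs 1001, 1004 and 1201 are those three options, with 0 = Enable, 1 = Prompt and 3 = Disable.

```powershell
# Added example (not from the forum post): audit the Internet zone ActiveX settings
# that the "Make Internet Explorer more secure" steps change, and optionally apply them.
# Assumption: Microsoft's documented per-user zone layout (Zone 3 = Internet zone).
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Value name -> option label and the setting recommended in the post.
# Setting codes: 0 = Enable, 1 = Prompt, 3 = Disable.
$Recommended = @{
    '1001' = @{ Label = 'Download signed ActiveX controls';                           Want = 1 }
    '1004' = @{ Label = 'Download unsigned ActiveX controls';                         Want = 1 }
    '1201' = @{ Label = 'Initialize and script ActiveX controls not marked as safe';  Want = 3 }
}
$Names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneAudit {
    param([switch]$Fix)   # -Fix writes the recommended value where it differs
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
    foreach ($name in ($Recommended.Keys | Sort-Object)) {
        $current = $props.$name          # $null when the value has never been set
        $want    = $Recommended[$name].Want
        $ok      = ($current -eq $want)
        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $ZoneKey -Name $name -Value $want -Type DWord
        }
        # Translate the numeric code into the label shown in the Custom Level dialog.
        $currentLabel = if ($null -eq $current) { '(not set)' }
                        elseif ($Names.ContainsKey([int]$current)) { $Names[[int]$current] }
                        else { "Unknown($current)" }
        [pscustomobject]@{
            Setting     = $Recommended[$name].Label
            Current     = $currentLabel
            Recommended = $Names[$want]
            Compliant   = $ok
        }
    }
}

# Report only; re-run as "Get-ActiveXZoneAudit -Fix" to apply the post's settings.
Get-ActiveXZoneAudit | Format-Table -AutoSize
```

Settings enforced by Group Policy live under the Policies hive instead and override these per-user values, so a non-compliant row here may still be locked down by domain policy.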
Old 06-15-2010, 08:34 PM   #14
Registered Member
 
Join Date: Jun 2010
Posts: 7
OS: Windows 7 Ultimate



Yeah, my computer is running 1000X better than before I posted at this forum. Thank you very very kindly for the input, and I will direct anyone with a virus problem to this forum.

Keep up the good work!
dildon is offline  
Old 06-16-2010, 12:32 AM   #15
TSF-Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,956
OS: XP, Vista, Win7, Win8.1



you are welcome

stay safe

~CB
CatByte is offline  