2012 Vista Internet Security and browser hijacking [Solved]



#1
drewdreworld
I'm posting from my desktop, the infection is on my laptop.

It appeared while I was trying to watch some TV online. I knew it was an infection, so I immediately shut down and rebooted into safe mode, trying mbam. I ran rkill to run mbam and that seemed to work, but I appear to still have a browser hijacking. I also used a registry "fix" that I found on a bleepingcomputer guide for the 2012 Vista Internet Security infection. Firefox is acting very strange though. It'll redirect a lot, I'm expecting that out of a virus, but sometimes it'll open a new Firefox (or multiple new Firefoxes) and it'll have 6 tabs that show my Firefox's install path.

Thank you so much for any help :)

OTL logfile created on: 11/28/2011 2:43:50 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = F:\Drew\New Downloaded Music
Windows Vista Ultimate Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.12 Gb Available Physical Memory | 56.15% Memory free
4.21 Gb Paging File | 3.34 Gb Available in Paging File | 79.19% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 29.30 Gb Total Space | 4.06 Gb Free Space | 13.85% Space Free | Partition Type: NTFS
Drive F: | 119.75 Gb Total Space | 36.02 Gb Free Space | 30.08% Space Free | Partition Type: NTFS

Computer Name: USER-PC | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/28 14:42:11 | 000,584,192 | ---- | M] (OldTimer Tools) -- F:\Drew\New Downloaded Music\OTL.exe
PRC - [2011/11/10 02:54:52 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox47\plugin-container.exe
PRC - [2011/11/10 02:54:50 | 000,912,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox47\firefox.exe
PRC - [2009/03/05 15:07:20 | 002,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/26 14:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/10/29 01:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/05/31 05:34:41 | 001,177,368 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2008/05/31 05:34:41 | 000,311,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2008/05/31 05:34:39 | 000,282,904 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2008/03/19 16:08:58 | 000,607,576 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
PRC - [2007/04/18 01:53:29 | 000,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2006/11/02 04:45:32 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\PING.EXE
PRC - [2005/09/14 09:46:42 | 000,233,472 | ---- | M] () -- C:\Program Files\VentSrv\ventrilo_srv.exe
PRC - [2005/07/13 20:18:10 | 000,073,728 | ---- | M] () -- C:\Program Files\VentSrv\ventrilo_svc.exe
PRC - [2005/05/26 05:12:26 | 000,544,768 | ---- | M] (Motorola Inc.) -- C:\Windows\sm56hlpr.exe
PRC - [2005/03/18 02:35:46 | 000,098,393 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2003/06/25 10:24:48 | 000,049,152 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/10 02:54:51 | 000,849,368 | ---- | M] () -- C:\Program Files\Mozilla Firefox47\js3250.dll
MOD - [2011/11/06 23:30:44 | 008,522,400 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
MOD - [2008/06/03 02:35:18 | 000,159,744 | ---- | M] () -- C:\Windows\System32\atitmmxx.dll
MOD - [2006/11/02 04:46:10 | 000,227,328 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2005/05/26 05:12:26 | 000,065,536 | ---- | M] () -- C:\Windows\sm56spn.dll
MOD - [2005/05/26 05:12:26 | 000,065,536 | ---- | M] () -- C:\Windows\sm56itl.dll
MOD - [2005/05/26 05:12:26 | 000,065,536 | ---- | M] () -- C:\Windows\sm56ger.dll
MOD - [2005/05/26 05:12:26 | 000,065,536 | ---- | M] () -- C:\Windows\sm56fra.dll
MOD - [2005/05/26 05:12:26 | 000,065,536 | ---- | M] () -- C:\Windows\sm56eng.dll
MOD - [2005/05/26 05:12:26 | 000,065,536 | ---- | M] () -- C:\Windows\sm56brz.dll
MOD - [2005/05/26 05:12:26 | 000,049,152 | ---- | M] () -- C:\Windows\sm56jpn.dll
MOD - [2005/05/26 05:12:26 | 000,045,056 | ---- | M] () -- C:\Windows\sm56cht.dll
MOD - [2005/05/26 05:12:26 | 000,045,056 | ---- | M] () -- C:\Windows\sm56chs.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (hpdj)
SRV - [2010/11/19 05:57:14 | 001,150,936 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools Security\pctsSvc.exe -- (sdCoreService)
SRV - [2010/03/15 13:02:36 | 000,366,840 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools Security\pctsAuxs.exe -- (sdAuxService)
SRV - [2009/01/26 14:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/05/31 05:34:39 | 000,282,904 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2008/03/19 16:08:58 | 000,607,576 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2005/07/13 20:18:10 | 000,073,728 | ---- | M] () [Auto | Running] -- C:\Program Files\VentSrv\ventrilo_svc.exe -- (Ventrilo)


========== Driver Services (SafeList) ==========

DRV - [2010/11/25 09:43:00 | 000,239,168 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/11/09 21:49:50 | 004,323,040 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lvuvc.sys -- (LVUVC) Logitech Webcam C160(UVC)
DRV - [2010/11/09 21:48:12 | 000,283,744 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lvrs.sys -- (LVRS)
DRV - [2010/07/16 13:59:54 | 000,338,880 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\pctDS.sys -- (pctDS)
DRV - [2010/03/30 03:31:09 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/03/30 03:31:09 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/03/30 03:31:09 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/06/10 05:38:16 | 000,335,872 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr61.sys -- (rt61x86)
DRV - [2008/06/03 05:22:56 | 003,695,104 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2008/06/03 05:22:56 | 003,695,104 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008/05/31 05:34:56 | 000,096,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2008/05/31 05:34:55 | 000,026,184 | ---- | M] (GRISOFT, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2006/11/02 03:51:03 | 000,006,144 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\beep.sys -- (Beep)
DRV - [2006/11/02 02:36:49 | 000,068,096 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ac97via.sys -- (VIAudio)
DRV - [2006/11/02 02:30:56 | 000,044,544 | ---- | M] (Realtek Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2005/10/27 02:06:30 | 000,356,096 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rt61.sys -- (RT61)
DRV - [2005/05/26 05:14:46 | 000,924,876 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)
DRV - [2005/03/09 14:53:00 | 000,036,352 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\Windows\System32\drivers\AmdK8.sys -- (AmdK8)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:58971

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.teamliquid.net"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.07076007
FF - prefs.js..extensions.enabledItems: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}:5.6.0.8442
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 58971
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\3.0.50106.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: File not found
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2571: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2629: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1739: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@veoh.com/VeohPlayer: F:\Drew\Veoh\Plugins\noreg\NPVeohVersion.dll File not found
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/02/17 04:54:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/10/26 19:35:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.24\extensions\\Components: C:\Program Files\Mozilla Firefox47\components [2011/11/10 02:54:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.24\extensions\\Plugins: C:\Program Files\Mozilla Firefox47\plugins [2011/11/10 02:54:53 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: F:\Drew\Veoh\Plugins\noreg\videofinder4

[2010/07/18 13:40:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\user\AppData\Roaming\mozilla\Extensions
[2011/11/28 02:03:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\user\AppData\Roaming\mozilla\Firefox\Profiles\134mu3pb.default\extensions
[2010/04/22 16:14:18 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\user\AppData\Roaming\mozilla\Firefox\Profiles\134mu3pb.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2007/10/30 00:34:27 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\user\AppData\Roaming\mozilla\Firefox\Profiles\134mu3pb.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2008/05/09 02:37:28 | 000,000,000 | ---D | M] (User Agent Switcher) -- C:\Users\user\AppData\Roaming\mozilla\Firefox\Profiles\134mu3pb.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
[2008/03/06 18:32:20 | 000,000,000 | ---D | M] (Move Media Player) -- C:\Users\user\AppData\Roaming\mozilla\Firefox\Profiles\134mu3pb.default\extensions\[email protected]
[2011/10/27 00:47:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/03/22 19:05:42 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
[2011/10/27 00:47:27 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\PROGRAM FILES\MOZILLA FIREFOX47\EXTENSIONS\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

Hosts file not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG, Technologies CZ, s.r.o )
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG, Technologies CZ, s.r.o )
O3 - HKLM\..\Toolbar: (Veoh Browser Plug-in) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - F:\Drew\Veoh\Plugins\reg\VeohToolbar.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG, Technologies CZ, s.r.o )
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [SMSERIAL] C:\Windows\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [] File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe File not found
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O13 - gopher Prefix: missing
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.81.22.195 71.92.29.130 24.217.201.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{70AD7DCD-6D2B-4770-AFD8-6B04F95FE44E}: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7CBE46F8-F3D9-4973-AB49-669E7C3565D4}: DhcpNameServer = 97.81.22.195 71.92.29.130 24.217.201.67
O18 - Protocol\Handler\bw+0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw+0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw-0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw00 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw00s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw-0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw10 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw10s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw20 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw20s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw30 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw30s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw40 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw40s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw50 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw50s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw60 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw60s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw70 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw70s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw80 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw80s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw90 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw90s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwa0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwa0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwb0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwb0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwc0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwc0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwd0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwd0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwe0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwe0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwf0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwf0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwg0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwg0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwh0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwh0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwi0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwi0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwj0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwj0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwk0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwk0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwl0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwl0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwm0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwm0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwn0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwn0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwo0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwo0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwp0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwp0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwq0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwq0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwr0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwr0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bws0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bws0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwt0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwt0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwu0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwu0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwv0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwv0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bww0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bww0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwx0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwx0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwy0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwy0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwz0 {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwz0s {a8681551-2848-419f-9210-e6d9b9f179ac} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\offline-8876480 {A8681551-2848-419F-9210-E6D9B9F179AC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O21 - SSODL: pimatolef - {0716abfa-bff7-41be-aca0-cfa6e0c94d60} - c:\windows\system32\yedonuse.dll File not found
O21 - SSODL: riniretuf - {7bede538-d8d2-42d6-bdf3-cc268179925b} - c:\windows\system32\yedonuse.dll File not found
O21 - SSODL: wijiziyel - {eaee5f18-a72e-4d2c-a694-0fa607d66cbd} - c:\windows\system32\yedonuse.dll File not found
O22 - SharedTaskScheduler: {0716abfa-bff7-41be-aca0-cfa6e0c94d60} - gahurihor - c:\windows\system32\yedonuse.dll File not found
O22 - SharedTaskScheduler: {7bede538-d8d2-42d6-bdf3-cc268179925b} - gahurihor - c:\windows\system32\yedonuse.dll File not found
O22 - SharedTaskScheduler: {eaee5f18-a72e-4d2c-a694-0fa607d66cbd} - gahurihor - c:\windows\system32\yedonuse.dll File not found
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img27.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img27.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\SETUP.EXE
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/27 22:08:43 | 009,851,496 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\user\Desktop\mbam-setup.exe

========== Files - Modified Within 30 Days ==========

[2011/11/28 14:00:54 | 000,005,056 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/11/28 14:00:54 | 000,005,056 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/11/28 01:06:36 | 000,620,816 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/11/28 01:06:36 | 000,104,480 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/11/28 01:00:18 | 000,043,408 | -HS- | M] () -- C:\Windows\System32\c_00405.nl_
[2011/11/28 00:59:20 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/11/27 22:21:33 | 000,000,000 | ---- | M] () -- C:\ProgramData\cY1532y3.exe.b
[2011/11/27 22:20:11 | 000,000,112 | ---- | M] () -- C:\ProgramData\p6N6d7.dat
[2011/11/27 22:20:10 | 000,115,712 | ---- | M] () -- C:\ProgramData\cY1532y3.exe
[2011/11/27 22:09:12 | 000,000,920 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/27 22:01:44 | 009,851,496 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\user\Desktop\mbam-setup.exe
[2011/11/27 22:00:26 | 001,008,114 | ---- | M] () -- C:\Users\user\Desktop\rkill.com
[2011/11/27 21:56:12 | 000,001,134 | ---- | M] () -- C:\Users\user\Desktop\FixNCR.reg
[2011/11/27 21:50:12 | 000,009,890 | -HS- | M] () -- C:\Users\user\AppData\Local\r8wr47l8ha3xng
[2011/11/27 21:50:12 | 000,009,890 | -HS- | M] () -- C:\ProgramData\r8wr47l8ha3xng
[2011/11/14 18:53:51 | 000,000,657 | ---- | M] () -- C:\Users\Public\Desktop\World of Warcraft.lnk
[2011/11/11 21:17:45 | 000,002,377 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk

========== Files Created - No Company Name ==========

[2011/11/27 22:21:33 | 000,115,712 | ---- | C] () -- C:\ProgramData\cY1532y3.exe
[2011/11/27 22:21:33 | 000,000,000 | ---- | C] () -- C:\ProgramData\cY1532y3.exe.b
[2011/11/27 22:14:31 | 000,000,112 | ---- | C] () -- C:\ProgramData\p6N6d7.dat
[2011/11/27 22:06:37 | 001,008,114 | ---- | C] () -- C:\Users\user\Desktop\rkill.com
[2011/11/27 22:06:08 | 000,001,134 | ---- | C] () -- C:\Users\user\Desktop\FixNCR.reg
[2011/11/27 21:15:59 | 000,009,890 | -HS- | C] () -- C:\Users\user\AppData\Local\r8wr47l8ha3xng
[2011/11/27 21:15:59 | 000,009,890 | -HS- | C] () -- C:\ProgramData\r8wr47l8ha3xng
[2010/12/18 22:54:40 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2010/12/05 23:19:18 | 000,815,104 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2010/12/05 23:19:18 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2010/11/09 21:45:32 | 000,102,744 | ---- | C] () -- C:\Windows\System32\LogiDPPApp.exe
[2010/11/09 21:45:30 | 010,871,128 | ---- | C] () -- C:\Windows\System32\LogiDPP.dll
[2010/11/09 21:45:20 | 000,316,248 | ---- | C] () -- C:\Windows\System32\DevManagerCore.dll
[2010/11/09 21:31:42 | 000,026,286 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2010/04/22 15:50:10 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010/04/21 03:53:51 | 000,000,172 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2010/01/25 06:13:05 | 000,000,122 | -HS- | C] () -- C:\Windows\System32\ukivojum.ini
[2010/01/24 06:12:16 | 000,000,122 | -HS- | C] () -- C:\Windows\System32\asizowuv.ini
[2010/01/24 03:41:46 | 000,000,122 | -HS- | C] () -- C:\Windows\System32\ufidisav.ini
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2008/06/13 01:53:00 | 001,176,974 | -HS- | C] () -- C:\Windows\System32\yinrlvod.ini
[2008/06/03 02:02:02 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2008/05/31 04:07:01 | 000,000,022 | ---- | C] () -- C:\ProgramData\pskt.ini
[2008/05/31 04:05:57 | 000,802,320 | ---- | C] () -- C:\Windows\System32\eNnmmnnn.ini
[2008/04/28 20:09:10 | 000,172,033 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2008/04/11 20:21:28 | 000,000,690 | ---- | C] () -- C:\Windows\mozver.dat
[2008/03/05 23:38:44 | 000,090,112 | ---- | C] () -- C:\Windows\System32\atibrtmon.exe
[2008/02/05 02:24:16 | 000,000,227 | ---- | C] () -- C:\Windows\PowerReg.dat
[2008/02/05 02:24:13 | 000,045,568 | ---- | C] () -- C:\Windows\UniFish3.exe
[2007/12/14 11:32:52 | 000,012,632 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2007/08/30 01:29:04 | 000,004,096 | ---- | C] () -- C:\Windows\d3dx.dat
[2007/06/24 16:22:27 | 000,043,520 | ---- | C] () -- C:\Windows\System32\CmdLineExt03.dll
[2007/06/24 16:21:00 | 000,021,840 | ---- | C] () -- C:\Windows\System32\SIntfNT.dll
[2007/06/24 16:21:00 | 000,017,212 | ---- | C] () -- C:\Windows\System32\SIntf32.dll
[2007/06/24 16:21:00 | 000,012,067 | ---- | C] () -- C:\Windows\System32\SIntf16.dll
[2007/05/20 19:32:43 | 000,009,825 | ---- | C] () -- C:\Windows\hpdj5100.ini
[2007/05/03 16:19:00 | 000,035,281 | ---- | C] () -- C:\Windows\scunin.dat
[2007/04/18 01:55:31 | 000,000,024 | ---- | C] () -- C:\Windows\cdplayer.ini
[2007/04/03 00:04:20 | 000,000,000 | ---- | C] () -- C:\Windows\iPlayer.INI
[2007/03/29 14:12:40 | 000,118,784 | R--- | C] () -- C:\Windows\bwUnin-7.2.0.137-8876480SL.exe
[2007/03/27 02:55:48 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2007/03/22 18:10:15 | 000,000,029 | ---- | C] () -- C:\Windows\atid.ini
[2007/03/22 16:23:14 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2007/03/22 16:16:02 | 000,000,335 | ---- | C] () -- C:\Windows\nsreg.dat
[2007/03/20 18:09:38 | 000,065,536 | ---- | C] () -- C:\Windows\sm56ger.dll
[2007/03/20 18:09:38 | 000,065,536 | ---- | C] () -- C:\Windows\sm56fra.dll
[2007/03/20 18:09:38 | 000,065,536 | ---- | C] () -- C:\Windows\sm56eng.dll
[2007/03/20 18:09:38 | 000,045,056 | ---- | C] () -- C:\Windows\sm56cht.dll
[2007/03/20 18:09:38 | 000,045,056 | ---- | C] () -- C:\Windows\sm56chs.dll
[2007/03/20 18:09:37 | 000,065,536 | ---- | C] () -- C:\Windows\sm56spn.dll
[2007/03/20 18:09:37 | 000,065,536 | ---- | C] () -- C:\Windows\sm56itl.dll
[2007/03/20 18:09:37 | 000,065,536 | ---- | C] () -- C:\Windows\sm56brz.dll
[2007/03/20 18:09:37 | 000,049,152 | ---- | C] () -- C:\Windows\sm56jpn.dll
[2007/03/20 17:03:04 | 000,003,972 | ---- | C] () -- C:\Windows\System32\drivers\PciBus.sys
[2006/12/12 11:24:42 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2006/11/02 07:55:52 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:46:27 | 000,371,224 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:34:29 | 000,063,488 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2006/11/02 07:34:23 | 000,080,010 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2006/11/02 07:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,620,816 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,104,480 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 02:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 02:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2004/07/10 17:55:38 | 000,252,416 | ---- | C] () -- C:\Windows\System32\wsiShared.dll

========== LOP Check ==========

[2011/04/21 00:41:52 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\.minecraft
[2007/03/22 18:13:00 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\acccore
[2007/03/22 16:21:45 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\Aim
[2007/05/01 13:20:25 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\Helios
[2007/09/04 11:44:16 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\ourTunes
[2008/06/04 03:28:10 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\SoundSpectrum
[2008/06/01 15:03:54 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\Uniblue
[2011/03/17 11:30:35 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\wsInspector
[2011/11/28 00:57:39 | 000,032,626 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 171 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >
  • 0

#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there - let's get to work, shall we?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:58971
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 58971
    O21 - SSODL: pimatolef - {0716abfa-bff7-41be-aca0-cfa6e0c94d60} - c:\windows\system32\yedonuse.dll File not found
    O21 - SSODL: riniretuf - {7bede538-d8d2-42d6-bdf3-cc268179925b} - c:\windows\system32\yedonuse.dll File not found
    O21 - SSODL: wijiziyel - {eaee5f18-a72e-4d2c-a694-0fa607d66cbd} - c:\windows\system32\yedonuse.dll File not found
    O22 - SharedTaskScheduler: {0716abfa-bff7-41be-aca0-cfa6e0c94d60} - gahurihor - c:\windows\system32\yedonuse.dll File not found
    O22 - SharedTaskScheduler: {7bede538-d8d2-42d6-bdf3-cc268179925b} - gahurihor - c:\windows\system32\yedonuse.dll File not found
    O22 - SharedTaskScheduler: {eaee5f18-a72e-4d2c-a694-0fa607d66cbd} - gahurihor - c:\windows\system32\yedonuse.dll File not found
    [2011/11/27 22:21:33 | 000,000,000 | ---- | M] () -- C:\ProgramData\cY1532y3.exe.b
    [2011/11/27 22:20:11 | 000,000,112 | ---- | M] () -- C:\ProgramData\p6N6d7.dat
    [2011/11/27 22:20:10 | 000,115,712 | ---- | M] () -- C:\ProgramData\cY1532y3.exe
    [2011/11/27 21:50:12 | 000,009,890 | -HS- | M] () -- C:\Users\user\AppData\Local\r8wr47l8ha3xng
    [2011/11/27 21:50:12 | 000,009,890 | -HS- | M] () -- C:\ProgramData\r8wr47l8ha3xng
    [2011/11/27 22:21:33 | 000,115,712 | ---- | C] () -- C:\ProgramData\cY1532y3.exe
    [2011/11/27 22:21:33 | 000,000,000 | ---- | C] () -- C:\ProgramData\cY1532y3.exe.b
    [2011/11/27 22:14:31 | 000,000,112 | ---- | C] () -- C:\ProgramData\p6N6d7.dat
    [2011/11/27 21:15:59 | 000,009,890 | -HS- | C] () -- C:\Users\user\AppData\Local\r8wr47l8ha3xng
    [2011/11/27 21:15:59 | 000,009,890 | -HS- | C] () -- C:\ProgramData\r8wr47l8ha3xng

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.


THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

AND FINALLY

Download aswMBR.exe (1.8 MB) to your desktop.
Double click the aswMBR.exe to run it. Click the "Scan" button to start the scan.

On completion of the scan click Save log, save it to your desktop and post it in your next reply.

  • 0
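An added triage example (editor's code, not part of this thread and not OTL's or ComboFix's own logic): the Python below reads OTL-format lines and flags the same classes of entry the fix above targets. The sample lines are constructed from the log entries quoted in this thread; the four rules (a loopback proxy in the IE or Firefox settings, O21/O22 load points whose DLL is missing, hidden+system files under ProgramData or AppData, and executables sitting directly in the ProgramData root) are my own heuristics for triage, not a verdict, and a hit should be checked against the file's vendor and path before anything is removed.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample, modelled on the OTL log format used in this thread.
# The proxy, O21/O22 and file entries reproduce the values the helper's fix
# targeted; the O20/O28/mbam/lnk lines are benign controls that must not fire.
SAMPLE_OTL_LINES: List[str] = [
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:58971',
    r'FF - prefs.js..network.proxy.http: "127.0.0.1"',
    r'FF - prefs.js..network.proxy.http_port: 58971',
    r'O21 - SSODL: pimatolef - {0716abfa-bff7-41be-aca0-cfa6e0c94d60} - c:\windows\system32\yedonuse.dll File not found',
    r'O22 - SharedTaskScheduler: {0716abfa-bff7-41be-aca0-cfa6e0c94d60} - gahurihor - c:\windows\system32\yedonuse.dll File not found',
    r'O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)',
    r'O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)',
    r'[2011/11/27 21:50:12 | 000,009,890 | -HS- | M] () -- C:\ProgramData\r8wr47l8ha3xng',
    r'[2011/11/27 22:20:10 | 000,115,712 | ---- | M] () -- C:\ProgramData\cY1532y3.exe',
    r'[2011/11/27 22:01:44 | 009,851,496 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\user\Desktop\mbam-setup.exe',
    r'[2011/11/14 18:53:51 | 000,000,657 | ---- | M] () -- C:\Users\Public\Desktop\World of Warcraft.lnk',
]

# Rule 1: IE ProxyServer or Firefox network.proxy.http pointed at 127.0.0.1.
# A browser whose traffic is routed through a local port is the classic
# mechanism behind the redirects the poster describes.
LOOPBACK_PROXY = re.compile(
    r'(?:"ProxyServer"\s*=\s*(?:\w+=)?|network\.proxy\.http:\s*")127\.0\.0\.1'
)

# Rule 2: O21 (ShellServiceObjectDelayLoad) or O22 (SharedTaskScheduler)
# entries whose target DLL OTL could not find: an orphaned load point.
ORPHANED_LOAD = re.compile(r'^O2[12] - .*File not found\s*$')

# OTL file-list line: [timestamp | size | attrs | C/M] (company) -- path
FILE_LINE = re.compile(
    r'^\[(?P<ts>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attr>[-A-Z]{4})\s*\|'
    r'\s*(?P<kind>[CM])\]\s*\((?P<company>[^)]*)\)\s*--\s*(?P<path>.+)$'
)

# Rule 4: an executable directly in the ProgramData root (no vendor folder).
PROGRAMDATA_ROOT_EXE = re.compile(r'^c:\\programdata\\[^\\]+\.(?:exe|dll|scr|com)$')

Finding = Tuple[str, str]  # (rule name, offending log line)


def triage_otl(lines: List[str]) -> List[Finding]:
    """Apply the four heuristics to OTL log lines and return the hits."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        if LOOPBACK_PROXY.search(line):
            findings.append(("proxy-loopback", line))
            continue
        if ORPHANED_LOAD.match(line):
            findings.append(("orphaned-shell-load", line))
            continue
        m = FILE_LINE.match(line)
        if not m:
            continue
        attr = m.group("attr")
        low = m.group("path").strip().lower()
        in_data_dir = low.startswith("c:\\programdata\\") or "\\appdata\\" in low
        # Rule 3: hidden + system attributes on a file in a data directory.
        if "H" in attr and "S" in attr and in_data_dir:
            findings.append(("hidden-system-data-file", line))
        elif PROGRAMDATA_ROOT_EXE.match(low):
            findings.append(("exe-in-programdata-root", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per rule, for a quick overview of a long log."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, line in triage_otl(SAMPLE_OTL_LINES):
        print(f"[{rule}] {line}")
```

On the sample above the script reports six hits: both loopback-proxy settings, both orphaned O21/O22 entries, the hidden+system file in ProgramData and the bare executable in the ProgramData root, while the Winlogon shell, the signed SUPERAntiSpyware hook, the Malwarebytes installer and the game shortcut pass untouched.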

#3
drewdreworld

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
Thank you so much for your help! ComboFix is running on the infected machine right now. It just popped up and said I am infected with rootkit.zeroaccess and said I might need to run it again. Do you want me to run it the second time or move on to the third step (aswMBR.exe)?
  • 0

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No, run it again, then follow with aswMBR please.
  • 0

#5
drewdreworld

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
I tried to run it again and it popped up with a message saying "Illegal operation attempted on a registry key that has been marked for deletion."
It gave me the same message when I tried to open Firefox. Want me to reboot and try ComboFix again, or move on, or is this bad? =D
  • 0

#6
drewdreworld

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
Posting the OTL log from when I ran it first, then the first ComboFix log, then the second ComboFix log, then the aswMBR log last.
Also, I didn't click Fix in aswMBR after the scan, as you did not specifically tell me to do so.

All processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Prefs.js: "127.0.0.1" removed from network.proxy.http
Prefs.js: 58971 removed from network.proxy.http_port
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\pimatolef deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0716abfa-bff7-41be-aca0-cfa6e0c94d60}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\riniretuf deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7bede538-d8d2-42d6-bdf3-cc268179925b}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\wijiziyel deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{eaee5f18-a72e-4d2c-a694-0fa607d66cbd}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{0716abfa-bff7-41be-aca0-cfa6e0c94d60} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0716abfa-bff7-41be-aca0-cfa6e0c94d60}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{7bede538-d8d2-42d6-bdf3-cc268179925b} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7bede538-d8d2-42d6-bdf3-cc268179925b}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{eaee5f18-a72e-4d2c-a694-0fa607d66cbd} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{eaee5f18-a72e-4d2c-a694-0fa607d66cbd}\ not found.
C:\ProgramData\cY1532y3.exe.b moved successfully.
C:\ProgramData\p6N6d7.dat moved successfully.
C:\ProgramData\cY1532y3.exe moved successfully.
C:\Users\user\AppData\Local\r8wr47l8ha3xng moved successfully.
C:\ProgramData\r8wr47l8ha3xng moved successfully.
File C:\ProgramData\cY1532y3.exe not found.
File C:\ProgramData\cY1532y3.exe.b not found.
File C:\ProgramData\p6N6d7.dat not found.
File C:\Users\user\AppData\Local\r8wr47l8ha3xng not found.
File C:\ProgramData\r8wr47l8ha3xng not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
F:\Drew\New Downloaded Music\cmd.bat deleted successfully.
F:\Drew\New Downloaded Music\cmd.txt deleted successfully.
========== COMMANDS ==========
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mcx1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 563 bytes

User: Public

User: TEMP
->Temp folder emptied: 49660 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: user
->Temp folder emptied: 30507700 bytes
->Temporary Internet Files folder emptied: 36305906 bytes
->Java cache emptied: 210235 bytes
->FireFox cache emptied: 37617934 bytes
->Flash cache emptied: 2033327 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 5006495 bytes
RecycleBin emptied: 232501 bytes

Total Files Cleaned = 107.00 mb



OTL by OldTimer - Version 3.2.31.0 log created on 11282011_163531

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


ComboFix 11-11-28.02 - user 11/28/2011 17:06:20.1.1 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.2047.1419 [GMT -5:00]
Running from: c:\users\user\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDD Rescue
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDD Rescue\HDD Rescue.lnk
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDD Rescue\Uninstall HDD Rescue.lnk
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Scanner
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Scanner\Scanner.lnk
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Scanner\Uninstall Scanner.lnk
c:\windows\$NtUninstallKB2142$
c:\windows\$NtUninstallKB2142$\250873514\@
c:\windows\$NtUninstallKB2142$\250873514\bckfg.tmp
c:\windows\$NtUninstallKB2142$\250873514\cfg.ini
c:\windows\$NtUninstallKB2142$\250873514\Desktop.ini
c:\windows\$NtUninstallKB2142$\250873514\keywords
c:\windows\$NtUninstallKB2142$\250873514\kwrd.dll
c:\windows\$NtUninstallKB2142$\250873514\L\fomtmfeh
c:\windows\$NtUninstallKB2142$\250873514\lsflt7.ver
c:\windows\$NtUninstallKB2142$\250873514\U\[email protected]
c:\windows\$NtUninstallKB2142$\250873514\U\[email protected]
c:\windows\$NtUninstallKB2142$\250873514\U\[email protected]
c:\windows\$NtUninstallKB2142$\250873514\U\[email protected]
c:\windows\$NtUninstallKB2142$\250873514\U\[email protected]
c:\windows\$NtUninstallKB2142$\250873514\U\[email protected]
c:\windows\$NtUninstallKB2142$\3333447090
c:\windows\$NtUninstallKB63393$
c:\windows\$NtUninstallKB63393$\250873514\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB63393$\250873514\L\fomtmfeh
c:\windows\$NtUninstallKB63393$\250873514\loader.tlb
c:\windows\$NtUninstallKB63393$\250873514\U\$000000c0
c:\windows\$NtUninstallKB63393$\250873514\U\$000000cb
c:\windows\$NtUninstallKB63393$\250873514\U\@00000001
c:\windows\$NtUninstallKB63393$\250873514\U\@000000c0
c:\windows\$NtUninstallKB63393$\250873514\U\@000000cb
c:\windows\$NtUninstallKB63393$\250873514\U\@000000cf
c:\windows\$NtUninstallKB63393$\250873514\U\@80000000
c:\windows\$NtUninstallKB63393$\250873514\U\@800000c0
c:\windows\$NtUninstallKB63393$\250873514\U\@800000cb
c:\windows\$NtUninstallKB63393$\250873514\U\@800000cf
c:\windows\$NtUninstallKB63393$\804955471
c:\windows\bwUnin-7.2.0.137-8876480SL.exe
c:\windows\system32\asizowuv.ini
c:\windows\system32\bmf.cs
c:\windows\system32\c_00405.nl_
c:\windows\system32\c_00405.nls
c:\windows\system32\ccs.so
c:\windows\system32\eNnmmnnn.ini
c:\windows\system32\ho.ln
c:\windows\system32\ko.o
c:\windows\system32\mn.n
c:\windows\system32\ufidisav.ini
c:\windows\system32\ukivojum.ini
c:\windows\system32\yinrlvod.ini
.
Infected copy of c:\windows\system32\drivers\csc.sys was found and disinfected
Restored copy from - The cat found it :)
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe . . . is infected!!
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\Ati2evxx.exe . . . is infected!!
c:\windows\system32\Ati2evxx.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\progra~1\AVG\AVG8\avgwdsvc.exe . . . is infected!!
c:\progra~1\AVG\AVG8\avgwdsvc.exe . . . was deleted!! You should re-install the program it pertains to
.
.
c:\program files\VentSrv\ventrilo_svc.exe . . . is infected!!
c:\program files\VentSrv\ventrilo_svc.exe . . . was deleted!! You should re-install the program it pertains to
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_CLBDRIVER
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))
.
.
2011-11-28 22:46 . 2011-11-28 22:53 -------- d-----w- c:\users\user\AppData\Local\temp
2011-11-28 22:46 . 2011-11-28 22:46 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2011-11-28 22:46 . 2011-11-28 22:46 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-11-28 22:46 . 2011-11-28 22:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-28 21:59 . 2008-01-19 05:28 350720 ----a-w- c:\windows\system32\drivers\csc.sys
2011-11-25 13:03 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{77D6E7F1-BECA-43D0-97A8-438E431E8850}\mpengine.dll
2011-11-07 04:30 . 2011-11-07 04:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 22:00 . 2010-03-29 21:59 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-01-19 . 67E506B75BD5326A3EC7B70BD014DFB6 . 6144 . . [6.0.6001.18000] . . c:\windows\SoftwareDistribution\Download\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-beepsys_31bf3856ad364e35_6.0.6001.18000_none_c420a153079d485b\beep.sys
[7] 2006-11-02 . AC3DD1708B22761EBD7CBE14DCC3B5D7 . 6144 . . [6.0.6000.16386] . . c:\windows\System32\beep.sys
.
c:\windows\System32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-18 98393]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-18 688217]
"SMSERIAL"="sm56hlpr.exe" [2005-05-26 544768]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-05-31 1177368]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-18 185896]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-03-30 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-03-30 08:31 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3263878486-2184788633-2282676407-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [x]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [x]
R3 dqkiugcqmm;dqkiugcqmm;c:\program files\Mozilla Firefox2\dqkiugcqmm.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-03-30 12872]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2010-03-15 366840]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-25 239168]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2008-05-31 96520]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-03-30 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-03-30 66632]
S3 rt61x86;Gigabyte RT61 Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr61.sys [2009-06-10 335872]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 97.81.22.195 71.92.29.130 24.217.201.67
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\134mu3pb.default\
FF - prefs.js: browser.startup.homepage - www.teamliquid.net
FF - prefs.js: network.proxy.type - 0
FF - Ext: Move Media Player: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox47\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox47\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-PokerStars - c:\program files\PokerStars\PokerStarsUninstall.exe
AddRemove-PokerStars.net - c:\program files\PokerStars.NET\PokerStarsUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-28 17:52
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WUDFHost.exe
c:\windows\sm56hlpr.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\system32\RacAgent.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\lpksetup.exe
.
**************************************************************************
.
Completion time: 2011-11-28 18:05:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-28 23:03
.
Pre-Run: 4,073,295,872 bytes free
Post-Run: 4,023,263,232 bytes free
.
- - End Of File - - 1FDBE6F35476E5F87ABBDC9CEFABD7F9


ComboFix 11-11-28.02 - user 11/28/2011 21:16:20.2.1 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.2047.1416 [GMT -5:00]
Running from: c:\users\user\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-29 )))))))))))))))))))))))))))))))
.
.
2011-11-29 02:46 . 2011-11-29 02:46 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2011-11-29 02:46 . 2011-11-29 02:46 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-11-29 02:46 . 2011-11-29 02:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-28 22:46 . 2011-11-29 02:46 -------- d-----w- c:\users\user\AppData\Local\temp
2011-11-28 21:59 . 2008-01-19 05:28 350720 ----a-w- c:\windows\system32\drivers\csc.sys
2011-11-25 13:03 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{77D6E7F1-BECA-43D0-97A8-438E431E8850}\mpengine.dll
2011-11-07 04:30 . 2011-11-07 04:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 22:00 . 2010-03-29 21:59 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-18 98393]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-18 688217]
"SMSERIAL"="sm56hlpr.exe" [2005-05-26 544768]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-05-31 1177368]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-18 185896]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-03-30 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-03-30 08:31 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3263878486-2184788633-2282676407-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [x]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [x]
R3 dqkiugcqmm;dqkiugcqmm;c:\program files\Mozilla Firefox2\dqkiugcqmm.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-03-30 12872]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2010-03-15 366840]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-25 239168]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2008-05-31 96520]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-03-30 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-03-30 66632]
S3 rt61x86;Gigabyte RT61 Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr61.sys [2009-06-10 335872]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 97.81.22.195 71.92.29.130 24.217.201.67
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\134mu3pb.default\
FF - prefs.js: browser.startup.homepage - www.teamliquid.net
FF - prefs.js: network.proxy.type - 0
FF - Ext: Move Media Player: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox47\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox47\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-28 21:46
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6000 Disk: Hitachi_HTS541616J9AT00 rev.SB4OA70H -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-2
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll >>UNKNOWN [0x8483FCA1]<<
c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x58; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85d2590b; SUB DWORD [EBP-0x4], 0x85d25113; PUSH EDI; CALL 0xffffffffffffdedd; }
1 ntkrnlpa!IofCallDriver[0x81C27F3B] -> \Device\Harddisk0\DR0[0x84818660]
3 nt[0x81CB07E2] -> ntkrnlpa!IofCallDriver[0x81C27F3B] -> [0x84818E50]
5 PCTCore[0x8076C099] -> ntkrnlpa!IofCallDriver[0x81C27F3B] -> [0x83E60870]
7 acpi[0x8023232A] -> ntkrnlpa!IofCallDriver[0x81C27F3B] -> [0x847C98B8]
[0x847E31E8] -> IRP_MJ_CREATE -> 0x8483FCA1
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-2 -> \??\IDE#DiskHitachi_HTS541616J9AT00_________________SB4OA70H#5&2087e683&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8483F8C3
user & kernel MBR OK
sectors 312581806 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-11-28 21:55:08
ComboFix-quarantined-files.txt 2011-11-29 02:53
ComboFix2.txt 2011-11-28 23:05
.
Pre-Run: 4,056,989,696 bytes free
Post-Run: 4,026,953,728 bytes free
.
- - End Of File - - A4B4176241AA089922D4656FCFD41E88


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-28 22:19:12
-----------------------------
22:19:12.909 OS Version: Windows 6.0.6000
22:19:12.909 Number of processors: 1 586 0x2402
22:19:12.912 ComputerName: USER-PC UserName: user
22:19:39.918 Initialize success
22:19:56.683 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort2
22:19:56.699 Disk 0 Vendor: Hitachi_HTS541616J9AT00 SB4OA70H Size: 152627MB BusType: 3
22:19:56.714 Device \Device\Ide\IdeDeviceP2T0L0-2 -> \??\IDE#DiskHitachi_HTS541616J9AT00_________________SB4OA70H#5&2087e683&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
22:19:56.714 Device \Driver\atapi -> DriverStartIo 8483f8c3
22:19:57.839 Disk 0 MBR read successfully
22:19:57.855 Disk 0 MBR scan
22:19:57.871 Disk 0 Windows VISTA default MBR code
22:19:57.886 Disk 0 scanning sectors +312578048
22:19:58.011 Disk 0 scanning C:\Windows\system32\drivers
22:20:02.980 File: C:\Windows\system32\drivers\atapi.sys TDL3 **ROOTKIT**
22:20:14.324 Service scanning
22:20:27.074 Modules scanning
22:20:49.730 Disk 0 trace - called modules:
22:20:49.777 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll >>UNKNOWN [0x8483fca1]<<
22:20:50.308 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84818830]
22:20:50.324 3 ntkrnlpa.exe[81cb07e2] -> nt!IofCallDriver -> [0x847e2730]
22:20:50.355 5 PCTCore.sys[8076c099] -> nt!IofCallDriver -> [0x83e60870]
22:20:50.371 7 acpi.sys[8023232a] -> nt!IofCallDriver -> [0x847c98b8]
22:20:50.402 [0x85409a18] -> IRP_MJ_CREATE -> 0x8483fca1
22:20:50.418 Scan finished successfully
22:30:42.043 Disk 0 MBR has been saved successfully to "C:\Users\user\Desktop\MBR.dat"
22:30:42.058 The log file has been saved successfully to "C:\Users\user\Desktop\aswMBR.txt"
#7
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Good call, as aswMBR cannot cure TDL3 - but I know a programme that can. First we will kill the remaining driver.

If you should get that error again after running Combofix, then just reboot to release the registry

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\program files\Mozilla Firefox2\dqkiugcqmm.sys

Driver::
dqkiugcqmm

Save this as CFScript.txt, in the same location as ComboFix.exe
Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip; click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

    Posted Image
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.
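As an added example (not from this thread, nor from ComboFix, aswMBR or TDSSKiller), here is a small Python script that pulls out of the pasted logs the indicators the helper is acting on: the forged atapi.sys hash, the TDSSKiller "infected" verdict, the MBR user-vs-kernel mismatch, and a driver such as dqkiugcqmm.sys that is loaded from outside system32\drivers with no file metadata recorded. The sample lines are copied from the logs in this thread; the driver heuristic is my own assumption, not a rule any of these tools apply.

```python
"""Triage helper for the ComboFix, aswMBR and TDSSKiller logs pasted in this thread.

Added example, not part of the thread or of any of those tools. It extracts the
indicators the tools print (a forged driver hash, an 'infected' verdict, the MBR
'user != kernel' mismatch) and applies one extra heuristic of my own to ComboFix's
driver/service list: a .sys loaded from outside system32\\drivers for which
ComboFix recorded no timestamp or size ([x]). Sample lines come from this thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    kind: str     # "forged-hash" | "verdict" | "suspicious-driver" | "disk"
    subject: str  # driver or service name, or a file path
    detail: str


# TDSSKiller: "<time> <pid> Suspicious file (Forged): <path>. Real md5: <x>, Fake md5: <y>"
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})",
    re.IGNORECASE,
)
# TDSSKiller: "<time> <pid> atapi ( Rootkit.Win32.TDSS.tdl3 ) - infected"
VERDICT_RE = re.compile(
    r"^\S+ \d+ (?P<name>\S+) \( (?P<threat>[^)]+?) \) - (?P<verdict>infected|warning)$"
)
# ComboFix service list: "R3 name;display name;path [date size]" or "... [x]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) (?P<meta>\[[^\]]*\])$"
)
# aswMBR / ComboFix disk-check lines that on their own call for follow-up.
DISK_RE = re.compile(
    r"user != kernel|\*\*ROOTKIT\*\*|possible TDL3 rootkit infection", re.IGNORECASE
)
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def check_service_entry(m: "re.Match[str]") -> Optional[Finding]:
    """Heuristic (assumption, not a ComboFix rule): a kernel driver listed
    outside system32\\drivers with no file metadata ([x]) deserves a look.
    This is the shape of the dqkiugcqmm.sys entry in this thread."""
    path = m["path"]
    if not path.lower().endswith(".sys"):
        return None
    outside = not path.lower().startswith(SYSTEM_DRIVER_DIR)
    no_metadata = m["meta"] == "[x]"
    if not (outside and no_metadata):
        return None
    reasons = ["loaded from outside system32\\drivers", "no timestamp/size recorded ([x])"]
    stem = path.rsplit("\\", 1)[-1][:-4]
    if m["name"].lower() == m["display"].lower() == stem.lower():
        reasons.append("service, display and file names are identical")
    return Finding("suspicious-driver", m["name"], path + ": " + "; ".join(reasons))


def triage(log_text: str) -> List[Finding]:
    """Return every indicator found in the log text, in line order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := FORGED_RE.search(line):
            findings.append(Finding(
                "forged-hash", m["path"],
                f"real md5 {m['real']} vs fake md5 {m['fake']}: content differs by read path"))
        elif m := VERDICT_RE.match(line):
            findings.append(Finding("verdict", m["name"], f"{m['threat']} - {m['verdict']}"))
        elif m := SERVICE_RE.match(line):
            if (found := check_service_entry(m)) is not None:
                findings.append(found)
        elif DISK_RE.search(line):
            findings.append(Finding("disk", "Disk 0 / MBR", line))
    return findings


# Constructed sample: lines copied from the ComboFix, aswMBR and TDSSKiller logs in this thread.
SAMPLE_LOG = r"""
R3 dqkiugcqmm;dqkiugcqmm;c:\program files\Mozilla Firefox2\dqkiugcqmm.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-03-30 12872]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [x]
user & kernel MBR OK
sectors 312581806 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
22:20:02.980 File: C:\Windows\system32\drivers\atapi.sys TDL3 **ROOTKIT**
18:50:51.0441 1648 atapi (281dd9c4847e33a99d870d6b27706a70) C:\Windows\system32\drivers\atapi.sys
18:50:51.0442 1648 Suspicious file (Forged): C:\Windows\system32\drivers\atapi.sys. Real md5: 281dd9c4847e33a99d870d6b27706a70, Fake md5: b35cfcef838382ab6490b321c87edf17
18:50:51.0443 1648 atapi ( Rootkit.Win32.TDSS.tdl3 ) - infected
18:50:58.0546 1648 ENTECH ( UnsignedFile.Multi.Generic ) - warning
18:50:58.0714 1648 fastfat (84a317cb0b3954d3768cdcd018dbf670) C:\Windows\system32\drivers\fastfat.sys
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

Legitimate entries that share only one trait with the bad driver (MBAMSwissArmy has `[x]` but sits in system32\drivers; SASENUM is outside that directory but has a timestamp) are deliberately left alone.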

#8
drewdreworld
    Member
  • Topic Starter
  • Member
  • 90 posts
ComboFix 11-11-28.02 - user 11/29/2011 15:36:37.3.1 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.2047.1422 [GMT -5:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
* Created a new restore point
.
FILE ::
"c:\program files\Mozilla Firefox2\dqkiugcqmm.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DQKIUGCQMM
-------\Service_dqkiugcqmm
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-29 )))))))))))))))))))))))))))))))
.
.
2011-11-29 21:06 . 2011-11-29 21:06 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2011-11-29 21:06 . 2011-11-29 21:06 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-11-29 21:06 . 2011-11-29 21:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-29 02:55 . 2011-11-29 21:12 -------- d-----w- c:\users\user\AppData\Local\temp
2011-11-28 21:59 . 2008-01-19 05:28 350720 ----a-w- c:\windows\system32\drivers\csc.sys
2011-11-25 13:03 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{77D6E7F1-BECA-43D0-97A8-438E431E8850}\mpengine.dll
2011-11-07 04:30 . 2011-11-07 04:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 22:00 . 2010-03-29 21:59 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-18 98393]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-18 688217]
"SMSERIAL"="sm56hlpr.exe" [2005-05-26 544768]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-05-31 1177368]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-18 185896]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-03-30 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-03-30 08:31 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3263878486-2184788633-2282676407-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [x]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-03-30 12872]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2010-03-15 366840]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-25 239168]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2008-05-31 96520]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-03-30 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-03-30 66632]
S3 rt61x86;Gigabyte RT61 Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr61.sys [2009-06-10 335872]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 97.81.22.195 71.92.29.130 24.217.201.67
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\134mu3pb.default\
FF - prefs.js: browser.startup.homepage - www.teamliquid.net
FF - prefs.js: network.proxy.type - 0
FF - Ext: Move Media Player: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox47\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox47\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-29 16:12
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\sm56hlpr.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\system32\scrnsave.scr
.
**************************************************************************
.
Completion time: 2011-11-29 16:22:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-29 21:20
ComboFix2.txt 2011-11-29 02:55
ComboFix3.txt 2011-11-28 23:05
.
Pre-Run: 4,019,077,120 bytes free
Post-Run: 3,985,260,544 bytes free
.
- - End Of File - - 3B4766A4E9D1A6EEF0A40A15C40D88B8


18:50:26.0122 3792 TDSS rootkit removing tool 2.6.21.0 Nov 24 2011 12:32:44
18:50:26.0313 3792 ============================================================
18:50:26.0313 3792 Current date / time: 2011/11/29 18:50:26.0313
18:50:26.0313 3792 SystemInfo:
18:50:26.0313 3792
18:50:26.0313 3792 OS Version: 6.0.6000 ServicePack: 0.0
18:50:26.0313 3792 Product type: Workstation
18:50:26.0314 3792 ComputerName: USER-PC
18:50:26.0314 3792 UserName: user
18:50:26.0314 3792 Windows directory: C:\Windows
18:50:26.0315 3792 System windows directory: C:\Windows
18:50:26.0315 3792 Processor architecture: Intel x86
18:50:26.0315 3792 Number of processors: 1
18:50:26.0315 3792 Page size: 0x1000
18:50:26.0315 3792 Boot type: Normal boot
18:50:26.0315 3792 ============================================================
18:50:27.0581 3792 Initialize success
18:50:48.0118 1648 ============================================================
18:50:48.0118 1648 Scan started
18:50:48.0118 1648 Mode: Manual; SigCheck; TDLFS;
18:50:48.0118 1648 ============================================================
18:50:48.0840 1648 ACPI (84fc6df81212d16be5c4f441682feccc) C:\Windows\system32\drivers\acpi.sys
18:50:49.0114 1648 ACPI - ok
18:50:49.0220 1648 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
18:50:49.0261 1648 adp94xx - ok
18:50:49.0320 1648 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
18:50:49.0350 1648 adpahci - ok
18:50:49.0485 1648 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
18:50:49.0506 1648 adpu160m - ok
18:50:49.0555 1648 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
18:50:49.0579 1648 adpu320 - ok
18:50:49.0673 1648 AFD (5d24caf8efd924a875698ff28384db8b) C:\Windows\system32\drivers\afd.sys
18:50:49.0838 1648 AFD - ok
18:50:49.0996 1648 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
18:50:50.0015 1648 agp440 - ok
18:50:50.0070 1648 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
18:50:50.0090 1648 aic78xx - ok
18:50:50.0152 1648 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
18:50:50.0170 1648 aliide - ok
18:50:50.0315 1648 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
18:50:50.0335 1648 amdagp - ok
18:50:50.0380 1648 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
18:50:50.0399 1648 amdide - ok
18:50:50.0450 1648 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
18:50:50.0576 1648 AmdK7 - ok
18:50:50.0699 1648 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\Windows\system32\DRIVERS\amdk8.sys
18:50:50.0765 1648 AmdK8 - ok
18:50:50.0974 1648 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
18:50:50.0997 1648 arc - ok
18:50:51.0041 1648 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
18:50:51.0064 1648 arcsas - ok
18:50:51.0164 1648 AsyncMac (e86cf7ce67d5de898f27ef884dc357d8) C:\Windows\system32\DRIVERS\asyncmac.sys
18:50:51.0306 1648 AsyncMac - ok
18:50:51.0441 1648 atapi (281dd9c4847e33a99d870d6b27706a70) C:\Windows\system32\drivers\atapi.sys
18:50:51.0442 1648 Suspicious file (Forged): C:\Windows\system32\drivers\atapi.sys. Real md5: 281dd9c4847e33a99d870d6b27706a70, Fake md5: b35cfcef838382ab6490b321c87edf17
18:50:51.0443 1648 atapi ( Rootkit.Win32.TDSS.tdl3 ) - infected
18:50:51.0444 1648 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
18:50:51.0710 1648 atikmdag (a23efb72057fed7128eb558866055fdf) C:\Windows\system32\DRIVERS\atikmdag.sys
18:50:52.0022 1648 atikmdag - ok
18:50:52.0264 1648 AvgLdx86 (2903d25016f12415834d4ec88901d258) C:\Windows\System32\Drivers\avgldx86.sys
18:50:52.0342 1648 AvgLdx86 - ok
18:50:52.0408 1648 AvgMfx86 (1068d68bb3180e16b32985e329e474cd) C:\Windows\System32\Drivers\avgmfx86.sys
18:50:52.0422 1648 AvgMfx86 - ok
18:50:52.0573 1648 Beep - ok
18:50:52.0647 1648 blbdrive - ok
18:50:52.0711 1648 bowser (913cd06fbe9105ce6077e90fd4418561) C:\Windows\system32\DRIVERS\bowser.sys
18:50:52.0869 1648 bowser - ok
18:50:53.0020 1648 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
18:50:53.0194 1648 BrFiltLo - ok
18:50:53.0319 1648 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
18:50:53.0392 1648 BrFiltUp - ok
18:50:53.0474 1648 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
18:50:53.0608 1648 Brserid - ok
18:50:53.0738 1648 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
18:50:53.0886 1648 BrSerWdm - ok
18:50:54.0103 1648 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
18:50:54.0236 1648 BrUsbMdm - ok
18:50:54.0388 1648 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
18:50:54.0521 1648 BrUsbSer - ok
18:50:54.0659 1648 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
18:50:54.0799 1648 BTHMODEM - ok
18:50:54.0975 1648 catchme - ok
18:50:55.0126 1648 cdfs (6c3a437fc873c6f6a4fc620b6888cb86) C:\Windows\system32\DRIVERS\cdfs.sys
18:50:55.0261 1648 cdfs - ok
18:50:55.0317 1648 cdrom (8d1866e61af096ae8b582454f5e4d303) C:\Windows\system32\DRIVERS\cdrom.sys
18:50:55.0457 1648 cdrom - ok
18:50:55.0599 1648 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
18:50:55.0731 1648 circlass - ok
18:50:55.0848 1648 CLFS (1b84fd0937d3b99af9ba38ddff3daf54) C:\Windows\system32\CLFS.sys
18:50:55.0888 1648 CLFS - ok
18:50:56.0047 1648 CmBatt (ed97ad3df1b9005989eaf149bf06c821) C:\Windows\system32\DRIVERS\CmBatt.sys
18:50:56.0113 1648 CmBatt - ok
18:50:56.0182 1648 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
18:50:56.0200 1648 cmdide - ok
18:50:56.0320 1648 Compbatt (722936afb75a7f509662b69b5632f48a) C:\Windows\system32\DRIVERS\compbatt.sys
18:50:56.0338 1648 Compbatt - ok
18:50:56.0541 1648 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
18:50:56.0559 1648 crcdisk - ok
18:50:56.0657 1648 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
18:50:56.0786 1648 Crusoe - ok
18:50:56.0892 1648 CSC (9a5434125c3dfe42393de4bbb791bd19) C:\Windows\system32\drivers\csc.sys
18:50:56.0944 1648 CSC - ok
18:50:57.0191 1648 disk (841af4c4d41d3e3b2f244e976b0f7963) C:\Windows\system32\drivers\disk.sys
18:50:57.0213 1648 disk - ok
18:50:57.0339 1648 drmkaud (ee472cd2c01f6f8e8aa1fa06ffef61b6) C:\Windows\system32\drivers\drmkaud.sys
18:50:57.0476 1648 drmkaud - ok
18:50:57.0626 1648 DXGKrnl (334988883de69adb27e2cf9f9715bbdb) C:\Windows\System32\drivers\dxgkrnl.sys
18:50:57.0718 1648 DXGKrnl - ok
18:50:57.0877 1648 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
18:50:58.0021 1648 E1G60 - ok
18:50:58.0153 1648 Ecache (0efc7531b936ee57fdb4e837664c509f) C:\Windows\system32\drivers\ecache.sys
18:50:58.0177 1648 Ecache - ok
18:50:58.0368 1648 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
18:50:58.0402 1648 elxstor - ok
18:50:58.0525 1648 ENTECH (fd9fc82f134b1c91004ffc76a5ae494b) C:\Windows\system32\DRIVERS\ENTECH.sys
18:50:58.0546 1648 ENTECH ( UnsignedFile.Multi.Generic ) - warning
18:50:58.0547 1648 ENTECH - detected UnsignedFile.Multi.Generic (1)
18:50:58.0714 1648 fastfat (84a317cb0b3954d3768cdcd018dbf670) C:\Windows\system32\drivers\fastfat.sys
18:50:58.0869 1648 fastfat - ok
18:50:58.0947 1648 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
18:50:59.0081 1648 fdc - ok
18:50:59.0230 1648 FileInfo (65773d6115c037ffd7ef8280ae85eb9d) C:\Windows\system32\drivers\fileinfo.sys
18:50:59.0252 1648 FileInfo - ok
18:50:59.0316 1648 Filetrace (c226dd0de060745f3e042f58dcf78402) C:\Windows\system32\drivers\filetrace.sys
18:50:59.0451 1648 Filetrace - ok
18:50:59.0579 1648 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
18:50:59.0701 1648 flpydisk - ok
18:50:59.0758 1648 FltMgr (a6a8da7ae4d53394ab22ac3ab6d3f5d3) C:\Windows\system32\drivers\fltmgr.sys
18:50:59.0794 1648 FltMgr - ok
18:50:59.0877 1648 Fs_Rec (66a078591208baa210c7634b11eb392c) C:\Windows\system32\drivers\Fs_Rec.sys
18:50:59.0926 1648 Fs_Rec - ok
18:51:00.0052 1648 fvevol (06a1cf72fbe3b50035fbff428c8d84b4) C:\Windows\system32\DRIVERS\fvevol.sys
18:51:00.0076 1648 fvevol - ok
18:51:00.0122 1648 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\DRIVERS\gagp30kx.sys
18:51:00.0143 1648 gagp30kx - ok
18:51:00.0222 1648 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\Drivers\GEARAspiWDM.sys
18:51:00.0237 1648 GEARAspiWDM - ok
18:51:00.0447 1648 HDAudBus (5fd053f305b77ebe97f284b20d89dc1c) C:\Windows\system32\drivers\hdaudbus.sys
18:51:00.0587 1648 HDAudBus - ok
18:51:00.0629 1648 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
18:51:00.0751 1648 HidBth - ok
18:51:00.0809 1648 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
18:51:00.0942 1648 HidIr - ok
18:51:01.0086 1648 HidUsb (3c64042b95e583b366ba4e5d2450235e) C:\Windows\system32\DRIVERS\hidusb.sys
18:51:01.0221 1648 HidUsb - ok
18:51:01.0291 1648 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
18:51:01.0310 1648 HpCISSs - ok
18:51:01.0415 1648 HTTP (ea24fe637d974a8a31bc650f478e3533) C:\Windows\system32\drivers\HTTP.sys
18:51:01.0500 1648 HTTP - ok
18:51:01.0633 1648 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
18:51:01.0651 1648 i2omp - ok
18:51:01.0761 1648 i8042prt (1c9ee072baa3abb460b91d7ee9152660) C:\Windows\system32\DRIVERS\i8042prt.sys
18:51:01.0816 1648 i8042prt - ok
18:51:01.0955 1648 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
18:51:01.0984 1648 iaStorV - ok
18:51:02.0109 1648 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
18:51:02.0129 1648 iirsp - ok
18:51:02.0323 1648 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
18:51:02.0342 1648 intelide - ok
18:51:02.0425 1648 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
18:51:02.0548 1648 intelppm - ok
18:51:02.0759 1648 IpFilterDriver (880c6f86cc3f551b8fea2c11141268c0) C:\Windows\system32\DRIVERS\ipfltdrv.sys
18:51:02.0874 1648 IpFilterDriver - ok
18:51:02.0991 1648 IpInIp - ok
18:51:03.0043 1648 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
18:51:03.0167 1648 IPMIDRV - ok
18:51:03.0230 1648 IPNAT (10077c35845101548037df04fd1a420b) C:\Windows\system32\DRIVERS\ipnat.sys
18:51:03.0379 1648 IPNAT - ok
18:51:03.0519 1648 IRENUM (a82f328f4792304184642d6d397bb1e3) C:\Windows\system32\drivers\irenum.sys
18:51:03.0654 1648 IRENUM - ok
18:51:03.0711 1648 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
18:51:03.0732 1648 isapnp - ok
18:51:03.0780 1648 iScsiPrt (4dca456d4d5723f8fa9c6760d240b0df) C:\Windows\system32\DRIVERS\msiscsi.sys
18:51:03.0805 1648 iScsiPrt - ok
18:51:03.0851 1648 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
18:51:03.0871 1648 iteatapi - ok
18:51:04.0054 1648 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
18:51:04.0077 1648 iteraid - ok
18:51:04.0162 1648 kbdclass (b076b2ab806b3f696dab21375389101c) C:\Windows\system32\DRIVERS\kbdclass.sys
18:51:04.0182 1648 kbdclass - ok
18:51:04.0257 1648 kbdhid (ed61dbc6603f612b7338283edbacbc4b) C:\Windows\system32\DRIVERS\kbdhid.sys
18:51:04.0295 1648 kbdhid - ok
18:51:04.0432 1648 KSecDD (0a829977b078dea11641fc2af87ceade) C:\Windows\system32\Drivers\ksecdd.sys
18:51:04.0489 1648 KSecDD - ok
18:51:04.0746 1648 lltdio (fd015b4f95daa2b712f0e372a116fbad) C:\Windows\system32\DRIVERS\lltdio.sys
18:51:04.0880 1648 lltdio - ok
18:51:05.0077 1648 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
18:51:05.0096 1648 LSI_FC - ok
18:51:05.0174 1648 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
18:51:05.0194 1648 LSI_SAS - ok
18:51:05.0265 1648 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
18:51:05.0288 1648 LSI_SCSI - ok
18:51:05.0336 1648 luafv (42885bb44b6e065b8575a8dd6c430c52) C:\Windows\system32\drivers\luafv.sys
18:51:05.0459 1648 luafv - ok
18:51:05.0694 1648 LVRS (a1857fbb9b4930eeb2fd92386c45c529) C:\Windows\system32\DRIVERS\lvrs.sys
18:51:05.0724 1648 LVRS - ok
18:51:06.0054 1648 LVUVC (3703406af0726badd24c5e552493e5b1) C:\Windows\system32\DRIVERS\lvuvc.sys
18:51:06.0436 1648 LVUVC - ok
18:51:06.0656 1648 MBAMSwissArmy - ok
18:51:06.0781 1648 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
18:51:06.0799 1648 megasas - ok
18:51:06.0885 1648 Modem (21755967298a46fb6adfec9db6012211) C:\Windows\system32\drivers\modem.sys
18:51:07.0019 1648 Modem - ok
18:51:07.0147 1648 monitor (7446e104a5fe5987ca9e4983fbac4f97) C:\Windows\system32\DRIVERS\monitor.sys
18:51:07.0206 1648 monitor - ok
18:51:07.0342 1648 mouclass (5fba13c1a1841b0885d316ed3589489d) C:\Windows\system32\DRIVERS\mouclass.sys
18:51:07.0365 1648 mouclass - ok
18:51:07.0433 1648 mouhid (b569b5c5d3bde545df3a6af512cccdba) C:\Windows\system32\DRIVERS\mouhid.sys
18:51:07.0474 1648 mouhid - ok
18:51:07.0529 1648 MountMgr (01f1e5a3e4877c931cbb31613fec16a6) C:\Windows\system32\drivers\mountmgr.sys
18:51:07.0548 1648 MountMgr - ok
18:51:07.0659 1648 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
18:51:07.0679 1648 mpio - ok
18:51:07.0753 1648 mpsdrv (6e7a7f0c1193ee5648443fe2d4b789ec) C:\Windows\system32\drivers\mpsdrv.sys
18:51:07.0804 1648 mpsdrv - ok
18:51:07.0880 1648 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
18:51:07.0899 1648 Mraid35x - ok
18:51:08.0026 1648 MRxDAV (1d8828b98ee309d65e006f0829e280e5) C:\Windows\system32\drivers\mrxdav.sys
18:51:08.0086 1648 MRxDAV - ok
18:51:08.0158 1648 mrxsmb (8af705ce1bb907932157fab821170f27) C:\Windows\system32\DRIVERS\mrxsmb.sys
18:51:08.0207 1648 mrxsmb - ok
18:51:08.0325 1648 mrxsmb10 (47e13ab23371be3279eef22bbfa2c1be) C:\Windows\system32\DRIVERS\mrxsmb10.sys
18:51:08.0385 1648 mrxsmb10 - ok
18:51:08.0430 1648 mrxsmb20 (90b3fc7bd6b3d7ee7635debba2187f66) C:\Windows\system32\DRIVERS\mrxsmb20.sys
18:51:08.0480 1648 mrxsmb20 - ok
18:51:08.0547 1648 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
18:51:08.0565 1648 msahci - ok
18:51:08.0742 1648 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
18:51:08.0762 1648 msdsm - ok
18:51:08.0897 1648 Msfs (729eafefd4e7417165f353a18dbe947d) C:\Windows\system32\drivers\Msfs.sys
18:51:09.0030 1648 Msfs - ok
18:51:09.0103 1648 msisadrv (5f454a16a5146cd91a176d70f0cfa3ec) C:\Windows\system32\drivers\msisadrv.sys
18:51:09.0120 1648 msisadrv - ok
18:51:09.0239 1648 MSKSSRV (892cedefa7e0ffe7be8da651b651d047) C:\Windows\system32\drivers\MSKSSRV.sys
18:51:09.0367 1648 MSKSSRV - ok
18:51:09.0597 1648 MSPCLOCK (ae2cb1da69b2676b4cee2a501af5871c) C:\Windows\system32\drivers\MSPCLOCK.sys
18:51:09.0729 1648 MSPCLOCK - ok
18:51:09.0824 1648 MSPQM (f910da84fa90c44a3addb7cd874463fd) C:\Windows\system32\drivers\MSPQM.sys
18:51:09.0957 1648 MSPQM - ok
18:51:10.0003 1648 MsRPC (84571c0ae07647ba38d493f5f0015df7) C:\Windows\system32\drivers\MsRPC.sys
18:51:10.0031 1648 MsRPC - ok
18:51:10.0087 1648 mssmbios (4385c80ede885e25492d408cad91bd6f) C:\Windows\system32\DRIVERS\mssmbios.sys
18:51:10.0108 1648 mssmbios - ok
18:51:10.0166 1648 MSTEE (c826dd1373f38afd9ca46ec3c436a14e) C:\Windows\system32\drivers\MSTEE.sys
18:51:10.0291 1648 MSTEE - ok
18:51:10.0339 1648 Mup (fa7aa70050cf5e2d15de00941e5665e5) C:\Windows\system32\Drivers\mup.sys
18:51:10.0359 1648 Mup - ok
18:51:10.0585 1648 NativeWifiP (6da4a0fc7c0e83df0cb3cfd0a514c3bc) C:\Windows\system32\DRIVERS\nwifi.sys
18:51:10.0626 1648 NativeWifiP - ok
18:51:10.0769 1648 NDIS (227c11e1e7cf6ef8afb2a238d209760c) C:\Windows\system32\drivers\ndis.sys
18:51:10.0812 1648 NDIS - ok
18:51:10.0963 1648 NdisTapi (81659cdcbd0f9a9e07e6878ad8c78d3f) C:\Windows\system32\DRIVERS\ndistapi.sys
18:51:11.0022 1648 NdisTapi - ok
18:51:11.0087 1648 Ndisuio (5de5ee546bf40838ebe0e01cb629df64) C:\Windows\system32\DRIVERS\ndisuio.sys
18:51:11.0216 1648 Ndisuio - ok
18:51:11.0276 1648 NdisWan (397402adcbb8946223a1950101f6cd94) C:\Windows\system32\DRIVERS\ndiswan.sys
18:51:11.0424 1648 NdisWan - ok
18:51:11.0619 1648 NDProxy (1b24fa907af283199a81b3bb37e5e526) C:\Windows\system32\drivers\NDProxy.sys
18:51:11.0658 1648 NDProxy - ok
18:51:11.0786 1648 NetBIOS (356dbb9f98e8dc1028dd3092fceeb877) C:\Windows\system32\DRIVERS\netbios.sys
18:51:11.0909 1648 NetBIOS - ok
18:51:11.0994 1648 netbt (e3a168912e7eefc3bd3b814720d68b41) C:\Windows\system32\DRIVERS\netbt.sys
18:51:12.0142 1648 netbt - ok
18:51:12.0294 1648 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
18:51:12.0316 1648 nfrd960 - ok
18:51:12.0398 1648 Npfs (4f9832beb9fafd8ceb0e541f1323b26e) C:\Windows\system32\drivers\Npfs.sys
18:51:12.0524 1648 Npfs - ok
18:51:12.0656 1648 nsiproxy (b488dfec274de1fc9d653870ef2587be) C:\Windows\system32\drivers\nsiproxy.sys
18:51:12.0770 1648 nsiproxy - ok
18:51:12.0899 1648 Ntfs (37430aa7a66d7a63407adc2c0d05e9f6) C:\Windows\system32\drivers\Ntfs.sys
18:51:12.0973 1648 Ntfs - ok
18:51:13.0168 1648 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
18:51:13.0279 1648 ntrigdigi - ok
18:51:13.0425 1648 Null (ec5efb3c60f1b624648344a328bce596) C:\Windows\system32\drivers\Null.sys
18:51:13.0537 1648 Null - ok
18:51:13.0601 1648 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
18:51:13.0622 1648 nvraid - ok
18:51:13.0667 1648 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
18:51:13.0687 1648 nvstor - ok
18:51:13.0734 1648 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
18:51:13.0756 1648 nv_agp - ok
18:51:13.0819 1648 NwlnkFlt - ok
18:51:13.0889 1648 NwlnkFwd - ok
18:51:13.0982 1648 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\DRIVERS\ohci1394.sys
18:51:14.0123 1648 ohci1394 - ok
18:51:14.0271 1648 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
18:51:14.0412 1648 Parport - ok
18:51:14.0479 1648 partmgr (555a5b2c8022983bc7467bc925b222ee) C:\Windows\system32\drivers\partmgr.sys
18:51:14.0501 1648 partmgr - ok
18:51:14.0551 1648 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
18:51:14.0684 1648 Parvdm - ok
18:51:14.0871 1648 pci (1085d75657807e0e8b32f9e19a1647c3) C:\Windows\system32\drivers\pci.sys
18:51:14.0904 1648 pci - ok
18:51:14.0961 1648 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
18:51:14.0979 1648 pciide - ok
18:51:15.0028 1648 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
18:51:15.0056 1648 pcmcia - ok
18:51:15.0160 1648 PCTCore (6ef125721a9f1f7dbf3229786f7decd0) C:\Windows\system32\drivers\PCTCore.sys
18:51:15.0188 1648 PCTCore - ok
18:51:15.0450 1648 pctDS (f820b4c61d1e591325b679d479d4eea4) C:\Windows\system32\drivers\pctDS.sys
18:51:15.0494 1648 pctDS - ok
18:51:15.0748 1648 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
18:51:15.0899 1648 PEAUTH - ok
18:51:16.0250 1648 PptpMiniport (6c359ac71d7b550a0d41f9db4563ce05) C:\Windows\system32\DRIVERS\raspptp.sys
18:51:16.0391 1648 PptpMiniport - ok
18:51:16.0587 1648 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
18:51:16.0704 1648 Processor - ok
18:51:17.0140 1648 PSched (2c8bae55247c4e09352e870292e4d1ab) C:\Windows\system32\DRIVERS\pacer.sys
18:51:17.0186 1648 PSched - ok
18:51:17.0513 1648 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
18:51:17.0580 1648 ql2300 - ok
18:51:17.0964 1648 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
18:51:17.0985 1648 ql40xx - ok
18:51:18.0370 1648 QWAVEdrv (d2b3e2b7426dc23e185fbc73c8936c12) C:\Windows\system32\drivers\qwavedrv.sys
18:51:18.0504 1648 QWAVEdrv - ok
18:51:18.0889 1648 R300 (a23efb72057fed7128eb558866055fdf) C:\Windows\system32\DRIVERS\atikmdag.sys
18:51:19.0123 1648 R300 - ok
18:51:19.0322 1648 RasAcd (bd7b30f55b3649506dd8b3d38f571d2a) C:\Windows\system32\DRIVERS\rasacd.sys
18:51:19.0453 1648 RasAcd - ok
18:51:19.0866 1648 Rasl2tp (88587dd843e2059848995b407b67f6cf) C:\Windows\system32\DRIVERS\rasl2tp.sys
18:51:19.0994 1648 Rasl2tp - ok
18:51:20.0090 1648 RasPppoe (ccf4e9c6cbbac81437f88cb2ae0b6c96) C:\Windows\system32\DRIVERS\raspppoe.sys
18:51:20.0226 1648 RasPppoe - ok
18:51:20.0344 1648 rdbss (54129c5d9581bbec8bd1ebd3ba813f47) C:\Windows\system32\DRIVERS\rdbss.sys
18:51:20.0502 1648 rdbss - ok
18:51:20.0540 1648 RDPCDD (794585276b5d7fca9f3fc15543f9f0b9) C:\Windows\system32\DRIVERS\RDPCDD.sys
18:51:20.0704 1648 RDPCDD - ok
18:51:20.0774 1648 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\DRIVERS\rdpdr.sys
18:51:20.0918 1648 rdpdr - ok
18:51:21.0101 1648 RDPENCDD (980b56e2e273e19d3a9d72d5c420f008) C:\Windows\system32\drivers\rdpencdd.sys
18:51:21.0233 1648 RDPENCDD - ok
18:51:21.0401 1648 RDPWD (8830e790a74a96605faba74f9665bb3c) C:\Windows\system32\drivers\RDPWD.sys
18:51:21.0558 1648 RDPWD - ok
18:51:21.0671 1648 rspndr (97e939d2128fec5d5a3e6e79b290a2f4) C:\Windows\system32\DRIVERS\rspndr.sys
18:51:21.0805 1648 rspndr - ok
18:51:22.0098 1648 RT61 (581e74880aeb1dba1cb5ac8e6e6c0a69) C:\Windows\system32\DRIVERS\RT61.sys
18:51:22.0164 1648 RT61 - ok
18:51:22.0312 1648 rt61x86 (dd0bacc94b640abd17901557814e0bff) C:\Windows\system32\DRIVERS\netr61.sys
18:51:22.0408 1648 rt61x86 - ok
18:51:22.0792 1648 RTL8169 (283392af1860ecdb5e0f8ebd7f3d72df) C:\Windows\system32\DRIVERS\Rtlh86.sys
18:51:22.0959 1648 RTL8169 - ok
18:51:23.0241 1648 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
18:51:23.0279 1648 SASDIFSV - ok
18:51:23.0384 1648 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
18:51:23.0398 1648 SASENUM - ok
18:51:23.0440 1648 SASKUTIL (67d2688756dd304af655349baad82bff) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
18:51:23.0458 1648 SASKUTIL - ok
18:51:23.0894 1648 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
18:51:23.0915 1648 sbp2port - ok
18:51:24.0205 1648 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
18:51:24.0330 1648 secdrv - ok
18:51:24.0640 1648 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
18:51:24.0752 1648 Serenum - ok
18:51:24.0901 1648 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
18:51:25.0046 1648 Serial - ok
18:51:25.0420 1648 sermouse (450accd77ec5cea720c1cdb9e26b953b) C:\Windows\system32\drivers\sermouse.sys
18:51:25.0467 1648 sermouse - ok
18:51:25.0875 1648 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
18:51:26.0023 1648 sffdisk - ok
18:51:26.0283 1648 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
18:51:26.0419 1648 sffp_mmc - ok
18:51:26.0508 1648 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
18:51:26.0642 1648 sffp_sd - ok
18:51:26.0997 1648 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
18:51:27.0157 1648 sfloppy - ok
18:51:27.0341 1648 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
18:51:27.0372 1648 SiSRaid2 - ok
18:51:27.0439 1648 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
18:51:27.0459 1648 SiSRaid4 - ok
18:51:27.0532 1648 Smb (ac0d90738adb51a6fd12ff00874a2162) C:\Windows\system32\DRIVERS\smb.sys
18:51:27.0673 1648 Smb - ok
18:51:27.0821 1648 smserial (9168d5b5d7f149523a38de4a19e7e0e0) C:\Windows\system32\DRIVERS\smserial.sys
18:51:27.0966 1648 smserial - ok
18:51:28.0243 1648 spldr (426f9b029aa9162ceccf65369457d046) C:\Windows\system32\drivers\spldr.sys
18:51:28.0262 1648 spldr - ok
18:51:28.0507 1648 srv (038579c35f7cad4a4bbf735dbf83277d) C:\Windows\system32\DRIVERS\srv.sys
18:51:28.0568 1648 srv - ok
18:51:28.0756 1648 srv2 (6971a757af8cb5e2cbcbb76cc530db6c) C:\Windows\system32\DRIVERS\srv2.sys
18:51:28.0822 1648 srv2 - ok
18:51:29.0110 1648 srvnet (9e1a4603b874eebce0298113951abefb) C:\Windows\system32\DRIVERS\srvnet.sys
18:51:29.0167 1648 srvnet - ok
18:51:29.0492 1648 swenum (1379bdb336f8158c176a465e30759f57) C:\Windows\system32\DRIVERS\swenum.sys
18:51:29.0511 1648 swenum - ok
18:51:29.0637 1648 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
18:51:29.0702 1648 Symc8xx - ok
18:51:29.0977 1648 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
18:51:30.0022 1648 Sym_hi - ok
18:51:30.0136 1648 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
18:51:30.0173 1648 Sym_u3 - ok
18:51:30.0387 1648 SynTP (59e9d90d6373f8ad4e3ebd0ecdedd35e) C:\Windows\system32\DRIVERS\SynTP.sys
18:51:30.0475 1648 SynTP - ok
18:51:31.0059 1648 Tcpip (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\drivers\tcpip.sys
18:51:31.0157 1648 Tcpip - ok
18:51:31.0472 1648 Tcpip6 (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\DRIVERS\tcpip.sys
18:51:31.0531 1648 Tcpip6 - ok
18:51:31.0916 1648 tcpipreg (5ce0c4a7b12d0067dad527d72b68c726) C:\Windows\system32\drivers\tcpipreg.sys
18:51:32.0058 1648 tcpipreg - ok
18:51:32.0217 1648 TDPIPE (964248aef49c31fa6a93201a73ffaf50) C:\Windows\system32\drivers\tdpipe.sys
18:51:32.0388 1648 TDPIPE - ok
18:51:32.0827 1648 TDTCP (7d2c1ae1648a60fce4aa0f7982e419d3) C:\Windows\system32\drivers\tdtcp.sys
18:51:32.0974 1648 TDTCP - ok
18:51:33.0305 1648 tdx (ab4fde8af4a0270a46a001c08cbce1c2) C:\Windows\system32\DRIVERS\tdx.sys
18:51:33.0473 1648 tdx - ok
18:51:33.0635 1648 TermDD (2c549bd9dd091fbfaa0a2a48e82ec2fb) C:\Windows\system32\DRIVERS\termdd.sys
18:51:33.0677 1648 TermDD - ok
18:51:34.0065 1648 tssecsrv (29f0eca726f0d51f7e048bdb0b372f29) C:\Windows\system32\DRIVERS\tssecsrv.sys
18:51:34.0245 1648 tssecsrv - ok
18:51:34.0552 1648 tunmp (65e953bc0084d44498b51f59784d2a82) C:\Windows\system32\DRIVERS\tunmp.sys
18:51:34.0628 1648 tunmp - ok
18:51:34.0761 1648 tunnel (4a39bda5e0fd30bdf4884f9d33ae6105) C:\Windows\system32\DRIVERS\tunnel.sys
18:51:34.0836 1648 tunnel - ok
18:51:35.0282 1648 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
18:51:35.0302 1648 uagp35 - ok
18:51:35.0606 1648 udfs (6348da98707ceda8a0dfb05820e17732) C:\Windows\system32\DRIVERS\udfs.sys
18:51:35.0780 1648 udfs - ok
18:51:36.0376 1648 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
18:51:36.0397 1648 uliagpkx - ok
18:51:36.0617 1648 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
18:51:36.0644 1648 uliahci - ok
18:51:36.0858 1648 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
18:51:36.0878 1648 UlSata - ok
18:51:37.0383 1648 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
18:51:37.0407 1648 ulsata2 - ok
18:51:37.0563 1648 umbus (3fb78f1d1dd86d87bececd9dffa24dd9) C:\Windows\system32\DRIVERS\umbus.sys
18:51:37.0728 1648 umbus - ok
18:51:37.0881 1648 UMPass (08ea9c0247f391af4d4a16885a1c159d) C:\Windows\system32\DRIVERS\umpass.sys
18:51:38.0005 1648 UMPass - ok
18:51:38.0199 1648 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\Windows\system32\Drivers\usbaapl.sys
18:51:38.0267 1648 USBAAPL - ok
18:51:38.0363 1648 usbaudio (f6bf998ae33e3fb6c7d27f0560f1173f) C:\Windows\system32\drivers\usbaudio.sys
18:51:38.0531 1648 usbaudio - ok
18:51:38.0702 1648 usbccgp (b0ba9caffe9b0555ec0317f30cb79cd2) C:\Windows\system32\DRIVERS\usbccgp.sys
18:51:38.0773 1648 usbccgp - ok
18:51:38.0871 1648 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
18:51:39.0015 1648 usbcir - ok
18:51:39.0462 1648 usbehci (c9fcd05b0a80ea08c2768e5a279b14de) C:\Windows\system32\DRIVERS\usbehci.sys
18:51:39.0514 1648 usbehci - ok
18:51:39.0572 1648 usbhub (5e44f7d957f7560da06bfe6b84b58a35) C:\Windows\system32\DRIVERS\usbhub.sys
18:51:39.0620 1648 usbhub - ok
18:51:39.0675 1648 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
18:51:39.0804 1648 usbohci - ok
18:51:40.0448 1648 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\DRIVERS\usbprint.sys
18:51:40.0631 1648 usbprint - ok
18:51:40.0901 1648 USBSTOR (7887ce56934e7f104e98c975f47353c5) C:\Windows\system32\DRIVERS\USBSTOR.SYS
18:51:40.0950 1648 USBSTOR - ok
18:51:41.0358 1648 usbuhci (d864735b0bfcb65440960a0b7cc1a38d) C:\Windows\system32\DRIVERS\usbuhci.sys
18:51:41.0400 1648 usbuhci - ok
18:51:41.0561 1648 usbvideo (0a6b81f01bc86399482e27e6fda7b33b) C:\Windows\system32\Drivers\usbvideo.sys
18:51:41.0712 1648 usbvideo - ok
18:51:41.0954 1648 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
18:51:42.0087 1648 vga - ok
18:51:42.0205 1648 VgaSave (17a8f877314e4067f8c8172cc6d9101c) C:\Windows\System32\drivers\vga.sys
18:51:42.0354 1648 VgaSave - ok
18:51:42.0666 1648 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
18:51:42.0687 1648 viaagp - ok
18:51:42.0966 1648 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
18:51:43.0094 1648 ViaC7 - ok
18:51:43.0605 1648 viaide (48c9b50cddd51a205f7aa1639b3d4822) C:\Windows\system32\drivers\viaide.sys
18:51:43.0624 1648 viaide - ok
18:51:43.0753 1648 VIAudio (178a48f413453c99a59a7d3eb5f23524) C:\Windows\system32\drivers\ac97via.sys
18:51:43.0868 1648 VIAudio - ok
18:51:44.0219 1648 volmgr (103e84c95832d0ed93507997cc7b54e8) C:\Windows\system32\drivers\volmgr.sys
18:51:44.0237 1648 volmgr - ok
18:51:44.0643 1648 volmgrx (294da8d3f965f6a8db934a83c7b461ff) C:\Windows\system32\drivers\volmgrx.sys
18:51:44.0676 1648 volmgrx - ok
18:51:45.0336 1648 volsnap (80dc0c9bcb579ed9815001a4d37cbfd5) C:\Windows\system32\drivers\volsnap.sys
18:51:45.0381 1648 volsnap - ok
18:51:45.0674 1648 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
18:51:45.0695 1648 vsmraid - ok
18:51:46.0193 1648 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
18:51:46.0318 1648 WacomPen - ok
18:51:46.0735 1648 Wanarp (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys
18:51:46.0778 1648 Wanarp - ok
18:51:46.0817 1648 Wanarpv6 (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys
18:51:46.0847 1648 Wanarpv6 - ok
18:51:47.0236 1648 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
18:51:47.0278 1648 Wd - ok
18:51:47.0581 1648 Wdf01000 (7b5f66e4a2219c7d9daf9e738480e534) C:\Windows\system32\drivers\Wdf01000.sys
18:51:47.0704 1648 Wdf01000 - ok
18:51:48.0173 1648 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
18:51:48.0351 1648 WmiAcpi - ok
18:51:48.0944 1648 WpdUsb (2d27171b16a577ef14c1273668753485) C:\Windows\system32\DRIVERS\wpdusb.sys
18:51:49.0100 1648 WpdUsb - ok
18:51:49.0619 1648 ws2ifsl (84620aecdcfd2a7a14e6263927d8c0ed) C:\Windows\system32\drivers\ws2ifsl.sys
18:51:49.0792 1648 ws2ifsl - ok
18:51:50.0348 1648 WUDFRd (a2aafcc8a204736296d937c7c545b53f) C:\Windows\system32\DRIVERS\WUDFRd.sys
18:51:50.0509 1648 WUDFRd - ok
18:51:50.0624 1648 xnacc (69d5c58a3a03f86196db66ee95435652) C:\Windows\system32\DRIVERS\xnacc.sys
18:51:50.0768 1648 xnacc - ok
18:51:50.0831 1648 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
18:51:50.0927 1648 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
18:51:50.0927 1648 \Device\Harddisk0\DR0 - detected TDSS File System (1)
18:51:50.0942 1648 Boot (0x1200) (28727e05a316f8241aa38d5068f81ea0) \Device\Harddisk0\DR0\Partition0
18:51:50.0944 1648 \Device\Harddisk0\DR0\Partition0 - ok
18:51:51.0003 1648 Boot (0x1200) (f6f017a9dd40c2b73a927b4fc26e3df9) \Device\Harddisk0\DR0\Partition1
18:51:51.0088 1648 \Device\Harddisk0\DR0\Partition1 - ok
18:51:51.0095 1648 ============================================================
18:51:51.0095 1648 Scan finished
18:51:51.0095 1648 ============================================================
18:51:51.0123 3192 Detected object count: 3
18:51:51.0124 3192 Actual detected object count: 3
18:53:21.0839 3192 Backup copy found, using it..
18:53:21.0863 3192 C:\Windows\system32\drivers\atapi.sys - will be cured on reboot
18:53:21.0864 3192 atapi ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure
18:53:21.0871 3192 ENTECH ( UnsignedFile.Multi.Generic ) - skipped by user
18:53:21.0872 3192 ENTECH ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:53:21.0889 3192 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
18:53:21.0889 3192 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
18:53:28.0058 4064 Deinitialize success
  • 0
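The TDSSKiller log above ends with three detections: the unsigned ENTECH driver and a "TDSS File System" on the MBR of \Device\Harddisk0\DR0 (both skipped), and atapi.sys tagged Rootkit.Win32.TDSS.tdl3 (set to be cured on reboot). Picking those out by eye from roughly 1,800 lines is error-prone, so here is an added Python example, not part of this thread and not a Kaspersky tool, that reduces a log in this format to the facts a triage needs: which objects were flagged, what action the user chose for each, which files are pending a reboot cure, and which flagged objects are still unresolved. The regular expressions are my own, derived from the line shapes visible in this log, and the sample input is a constructed excerpt of lines taken from it.

```python
import re
from typing import List, Tuple

# Constructed excerpt of the thread's TDSSKiller log (same line formats, far fewer lines).
SAMPLE_LOG = r"""
18:50:58.0525 1648 ENTECH (fd9fc82f134b1c91004ffc76a5ae494b) C:\Windows\system32\DRIVERS\ENTECH.sys
18:50:58.0546 1648 ENTECH ( UnsignedFile.Multi.Generic ) - warning
18:50:58.0547 1648 ENTECH - detected UnsignedFile.Multi.Generic (1)
18:50:58.0714 1648 fastfat (84a317cb0b3954d3768cdcd018dbf670) C:\Windows\system32\drivers\fastfat.sys
18:50:58.0869 1648 fastfat - ok
18:51:50.0831 1648 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
18:51:50.0927 1648 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
18:51:50.0927 1648 \Device\Harddisk0\DR0 - detected TDSS File System (1)
18:51:51.0123 3192 Detected object count: 3
18:53:21.0863 3192 C:\Windows\system32\drivers\atapi.sys - will be cured on reboot
18:53:21.0864 3192 atapi ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure
18:53:21.0871 3192 ENTECH ( UnsignedFile.Multi.Generic ) - skipped by user
18:53:21.0872 3192 ENTECH ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:53:21.0889 3192 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
18:53:21.0889 3192 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
"""

# Every line is "HH:MM:SS.ffff <pid> <message>"; the patterns below match the message part.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{4})\s+(\d+)\s+(.*)$")
# "<name> [(0x1B8)] (<md5>) <path>": a scanned driver, MBR or boot sector with its hash
FILE_RE = re.compile(r"^(?P<name>\S+) (?:\(0x[0-9A-Fa-f]+\) )?\((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "<object> - detected <verdict> (<n>)"
DETECTED_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<verdict>.+?) \(\d+\)$")
# "<object> ( <verdict> ) - User select action: <action>"
ACTION_RE = re.compile(r"^(?P<obj>.+?) \( (?P<verdict>.+?) \) - User select action: (?P<action>\w+)$")
# "<path> - will be cured on reboot"
CURE_RE = re.compile(r"^(?P<path>.+?) - will be cured on reboot$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")

# Actions after which the flagged object is gone (or will be once the machine reboots).
REMEDIATING_ACTIONS = {"Cure", "Delete", "Quarantine"}


def parse_tdsskiller_log(text: str) -> dict:
    """Reduce a TDSSKiller log to the facts a triage needs (assumed line formats, see above)."""
    summary = {
        "hashes": {},            # object name -> md5 of the scanned file or sector
        "verdicts": {},          # flagged object -> verdict, in first-seen order
        "actions": {},           # flagged object -> action the user chose
        "pending_cure": [],      # paths TDSSKiller will repair on reboot
        "declared_count": None,  # TDSSKiller's own "Detected object count"
    }
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if line is None:
            continue  # banners, separators, blank lines
        body = line.group(3)
        if (f := FILE_RE.match(body)) is not None:
            summary["hashes"][f["name"]] = f["md5"]
        elif (d := DETECTED_RE.match(body)) is not None:
            summary["verdicts"].setdefault(d["obj"], d["verdict"])
        elif (a := ACTION_RE.match(body)) is not None:
            # Objects flagged before this excerpt still show up here via their action line.
            summary["verdicts"].setdefault(a["obj"], a["verdict"])
            summary["actions"][a["obj"]] = a["action"]
        elif (c := CURE_RE.match(body)) is not None:
            summary["pending_cure"].append(c["path"])
        elif (n := COUNT_RE.match(body)) is not None:
            summary["declared_count"] = int(n.group(1))
    return summary


def unresolved(summary: dict) -> List[Tuple[str, str]]:
    """Flagged objects the user skipped or never acted on: still present after this run."""
    return [
        (obj, verdict)
        for obj, verdict in summary["verdicts"].items()
        if summary["actions"].get(obj) not in REMEDIATING_ACTIONS
    ]


if __name__ == "__main__":
    s = parse_tdsskiller_log(SAMPLE_LOG)
    print("declared detections:", s["declared_count"], "parsed:", len(s["verdicts"]))
    print("pending cure on reboot:", s["pending_cure"])
    print("MBR hash:", s["hashes"].get("MBR"))
    for obj, verdict in unresolved(s):
        print("UNRESOLVED:", obj, "->", verdict)
```

On the excerpt this reports ENTECH and \Device\Harddisk0\DR0 as unresolved, which is the point of the check: a later scanner run that finds nothing is not on its own evidence that a skipped MBR-level detection has gone away, and the MBR hash the log records is worth keeping so the next scan's value can be compared against it.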

#9
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
How is the computer behaving now?



Run Malwarebytes and update.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  • 0

#10
drewdreworld

drewdreworld

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
The computer seems clean =D I've been able to post from the computer we were working on for the past post or two (I forgot to mention that, sorry =( ). No hijacker, it seems. MBAM turned up no infections! Want to see the log? Thank you soooooo so so so much for helping me!! :)
  • 0

#11
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Subject to no further problems :)

I will remove my tools now and give some recommendations, but I would like you to run it for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK

  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.


SPRING CLEAN

To manually create a new Restore Point
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones
  • Go to Start > All Programs > Accessories > System Tools
  • Right click Disk Cleanup and select Run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place?

Keep safe :wave:
  • 0

#12
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





