Jon.h1 (posted January 10, 2011)

After running every spyware/virus/malware checker I can think of, my partner's computer is still behaving as if it has a rootkit: redirecting web sites, false virus alerts, etc. It often shuts down with no warning or just hangs. It is also running very slowly. I followed the instructions in the 'steps before posting your log' post. Ad-Aware 2010 came up with no problems. The GMER scanner runs so far and then the computer crashes at the same point each time. I managed to save a partial log file, which I've pasted below, followed by the HijackThis log. I would really appreciate some advice. Thanks. Jon.

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-10 20:28:22
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IdePort1 WDC_WD1200BEVS-22UST0 rev.01.01A01
Running: j79r1b39.exe; Driver: C:\Users\leigh\AppData\Local\Temp\uwroapod.sys

---- System - GMER 1.0.15 ----

SSDT 89FB7F80 ZwOpenProcess
SSDT 89FB7F85 ZwOpenThread

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[748] ntdll.dll!NtProtectVirtualMemory 7710FD74 5 Bytes JMP 00ED000A
.text C:\Windows\Explorer.EXE[748] ntdll.dll!NtWriteVirtualMemory 771106F4 5 Bytes JMP 00EE000A
.text C:\Windows\Explorer.EXE[748] ntdll.dll!KiUserExceptionDispatcher 77110E88 5 Bytes JMP 0057000A
.text C:\Windows\system32\svchost.exe[1136] ntdll.dll!NtProtectVirtualMemory 7710FD74 5 Bytes JMP 002B000A
.text C:\Windows\system32\svchost.exe[1136] ntdll.dll!NtWriteVirtualMemory 771106F4 5 Bytes JMP 0081000A
.text C:\Windows\system32\svchost.exe[1136] ntdll.dll!KiUserExceptionDispatcher 77110E88 5 Bytes JMP 002A000A
.text C:\Windows\system32\svchost.exe[1136] ole32.dll!CoCreateInstance 75D7DD8F 5 Bytes JMP 0086000A
.text C:\Windows\system32\svchost.exe[1136] USER32.dll!GetCursorPos 7615C664 5 Bytes JMP 01F0000A
.text C:\Windows\system32\wuauclt.exe[3508] ntdll.dll!NtProtectVirtualMemory 7710FD74 5 Bytes JMP 0014000A
.text C:\Windows\system32\wuauclt.exe[3508] ntdll.dll!NtWriteVirtualMemory 771106F4 5 Bytes JMP 0015000A
.text C:\Windows\system32\wuauclt.exe[3508] ntdll.dll!KiUserExceptionDispatcher 77110E88 5 Bytes JMP 0012000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\SearchProtocolHost.exe[2432] @ C:\Windows\system32\ole32.dll [USER32.dll!DialogBoxParamW] [6D64D6EF] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\system32\SearchProtocolHost.exe[2432] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamW] [6D64D6EF] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\system32\SearchProtocolHost.exe[2432] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DialogBoxParamW] [6D64D6EF] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\system32\SearchProtocolHost.exe[2432] @ C:\Windows\system32\WININET.dll [USER32.dll!DialogBoxParamW] [6D64D6EF] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
Device \Device\Ide\IdeDeviceP1T0L0-1 -> \??\IDE#DiskWDC_WD1200BEVS-22UST0___________________01.01A01#5&18c0e30f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\[email protected] C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0731a1de
Reg HKLM\SOFTWARE\Classes\CLSID\{51E2427C-8584-07B7-23DE47D3A7EA0FAE}\{FE4DB2DE-8B1B-C18C-3FBFE7B17663DE6A}\{D7759A44-051C-D7DE-9FB52EA4C570BE7C}
Reg HKLM\SOFTWARE\Classes\CLSID\{51E2427C-8584-07B7-23DE47D3A7EA0FAE}\{FE4DB2DE-8B1B-C18C-3FBFE7B17663DE6A}\{D7759A44-051C-D7DE-9FB52EA4C570BE7C}@XOGCPEUPGZA3BTOUPKIJ6FJXTE1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{75C78964-9FAD-014A-8CC7FBADED2C52DF}\{536ADE09-4683-F194-E6EBF180967FA049}\{3462E639-3971-056E-531C3527F72CD4AF}
Reg HKLM\SOFTWARE\Classes\CLSID\{75C78964-9FAD-014A-8CC7FBADED2C52DF}\{536ADE09-4683-F194-E6EBF180967FA049}\{3462E639-3971-056E-531C3527F72CD4AF}@XOGCPEUPGZA3BTOUPKIJ6FJXTE1 0x01 0x00 0x01 0x00 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 234441392 (+255): rootkit-like behavior;

---------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:14:06, on 10/01/2011
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16982)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thetechguys.com/welcome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [googletalk] C:\Users\leigh\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Reminder_MUI] C:\Applications\oem\Reminder\Reminder_MUI.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Users\leigh\Desktop\WH GBP Casino.lnk (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Users\leigh\Desktop\WH GBP Casino.lnk (HKCU)
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: REOMDB - Unknown owner - C:\Users\leigh\AppData\Local\Temp\REOMDB.exe (file missing)
O23 - Service: TTQ - Unknown owner - C:\Users\leigh\AppData\Local\Temp\TTQ.exe (file missing)
O23 - Service: UD - Unknown owner - C:\Users\leigh\AppData\Local\Temp\UD.exe (file missing)

--
End of file - 7412 bytes
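The GMER output in the post above is the part a responder would triage first: the same ntdll.dll exports patched with 5-byte JMPs in three unrelated processes, and disk sectors (including the MBR) flagged as rootkit-like. The Python below is an added example written for this page, not GMER's own code and not from anyone in this thread. It parses lines in that shape, groups the hooks per process, counts detours whose target lies far from the patched export (the FAR_JUMP threshold is this example's assumption, not a GMER rule), and lists exports hooked in more than one process. The sample lines are copied from the log above.

```python
"""Triage GMER-style output: per-process inline hooks plus disk-sector verdicts.
Added example for this page; it is not GMER's parser and not code from the thread."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER log posted above.
SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\Explorer.EXE[748] ntdll.dll!NtProtectVirtualMemory 7710FD74 5 Bytes JMP 00ED000A
.text C:\Windows\Explorer.EXE[748] ntdll.dll!NtWriteVirtualMemory 771106F4 5 Bytes JMP 00EE000A
.text C:\Windows\system32\svchost.exe[1136] ntdll.dll!NtProtectVirtualMemory 7710FD74 5 Bytes JMP 002B000A
.text C:\Windows\system32\svchost.exe[1136] ole32.dll!CoCreateInstance 75D7DD8F 5 Bytes JMP 0086000A
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 234441392 (+255): rootkit-like behavior;
"""

# ".text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)
# "Disk <device> sector(s) <n> [(note)]: <verdict>;"
DISK_RE = re.compile(
    r"^Disk\s+(?P<device>\S+)\s+sectors?\s+(?P<sector>\d+)"
    r"(?:\s+\((?P<note>[^)]*)\))?:\s*(?P<verdict>[^;]+);?\s*$"
)

# Assumption of this example: a JMP landing more than 16 MiB from the patched
# export is treated as leaving the module (i.e. a detour into private memory).
FAR_JUMP = 0x0100_0000


def parse_gmer(text):
    """Return {'hooks': [...], 'disk': [...]} from GMER-style text."""
    hooks, disk = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["nbytes"] = int(d["nbytes"])
            d["addr"] = int(d["addr"], 16)
            d["target"] = int(d["target"], 16)
            hooks.append(d)
            continue
        m = DISK_RE.match(line)
        if m:
            d = m.groupdict()
            d["sector"] = int(d["sector"])
            disk.append(d)
    return {"hooks": hooks, "disk": disk}


def triage(parsed):
    """Summarise the parsed output into the facts a responder checks first."""
    by_proc = defaultdict(list)      # "image[pid]" -> hooked exports
    func_pids = defaultdict(set)     # "module!export" -> pids where it is hooked
    far = 0
    for h in parsed["hooks"]:
        name = f'{h["module"]}!{h["func"]}'
        by_proc[f'{h["image"]}[{h["pid"]}]'].append(name)
        func_pids[name].add(h["pid"])
        if abs(h["target"] - h["addr"]) > FAR_JUMP:
            far += 1
    flagged = [d["sector"] for d in parsed["disk"] if "rootkit" in d["verdict"].lower()]
    return {
        "processes": dict(by_proc),
        "far_jumps": far,
        # the same export patched in several processes points at a system-wide injector
        "shared_hooks": sorted(f for f, pids in func_pids.items() if len(pids) > 1),
        "mbr_flagged": 0 in flagged,
        "flagged_sectors": flagged,
    }


if __name__ == "__main__":
    report = triage(parse_gmer(SAMPLE_GMER))
    for proc, funcs in report["processes"].items():
        print(proc, "->", ", ".join(funcs))
    print("far jumps:", report["far_jumps"], "| shared hooks:", report["shared_hooks"])
    print("MBR flagged:", report["mbr_flagged"], "| sectors:", report["flagged_sectors"])
```

Run on the full log above, the same code reports all three processes with ntdll.dll!NtProtectVirtualMemory, NtWriteVirtualMemory and KiUserExceptionDispatcher hooked identically, which is why the replies below go straight to MBR-rootkit tooling rather than to the browser add-ons listed by HijackThis.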
blade81 (posted January 11, 2011)

Hi,

Download DDS and save it to your desktop from http://download.bleepingcomputer.com/sUBs/dds.com or http://download.bleepingcomputer.com/sUBs/dds.scr or http://www.forospyware.com/sUBs/dds. Disable any script blocker, and then double click the dds file to run the tool.

- When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
- Save both reports to your desktop. Post them back to your topic.
Jon.h1 (posted January 11, 2011)

DDS (Ver_10-12-12.02) - NTFSx86
Run by leigh at 9:39:05.62 on 11/01/2011
Internet Explorer: 7.0.6000.16982
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.893.119 [GMT 0:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Kontiki\KService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\leigh\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Users\leigh\Desktop\dds.com
C:\Windows\system32\taskeng.exe
C:\Windows\system32\lpremove.exe
C:\Windows\system32\lpksetup.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uDefault_Page_URL = hxxp://www.thetechguys.com/welcome
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [googletalk] c:\users\leigh\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Reminder_MUI] c:\applications\oem\reminder\Reminder_MUI.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - c:\microgaming\poker\ladbrokesmpp\MPPoker.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\leigh\appdata\roaming\mozilla\firefox\profiles\bf2zla78.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-3 61960]

=============== Created Last 30 ================

2011-01-10 21:00:10 388096 ----a-r- c:\users\leigh\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-01-10 21:00:01 -------- d-----w- c:\program files\Trend Micro
2011-01-10 16:29:47 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-01-10 16:29:42 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-10 16:27:22 -------- d-----w- c:\users\leigh\appdata\local\Sunbelt Software
2011-01-10 16:25:57 -------- dc-h--w- c:\progra~2\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-01-10 16:24:49 -------- d-----w- c:\program files\Lavasoft
2011-01-10 15:43:53 -------- d-----w- C:\_OTM
2011-01-07 16:00:37 -------- d-----w- c:\users\leigh\appdata\roaming\Malwarebytes
2011-01-07 16:00:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-07 16:00:15 -------- d-----w- c:\progra~2\Malwarebytes
2011-01-07 16:00:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-07 16:00:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-03 20:18:35 -------- d-----w- c:\progra~2\Alwil Software
2011-01-03 18:49:30 -------- d-----w- c:\program files\Sophos
2011-01-03 16:22:42 -------- d-----w- c:\users\leigh\appdata\roaming\Avira
2011-01-03 15:20:31 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-03 15:20:23 -------- d-----w- c:\program files\Avira
2011-01-03 15:20:23 -------- d-----w- c:\progra~2\Avira
2011-01-03 14:19:27 11278816 ----a-w- c:\users\leigh\appdata\roaming\microsoft\windows\templates\IS360Setup.exe
2011-01-03 14:18:43 -------- d-----w- c:\users\leigh\appdata\roaming\IObit
2011-01-03 14:18:42 -------- d-----w- c:\program files\IObit
2011-01-03 07:22:27 0 ----a-w- c:\users\leigh\appdata\local\Isapogagimogoyin.bin
2011-01-03 07:22:25 -------- d-----w- c:\users\leigh\appdata\local\{A98CB7FE-C5D6-416F-90BF-85B762E35516}
2011-01-03 07:20:23 -------- d-----w- c:\progra~2\cIjPo06511
2010-12-13 14:17:26 -------- d-----w- c:\progra~2\MFAData
2010-12-13 13:21:10 378368 ----a-w- c:\windows\system32\winhttp.dll

==================== Find3M ====================

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6000 Disk: WDC_WD1200BEVS-22UST0 rev.01.01A01 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-1

device: opened successfully
user: MBR read successfully

Disk trace:
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-1 -> \??\IDE#DiskWDC_WD1200BEVS-22UST0___________________01.01A01#5&18c0e30f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 234441646 (+255): user != kernel

============= FINISH: 9:48:28.90 ===============
blade81 (posted January 11, 2011)

Hi,

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

- Run Spybot-S&D in Advanced Mode.
- If it is not already set to do this, go to the Mode menu and select Advanced Mode.
- On the left hand side, click on Tools.
- Then click on the Resident icon in the list.
- Uncheck Resident TeaTimer and OK any prompts.
- Restart your computer.

Please visit this webpage for download links, and instructions for running the ComboFix tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix (see http://www.bleepingcomputer.com/forums/topic114351.html). Remember to re-enable them afterwards.
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you. Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Jon.h1 (posted January 11, 2011)

Hi. I had some problems, so I will talk you through what I did:

Disabled TeaTimer and closed all programs. Downloaded and ran ComboFix from the desktop as per the instructions on bleepingcomputer. Got a message saying I had to uninstall AVG before it could run (which I didn't think I still had installed; all I could find was an AVG folder in Program Files, which I deleted). Anyway, ran ComboFix again and the green loading status bar moved along until just before the end, and then I got the dreaded flash of the blue screen and the computer restarted. Tried a couple more times with the same result and on the 4th attempt eventually got it to run. Then got the message: "ComboFix has detected the presence of rootkit activity and needs to reboot the machine". After the reboot, ComboFix then ran on startup (before the desktop loaded) and ran through the process until it started scanning for infected files; it reached about "completed stage_3" when scanning and then crashed and restarted the computer. It created a C:\ComboFix.txt file, but it isn't a file, just a shortcut link to "my computer". Tried the whole process again with the same result.

Anyway, I'm a bit out of my depth, so I didn't want to try anything else until I get some advice. Any suggestions? Thanks.
blade81 (posted January 12, 2011)

Hi,

1. Download TDSSKiller from http://support.kaspersky.com/downloads/utils/tdsskiller.zip and extract its contents into a folder in the desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select Cure and click Continue (the tool may prompt for a reboot).
4. Post back the contents of the log file in the c: drive root (the name should be in UtilityName.Version_Date_Time_log.txt format).
Jon.h1 (posted January 12, 2011)

2011/01/12 11:05:52.0756 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
2011/01/12 11:05:52.0756 ================================================================================
2011/01/12 11:05:52.0756 SystemInfo:
2011/01/12 11:05:52.0756
2011/01/12 11:05:52.0756 OS Version: 6.0.6000 ServicePack: 0.0
2011/01/12 11:05:52.0756 Product type: Workstation
2011/01/12 11:05:52.0756 ComputerName: LEIGH-PC
2011/01/12 11:05:52.0756 UserName: leigh
2011/01/12 11:05:52.0756 Windows directory: C:\Windows
2011/01/12 11:05:52.0756 System windows directory: C:\Windows
2011/01/12 11:05:52.0756 Processor architecture: Intel x86
2011/01/12 11:05:52.0756 Number of processors: 2
2011/01/12 11:05:52.0756 Page size: 0x1000
2011/01/12 11:05:52.0756 Boot type: Normal boot
2011/01/12 11:05:52.0756 ================================================================================
2011/01/12 11:05:53.0756 Initialize success
2011/01/12 11:06:00.0599 ================================================================================
2011/01/12 11:06:00.0599 Scan started
2011/01/12 11:06:00.0599 Mode: Manual;
2011/01/12 11:06:00.0599 ================================================================================
2011/01/12 11:06:02.0568 ACPI (84fc6df81212d16be5c4f441682feccc) C:\Windows\system32\drivers\acpi.sys
2011/01/12 11:06:02.0662 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2011/01/12 11:06:02.0787 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2011/01/12 11:06:02.0912 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2011/01/12 11:06:02.0990 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2011/01/12 11:06:03.0131 AFD (5d24caf8efd924a875698ff28384db8b) C:\Windows\system32\drivers\afd.sys
2011/01/12 11:06:03.0256 AgereSoftModem (5d97943c128ed756d1b0a08302c1b1f8) C:\Windows\system32\DRIVERS\AGRSM.sys
2011/01/12 11:06:03.0412 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/01/12 11:06:03.0506 aliide (cc373bbc3fd0605b87cd14bd14ddeb77) C:\Windows\system32\drivers\aliide.sys
2011/01/12 11:06:03.0568 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2011/01/12 11:06:03.0646 amdide (4838c4620d501ae2c009d337ccaddc63) C:\Windows\system32\drivers\amdide.sys
2011/01/12 11:06:03.0724 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2011/01/12 11:06:03.0803 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
2011/01/12 11:06:03.0943 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2011/01/12 11:06:04.0037 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2011/01/12 11:06:04.0115 AsyncMac (e86cf7ce67d5de898f27ef884dc357d8) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/01/12 11:06:04.0193 atapi (b35cfcef838382ab6490b321c87edf17) C:\Windows\system32\drivers\atapi.sys
2011/01/12 11:06:04.0303 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\Windows\system32\DRIVERS\avgntflt.sys
2011/01/12 11:06:04.0381 avipbb (da39805e2bad99d37fce9477dd94e7f2) C:\Windows\system32\DRIVERS\avipbb.sys
2011/01/12 11:06:04.0474 Beep (ac3dd1708b22761ebd7cbe14dcc3b5d7) C:\Windows\system32\drivers\Beep.sys
2011/01/12 11:06:04.0631 bowser (913cd06fbe9105ce6077e90fd4418561) C:\Windows\system32\DRIVERS\bowser.sys
2011/01/12 11:06:04.0709 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/01/12 11:06:04.0787 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/01/12 11:06:04.0881 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/01/12 11:06:04.0943 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/01/12 11:06:04.0990 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/01/12 11:06:05.0053 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/01/12 11:06:05.0115 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/01/12 11:06:05.0334 cdfs (6c3a437fc873c6f6a4fc620b6888cb86) C:\Windows\system32\DRIVERS\cdfs.sys
2011/01/12 11:06:05.0459 cdrom (8d1866e61af096ae8b582454f5e4d303) C:\Windows\system32\DRIVERS\cdrom.sys
2011/01/12 11:06:05.0568 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2011/01/12 11:06:05.0693 CLFS (1b84fd0937d3b99af9ba38ddff3daf54) C:\Windows\system32\CLFS.sys
2011/01/12 11:06:05.0803 CmBatt (ed97ad3df1b9005989eaf149bf06c821) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/01/12 11:06:05.0912 cmdide (e7fd00f9016e3ca48c0d2a65602032ca) C:\Windows\system32\drivers\cmdide.sys
2011/01/12 11:06:05.0990 Compbatt (722936afb75a7f509662b69b5632f48a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/01/12 11:06:06.0084 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2011/01/12 11:06:06.0131 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2011/01/12 11:06:06.0271 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\Windows\system32\DRIVERS\CVirtA.sys
2011/01/12 11:06:06.0396 CVPNDRVA (1c2999966f0f36aa44eaecbee70cf770) C:\Windows\system32\Drivers\CVPNDRVA.sys
2011/01/12 11:06:06.0537 DfsC (a7179de59ae269ab70345527894ccd7c) C:\Windows\system32\Drivers\dfsc.sys
2011/01/12 11:06:06.0631 disk (841af4c4d41d3e3b2f244e976b0f7963) C:\Windows\system32\drivers\disk.sys
2011/01/12 11:06:06.0740 DNE (7b4fdfbe97c047175e613aa96f3de987) C:\Windows\system32\DRIVERS\dne2000.sys
2011/01/12 11:06:06.0849 drmkaud (ee472cd2c01f6f8e8aa1fa06ffef61b6) C:\Windows\system32\drivers\drmkaud.sys
2011/01/12 11:06:06.0943 DXGKrnl (334988883de69adb27e2cf9f9715bbdb) C:\Windows\System32\drivers\dxgkrnl.sys
2011/01/12 11:06:07.0021 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/01/12 11:06:07.0115 Ecache (0efc7531b936ee57fdb4e837664c509f) C:\Windows\system32\drivers\ecache.sys
2011/01/12 11:06:07.0240 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2011/01/12 11:06:07.0490 fastfat (84a317cb0b3954d3768cdcd018dbf670) C:\Windows\system32\drivers\fastfat.sys
2011/01/12 11:06:07.0615 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2011/01/12 11:06:07.0724 FileInfo (65773d6115c037ffd7ef8280ae85eb9d) C:\Windows\system32\drivers\fileinfo.sys
2011/01/12 11:06:07.0818 Filetrace (c226dd0de060745f3e042f58dcf78402) C:\Windows\system32\drivers\filetrace.sys
2011/01/12 11:06:07.0896 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/01/12 11:06:07.0959 FltMgr (a6a8da7ae4d53394ab22ac3ab6d3f5d3) C:\Windows\system32\drivers\fltmgr.sys
2011/01/12 11:06:08.0068 Fs_Rec (66a078591208baa210c7634b11eb392c) C:\Windows\system32\drivers\Fs_Rec.sys
2011/01/12 11:06:08.0131 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2011/01/12 11:06:08.0287 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2011/01/12 11:06:08.0334 HDAudBus (0db613a7e427b5663563677796fd5258) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/01/12 11:06:08.0396 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/01/12 11:06:08.0459 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/01/12 11:06:08.0553 HidUsb (3c64042b95e583b366ba4e5d2450235e) C:\Windows\system32\DRIVERS\hidusb.sys
2011/01/12 11:06:08.0615 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2011/01/12 11:06:08.0724 HTTP (ea24fe637d974a8a31bc650f478e3533) C:\Windows\system32\drivers\HTTP.sys
2011/01/12 11:06:08.0818 hwdatacard (63b3eff36272787619c1e773ed581693) C:\Windows\system32\DRIVERS\ewusbmdm.sys
2011/01/12 11:06:08.0912 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2011/01/12 11:06:08.0974 i8042prt (1c9ee072baa3abb460b91d7ee9152660) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/01/12 11:06:09.0099 ialm (496db78e6a0c4c44023d9a92b4a7ac31) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/01/12 11:06:09.0224 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2011/01/12 11:06:09.0303 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/01/12 11:06:09.0506 IntcAzAudAddService (97cac2a7e92ffcb30c15101ab002ed30) C:\Windows\system32\drivers\RTKVHDA.sys
2011/01/12 11:06:09.0662 intelide (988981c840084f480ba9e3319cebde1b) C:\Windows\system32\drivers\intelide.sys
2011/01/12 11:06:09.0756 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
2011/01/12 11:06:09.0834 IpFilterDriver (880c6f86cc3f551b8fea2c11141268c0) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/01/12 11:06:09.0943 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2011/01/12 11:06:10.0021 IPNAT (10077c35845101548037df04fd1a420b) C:\Windows\system32\DRIVERS\ipnat.sys
2011/01/12 11:06:10.0099 IRENUM (a82f328f4792304184642d6d397bb1e3) C:\Windows\system32\drivers\irenum.sys
2011/01/12 11:06:10.0162 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2011/01/12 11:06:10.0240 iScsiPrt (4dca456d4d5723f8fa9c6760d240b0df) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/01/12 11:06:10.0303 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/01/12 11:06:10.0381 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/01/12 11:06:10.0459 kbdclass (b076b2ab806b3f696dab21375389101c) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/01/12 11:06:10.0537 kbdhid (ed61dbc6603f612b7338283edbacbc4b) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/01/12 11:06:10.0631 KSecDD (0a829977b078dea11641fc2af87ceade) C:\Windows\system32\Drivers\ksecdd.sys 2011/01/12 11:06:10.0818 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\Windows\system32\DRIVERS\Lbd.sys 2011/01/12 11:06:10.0928 lltdio (fd015b4f95daa2b712f0e372a116fbad) C:\Windows\system32\DRIVERS\lltdio.sys 2011/01/12 11:06:11.0006 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys 2011/01/12 11:06:11.0068 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys 2011/01/12 11:06:11.0146 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys 2011/01/12 11:06:11.0209 luafv (42885bb44b6e065b8575a8dd6c430c52) C:\Windows\system32\drivers\luafv.sys 2011/01/12 11:06:11.0287 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys 2011/01/12 11:06:11.0412 Modem (21755967298a46fb6adfec9db6012211) C:\Windows\system32\drivers\modem.sys 2011/01/12 11:06:11.0490 monitor (7446e104a5fe5987ca9e4983fbac4f97) C:\Windows\system32\DRIVERS\monitor.sys 2011/01/12 11:06:11.0537 mouclass (5fba13c1a1841b0885d316ed3589489d) C:\Windows\system32\DRIVERS\mouclass.sys 2011/01/12 11:06:11.0631 mouhid (b569b5c5d3bde545df3a6af512cccdba) C:\Windows\system32\DRIVERS\mouhid.sys 2011/01/12 11:06:11.0693 MountMgr (01f1e5a3e4877c931cbb31613fec16a6) C:\Windows\system32\drivers\mountmgr.sys 2011/01/12 11:06:11.0771 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys 2011/01/12 11:06:11.0849 mpsdrv (6e7a7f0c1193ee5648443fe2d4b789ec) C:\Windows\system32\drivers\mpsdrv.sys 2011/01/12 11:06:11.0959 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys 2011/01/12 11:06:12.0021 MRxDAV (1d8828b98ee309d65e006f0829e280e5) C:\Windows\system32\drivers\mrxdav.sys 2011/01/12 11:06:12.0115 mrxsmb (8af705ce1bb907932157fab821170f27) C:\Windows\system32\DRIVERS\mrxsmb.sys 2011/01/12 11:06:12.0209 mrxsmb10 (47e13ab23371be3279eef22bbfa2c1be) 
C:\Windows\system32\DRIVERS\mrxsmb10.sys 2011/01/12 11:06:12.0334 mrxsmb20 (90b3fc7bd6b3d7ee7635debba2187f66) C:\Windows\system32\DRIVERS\mrxsmb20.sys 2011/01/12 11:06:12.0396 msahci (b2efb263600314babcf9dadb1cbba994) C:\Windows\system32\drivers\msahci.sys 2011/01/12 11:06:12.0490 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys 2011/01/12 11:06:12.0631 Msfs (729eafefd4e7417165f353a18dbe947d) C:\Windows\system32\drivers\Msfs.sys 2011/01/12 11:06:12.0709 msisadrv (5f454a16a5146cd91a176d70f0cfa3ec) C:\Windows\system32\drivers\msisadrv.sys 2011/01/12 11:06:12.0818 MSKSSRV (892cedefa7e0ffe7be8da651b651d047) C:\Windows\system32\drivers\MSKSSRV.sys 2011/01/12 11:06:12.0881 MSPCLOCK (ae2cb1da69b2676b4cee2a501af5871c) C:\Windows\system32\drivers\MSPCLOCK.sys 2011/01/12 11:06:12.0928 MSPQM (f910da84fa90c44a3addb7cd874463fd) C:\Windows\system32\drivers\MSPQM.sys 2011/01/12 11:06:12.0990 MsRPC (84571c0ae07647ba38d493f5f0015df7) C:\Windows\system32\drivers\MsRPC.sys 2011/01/12 11:06:13.0068 mssmbios (4385c80ede885e25492d408cad91bd6f) C:\Windows\system32\DRIVERS\mssmbios.sys 2011/01/12 11:06:13.0131 MSTEE (c826dd1373f38afd9ca46ec3c436a14e) C:\Windows\system32\drivers\MSTEE.sys 2011/01/12 11:06:13.0224 Mup (fa7aa70050cf5e2d15de00941e5665e5) C:\Windows\system32\Drivers\mup.sys 2011/01/12 11:06:13.0303 NativeWifiP (6da4a0fc7c0e83df0cb3cfd0a514c3bc) C:\Windows\system32\DRIVERS\nwifi.sys 2011/01/12 11:06:13.0381 NDIS (227c11e1e7cf6ef8afb2a238d209760c) C:\Windows\system32\drivers\ndis.sys 2011/01/12 11:06:13.0443 NdisTapi (81659cdcbd0f9a9e07e6878ad8c78d3f) C:\Windows\system32\DRIVERS\ndistapi.sys 2011/01/12 11:06:13.0490 Ndisuio (5de5ee546bf40838ebe0e01cb629df64) C:\Windows\system32\DRIVERS\ndisuio.sys 2011/01/12 11:06:13.0568 NdisWan (397402adcbb8946223a1950101f6cd94) C:\Windows\system32\DRIVERS\ndiswan.sys 2011/01/12 11:06:13.0662 NDProxy (1b24fa907af283199a81b3bb37e5e526) C:\Windows\system32\drivers\NDProxy.sys 2011/01/12 11:06:13.0740 NetBIOS 
(356dbb9f98e8dc1028dd3092fceeb877) C:\Windows\system32\DRIVERS\netbios.sys 2011/01/12 11:06:13.0834 netbt (e3a168912e7eefc3bd3b814720d68b41) C:\Windows\system32\DRIVERS\netbt.sys 2011/01/12 11:06:14.0021 NETw3v32 (a15f219208843a5a210c8cb391384453) C:\Windows\system32\DRIVERS\NETw3v32.sys 2011/01/12 11:06:14.0209 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys 2011/01/12 11:06:14.0303 Npfs (4f9832beb9fafd8ceb0e541f1323b26e) C:\Windows\system32\drivers\Npfs.sys 2011/01/12 11:06:14.0396 nsiproxy (b488dfec274de1fc9d653870ef2587be) C:\Windows\system32\drivers\nsiproxy.sys 2011/01/12 11:06:14.0553 Ntfs (37430aa7a66d7a63407adc2c0d05e9f6) C:\Windows\system32\drivers\Ntfs.sys 2011/01/12 11:06:14.0709 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys 2011/01/12 11:06:14.0803 Null (ec5efb3c60f1b624648344a328bce596) C:\Windows\system32\drivers\Null.sys 2011/01/12 11:06:14.0881 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys 2011/01/12 11:06:14.0943 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys 2011/01/12 11:06:15.0006 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys 2011/01/12 11:06:15.0162 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys 2011/01/12 11:06:15.0303 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys 2011/01/12 11:06:15.0381 partmgr (555a5b2c8022983bc7467bc925b222ee) C:\Windows\system32\drivers\partmgr.sys 2011/01/12 11:06:15.0474 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys 2011/01/12 11:06:15.0568 pci (1085d75657807e0e8b32f9e19a1647c3) C:\Windows\system32\drivers\pci.sys 2011/01/12 11:06:15.0631 pciide (caba65e9c41cd2900d4c92d4f825c5f8) C:\Windows\system32\drivers\pciide.sys 2011/01/12 11:06:15.0709 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys 2011/01/12 
11:06:15.0818 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys 2011/01/12 11:06:16.0053 PptpMiniport (c04dec5ace67c5247b150c4223970bb7) C:\Windows\system32\DRIVERS\raspptp.sys 2011/01/12 11:06:16.0131 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys 2011/01/12 11:06:16.0224 PSched (2c8bae55247c4e09352e870292e4d1ab) C:\Windows\system32\DRIVERS\pacer.sys 2011/01/12 11:06:16.0334 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys 2011/01/12 11:06:16.0459 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys 2011/01/12 11:06:16.0553 QWAVEdrv (d2b3e2b7426dc23e185fbc73c8936c12) C:\Windows\system32\drivers\qwavedrv.sys 2011/01/12 11:06:16.0631 RasAcd (bd7b30f55b3649506dd8b3d38f571d2a) C:\Windows\system32\DRIVERS\rasacd.sys 2011/01/12 11:06:16.0724 Rasl2tp (68b0019fee429ec49d29017af937e482) C:\Windows\system32\DRIVERS\rasl2tp.sys 2011/01/12 11:06:16.0803 RasPppoe (ccf4e9c6cbbac81437f88cb2ae0b6c96) C:\Windows\system32\DRIVERS\raspppoe.sys 2011/01/12 11:06:16.0881 rdbss (54129c5d9581bbec8bd1ebd3ba813f47) C:\Windows\system32\DRIVERS\rdbss.sys 2011/01/12 11:06:16.0974 RDPCDD (794585276b5d7fca9f3fc15543f9f0b9) C:\Windows\system32\DRIVERS\RDPCDD.sys 2011/01/12 11:06:17.0131 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys 2011/01/12 11:06:17.0178 RDPENCDD (980b56e2e273e19d3a9d72d5c420f008) C:\Windows\system32\drivers\rdpencdd.sys 2011/01/12 11:06:17.0271 RDPWD (8830e790a74a96605faba74f9665bb3c) C:\Windows\system32\drivers\RDPWD.sys 2011/01/12 11:06:17.0459 rspndr (97e939d2128fec5d5a3e6e79b290a2f4) C:\Windows\system32\DRIVERS\rspndr.sys 2011/01/12 11:06:17.0506 RTL8169 (283392af1860ecdb5e0f8ebd7f3d72df) C:\Windows\system32\DRIVERS\Rtlh86.sys 2011/01/12 11:06:17.0615 RTL8187B (2a1b48904504830f3f7bae5fd59cd370) C:\Windows\system32\DRIVERS\RTL8187B.sys 2011/01/12 11:06:17.0693 RTSTOR (104aff6574fa811de7f2da4a18eeb63c) 
C:\Windows\system32\drivers\RTSTOR.SYS 2011/01/12 11:06:17.0771 s217bus (0266151de3f36429f6ac3c4b28085061) C:\Windows\system32\DRIVERS\s217bus.sys 2011/01/12 11:06:17.0881 s217mdfl (a43c0af0e46be7ef0c7e8ccf0f058600) C:\Windows\system32\DRIVERS\s217mdfl.sys 2011/01/12 11:06:17.0959 s217mdm (005f5ded1ed8f8a9d2399d765ead20f1) C:\Windows\system32\DRIVERS\s217mdm.sys 2011/01/12 11:06:18.0037 s217mgmt (de9562ad0c91e1857d11f65a91ee1a47) C:\Windows\system32\DRIVERS\s217mgmt.sys 2011/01/12 11:06:18.0146 s217nd5 (11cc5d7f992799e7e75d018e9c018563) C:\Windows\system32\DRIVERS\s217nd5.sys 2011/01/12 11:06:18.0240 s217obex (0f9f4045799afb66b85eef999d0609ec) C:\Windows\system32\DRIVERS\s217obex.sys 2011/01/12 11:06:18.0334 s217unic (1c91e1023f07b6407d84b5a43537d984) C:\Windows\system32\DRIVERS\s217unic.sys 2011/01/12 11:06:18.0396 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys 2011/01/12 11:06:18.0537 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys 2011/01/12 11:06:18.0631 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys 2011/01/12 11:06:18.0709 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys 2011/01/12 11:06:18.0803 sermouse (450accd77ec5cea720c1cdb9e26b953b) C:\Windows\system32\drivers\sermouse.sys 2011/01/12 11:06:18.0928 sffdisk (51cf56aa8bcc241f134b420b8f850406) C:\Windows\system32\drivers\sffdisk.sys 2011/01/12 11:06:19.0006 sffp_mmc (96ded8b20c734ac41641ce275250e55d) C:\Windows\system32\drivers\sffp_mmc.sys 2011/01/12 11:06:19.0084 sffp_sd (8b08cab1267b2c377883fc9e56981f90) C:\Windows\system32\drivers\sffp_sd.sys 2011/01/12 11:06:19.0162 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys 2011/01/12 11:06:19.0287 SiS6350 (456b6f04b620d473347a90b2772d3da0) C:\Windows\system32\DRIVERS\SISGRKMD.sys 2011/01/12 11:06:19.0381 SISAGP (df1af7f5f1ec7800b3ac398acc06c754) C:\Windows\system32\DRIVERS\SISAGPX.sys 
2011/01/12 11:06:19.0459 SiSGbeLH (f3c4c6c4daf2212ac905475ed0f0fb1b) C:\Windows\system32\DRIVERS\SiSGB6.sys 2011/01/12 11:06:19.0537 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys 2011/01/12 11:06:19.0615 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys 2011/01/12 11:06:19.0724 Smb (ac0d90738adb51a6fd12ff00874a2162) C:\Windows\system32\DRIVERS\smb.sys 2011/01/12 11:06:19.0834 smserial (c8a58fc905c9184fa70e37f71060c64d) C:\Windows\system32\DRIVERS\smserial.sys 2011/01/12 11:06:20.0412 SNP2STD (ecc9293ffa708e0bb552fe9a84d6a300) C:\Windows\system32\DRIVERS\snp2sxp.sys 2011/01/12 11:06:23.0131 spldr (426f9b029aa9162ceccf65369457d046) C:\Windows\system32\drivers\spldr.sys 2011/01/12 11:06:23.0271 srv (038579c35f7cad4a4bbf735dbf83277d) C:\Windows\system32\DRIVERS\srv.sys 2011/01/12 11:06:23.0365 srv2 (6971a757af8cb5e2cbcbb76cc530db6c) C:\Windows\system32\DRIVERS\srv2.sys 2011/01/12 11:06:23.0474 srvnet (9e1a4603b874eebce0298113951abefb) C:\Windows\system32\DRIVERS\srvnet.sys 2011/01/12 11:06:23.0599 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\Windows\system32\DRIVERS\ssmdrv.sys 2011/01/12 11:06:23.0740 swenum (1379bdb336f8158c176a465e30759f57) C:\Windows\system32\DRIVERS\swenum.sys 2011/01/12 11:06:23.0834 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys 2011/01/12 11:06:23.0912 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys 2011/01/12 11:06:23.0990 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys 2011/01/12 11:06:24.0131 Tcpip (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\drivers\tcpip.sys 2011/01/12 11:06:24.0256 Tcpip6 (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\DRIVERS\tcpip.sys 2011/01/12 11:06:24.0318 tcpipreg (5ce0c4a7b12d0067dad527d72b68c726) C:\Windows\system32\drivers\tcpipreg.sys 2011/01/12 11:06:24.0396 TDPIPE (964248aef49c31fa6a93201a73ffaf50) 
C:\Windows\system32\drivers\tdpipe.sys 2011/01/12 11:06:24.0443 TDTCP (7d2c1ae1648a60fce4aa0f7982e419d3) C:\Windows\system32\drivers\tdtcp.sys 2011/01/12 11:06:24.0537 tdx (ab4fde8af4a0270a46a001c08cbce1c2) C:\Windows\system32\DRIVERS\tdx.sys 2011/01/12 11:06:24.0631 TermDD (2c549bd9dd091fbfaa0a2a48e82ec2fb) C:\Windows\system32\DRIVERS\termdd.sys 2011/01/12 11:06:24.0787 tssecsrv (29f0eca726f0d51f7e048bdb0b372f29) C:\Windows\system32\DRIVERS\tssecsrv.sys 2011/01/12 11:06:24.0896 tunmp (65e953bc0084d44498b51f59784d2a82) C:\Windows\system32\DRIVERS\tunmp.sys 2011/01/12 11:06:24.0959 tunnel (4a39bda5e0fd30bdf4884f9d33ae6105) C:\Windows\system32\DRIVERS\tunnel.sys 2011/01/12 11:06:25.0037 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\DRIVERS\uagp35.sys 2011/01/12 11:06:25.0115 udfs (6348da98707ceda8a0dfb05820e17732) C:\Windows\system32\DRIVERS\udfs.sys 2011/01/12 11:06:25.0256 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys 2011/01/12 11:06:25.0349 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys 2011/01/12 11:06:25.0443 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys 2011/01/12 11:06:25.0521 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys 2011/01/12 11:06:25.0599 umbus (3fb78f1d1dd86d87bececd9dffa24dd9) C:\Windows\system32\DRIVERS\umbus.sys 2011/01/12 11:06:25.0724 usbaudio (f6bf998ae33e3fb6c7d27f0560f1173f) C:\Windows\system32\drivers\usbaudio.sys 2011/01/12 11:06:25.0834 usbccgp (b0ba9caffe9b0555ec0317f30cb79cd2) C:\Windows\system32\DRIVERS\usbccgp.sys 2011/01/12 11:06:25.0896 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys 2011/01/12 11:06:25.0959 usbehci (c9fcd05b0a80ea08c2768e5a279b14de) C:\Windows\system32\DRIVERS\usbehci.sys 2011/01/12 11:06:26.0037 usbhub (5e44f7d957f7560da06bfe6b84b58a35) C:\Windows\system32\DRIVERS\usbhub.sys 2011/01/12 11:06:26.0099 usbohci 
(9333e482a173938788cbde8f81ec52fb) C:\Windows\system32\DRIVERS\usbohci.sys 2011/01/12 11:06:26.0178 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\DRIVERS\usbprint.sys 2011/01/12 11:06:26.0256 USBSTOR (7887ce56934e7f104e98c975f47353c5) C:\Windows\system32\DRIVERS\USBSTOR.SYS 2011/01/12 11:06:26.0318 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys 2011/01/12 11:06:26.0443 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys 2011/01/12 11:06:26.0506 VgaSave (17a8f877314e4067f8c8172cc6d9101c) C:\Windows\System32\drivers\vga.sys 2011/01/12 11:06:26.0584 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys 2011/01/12 11:06:26.0678 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys 2011/01/12 11:06:26.0740 viaide (48c9b50cddd51a205f7aa1639b3d4822) C:\Windows\system32\drivers\viaide.sys 2011/01/12 11:06:26.0818 volmgr (103e84c95832d0ed93507997cc7b54e8) C:\Windows\system32\drivers\volmgr.sys 2011/01/12 11:06:26.0896 volmgrx (294da8d3f965f6a8db934a83c7b461ff) C:\Windows\system32\drivers\volmgrx.sys 2011/01/12 11:06:26.0990 volsnap (11ef6c1caef76b685233450a126125d6) C:\Windows\system32\drivers\volsnap.sys 2011/01/12 11:06:27.0084 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys 2011/01/12 11:06:27.0209 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys 2011/01/12 11:06:27.0271 Wanarp (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys 2011/01/12 11:06:27.0334 Wanarpv6 (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys 2011/01/12 11:06:27.0428 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys 2011/01/12 11:06:27.0521 Wdf01000 (7b5f66e4a2219c7d9daf9e738480e534) C:\Windows\system32\drivers\Wdf01000.sys 2011/01/12 11:06:27.0849 WmiAcpi (17eac0d023a65fa9b02114cc2baacad5) C:\Windows\system32\drivers\wmiacpi.sys 
2011/01/12 11:06:28.0615 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/12 11:06:28.0615 ================================================================================
2011/01/12 11:06:28.0631 Scan finished
2011/01/12 11:06:28.0631 ================================================================================
2011/01/12 11:06:28.0662 Detected object count: 1
2011/01/12 11:07:55.0006 \HardDisk0 - will be cured after reboot
2011/01/12 11:07:55.0021 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/12 11:08:07.0959 Deinitialize success
blade81 Posted January 12, 2011

Good. Please try to run ComboFix now.
Jon.h1 Posted January 12, 2011

Great - took a couple of attempts as it kept crashing the computer, but here is the ComboFix log along with new DDS logs:

ComboFix 11-01-11.03 - leigh 12/01/2011 16:50:20.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.893.346 [GMT 0:00]
Running from: c:\users\leigh\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\leigh\AppData\Local\{A98CB7FE-C5D6-416F-90BF-85B762E35516}
c:\users\leigh\AppData\Local\{A98CB7FE-C5D6-416F-90BF-85B762E35516}\chrome\content\overlay.xul
c:\users\leigh\AppData\Local\{A98CB7FE-C5D6-416F-90BF-85B762E35516}\install.rdf
c:\windows\system\vdremote.dll
c:\windows\system\vdsvrlnk.dll
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_usnjsvc
.
((((((((((((((((((((((((( Files Created from 2010-12-12 to 2011-01-12 )))))))))))))))))))))))))))))))
.
2011-01-12 17:01 . 2011-01-12 17:17 -------- d-----w- c:\users\leigh\AppData\Local\temp
2011-01-12 17:01 . 2011-01-12 17:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-12 17:01 . 2011-01-12 17:01 -------- d-----w- c:\users\alan\AppData\Local\temp
2011-01-10 21:00 . 2011-01-10 21:00 388096 ----a-r- c:\users\leigh\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-10 21:00 . 2011-01-10 21:00 -------- d-----w- c:\program files\Trend Micro
2011-01-10 16:29 . 2011-01-10 16:29 -------- dc----w- c:\windows\system32\DRVSTORE
2011-01-10 16:29 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-01-10 16:29 . 2011-01-10 16:29 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-10 16:27 . 2011-01-10 16:27 -------- d-----w- c:\users\leigh\AppData\Local\Sunbelt Software
2011-01-10 16:25 . 2011-01-10 16:26 -------- dc-h--w- c:\programdata\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-01-10 16:24 . 2011-01-10 16:29 -------- d-----w- c:\programdata\Lavasoft
2011-01-10 16:24 . 2011-01-10 16:24 -------- d-----w- c:\program files\Lavasoft
2011-01-10 16:11 . 2011-01-10 16:12 -------- d-----w- c:\program files\ERUNT
2011-01-10 15:43 . 2011-01-10 15:43 -------- d-----w- C:\_OTM
2011-01-07 16:00 . 2011-01-07 16:00 -------- d-----w- c:\users\leigh\AppData\Roaming\Malwarebytes
2011-01-07 16:00 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-07 16:00 . 2011-01-07 16:00 -------- d-----w- c:\programdata\Malwarebytes
2011-01-07 16:00 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-07 16:00 . 2011-01-07 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-03 20:18 . 2011-01-03 22:37 -------- d-----w- c:\programdata\Alwil Software
2011-01-03 20:18 . 2011-01-03 20:18 -------- d-----w- c:\program files\Alwil Software
2011-01-03 18:49 . 2011-01-03 18:49 -------- d-----w- c:\program files\Sophos
2011-01-03 16:22 . 2011-01-03 16:22 -------- d-----w- c:\users\leigh\AppData\Roaming\Avira
2011-01-03 15:30 . 2011-01-03 15:30 -------- d-----w- c:\users\alan\AppData\Roaming\Avira
2011-01-03 15:20 . 2010-12-13 08:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-03 15:20 . 2010-12-13 08:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-03 15:20 . 2011-01-03 15:20 -------- d-----w- c:\programdata\Avira
2011-01-03 15:20 . 2011-01-03 15:20 -------- d-----w- c:\program files\Avira
2011-01-03 15:05 . 2011-01-03 15:05 -------- d-----w- c:\windows\BDOSCAN8
2011-01-03 14:53 . 2011-01-03 14:55 -------- d-----w- c:\program files\Windows Live Safety Center
2011-01-03 14:19 . 2011-01-03 14:20 11278816 ----a-w- c:\users\leigh\AppData\Roaming\Microsoft\Windows\Templates\IS360Setup.exe
2011-01-03 14:18 . 2011-01-03 14:18 -------- d-----w- c:\users\leigh\AppData\Roaming\IObit
2011-01-03 14:18 . 2011-01-03 14:18 -------- d-----w- c:\program files\IObit
2011-01-03 14:10 . 2011-01-03 14:10 -------- d-----w- c:\windows\Sun
2011-01-03 14:07 . 2011-01-03 14:07 -------- d-----w- c:\users\alan\AppData\Roaming\CyberLink
2011-01-03 07:22 . 2011-01-03 07:22 0 ----a-w- c:\users\leigh\AppData\Local\Isapogagimogoyin.bin
2011-01-03 07:20 . 2011-01-03 07:20 -------- d-----w- c:\programdata\cIjPo06511
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-09 00:38 . 2010-12-09 00:38 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-15 1232896]
"googletalk"="c:\users\leigh\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Reminder_MUI"="c:\applications\oem\Reminder\Reminder_MUI.exe" [2008-01-10 1081344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

c:\users\alan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [N/A]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^leigh^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\users\leigh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^leigh^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\users\leigh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 00:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-09-26 10:02 2356088 ----a-r- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-03-29 14:41 222128 ----a-w- c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2008-02-27 17:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder_MUI]
2008-01-10 11:46 1081344 ----a-w- c:\applications\OEM\Reminder\Reminder_MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-08-09 19:26 4702208 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-08-11 17:46 21741864 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-08-03 13:22 1826816 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
2005-08-13 10:16 348160 ----a-w- c:\windows\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2007-11-20 15:29 356352 ----a-w- c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpareMessaging]
2007-11-28 16:43 42824 ----a-w- c:\program files\Spare Messaging\MessagingApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-01 00:10 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GShortCut]
2007-07-26 22:07 202024 ----a-w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-03 136176]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\DFDD.tmp [x]
R3 REOMDB;REOMDB;c:\users\leigh\AppData\Local\Temp\REOMDB.exe [x]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-08-07 283136]
R3 TTQ;TTQ;c:\users\leigh\AppData\Local\Temp\TTQ.exe [x]
R3 UD;UD;c:\users\leigh\AppData\Local\Temp\UD.exe [x]
R4 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\TDSupportApp\cdrom_mon.exe [2007-10-06 81920]
R4 Gruss Software Ltd: Betting Assistant update permissions manager. 30256.;Gruss Software Ltd: Betting Assistant update permissions manager. 30256.;c:\program files\Betting Assistant\AUClient.exe [2008-01-09 622592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-12-03 64288]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-12-13 135336]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-12-03 1389400]
S3 SiS6350;SiS6350;c:\windows\system32\DRIVERS\SISGRKMD.sys [2007-08-24 452096]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSGB6.sys [2007-01-22 46592]
.
Contents of the 'Scheduled Tasks' folder

2011-01-12 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2011-01-03 16:19]

2011-01-12 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2011-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-03 20:19]

2011-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-03 20:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\leigh\AppData\Roaming\Mozilla\Firefox\Profiles\bf2zla78.default\
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SiSTray - %ProgramFiles%\SiS VGA Utilities\SiSTray.exe

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

"ServiceDll"="%SystemRoot%\System32\gpsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Gruss Software Ltd: Betting Assistant update permissions manager. 30256.]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\DFDD.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Kontiki\KService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2011-01-12 17:28:14 - machine was rebooted ComboFix-quarantined-files.txt 2011-01-12 17:27 Pre-Run: 57,864,732,672 bytes free Post-Run: 58,126,036,992 bytes free - - End Of File - - 0F8B56AAF1684DD1604F294849658515 DDS (Ver_10-12-12.02) - NTFSx86 Run by leigh at 17:59:26.85 on 12/01/2011 Internet Explorer: 7.0.6000.16982 Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.893.318 [GMT 0:00] ============== Running Processes =============== C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k rpcss C:\Windows\System32\svchost.exe -k secsvcs C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\SLsvc.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k NetworkService C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\Windows\System32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\system32\Dwm.exe C:\Windows\system32\taskeng.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\Windows\system32\taskeng.exe C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Kontiki\KService.exe C:\Windows\ehome\ehtray.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Windows\system32\svchost.exe -k imgsvc C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\System32\svchost.exe -k WerSvcGroup C:\Windows\system32\SearchIndexer.exe C:\Program Files\Avira\AntiVir Desktop\avshadow.exe C:\Windows\ehome\ehmsas.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\wbem\unsecapp.exe 
C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\SearchFilterHost.exe C:\Users\leigh\Desktop\dds.scr C:\Windows\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.co.uk/ uInternet Settings,ProxyServer = http=127.0.0.1:8074 uInternet Settings,ProxyOverride = <local> BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll BHO: 1 (0x1) - No File BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun uRun: [googletalk] c:\users\leigh\appdata\roaming\google\google talk\googletalk.exe /autostart uRun: [Reminder_MUI] c:\applications\oem\reminder\Reminder_MUI.exe mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000 IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe IE: {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - 
c:\microgaming\poker\ladbrokesmpp\MPPoker.exe IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL ================= FIREFOX =================== FF - ProfilePath - c:\users\leigh\appdata\roaming\mozilla\firefox\profiles\bf2zla78.default\ FF - prefs.js: network.proxy.type - 4 FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - 
%profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} ============= SERVICES / DRIVERS =============== R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-1-10 64288] R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-3 61960] R3 SiS6350;SiS6350;c:\windows\system32\drivers\SISGRKMD.sys [2008-2-27 452096] R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\drivers\SiSGB6.sys [2008-2-27 46592] S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2008-2-27 283136] =============== Created Last 30 ================ 2011-01-12 17:28:17 -------- d-----w- c:\users\leigh\appdata\local\temp 2011-01-12 17:17:06 -------- d-sh--w- C:\$RECYCLE.BIN 2011-01-11 20:42:45 89088 ----a-w- c:\windows\MBR.exe 2011-01-11 20:42:44 98816 ----a-w- c:\windows\sed.exe 2011-01-11 20:42:44 256512 ----a-w- c:\windows\PEV.exe 2011-01-11 20:42:44 161792 ----a-w- c:\windows\SWREG.exe 2011-01-10 21:00:10 388096 ----a-r- c:\users\leigh\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe 2011-01-10 21:00:01 -------- d-----w- c:\program files\Trend Micro 2011-01-10 16:29:47 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys 2011-01-10 16:29:42 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2011-01-10 16:27:22 -------- d-----w- c:\users\leigh\appdata\local\Sunbelt Software 2011-01-10 16:25:57 -------- dc-h--w- c:\progra~2\{2162CCC0-3A5F-4887-B51F-CE5F195B3620} 2011-01-10 16:24:49 -------- d-----w- c:\program files\Lavasoft 2011-01-10 15:43:53 -------- d-----w- C:\_OTM 2011-01-07 16:00:37 -------- d-----w- c:\users\leigh\appdata\roaming\Malwarebytes 2011-01-07 16:00:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-01-07 16:00:15 -------- d-----w- c:\progra~2\Malwarebytes 2011-01-07 16:00:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-01-07 16:00:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 
2011-01-03 20:18:35 -------- d-----w- c:\progra~2\Alwil Software
2011-01-03 18:49:30 -------- d-----w- c:\program files\Sophos
2011-01-03 16:22:42 -------- d-----w- c:\users\leigh\appdata\roaming\Avira
2011-01-03 15:20:31 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-03 15:20:23 -------- d-----w- c:\program files\Avira
2011-01-03 15:20:23 -------- d-----w- c:\progra~2\Avira
2011-01-03 14:19:27 11278816 ----a-w- c:\users\leigh\appdata\roaming\microsoft\windows\templates\IS360Setup.exe
2011-01-03 14:18:43 -------- d-----w- c:\users\leigh\appdata\roaming\IObit
2011-01-03 14:18:42 -------- d-----w- c:\program files\IObit
2011-01-03 07:22:27 0 ----a-w- c:\users\leigh\appdata\local\Isapogagimogoyin.bin
2011-01-03 07:20:23 -------- d-----w- c:\progra~2\cIjPo06511
==================== Find3M ====================
============= FINISH: 18:05:10.93 ===============
blade81 Posted January 13, 2011

Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

[code]Driver::
TTQ
UD

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

Ignore::
c:\windows\system\vdremote.dll
c:\windows\system\vdsvrlnk.dll

DeQuarantine::
c:\qoobox\quarantine\c\windows\system\vdremote.dll.vir
c:\qoobox\quarantine\c\windows\system\vdsvrlnk.dll.vir

File::
c:\users\leigh\AppData\Local\Isapogagimogoyin.bin
c:\users\leigh\AppData\Local\Temp\TTQ.exe
c:\users\leigh\AppData\Local\Temp\UD.exe

Folder::
c:\programdata\cIjPo06511[/code]

Save this as CFScript

[color="#ff0000"][b]A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.[/b][/color]

[img]http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif[/img]

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe. Then post the resultant log.

[b]Uninstall old Adobe Reader versions[/b] and get the latest one (9.4 + 9.4.1 update or Adobe Reader X if offered) [url="http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows"]here[/url] or get Foxit Reader [url="http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm"]here[/url]. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced [url="http://pdfreaders.org/"]here[/url].

[b][color="blue"]Your Java is out of date.[/color][/b] Older versions have vulnerabilities that malware can use to infect your system.
[b]Please follow these steps to remove older-version Java components and update to the latest version...[/b]

[b][color="blue"]Updating Java:[/color][/b]
[list]
[*]Download the latest version of [b][url="http://java.sun.com/javase/downloads/index.jsp"]Java Runtime Environment (JRE) 6 Update 23[/url][/b].
[*]Click the [b]Download[/b] button to the right.
[*]Select Windows in the platform combobox and check the box that says: [b][i]Accept License Agreement[/i][/b]. Click continue.
[*]The page will refresh.
[*]Click on the link to download [i]Windows Offline Installation[/i] with or without Multi-language and save it to your desktop.
[*]Close any programs you may have running - especially your web browser.
[*]Go to [b]Start[/b] > [b]Control Panel[/b], double-click on [b]Add/Remove[/b] programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the [b]Remove[/b] or [b]Change/Remove[/b] button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on [b]jre-6u23-windows-i586-p.exe[/b] to install the newest version. Uncheck the Carbonite online backup trial if it's offered there.
[/list]

* Go [url="http://www.eset.eu/online-scanner"][color="red"][b][u]here[/u][/b][/color][/url] to run an online scanner from ESET.
[list]
[*][color="red"][b]Note:[/b][/color] You will need to use [color="blue"][b]Internet Explorer[/b][/color] for this scan
[*]Tick the box next to [b]YES, I accept the Terms of Use.[/b]
[*]Click [b]Start[/b]
[*]When asked, allow the ActiveX control to install
[*]Click [b]Start[/b]
[*]Make sure that the option [b]Remove found threats[/b] is UNchecked.
[*]Click [b]Scan[/b]
[*]Wait for the scan to finish.
[/list]

Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
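The entries the CFScript in the reply above targets are exactly the kind of thing a helper picks out of a DDS log by eye: the IE proxy pointed at 127.0.0.1, BHO entries registered with no DLL behind them, and services whose image lives under a user's Temp folder (and is already gone, which ComboFix marks with [x] in place of the date and size). The block below is an added example, not code from this thread, from ComboFix or from DDS, that automates that first pass over the log lines. The regular expressions assume the line formats seen in the posted logs, the category names are my own, and the sample input is a short excerpt copied from the logs in this thread:

```python
import re
from collections import Counter

# Sample input: lines copied from the DDS and ComboFix logs posted in this
# thread (a constructed excerpt; a real log runs to hundreds of lines).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-3 61960]
R3 TTQ;TTQ;c:\users\leigh\AppData\Local\Temp\TTQ.exe [x]
R3 UD;UD;c:\users\leigh\AppData\Local\Temp\UD.exe [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\DFDD.tmp [x]
"""

# IE proxy set to a loopback address: browser traffic is being funnelled
# through a local process, a pattern that goes with search/site redirects.
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
LOOPBACK_RE = re.compile(r"127\.0\.0\.\d+|localhost", re.IGNORECASE)

# BHO/toolbar CLSID still registered but with no DLL on disk.
ORPHAN_RE = re.compile(r"^(?:BHO|TB):\s.*-\s*No File\s*$")

# Service/driver line: state, name, display name, image path, then either
# "[date size]" or "[x]" (assumed here to mean the image file was not found).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def triage(log_text):
    """Scan log lines and return (category, line) pairs for the patterns above."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            if LOOPBACK_RE.search(m.group("value")):
                findings.append(("local_proxy", line))
            continue
        if ORPHAN_RE.match(line):
            findings.append(("orphan_bho", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            # A service can trip both checks (TTQ and UD do in the sample).
            if TEMP_DIR_RE.search(m.group("path")):
                findings.append(("service_in_temp", line))
            if m.group("info").strip().lower() == "x":
                findings.append(("image_not_found", line))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'service_in_temp': 2, ...}."""
    return dict(Counter(category for category, _ in findings))


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"{category:20} {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

The point of the four categories is that none of them is proof of infection on its own: a stale `[x]` service entry can be left behind by an uninstalled security tool, and an orphaned BHO is usually just clutter. What makes the TTQ and UD entries stand out is the combination (a user-writable Temp path, a missing image, and a meaningless name), which is why a triage script should report every category and leave the judgement to the reader.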
Jon.h1 Posted January 13, 2011

Hi - sorry that took a while - computer has been running very slow - took all day to update Java and Adobe! Also let it do Windows update when it started it - previously every time it ran it failed. Oh, forgot to say, needed to power off when rebooting as it hangs when closing down - did happen occasionally but now have to do it every time.

ESET results:
C:\Applications\Tools\AOL\stdnet_updater.exe probably a variant of Win32/StartPage.LWOOMNQ trojan
C:\Applications\Tools\AOL\comps\acs\acssetup.exe probably a variant of Win32/StartPage.LWOOMNQ trojan
C:\Windows\FixCamera.exe a variant of Win32/KillProc.A application

ComboFix 11-01-12.03 - leigh 13/01/2011 9:20.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.893.183 [GMT 0:00]
Running from: c:\users\leigh\Desktop\ComboFix.exe
Command switches used :: c:\users\leigh\Desktop\CFScript.txt
FILE ::
"c:\users\leigh\AppData\Local\Isapogagimogoyin.bin"
"c:\users\leigh\AppData\Local\Temp\TTQ.exe"
"c:\users\leigh\AppData\Local\Temp\UD.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\cIjPo06511
c:\programdata\cIjPo06511\cIjPo06511
c:\users\leigh\AppData\Local\Isapogagimogoyin.bin
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TTQ
-------\Service_UD
((((((((((((((((((((((((( Files Created from 2010-12-13 to 2011-01-13 )))))))))))))))))))))))))))))))
.
2011-01-13 09:36 . 2011-01-13 09:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-13 09:36 . 2011-01-13 09:51 -------- d-----w- c:\users\leigh\AppData\Local\temp
2011-01-13 09:36 . 2011-01-13 09:36 -------- d-----w- c:\users\alan\AppData\Local\temp
2011-01-13 09:20 . 2011-01-13 09:20 25088 ----a-w- c:\windows\system\vdsvrlnk.dll
2011-01-13 09:19 . 2011-01-13 09:19 31232 ----a-w- c:\windows\system\vdremote.dll
2011-01-12 18:54 .
2010-11-16 12:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4C53A56B-B09D-44B0-9308-E5E8D8E4A8BF}\mpengine.dll 2011-01-10 21:00 . 2011-01-10 21:00 388096 ----a-r- c:\users\leigh\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-01-10 21:00 . 2011-01-10 21:00 -------- d-----w- c:\program files\Trend Micro 2011-01-10 16:29 . 2011-01-10 16:29 -------- dc----w- c:\windows\system32\DRVSTORE 2011-01-10 16:29 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys 2011-01-10 16:29 . 2011-01-10 16:29 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2011-01-10 16:27 . 2011-01-10 16:27 -------- d-----w- c:\users\leigh\AppData\Local\Sunbelt Software 2011-01-10 16:25 . 2011-01-10 16:26 -------- dc-h--w- c:\programdata\{2162CCC0-3A5F-4887-B51F-CE5F195B3620} 2011-01-10 16:24 . 2011-01-10 16:29 -------- d-----w- c:\programdata\Lavasoft 2011-01-10 16:24 . 2011-01-10 16:24 -------- d-----w- c:\program files\Lavasoft 2011-01-10 16:11 . 2011-01-10 16:12 -------- d-----w- c:\program files\ERUNT 2011-01-10 15:43 . 2011-01-10 15:43 -------- d-----w- C:\_OTM 2011-01-07 16:00 . 2011-01-07 16:00 -------- d-----w- c:\users\leigh\AppData\Roaming\Malwarebytes 2011-01-07 16:00 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-01-07 16:00 . 2011-01-07 16:00 -------- d-----w- c:\programdata\Malwarebytes 2011-01-07 16:00 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-01-07 16:00 . 2011-01-07 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-01-03 20:18 . 2011-01-03 22:37 -------- d-----w- c:\programdata\Alwil Software 2011-01-03 20:18 . 2011-01-03 20:18 -------- d-----w- c:\program files\Alwil Software 2011-01-03 18:49 . 2011-01-03 18:49 -------- d-----w- c:\program files\Sophos 2011-01-03 16:22 . 2011-01-03 16:22 -------- d-----w- c:\users\leigh\AppData\Roaming\Avira 2011-01-03 15:30 . 
2011-01-03 15:30 -------- d-----w- c:\users\alan\AppData\Roaming\Avira 2011-01-03 15:20 . 2010-12-13 08:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys 2011-01-03 15:20 . 2010-12-13 08:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2011-01-03 15:20 . 2011-01-03 15:20 -------- d-----w- c:\programdata\Avira 2011-01-03 15:20 . 2011-01-03 15:20 -------- d-----w- c:\program files\Avira 2011-01-03 15:05 . 2011-01-03 15:05 -------- d-----w- c:\windows\BDOSCAN8 2011-01-03 14:53 . 2011-01-03 14:55 -------- d-----w- c:\program files\Windows Live Safety Center 2011-01-03 14:19 . 2011-01-03 14:20 11278816 ----a-w- c:\users\leigh\AppData\Roaming\Microsoft\Windows\Templates\IS360Setup.exe 2011-01-03 14:18 . 2011-01-03 14:18 -------- d-----w- c:\users\leigh\AppData\Roaming\IObit 2011-01-03 14:18 . 2011-01-03 14:18 -------- d-----w- c:\program files\IObit 2011-01-03 14:10 . 2011-01-03 14:10 -------- d-----w- c:\windows\Sun 2011-01-03 14:07 . 2011-01-03 14:07 -------- d-----w- c:\users\alan\AppData\Roaming\CyberLink . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-12-09 00:38 . 2010-12-09 00:38 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll 2010-10-19 10:41 . 2009-10-05 00:40 222080 ------w- c:\windows\system32\MpSigStub.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-15 1232896] "googletalk"="c:\users\leigh\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648] "Reminder_MUI"="c:\applications\oem\Reminder\Reminder_MUI.exe" [2008-01-10 1081344] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768] c:\users\alan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [N/A] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk] path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk backup=c:\windows\pss\VPN Client.lnk.CommonStartup backupExtension=.CommonStartup [HKLM\~\startupfolder\C:^Users^leigh^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk] path=c:\users\leigh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup backupExtension=.Startup [HKLM\~\startupfolder\C:^Users^leigh^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk] path=c:\users\leigh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup backupExtension=.Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2008-10-15 00:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\AdobeUpdater] 2008-09-26 10:02 2356088 ----a-r- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM] 2007-03-29 14:41 222128 ----a-w- c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx] 2008-02-27 17:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder_MUI] 2008-01-10 11:46 1081344 ----a-w- c:\applications\OEM\Reminder\Reminder_MUI.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl] 2007-08-09 19:26 4702208 ----a-w- c:\windows\RtHDVCpl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] 2008-08-11 17:46 21741864 ----a-r- c:\program files\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel] 2007-08-03 13:22 1826816 ----a-w- c:\windows\SkyTel.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std] 2005-08-13 10:16 348160 ----a-w- c:\windows\vsnp2std.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite] 2007-11-20 15:29 356352 ----a-w- c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpareMessaging] 2007-11-28 16:43 42824 ----a-w- c:\program files\Spare Messaging\MessagingApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2006-11-01 00:10 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GShortCut] 2007-07-26 22:07 202024 ----a-w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "SpybotSD 
TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc] "AntiVirusOverride"=dword:00000001 "AntiSpywareOverride"=dword:00000001 R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-03 136176] R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2010-12-03 15264] R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\DFDD.tmp [x] R3 REOMDB;REOMDB;c:\users\leigh\AppData\Local\Temp\REOMDB.exe [x] R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-08-07 283136] R4 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\TDSupportApp\cdrom_mon.exe [2007-10-06 81920] R4 Gruss Software Ltd: Betting Assistant update permissions manager. 30256.;Gruss Software Ltd: Betting Assistant update permissions manager. 30256.;c:\program files\Betting Assistant\AUClient.exe [2008-01-09 622592] S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-12-03 64288] S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-12-13 135336] S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-12-03 1389400] S3 SiS6350;SiS6350;c:\windows\system32\DRIVERS\SISGRKMD.sys [2007-08-24 452096] S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSGB6.sys [2007-01-22 46592] . 
Contents of the 'Scheduled Tasks' folder 2011-01-13 c:\windows\Tasks\AWC Startup.job - c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2011-01-03 16:19] 2011-01-13 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20] 2011-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-03 20:19] 2011-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-03 20:19] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.co.uk/ IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - c:\users\leigh\AppData\Roaming\Mozilla\Firefox\Profiles\bf2zla78.default\ FF - prefs.js: network.proxy.type - 4 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} . ************************************************************************** scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully
hidden files:

**************************************************************************

"ServiceDll"="%SystemRoot%\System32\gpsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Gruss Software Ltd: Betting Assistant update permissions manager. 30256.]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\DFDD.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Kontiki\KService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-01-13 10:09:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-13 10:08
ComboFix2.txt 2011-01-12 17:28
C:\DeQuarantine.txt
Pre-Run: 58,226,774,016 bytes free
Post-Run: 57,967,218,688 bytes free
- - End Of File - - F39C35F2E1D80F9CDB4060780522D338

Also produced this file:

c:\qoobox\quarantine\c\windows\system\vdremote.dll.vir -> c:\windows\system\vdremote.dll ( 31232 bytes )
c:\qoobox\quarantine\c\windows\system\vdsvrlnk.dll.vir -> c:\windows\system\vdsvrlnk.dll ( 25088 bytes )

DDS (Ver_10-12-12.02) - NTFSx86
Run by leigh at 20:30:24.97 on 13/01/2011
Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 1.6.0_23
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.893.210 [GMT 0:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Kontiki\KService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Users\leigh\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [googletalk] c:\users\leigh\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [Reminder_MUI] c:\applications\oem\reminder\Reminder_MUI.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - c:\microgaming\poker\ladbrokesmpp\MPPoker.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\leigh\appdata\roaming\mozilla\firefox\profiles\bf2zla78.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-1-10 64288]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-3 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-3 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-3 61960]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1389400]
R3 SiS6350;SiS6350;c:\windows\system32\drivers\SISGRKMD.sys [2008-2-27 452096]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\drivers\SiSGB6.sys [2008-2-27 46592]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-3 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15264]
S3 REOMDB;REOMDB;c:\users\leigh\appdata\local\temp\reomdb.exe --> c:\users\leigh\appdata\local\temp\REOMDB.exe [?]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2008-2-27 283136]
S4 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\tdsupportapp\cdrom_mon.exe [2008-6-18 81920]
S4 Gruss Software Ltd: Betting Assistant update permissions manager. 30256.;Gruss Software Ltd: Betting Assistant update permissions manager. 30256.;c:\program files\betting assistant\auclient.exe -permissionmanagerrun --> c:\program files\betting assistant\AUClient.exe -PermissionManagerRun [?]

=============== Created Last 30 ================

2011-01-13 19:07:55 -------- d-----w- c:\program files\ESET
2011-01-13 19:02:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-13 19:02:12 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-01-13 12:04:26 -------- d-----w- c:\users\leigh\Tracing
2011-01-13 12:03:31 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2011-01-13 11:37:31 -------- d-----w- c:\program files\Microsoft
2011-01-13 11:37:15 -------- d-----w- c:\program files\Windows Live SkyDrive
2011-01-13 11:35:45 484632 ----a-w- c:\program files\common files\windows live\.cache\3f7d0a71cbb316\DXSETUP.exe
2011-01-13 11:35:44 74520 ----a-w- c:\program files\common files\windows live\.cache\3f7d0a71cbb316\DSETUP.dll
2011-01-13 11:35:44 1670936 ----a-w- c:\program files\common files\windows live\.cache\3f7d0a71cbb316\dsetup32.dll
2011-01-13 11:31:37 -------- d-----w- c:\program files\common files\Windows Live
2011-01-13 10:09:37 -------- d-----w- c:\users\leigh\appdata\local\temp
2011-01-13 09:50:42 -------- d-sh--w- C:\$RECYCLE.BIN
2011-01-13 09:20:00 25088 ----a-w- c:\windows\system\vdsvrlnk.dll
2011-01-13 09:19:58 31232 ----a-w- c:\windows\system\vdremote.dll
2011-01-12 18:54:09 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{4c53a56b-b09d-44b0-9308-e5e8d8e4a8bf}\mpengine.dll
2011-01-11 20:42:45 89088 ----a-w- c:\windows\MBR.exe
2011-01-11 20:42:44 98816 ----a-w- c:\windows\sed.exe
2011-01-11 20:42:44 256512 ----a-w- c:\windows\PEV.exe
2011-01-11 20:42:44 161792 ----a-w- c:\windows\SWREG.exe
2011-01-10 21:00:10 388096 ----a-r- c:\users\leigh\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-01-10 21:00:01 -------- d-----w- c:\program files\Trend Micro
2011-01-10 16:29:47 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-01-10 16:29:42 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-10 16:27:22 -------- d-----w- c:\users\leigh\appdata\local\Sunbelt Software
2011-01-10 16:25:57 -------- dc-h--w- c:\progra~2\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-01-10 16:24:49 -------- d-----w- c:\program files\Lavasoft
2011-01-10 15:43:53 -------- d-----w- C:\_OTM
2011-01-07 16:00:37 -------- d-----w- c:\users\leigh\appdata\roaming\Malwarebytes
2011-01-07 16:00:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-07 16:00:15 -------- d-----w- c:\progra~2\Malwarebytes
2011-01-07 16:00:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-07 16:00:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-03 20:18:35 -------- d-----w- c:\progra~2\Alwil Software
2011-01-03 18:49:30 -------- d-----w- c:\program files\Sophos
2011-01-03 16:22:42 -------- d-----w- c:\users\leigh\appdata\roaming\Avira
2011-01-03 15:20:31 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-03 15:20:23 -------- d-----w- c:\program files\Avira
2011-01-03 15:20:23 -------- d-----w- c:\progra~2\Avira
2011-01-03 14:19:27 11278816 ----a-w- c:\users\leigh\appdata\roaming\microsoft\windows\templates\IS360Setup.exe
2011-01-03 14:18:43 -------- d-----w- c:\users\leigh\appdata\roaming\IObit
2011-01-03 14:18:42 -------- d-----w- c:\program files\IObit

==================== Find3M ====================

2010-10-19 10:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 20:32:19.47 ===============
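A note on reading logs like the one above, with an added example. The entries a helper looks at first in a DDS "SERVICES / DRIVERS" section are the ones DDS marks with [?] (it could not verify the file on disk), binaries launched from a user's temp directory, and "No File" BHO/toolbar entries; in the ComboFix dump the MEMSWEEP2 service whose ImagePath is a .tmp file in system32 is the same kind of indicator. The script below is added by the editor and is not part of the original post nor code from the DDS or ComboFix tools. It parses the line formats as they appear in the log above (the service line layout `<start> <name>;<display>;<path> [date size]`, the `-->` resolution and `[?]` marker, and ComboFix's `[HKEY_...]` key followed by `"ImagePath"="..."`), which is an inference from the pasted log, and the heuristics it applies are the editor's own; the sample lines are copied from that log, with two benign entries added for contrast.

```python
"""Triage helper for DDS 'SERVICES / DRIVERS' and 'Pseudo HJT' lines and
ComboFix registry dumps.

Added by the editor as an example; not part of the original post and not
code from DDS or ComboFix. Line formats are inferred from the pasted log;
the heuristics are the editor's and do not replace reading the whole log.
"""
import re

# Sample input: lines copied from the posted log, plus two benign entries
# (the Avira service and the Adobe BHO) for contrast.
SAMPLE_LOG = r"""
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-3 267944]
S3 REOMDB;REOMDB;c:\users\leigh\appdata\local\temp\reomdb.exe --> c:\users\leigh\appdata\local\temp\REOMDB.exe [?]
S4 Gruss Software Ltd: Betting Assistant update permissions manager. 30256.;Gruss Software Ltd: Betting Assistant update permissions manager. 30256.;c:\program files\betting assistant\auclient.exe -permissionmanagerrun --> c:\program files\betting assistant\AUClient.exe -PermissionManagerRun [?]
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\DFDD.tmp"
"""

# DDS service line: "<R|S><n> <name>;<display>;<path> [date size]", or
# "<path> --> <resolved path> [?]" when DDS could not verify the file.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
NOFILE_RE = re.compile(r"^(?P<kind>BHO|TB):\s*(?P<entry>.*?)\s+-\s+No File\s*$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>.*)"$')
# Editor's heuristic: service binaries normally do not live in these places.
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)


def triage(log_text):
    """Return a list of findings (dicts), one per suspicious entry, in log order."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")  # values that follow belong to this key
            continue

        m = IMAGEPATH_RE.match(line)
        if m:
            path = m.group("path")
            reasons = []
            if path.lower().endswith(".tmp"):
                reasons.append("service ImagePath is a .tmp file")
            if TEMP_DIR_RE.search(path):
                reasons.append("service binary lives in a temp directory")
            if reasons:
                name = current_key.rsplit("\\", 1)[-1] if current_key else "?"
                findings.append({"source": "registry", "name": name, "path": path, "reasons": reasons})
            continue

        m = NOFILE_RE.match(line)
        if m:
            findings.append({"source": m.group("kind"), "name": m.group("entry"), "path": None,
                             "reasons": ["orphaned browser entry (No File)"]})
            continue

        m = SERVICE_RE.match(line)
        if m:
            rest = m.group("rest")
            # The path is everything before the " --> " resolution or the " [" stamp.
            path = re.split(r"\s+-->\s+|\s+\[", rest, maxsplit=1)[0]
            reasons = []
            if rest.endswith("[?]"):
                reasons.append("DDS could not verify the file ([?])")
            if TEMP_DIR_RE.search(path):
                reasons.append("service binary lives in a temp directory")
            if reasons:
                findings.append({"source": "service " + m.group("start"), "name": m.group("name"),
                                 "path": path, "reasons": reasons})
    return findings


def report(findings):
    """Render findings as plain text, one entry per line."""
    return "\n".join(
        f"{f['source']}: {f['name']} -> {f['path'] or '-'} ({'; '.join(f['reasons'])})"
        for f in findings
    )


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the sample it flags REOMDB (temp-directory binary, unverifiable), the Gruss entry (unverifiable only), the two orphaned browser entries and MEMSWEEP2 (.tmp ImagePath), and leaves the Avira service and the Adobe BHO alone. A flag is a prompt to look, not a verdict: the Gruss entry may well be legitimate software whose binary is simply missing, which is why the reason is recorded with each finding.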
blade81 Posted January 14, 2011

[quote]Sorry that took a while - computer has been running very slow - took all day to update Java and Adobe! Also let it do Windows Update when it started it - previously every time it ran it failed. I forgot to say I needed to power off when rebooting as it hangs when closing down - did happen occasionally but now have to do it every time.[/quote]

One thing that could help, and is also highly advisable, is to install available updates. System doesn't have service packs for Vista installed, right?
Jon.h1 Posted January 14, 2011

Hi - yes, you are right, no service packs - I will make sure he leaves automatic updates on in future! Am installing them now - judging by the speed of installing anything on this computer I may be some time (1% per 10 min at current rate!!).
blade81 Posted January 15, 2011

OK. Let's see fresh DDS logs after the updates have been installed.
Jon.h1 Posted January 17, 2011

Microsoft Update installed a couple of security patches OK and then spent all weekend trying to install Service Pack 1 - it downloads OK but won't install - after a couple of hours it says 'can't install service pack, reverting changes' and then takes a few more hours to undo all the changes. Tried a couple of times with no success. Any ideas?
blade81 Posted January 17, 2011

Hi,

Do you recall if those updates you installed first were released after Service Pack 1? Did you install all updates with a release date earlier than SP1?
Jon.h1 Posted January 18, 2011

Hi - I just let it run automatic updates as I assumed it would load them in the correct order. I've copied below all the last updates from the 'view update history' window. Not sure why it lists a number of 'service pack 1' updates as successful! (I've looked in 'computer' > 'properties' to make sure it isn't listed.) In 'new updates are available' it still lists the next update to be installed as service pack 1.

Security Update for Microsoft Office Publisher 2003 (KB2284695) - Installation date: 12/01/2011 18:51 - Installation status: Successful
Security Update for Microsoft Office 2007 System (KB2288931) - Installation date: 12/01/2011 18:52 - Installation status: Successful
Update for Microsoft Office Outlook 2003 Junk Email Filter (KB2466074) - Installation date: 12/01/2011 18:52 - Installation status: Successful
Security Update for Microsoft Office 2003 (KB2289163) - Installation date: 12/01/2011 18:52 - Installation status: Successful
Security Update for Microsoft Works 9 (KB2431831) - Installation date: 12/01/2011 18:54 - Installation status: Successful
Definition Update for Windows Defender - KB915597 (Definition 1.95.3662.0) - Installation date: 12/01/2011 18:54 - Installation status: Successful
Update for Microsoft Office Outlook 2003 (KB2449798) - Installation date: 12/01/2011 18:55 - Installation status: Successful
Windows Malicious Software Removal Tool - January 2011 (KB890830) - Installation date: 12/01/2011 18:57 - Installation status: Successful
Update for Microsoft Silverlight (KB2477244) - Installation date: 13/01/2011 11:31 - Installation status: Successful
Windows Live Essentials - Installation date: 13/01/2011 12:04 - Installation status: Successful
Update for Windows Vista (KB955430) - Installation date: 13/01/2011 12:48 - Installation status: Successful
Definition Update for Windows Defender - KB915597 (Definition 1.95.3914.0) - Installation date: 14/01/2011 20:58 - Installation status: Successful
Windows Vista Service Pack 1 (KB936330) - Installation date: 14/01/2011 22:06 - Installation status: Failed - Error details: Code 81000101
Windows Vista Service Pack 1 (KB936330) - Installation date: 14/01/2011 22:32 - Installation status: Failed - Error details: Code 80010108
Windows Vista Service Pack 1 (KB936330) - Installation date: 15/01/2011 00:34 - Installation status: Successful
Windows Vista Service Pack 1 (KB936330) - Installation date: 15/01/2011 16:34 - Installation status: Successful
Definition Update for Windows Defender - KB915597 (Definition 1.95.4180.0) - Installation date: 18/01/2011 12:07 - Installation status: Successful
blade81 Posted January 20, 2011

Hi,

Please try the troubleshooting steps in [url="http://support.microsoft.com/kb/947366"]this article[/url].
Jon.h1 Posted January 22, 2011

Hi - completed all the troubleshooting steps in the article with no success. I also tried msconfig to turn off all programs and all non-Windows services, and used Task Manager to stop any processes that weren't obviously important before running it. Since running the stand-alone package for the service pack, on the final restart (after it reverts changes) I now get the error code 0x800F0826 ('Indicates a previous update has failed to install and thus preventing further installations of updates'). Looking for information on this error, it looks like a lot of people have this when trying to install SP1. There was a post on Microsoft suggesting changing the startup type from manual to automatic for the 'Windows Event Collector' and 'Windows Modules Installer' services - which I also tried.

Looking at the update history it looks like Vista updates have been failing for months (although other updates, such as for MS Office, were mainly installed successfully). Earlier in the history some of the first Windows Vista updates failed with the error code 80246005 - although I'm not sure if that has anything to do with it? (Unfortunately, as his computer still worked as normal, he didn't think these failed updates were important!) It only lists SP1 as the next update to install in 'automatic updates', so should I try and reinstall some of those earlier failed updates manually - although I'm not quite sure where to start?

Thanks for all your help - I know this is getting a bit beyond the scope of this forum now.
blade81 Posted January 22, 2011

Hi,

Let's uninstall ComboFix at this point:
[list]
[*]Click START then RUN
[*]Now copy-paste [b]Combofix /uninstall[/b] in the run box and click OK
[/list]

Since Windows Update issues are not my strongest area, I recommend posting at the [url="http://social.answers.microsoft.com/Forums/en-US/vistawu/threads"]Microsoft forums[/url]. People there can likely give better assistance with this kind of issue than I'm able to give.
CeciliaB Posted January 23, 2011

The thread [url="http://social.technet.microsoft.com/Forums/en/itprovistasp/thread/14c2c509-2935-494f-a202-b811d25a665f"]http://social.technet.microsoft.com/Forums...02-b811d25a665f[/url] has some tips regarding the error 0x800F0826 when installing SP1, and there is some information from Microsoft here: [url="http://windows.microsoft.com/en-US/windows-vista/Windows-Update-error-800f0826"]http://windows.microsoft.com/en-US/windows...-error-800f0826[/url]
blade81 Posted January 23, 2011

You may try those links Cecilia provided. If they don't help, then it's better to post at that MS forum I linked in my previous post.
Jon.h1 Posted January 31, 2011

Hi, thanks for all your help - tried the links from Cecilia with no success - looks like I need to do a 'destructive recovery' - I have copied the answer from the Windows Update forum below - seems a little extreme, but I guess if that is the only sure way!

"Support for Vista Gold (no Service Packs) ended on Tuesday, 13 April 2010. Your partner's computer is now nine months behind on critical security updates and should NOT be connected to the internet or any local networks (i.e., other computers) in its current state!

Back up any personal data (none of which should be considered 100% trustworthy at this point), then format the HDD & do a clean install of Windows. Please note that a Repair Install (AKA in-place upgrade) will NOT fix this!

NOTE: If your computer didn't come with a set of disks, there will be a hidden Recovery partition (not to be confused with System Restore) you would use to do the clean install (AKA a "destructive recovery").

After the clean install, you will have the equivalent of a "new computer", so take care of EVERYTHING on the following page BEFORE otherwise connecting the machine to the internet or a local network (i.e., other computers) AND BEFORE connecting a flash drive, SD card, or any other external drive to the computer:

4 steps to help protect your new computer before you go online
[url="http://www.microsoft.com/security/pypc.aspx"]http://www.microsoft.com/security/pypc.aspx[/url]

Tip: After getting the computer fully patched, download/install KB971029 manually before connecting any external drive to the computer:
[url="http://support.microsoft.com/kb/971029"]http://support.microsoft.com/kb/971029[/url]

VERY IMPORTANT!! => Any Norton or McAfee free trial that came preinstalled on the computer when you bought it will be reinstalled (but invalid) when Windows is reinstalled. You MUST uninstall the free trial AND download/run the appropriate removal tool BEFORE installing any updates, Windows Service Packs or IE upgrades AND BEFORE installing your new anti-virus application (e.g., Microsoft Security Essentials - free).

Norton Removal Tool
[url="ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe"]ftp://ftp.symantec.com/public/english_us_...emoval_Tool.exe[/url]

McAfee Consumer Products Removal Tool
[url="http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe"]http://download.mcafee.com/products/licens...atches/MCPR.exe[/url]

If these procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a local, reputable and independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.

~Robear Dyer (PA Bear)
~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002
~ Disclaimer: MS MVPs neither represent nor work for Microsoft"
blade81 Posted February 1, 2011

Hi,

Yes, that seems to be the _best_ solution.
Jon.h1 Posted February 2, 2011

Hi, more problems I'm afraid - although I'm not sure if this is linked to my previous infection problems at all? The laptop is an e-system 1201 and, from what I've been told, it has a recovery partition on the hard drive. I can get into the advanced boot options on start-up, but when I select 'Repair your computer' the hard drive flashes for a bit and then it just restarts. There is a TechGuys icon which gives the option to create a recovery DVD, so I thought maybe I could boot off that and see if I get the option to do a destructive recovery - unfortunately, although I can read a DVD/CD, I can't write to one - or even format one - either a CD or DVD-RW. When I try, the process starts and then just hangs. Also having problems trying to access a USB memory stick - and a USB mouse hasn't worked for some time. Just wondering if you had any ideas? Thanks.