zubbs1

Unknown Infection Cannot Run Adaware


Last night I got infected. Something was displayed on my screen saying that I had massive system failures (software and hardware) and wanted me to click on it to scan them. I couldn't close this, and couldn't open Task Manager. I booted my system into safe mode and did a system restore. That particular issue is gone, but now I cannot run Adaware. I also cannot click an internet link without it redirecting to all kinds of places that prompt to install software. Lastly, two entries for Internet Explorer keep appearing in Task Manager, yet I don't use IE, I use Firefox.


I was able to get a HijackThis analysis, which is below. I'm not quite sure where to start, since I usually start with a full scan from Adaware...


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:36:25 PM, on 6/21/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Iomega\Home Storage Manager\Iomega Discovery.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\stsystra.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Iomega Home Storage Manager] C:\Program Files\Iomega\Home Storage Manager\Iomega Discovery.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E6C8804-6D69-48FF-B483-ECE97608240E}: NameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5472037-1C81-4BC4-97B1-6E3B99270DEC}: NameServer = 192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E6C8804-6D69-48FF-B483-ECE97608240E}: NameServer = 192.168.1.254
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E6C8804-6D69-48FF-B483-ECE97608240E}: NameServer = 192.168.1.254
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - PowerUp Software, LLC - C:\Program Files\Pinnacle Game Profiler\pinnacle_updater.exe

--
End of file - 7923 bytes


I greatly appreciate the help on this!

Hi zubbs1,

Please follow the instructions in the topic Read This Before You Post! (http://www.lavasoftsupport.com/index.php?showtopic=30823) if possible.

Do you remember the name of the fake program that reported all the failures?

Quoting CeciliaB (post 127707, Jun 21 2011, 05:25 PM):

    Hi zubbs1,

    Please follow the instructions in the topic Read This Before You Post! (http://www.lavasoftsupport.com/index.php?showtopic=30823) if possible.

    Do you remember the name of the fake program that reported all the failures?

Sorry, I don't recall the name of the program.

Here are the OTL scan results:


OTL.TXT

OTL logfile created on: 6/21/2011 10:20:03 PM - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Users\Zubba\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.53 Gb Available Physical Memory | 76.41% Memory free
4.00 Gb Paging File | 3.36 Gb Available in Paging File | 84.08% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 142.24 Gb Total Space | 36.90 Gb Free Space | 25.94% Space Free | Partition Type: NTFS
Drive T: | 927.44 Gb Total Space | 27.93 Gb Free Space | 3.01% Space Free | Partition Type: NTFS
Drive U: | 927.44 Gb Total Space | 27.93 Gb Free Space | 3.01% Space Free | Partition Type: NTFS
Drive V: | 927.44 Gb Total Space | 27.93 Gb Free Space | 3.01% Space Free | Partition Type: NTFS
Drive W: | 927.44 Gb Total Space | 27.93 Gb Free Space | 3.01% Space Free | Partition Type: NTFS
Drive X: | 927.44 Gb Total Space | 27.93 Gb Free Space | 3.01% Space Free | Partition Type: NTFS
Drive Y: | 927.44 Gb Total Space | 27.93 Gb Free Space | 3.01% Space Free | Partition Type: NTFS
Drive Z: | 927.44 Gb Total Space | 27.93 Gb Free Space | 3.01% Space Free | Partition Type: NTFS

Computer Name: GALILEO | User Name: Zubba | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Zubba\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe (Logitech, Inc.)
PRC - C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
PRC - C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe (Adobe Systems Inc.)
PRC - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
PRC - C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
PRC - C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
PRC - C:\Program Files\Iomega\Home Storage Manager\Iomega Discovery.exe (Iomega Corporation)
PRC - C:\Windows\stsystra.exe (SigmaTel, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Users\Zubba\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (ACDaemon) -- File not found
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (PinnacleUpdateSvc) -- C:\Program Files\Pinnacle Game Profiler\pinnacle_updater.exe (PowerUp Software, LLC)
SRV - (LBTServ) -- C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe (Logitech, Inc.)
SRV - (Kodak AiO Network Discovery Service) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (LUsbFilt) -- C:\Windows\System32\drivers\LUsbFilt.sys (Logitech, Inc.)
DRV - (LMouFilt) -- C:\Windows\System32\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV - (LHidFilt) -- C:\Windows\System32\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV - (SCDEmu) -- C:\Windows\System32\drivers\scdemu.sys (PowerISO Computing, Inc.)
DRV - (netw5v32) Intel® -- C:\Windows\System32\drivers\netw5v32.sys (Intel Corporation)
DRV - (bcm4sbxp) -- C:\Windows\System32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (STHDA) -- C:\Windows\System32\drivers\sthda.sys (SigmaTel, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 52 01 99 57 1D F7 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: [email protected]:1.20.0.66

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/21 00:22:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/21 08:38:48 | 000,000,000 | ---D | M]

[2011/01/06 23:20:22 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Zubba\AppData\Roaming\Mozilla\Extensions
[2011/06/21 00:14:11 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Zubba\AppData\Roaming\Mozilla\Firefox\Profiles\4faghf6q.default\extensions
[2011/06/21 00:22:56 | 000,000,000 | ---D | M] (Разпознаване на устройство Logitech) -- C:\Users\Zubba\AppData\Roaming\Mozilla\Firefox\Profiles\4faghf6q.default\extensions\[email protected]
[2011/06/21 00:12:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/06/21 00:22:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
File not found (No name found) --
() (No name found) -- C:\USERS\ZUBBA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\4FAGHF6Q.DEFAULT\EXTENSIONS\[email protected]
[2011/04/28 20:16:17 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2009/08/14 12:33:22 | 000,070,488 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CgpCore.dll
[2009/08/14 12:33:30 | 000,091,480 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\confmgr.dll
[2009/08/14 12:33:26 | 000,020,824 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ctxlogging.dll
[2007/03/16 17:33:48 | 000,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcm80.dll
[2007/03/16 17:33:48 | 000,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcp80.dll
[2007/03/16 17:33:50 | 000,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcr80.dll
[2011/06/09 21:46:26 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol400.dll
[2011/06/09 21:46:26 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol500.dll
[2011/03/18 13:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2011/01/07 10:55:21 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/08/14 12:35:40 | 000,427,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npicaN.dll
[2011/03/18 13:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
[2009/08/14 12:33:22 | 000,023,896 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\TcpPServ.dll
[2010/01/01 03:00:00 | 000,002,252 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2009/06/10 16:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll (BitComet)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [Iomega Home Storage Manager] C:\Program Files\Iomega\Home Storage Manager\Iomega Discovery.exe (Iomega Corporation)
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Windows\stsystra.exe (SigmaTel, Inc.)
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil10l_ActiveX.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Download all links using BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: Download all videos using BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: Download link using &BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O10 - NameSpace_Catalog5\Catalog_Entries00000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O20 - AppInit_DLLs: (acaptuser32.dll) - C:\Windows\System32\acaptuser32.dll (Adobe Systems Incorporated)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | -H-- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\AutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/21 21:22:42 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Users\Zubba\Desktop\OTL.exe
[2011/06/21 13:28:26 | 000,000,000 | ---D | C] -- C:\ProgramData\SecTaskMan
[2011/06/21 13:14:47 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/06/21 13:14:47 | 000,000,000 | ---D | C] -- C:\Users\Zubba\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/06/21 08:40:53 | 000,022,872 | R--- | C] (Adobe Systems Inc.) -- C:\Windows\System32\AdobePDFUI.dll
[2011/06/21 08:39:40 | 000,112,056 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\acaptuser32.dll
[2011/06/21 08:25:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/06/21 08:25:21 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/06/21 08:25:20 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/06/09 21:46:26 | 000,000,000 | ---D | C] -- C:\Users\Zubba\AppData\Roaming\Catalina Marketing Corp
[2011/06/09 21:46:23 | 000,000,000 | ---D | C] -- C:\Users\Zubba\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp
[2011/06/09 21:44:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
[2011/06/09 21:44:55 | 000,000,000 | ---D | C] -- C:\Program Files\Coupons
[2011/05/24 20:44:01 | 000,027,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\Diskdump.sys
[2011/05/24 00:26:19 | 000,000,000 | -H-D | C] -- C:\ProgramData\Symantec
[2011/05/24 00:26:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2011/05/24 00:26:13 | 000,000,000 | -H-D | C] -- C:\ProgramData\NortonInstaller
[2011/05/23 21:27:58 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/05/23 20:27:49 | 003,967,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2011/05/23 20:27:49 | 003,912,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2011/05/23 20:27:47 | 000,123,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\poqexec.exe

========== Files - Modified Within 30 Days ==========

[2011/06/21 21:22:45 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\Zubba\Desktop\OTL.exe
[2011/06/21 14:33:42 | 000,019,520 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/21 14:33:42 | 000,019,520 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/21 14:26:46 | 000,000,054 | ---- | M] () -- C:\Windows\System32\rp_stats.dat
[2011/06/21 14:26:46 | 000,000,039 | ---- | M] () -- C:\Windows\System32\rp_rules.dat
[2011/06/21 14:26:14 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/06/21 14:26:09 | 1609,383,936 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/21 13:14:47 | 000,002,963 | ---- | M] () -- C:\Users\Zubba\Desktop\HiJackThis.lnk
[2011/06/21 12:57:33 | 001,402,880 | ---- | M] () -- C:\Users\Zubba\Desktop\HiJackThis.msi
[2011/06/21 08:47:23 | 000,627,082 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/06/21 08:47:23 | 000,107,366 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/06/21 08:21:16 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/06/21 00:24:59 | 000,119,296 | ---- | M] () -- C:\Windows\System32\zlib.dll
[2011/06/20 23:51:56 | 000,000,240 | -H-- | M] () -- C:\ProgramData\~30072568
[2011/06/20 23:51:56 | 000,000,168 | -H-- | M] () -- C:\ProgramData\~30072568r
[2011/06/20 23:51:34 | 000,000,336 | -H-- | M] () -- C:\ProgramData\30072568
[2011/06/19 04:47:18 | 002,122,054 | -H-- | M] () -- C:\Users\Zubba\Desktop\IMG_0616.JPG
[2011/05/24 19:14:10 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe

========== Files Created - No Company Name ==========

[2011/06/21 13:14:47 | 000,002,963 | ---- | C] () -- C:\Users\Zubba\Desktop\HiJackThis.lnk
[2011/06/21 12:57:30 | 001,402,880 | ---- | C] () -- C:\Users\Zubba\Desktop\HiJackThis.msi
[2011/06/21 08:27:25 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/20 23:51:56 | 000,000,240 | -H-- | C] () -- C:\ProgramData\~30072568
[2011/06/20 23:51:56 | 000,000,168 | -H-- | C] () -- C:\ProgramData\~30072568r
[2011/06/20 23:51:34 | 000,000,336 | -H-- | C] () -- C:\ProgramData\30072568
[2011/06/19 04:47:18 | 002,122,054 | -H-- | C] () -- C:\Users\Zubba\Desktop\IMG_0616.JPG
[2011/04/13 09:07:49 | 000,000,000 | ---- | C] () -- C:\Windows\AoADVDRipper.INI
[2011/04/13 09:07:40 | 000,765,952 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2011/04/13 09:07:40 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2011/04/12 15:51:45 | 000,007,616 | -H-- | C] () -- C:\Users\Zubba\AppData\Local\Resmon.ResmonCfg
[2011/03/24 16:28:06 | 000,000,054 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
[2011/03/24 16:28:06 | 000,000,039 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
[2011/02/20 21:12:24 | 000,000,590 | ---- | C] () -- C:\Windows\entpack.ini
[2011/02/11 12:00:31 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/01/07 11:36:08 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2011/01/07 11:13:37 | 000,119,296 | ---- | C] () -- C:\Windows\System32\zlib.dll
[2011/01/07 11:13:37 | 000,057,344 | ---- | C] () -- C:\Windows\System32\ADsSecurity.dll
[2011/01/07 11:13:37 | 000,036,864 | ---- | C] () -- C:\Windows\System32\dxinputdll.dll
[2011/01/06 20:42:37 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2009/07/13 23:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 23:33:53 | 000,410,408 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 21:05:48 | 000,627,082 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 21:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 21:05:48 | 000,107,366 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 21:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 21:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 21:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 18:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2008/12/01 23:46:12 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2008/12/01 23:08:40 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2008/10/30 17:45:42 | 000,180,720 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI

========== LOP Check ==========

[2011/06/21 00:14:01 | 000,000,000 | ---D | M] -- C:\Users\Zubba\AppData\Roaming\BSplayer PRO
[2011/06/21 00:22:55 | 000,000,000 | ---D | M] -- C:\Users\Zubba\AppData\Roaming\Catalina Marketing Corp
[2011/06/21 00:22:55 | 000,000,000 | ---D | M] -- C:\Users\Zubba\AppData\Roaming\ICAClient
[2011/01/13 15:47:01 | 000,000,000 | -H-D | M] -- C:\Users\Zubba\AppData\Roaming\Leadertech
[2011/01/07 14:06:46 | 000,000,000 | -H-D | M] -- C:\Users\Zubba\AppData\Roaming\Mount&Blade Warband
[2011/01/07 14:10:35 | 000,000,000 | -H-D | M] -- C:\Users\Zubba\AppData\Roaming\PowerUp Software
[2011/06/21 00:22:56 | 000,000,000 | ---D | M] -- C:\Users\Zubba\AppData\Roaming\ProtectDISC
[2011/01/07 11:27:52 | 000,000,000 | -H-D | M] -- C:\Users\Zubba\AppData\Roaming\Skinux
[2011/06/21 00:22:56 | 000,000,000 | ---D | M] -- C:\Users\Zubba\AppData\Roaming\Stella
[2011/01/12 19:57:34 | 000,000,000 | -H-D | M] -- C:\Users\Zubba\AppData\Roaming\Temp
[2011/05/10 11:45:18 | 000,000,000 | -H-D | M] -- C:\Users\Zubba\AppData\Roaming\tixati
[2009/07/13 23:53:46 | 000,016,086 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

[color="#E56717"]========== Purity Check ==========[/color]



[color="#E56717"]========== Alternate Data Streams ==========[/color]

@Alternate Data Stream - 200 bytes -> C:\ProgramData\TEMP:30FD0CBD
@Alternate Data Stream - 128 bytes -> C:\Windows\System32\zlib.dll:SummaryInformation
@Alternate Data Stream - 128 bytes -> C:\Windows\System32\zlib.dll:DocumentSummaryInformation

< End of report >


Extras.txt

OTL Extras logfile created on: 6/21/2011 10:20:03 PM - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Users\Zubba\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.53 Gb Available Physical Memory | 76.41% Memory free
4.00 Gb Paging File | 3.36 Gb Available in Paging File | 84.08% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 142.24 Gb Total Space | 36.90 Gb Free Space | 25.94% Space Free | Partition Type: NTFS
Drive T: | 927.44 Gb Total Space | 27.93 Gb Free Space | 3.01% Space Free | Partition Type: NTFS
Drive U: | 927.44 Gb Total Space | 27.93 Gb Free Space | 3.01% Space Free | Partition Type: NTFS
Drive V: | 927.44 Gb Total Space | 27.93 Gb Free Space | 3.01% Space Free | Partition Type: NTFS
Drive W: | 927.44 Gb Total Space | 27.93 Gb Free Space | 3.01% Space Free | Partition Type: NTFS
Drive X: | 927.44 Gb Total Space | 27.93 Gb Free Space | 3.01% Space Free | Partition Type: NTFS
Drive Y: | 927.44 Gb Total Space | 27.93 Gb Free Space | 3.01% Space Free | Partition Type: NTFS
Drive Z: | 927.44 Gb Total Space | 27.93 Gb Free Space | 3.01% Space Free | Partition Type: NTFS

Computer Name: GALILEO | User Name: Zubba | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

[color="#E56717"]========== Extra Registry (SafeList) ==========[/color]


[color="#E56717"]========== File Associations ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[color="#E56717"]========== Shell Spawning ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[color="#E56717"]========== Security Center Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[color="#E56717"]========== Firewall Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[color="#E56717"]========== Authorized Applications List ==========[/color]


[color="#E56717"]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0645A454-AD44-4F0D-99CF-6B762735AD1F}" = aioprnt
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java(tm) 6 Update 23
"{2B818257-E6C7-4841-8C29-C5C9A982BCE5}" = RICOH Media Driver ver.2.07.01.04
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{49BF48CC-ABB6-4795-9B35-B5DE005D8612}" = Pinnacle Game Profiler
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56BA241F-580C-43D2-8403-947241AAE633}" = center
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{7E6066E6-8B5B-4100-B0FA-1D9E9B663CBA}" = iTunes
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{AC76BA86-1033-F400-7761-000000000004}_945" = Adobe Acrobat 9.4.5 - CPSID_83708
"{AC76BA86-1033-F400-7761-000000000004}{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{C08E4323-261D-4B2F-8F24-CDB26E2AA081}" = Iomega Home Storage Manager
"{C0B165DC-F037-483F-B1C9-D89D91529CEB}" = Citrix XenApp Web Plugin
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{DA5BDB2A-12F0-4343-8351-21AAEB293990}" = PreReq
"{DE6B7599-D3EF-4436-8836-BAA0B0D7768D}" = aiofw
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E0F274B7-592B-4669-8FB8-8D9825A09858}" = KODAK AiO Home Center
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FE24086F-3B0C-4C47-A874-97A7B8E2FBBE}" = aioscnnr
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AoA DVD Ripper_is1" = AoA DVD Ripper
"BitComet" = BitComet 0.77
"BSPlayerp" = BS.Player PRO
"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MobilityDotNET" = DH Mobility Modder.NET
"Mozilla Firefox 4.0.1 (x86 en-US)" = Mozilla Firefox 4.0.1 (x86 en-US)
"PowerISO" = PowerISO
"sp6" = Logitech SetPoint 6.20
"Stella_is1" = Stella 3.3
"tixati" = Tixati
"WinRAR archiver" = WinRAR archiver
"Xvid_is1" = Xvid 1.1.3 final uninstall

[color="#E56717"]========== Last 10 Event Log Errors ==========[/color]

[ Application Events ]
Error - 6/21/2011 2:13:41 PM | Computer Name = Galileo | Source = Bonjour Service | ID = 100
Description = Client application bug: DNSServiceResolve(KodakESP5200+4321._pdl-datastream._tcp.local.)
active for over two minutes. This places considerable burden on the network.

Error - 6/21/2011 2:13:41 PM | Computer Name = Galileo | Source = Bonjour Service | ID = 100
Description = Client application bug: DNSServiceResolve(KodakESP5200+4321._scanner._tcp.local.)
active for over two minutes. This places considerable burden on the network.

Error - 6/21/2011 2:13:41 PM | Computer Name = Galileo | Source = Bonjour Service | ID = 100
Description = Client application bug: DNSServiceResolve(KodakESP5200+4321._smb._tcp.local.)
active for over two minutes. This places considerable burden on the network.

Error - 6/21/2011 2:24:19 PM | Computer Name = Galileo | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\MFC80U.DLL".
Dependent
Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 6/21/2011 2:24:19 PM | Computer Name = Galileo | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\MFC80U.DLL".
Dependent
Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 6/21/2011 2:44:17 PM | Computer Name = Galileo | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\MFC80U.DLL".
Dependent
Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 6/21/2011 2:44:17 PM | Computer Name = Galileo | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\MFC80U.DLL".
Dependent
Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 6/21/2011 3:29:11 PM | Computer Name = Galileo | Source = Bonjour Service | ID = 100
Description = Client application bug: DNSServiceResolve(KodakESP5200+4321._pdl-datastream._tcp.local.)
active for over two minutes. This places considerable burden on the network.

Error - 6/21/2011 3:29:11 PM | Computer Name = Galileo | Source = Bonjour Service | ID = 100
Description = Client application bug: DNSServiceResolve(KodakESP5200+4321._scanner._tcp.local.)
active for over two minutes. This places considerable burden on the network.

Error - 6/21/2011 3:29:11 PM | Computer Name = Galileo | Source = Bonjour Service | ID = 100
Description = Client application bug: DNSServiceResolve(KodakESP5200+4321._smb._tcp.local.)
active for over two minutes. This places considerable burden on the network.

[ Media Center Events ]
Error - 2/11/2011 1:12:02 PM | Computer Name = Galileo | Source = Microsoft-Windows-Media Center Extender | ID = 543
Description =

Error - 2/11/2011 1:13:24 PM | Computer Name = Galileo | Source = Microsoft-Windows-Media Center Extender | ID = 544
Description =

Error - 2/11/2011 1:13:48 PM | Computer Name = Galileo | Source = Microsoft-Windows-Media Center Extender | ID = 544
Description =

[ System Events ]
Error - 6/21/2011 1:39:28 PM | Computer Name = Galileo | Source = Service Control Manager | ID = 7001
Description = The PnP-X IP Bus Enumerator service depends on the Function Discovery
Provider Host service which failed to start because of the following error: %%1068

Error - 6/21/2011 1:57:11 PM | Computer Name = Galileo | Source = DCOM | ID = 10005
Description =

Error - 6/21/2011 1:57:11 PM | Computer Name = Galileo | Source = DCOM | ID = 10005
Description =

Error - 6/21/2011 1:57:40 PM | Computer Name = Galileo | Source = DCOM | ID = 10005
Description =

Error - 6/21/2011 2:11:12 PM | Computer Name = Galileo | Source = Service Control Manager | ID = 7034
Description = The PinnacleUpdate Service service terminated unexpectedly. It has
done this 1 time(s).

Error - 6/21/2011 2:11:41 PM | Computer Name = Galileo | Source = WMPNetworkSvc | ID = 866314
Description =

Error - 6/21/2011 2:11:41 PM | Computer Name = Galileo | Source = WMPNetworkSvc | ID = 866314
Description =

Error - 6/21/2011 3:26:37 PM | Computer Name = Galileo | Source = Service Control Manager | ID = 7034
Description = The PinnacleUpdate Service service terminated unexpectedly. It has
done this 1 time(s).

Error - 6/21/2011 3:27:00 PM | Computer Name = Galileo | Source = WMPNetworkSvc | ID = 866314
Description =

Error - 6/21/2011 3:27:00 PM | Computer Name = Galileo | Source = WMPNetworkSvc | ID = 866314
Description =


< End of report >


Thank you.

1.
Save TDSSKiller on the Desktop:
[url="http://support.kaspersky.com/downloads/utils/tdsskiller.zip"]http://support.kaspersky.com/downloads/utils/tdsskiller.zip[/url]

Right-click and select [b]Extract all[/b]. Remember the location of the extracted file.
Turn off all programs.
Run the program TDSSKiller.exe which is the file you extracted.

Click on [b]Start Scan[/b].

If any threats are found, select [b]Cure[/b] and click [b]Continue[/b]. If [b]Cure[/b] isn't available, select [b]Skip[/b]. Do NOT select Quarantine or Delete.
The computer might need a restart.

Paste the content of the TDSSKiller log, which is located in the folder C:\ with the name TDSSKiller followed by version and time.
Restart the computer.

2.
Please follow the instructions on [url="http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]http://www.bleepingcomputer.com/combofix/how-to-use-combofix[/url] for installing and running ComboFix.

Read carefully and note the "Disclaimer of warranty"!

Paste the content of the log into your answer.

[quote name='CeciliaB' post='127721' date='Jun 22 2011, 06:34 AM']1.
Save TDSSKiller on the Desktop:
[url="http://support.kaspersky.com/downloads/utils/tdsskiller.zip"]http://support.kaspersky.com/downloads/utils/tdsskiller.zip[/url]

Right-click and select [b]Extract all[/b]. Remember the location of the extracted file.
Turn off all programs.
Run the program TDSSKiller.exe which is the file you extracted.

Click on [b]Start Scan[/b].

If any threats are found, select [b]Cure[/b] and click [b]Continue[/b]. If [b]Cure[/b] isn't available, select [b]Skip[/b]. Do NOT select Quarantine or Delete.
The computer might need a restart.

Paste the content of the TDSSKiller log, which is located in the folder C:\ with the name TDSSKiller followed by version and time.
Restart the computer.

2.
Please follow the instructions on [url="http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]http://www.bleepingcomputer.com/combofix/how-to-use-combofix[/url] for installing and running ComboFix.

Read carefully and note the "Disclaimer of warranty"!

Paste the content of the log into your answer.[/quote]

I installed tdsskiller, but could not run the program. Double clicking or hitting enter on it does nothing. I even restarted and restarted in safe mode, and it didn't work. So I skipped to combofix. After running combofix, I still could not run tdsskiller. Here is the combofix report:

ComboFix 11-06-21.08 - Zubba 06/22/2011 8:15.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2046.1397 [GMT -5:00]
Running from: c:\users\Zubba\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))
.
.
2011-06-22 13:12 . 2011-06-22 13:12 -------- d-----w- C:\32788R22FWJFW
2011-06-21 18:28 . 2011-06-21 18:44 -------- d-----w- c:\programdata\SecTaskMan
2011-06-21 18:14 . 2011-06-21 18:14 388096 ----a-r- c:\users\Zubba\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-21 18:14 . 2011-06-21 18:14 -------- d-----w- c:\program files\Trend Micro
2011-06-21 13:46 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1D9B499E-49F5-43D0-81C4-A435592D5544}\mpengine.dll
2011-06-21 13:45 . 2011-04-25 04:31 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-21 13:45 . 2011-04-25 02:18 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-21 13:45 . 2011-02-25 05:34 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-21 13:45 . 2011-04-29 02:46 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-21 13:45 . 2011-04-29 02:46 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-21 13:45 . 2011-04-29 02:46 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-21 13:45 . 2011-05-03 04:30 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-21 13:44 . 2011-04-27 02:17 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-21 13:44 . 2011-04-27 02:17 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-21 13:44 . 2011-04-27 02:17 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-21 13:40 . 2009-08-20 05:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-06-21 13:39 . 2010-09-23 00:47 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2011-06-21 13:38 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-21 13:25 . 2011-06-21 13:25 -------- d-----w- c:\program files\iPod
2011-06-21 13:25 . 2011-06-21 13:25 -------- d-----w- c:\program files\iTunes
2011-06-10 02:46 . 2011-06-21 05:22 -------- d-----w- c:\users\Zubba\AppData\Roaming\Catalina Marketing Corp
2011-06-10 02:46 . 2011-06-10 02:46 466944 ----a-w- c:\program files\Mozilla Firefox\plugins\NPcol500.dll
2011-06-10 02:46 . 2011-06-10 02:46 466944 ----a-w- c:\program files\Mozilla Firefox\plugins\NPcol400.dll
2011-06-10 02:46 . 2011-06-10 02:46 525856 ----a-w- c:\users\Zubba\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
2011-06-10 02:44 . 2011-06-21 05:22 -------- d-----w- c:\program files\Coupons
2011-06-06 17:55 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-05-25 01:44 . 2011-04-22 19:14 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-05-24 05:26 . 2011-05-24 05:26 -------- d--h--w- c:\programdata\Symantec
2011-05-24 05:26 . 2011-06-21 05:22 -------- d-----w- c:\programdata\Norton
2011-05-24 02:27 . 2011-06-21 13:21 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-24 01:27 . 2011-04-09 06:02 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-24 01:27 . 2011-04-09 06:02 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-24 01:27 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-22 13:10 . 2011-01-07 16:13 119296 ----a-w- c:\windows\system32\zlib.dll
2011-05-25 00:14 . 2011-01-07 02:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-19 05:20 . 2011-04-19 05:20 159080 ---ha-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10138.bin
2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 21:20 . 2011-04-06 21:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-08-14 17:33 . 2009-08-14 17:33 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-08-14 17:33 . 2009-08-14 17:33 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-08-14 17:33 . 2009-08-14 17:33 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-08-14 17:33 . 2009-08-14 17:33 20824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-08-14 17:34 . 2009-08-14 17:34 206160 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-08-14 17:33 . 2009-08-14 17:33 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-08-14 17:33 . 2009-08-14 17:33 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:33 . 2007-03-16 22:33 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:33 . 2007-03-16 22:33 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:33 . 2007-03-16 22:33 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2009-08-14 16:50 . 2009-08-14 16:50 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-08-14 17:33 . 2009-08-14 17:33 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-04-29 01:16 . 2011-03-23 17:51 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Iomega Home Storage Manager"="c:\program files\Iomega\Home Storage Manager\Iomega Discovery.exe" [2009-10-27 152936]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2011-06-08 528832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"AutoLaunch"="c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe" [2011-06-08 669936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-06-08 1036104]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2010-09-13 308656]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links using BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Download all videos using BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Download link using &BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{2E6C8804-6D69-48FF-B483-ECE97608240E}: NameServer = 192.168.1.254
TCP: Interfaces\{C5472037-1C81-4BC4-97B1-6E3B99270DEC}: NameServer = 192.168.1.254
FF - ProfilePath - c:\users\Zubba\AppData\Roaming\Mozilla\Firefox\Profiles\4faghf6q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Conime - c:\windows\system32\conime.exe
AddRemove-MobilityDotNET - c:\program files\MobilityDotNET\Uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-06-22 08:23:14
ComboFix-quarantined-files.txt 2011-06-22 13:23
.
Pre-Run: 43,289,300,992 bytes free
Post-Run: 43,587,694,592 bytes free
.
- - End Of File - - 4EDDDAC8E5D61E9B7C212741A79FEE1E


Thank you.

Then we try another program instead of TDSSKiller.

Please download GMER from the following location and save it to your desktop:
[url="http://www2.gmer.net/download.php"]http://www2.gmer.net/download.php[/url]
It will be randomly named, so write down the name so you remember what it is.

Disconnect from the Internet.
Turn off all programs, including antivirus and similar programs.
How? See [url="http://www.bleepingcomputer.com/forums/topic114351.html"]http://www.bleepingcomputer.com/forums/topic114351.html[/url]

Start Gmer.
It will perform a quick scan.
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.

Configuration of Gmer:
In the right panel, uncheck the following:

* IAT/EAT
* Files
* Drives/Partitions other than C:\
* Show All (don't miss this one)

Click the Scan button & wait for it to finish.

When finished click on the Save button.
Select your desktop as the destination folder and in the File name field enter "Gmer.log".
Restart the computer and make sure your antivirus program is running again.
Paste the content of Gmer.log in your post.

[quote name='CeciliaB' post='127723' date='Jun 22 2011, 08:54 AM']Then we try another program instead of TDSSKiller.

Please download GMER from the following location and save it to your desktop:
[url="http://www2.gmer.net/download.php"]http://www2.gmer.net/download.php[/url]
It will be randomly named, so write down the name so you remember what it is.

Disconnect from the Internet.
Turn off all programs, including antivirus and similar programs.
How? See [url="http://www.bleepingcomputer.com/forums/topic114351.html"]http://www.bleepingcomputer.com/forums/topic114351.html[/url]

Start Gmer.
It will perform a quick scan.
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.

Configuration of Gmer:
In the right panel, uncheck the following:

* IAT/EAT
* Files
* Drives/Partitions other than C:\
* Show All (don't miss this one)

Click the Scan button & wait for it to finish.

When finished click on the Save button.
Select your desktop as the destination folder and in the File name field enter "Gmer.log".
Restart the computer and make sure your antivirus program is running again.
Paste the content of Gmer.log in your post.[/quote]


Here is the GMER report:

GMER 1.0.15.15640 - [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2011-06-22 10:44:55
Windows 6.1.7601 Service Pack 1
Running: hsvhuxd8.exe; Driver: C:\Users\Zubba\AppData\Local\Temp\pwtdqpod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 82A53339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A8CD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E212000, 0x23097E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2424] USER32.dll!CreateWindowExW 75A5EC7C 5 Bytes JMP 6C623834 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2424] USER32.dll!DialogBoxParamW 75A73B9B 5 Bytes JMP 6C557F59 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2424] USER32.dll!DialogBoxIndirectParamW 75A83B7F 5 Bytes JMP 6C75DCD8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2424] USER32.dll!DialogBoxParamA 75A9CF42 5 Bytes JMP 6C75DC75 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2424] USER32.dll!DialogBoxIndirectParamA 75A9D274 5 Bytes JMP 6C75DD3B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2424] USER32.dll!MessageBoxIndirectA 75AAE869 5 Bytes JMP 6C75DC0A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2424] USER32.dll!MessageBoxIndirectW 75AAE963 5 Bytes JMP 6C75DB9F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2424] USER32.dll!MessageBoxExA 75AAE9C9 5 Bytes JMP 6C75DB3D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2424] USER32.dll!MessageBoxExW 75AAE9ED 5 Bytes JMP 6C75DADB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2424] WININET.dll!HttpAddRequestHeadersA 75D5DCD2 5 Bytes JMP 00486A90
.text C:\Program Files\Internet Explorer\iexplore.exe[2424] WININET.dll!HttpAddRequestHeadersW 75D64FAE 5 Bytes JMP 00486C90
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!CallNextHookEx 75A5ABE1 5 Bytes JMP 6C593C96 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!UnhookWindowsHookEx 75A5ADF9 5 Bytes JMP 6C64D963 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!SetWindowsHookExW 75A5E30C 5 Bytes JMP 6C5E7DF9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!CreateWindowExW 75A5EC7C 5 Bytes JMP 6C623834 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxParamW 75A73B9B 5 Bytes JMP 6C557F59 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxIndirectParamW 75A83B7F 5 Bytes JMP 6C75DCD8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxParamA 75A9CF42 5 Bytes JMP 6C75DC75 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxIndirectParamA 75A9D274 5 Bytes JMP 6C75DD3B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxIndirectA 75AAE869 5 Bytes JMP 6C75DC0A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxIndirectW 75AAE963 5 Bytes JMP 6C75DB9F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxExA 75AAE9C9 5 Bytes JMP 6C75DB3D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxExW 75AAE9ED 5 Bytes JMP 6C75DADB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] ole32.dll!OleLoadFromStream 75BE6143 5 Bytes JMP 6C75E036 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] ole32.dll!CoCreateInstance 75C29D0B 5 Bytes JMP 6C6233C2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] WININET.dll!HttpAddRequestHeadersA 75D5DCD2 5 Bytes JMP 00516A90
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] WININET.dll!HttpAddRequestHeadersW 75D64FAE 5 Bytes JMP 00516C90
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] WS2_32.dll!closesocket 76BF3918 5 Bytes JMP 0064000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] WS2_32.dll!getaddrinfo 76BF4296 5 Bytes JMP 00AC000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] WS2_32.dll!recv 76BF6B0E 5 Bytes JMP 0062000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] WS2_32.dll!connect 76BF6BDD 5 Bytes JMP 0063000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] WS2_32.dll!send 76BF6F01 5 Bytes JMP 0065000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3292] WS2_32.dll!gethostbyname 76C07673 5 Bytes JMP 0066000A

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device0000046 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:260] 85870E7A
Thread System [4:264] 85873008

---- EOF - GMER 1.0.15 ----


Thank You.
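A note on reading the "User code sections" part of that GMER log, with an added example that is not part of the original post and not GMER's own code. GMER prints one line per inline hook and, when it can resolve the JMP target to a loaded module, appends that module's path and description in parentheses. The USER32 and ole32 hooks above all resolve to IEFRAME.dll, which is Internet Explorer hooking itself. The WININET and WS2_32 hooks (HttpAddRequestHeaders, getaddrinfo, gethostbyname, connect, send, recv, closesocket) jump to addresses with nothing listed behind them: memory that is not backed by any module image, which is what injected code looks like. Hooks from legitimate security products show up in the same section, but they normally resolve to a named DLL. The script below parses lines in that format and groups the unbacked hooks by PID; the sample lines are copied from the log above, and the BENIGN_OWNERS set is an assumption made for the example.

```python
"""Triage of GMER "User code sections" lines: flag inline hooks whose JMP
target is not backed by any module.  Added example, not GMER code."""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines copied from the GMER log posted
# above (two iexplore.exe processes, PIDs 2424 and 3292) plus one
# non-hook line to show that unrelated lines are skipped.
SAMPLE_LOG = """\
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[2424] USER32.dll!CreateWindowExW 75A5EC7C 5 Bytes JMP 6C623834 C:\\Windows\\system32\\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[2424] WININET.dll!HttpAddRequestHeadersA 75D5DCD2 5 Bytes JMP 00486A90
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[3292] ole32.dll!CoCreateInstance 75C29D0B 5 Bytes JMP 6C6233C2 C:\\Windows\\system32\\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[3292] WININET.dll!HttpAddRequestHeadersW 75D64FAE 5 Bytes JMP 00516C90
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[3292] WS2_32.dll!getaddrinfo 76BF4296 5 Bytes JMP 00AC000A
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[3292] WS2_32.dll!connect 76BF6BDD 5 Bytes JMP 0063000A
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[3292] WS2_32.dll!send 76BF6F01 5 Bytes JMP 0065000A
---- Devices - GMER 1.0.15 ----
"""

# One GMER user-mode hook line: image[pid] module!function addr N Bytes JMP target
# optionally followed by "<owner module path> (<description>)".
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)\s+(?P<addr>[0-9A-F]+)\s+"
    r"(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]+)"
    r"(?:\s+(?P<owner>\S.*?)\s+\((?P<desc>[^)]*)\))?\s*$"
)

# Modules a browser is expected to patch in its own address space.
# Assumption for this example (IE's frame DLL hooking USER32/ole32); a hook
# with no owner module at all is reported regardless of this set.
BENIGN_OWNERS = {"ieframe.dll"}


def parse_hook(line):
    """Return a dict for a GMER user-mode hook line, or None for other lines."""
    m = HOOK_RE.match(line)
    if m is None:
        return None
    hook = m.groupdict()          # 'owner' is None when GMER found no module at the target
    hook["pid"] = int(hook["pid"])
    hook["target"] = int(hook["target"], 16)
    return hook


def classify(hook):
    """'unbacked' (no module at the JMP target), 'self-hook' or 'other-module'."""
    if hook["owner"] is None:
        return "unbacked"
    name = hook["owner"].rsplit("\\", 1)[-1].lower()
    return "self-hook" if name in BENIGN_OWNERS else "other-module"


def triage(log_text):
    """Map PID -> [(module!function, target address), ...] for unbacked hooks only."""
    suspicious = defaultdict(list)
    for line in log_text.splitlines():
        hook = parse_hook(line)
        if hook is not None and classify(hook) == "unbacked":
            suspicious[hook["pid"]].append(
                (f"{hook['module']}!{hook['func']}", hook["target"]))
    return dict(suspicious)


if __name__ == "__main__":
    for pid, hooks in sorted(triage(SAMPLE_LOG).items()):
        print(f"PID {pid}: {len(hooks)} hook(s) into unbacked memory")
        for name, target in hooks:
            print(f"  {name:40s} -> {target:08X}")
```

Run against the full log, both iexplore.exe PIDs come back with only the WININET and WS2_32 entries: name resolution, connect, send/recv and request-header manipulation, which is the set a redirector needs. The two Threads entries at the end of the log (System [4:260] and [4:264]) are kernel threads whose start addresses are not inside any listed driver, and the Rootkit Unhooker report later in this thread reports the same TIDs as unknown thread objects.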

Please, remove TDSSKiller and download it once more. Before you run it you should rename the file (right-click on the file and select 'Rename') to 'zubbs1tk.com'. Run it as I described before.

No luck. It did the exact same thing (nothing) as last time. I again booted into safe mode and that didn't change anything.

1.
Save Rootkit Unhooker on the Desktop: [url="http://www.kernelmode.info/ARKs/RkU3.8.388.590.rar"]http://www.kernelmode.info/ARKs/RkU3.8.388.590.rar[/url]
Unpack the program. If you don't have any unpacking program for rar files you can fetch 7-zip. [url="http://www.7-zip.org/"]http://www.7-zip.org/[/url]

Remove the internet connection. Turn off all programs you can see, including the firewall and antivirus program.
How? See [url="http://www.bleepingcomputer.com/forums/topic114351.html"]http://www.bleepingcomputer.com/forums/topic114351.html[/url]

Double-click on Rootkit Unhooker to start it.
Select the [b]Report [/b]tab and click on [b]Scan[/b].
Check [b]Drivers, Stealth, Files[/b] and [b]Code Hooks[/b], but uncheck the other options.
Click on [b]OK[/b].
Wait until the scanner is finished and then select [b]File - Save Report[/b]. Save the report somewhere where you can find it, for example on the desktop. Click on [b]Close[/b].

Open the saved report in Notepad and paste the content in your answer.

Note! If there is a warning "Rootkit Unhooker has detected a parasite..." ignore it.

2.
Save [url="http://ad13.geekstogo.com/MBRCheck.exe"]MBRCheck.exe[/url] by a_d_13 on the desktop.
Run the program.
Wait until the program is finished or the text "Enter 'Y' and hit ENTER for more options, or 'N' to exit:" is displayed. In the latter case press 'N' followed by Enter.
The program creates a log file on the desktop and its name is MBRCheckxxxxxx.txt where xxxxxx is the time. Open the log in Notepad by double-clicking the log and then paste its content into your answer.

Good Night!
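For the MBRCheck step, here is what a master boot record check does, as an added example (not the original poster's code and not MBRCheck itself). The MBR is the first 512-byte sector of the disk: 440 bytes of boot code, a 4-byte disk signature, 2 reserved bytes, four 16-byte partition entries and the 0x55AA marker. A bootkit replaces the boot code, so the check parses the sector, confirms the marker, hashes the boot code and compares it against known-good hashes, and sanity-checks the partition table. The MBR bytes and the known-good hash set below are constructed for the example; a real tool ships hashes of the genuine boot code for each Windows version (that is an assumption about how MBRCheck identifies the code, not something this thread states).

```python
"""Parse a 512-byte MBR, verify the boot marker, hash the boot code and
compare against a known-good list.  Added example, not MBRCheck's code."""
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440        # boot code occupies bytes 0..439; the disk signature starts at 440
PART_TABLE = 446      # four 16-byte partition entries, then the 0x55AA marker at 510
PART_ENTRY = 16
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(code, partitions):
    """Constructed sample MBR. partitions: [(bootable, type, lba_start, sectors), ...]."""
    assert len(code) <= CODE_LEN and len(partitions) <= 4
    sec = bytearray(SECTOR)
    sec[:len(code)] = code
    sec[440:444] = b"\x12\x34\x56\x78"             # arbitrary disk signature
    for i, (boot, ptype, start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sec, PART_TABLE + i * PART_ENTRY,
                         0x80 if boot else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def parse_mbr(sector):
    """Return marker status, disk signature, boot-code hash and non-empty partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE + i * PART_ENTRY)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "code_hash": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector, known_good):
    """Return a list of findings; an empty list means nothing suspicious."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot marker 0x55AA missing")
    if info["code_hash"] not in known_good:
        findings.append("boot code hash not in known-good list: " + info["code_hash"])
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    for p in info["partitions"]:
        if p["lba_start"] == 0:
            findings.append(f"partition {p['index']} starts at LBA 0 (overlaps the MBR)")
    return findings


def read_mbr(path):
    """Read the first sector of a disk image or raw device (e.g. r'\\\\.\\PhysicalDrive0'
    on Windows, which needs administrator rights)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


# Constructed "known-good" boot code (a plausible x86 prologue plus padding) and a
# variant with its first instruction patched, standing in for an infected sector.
GOOD_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20
TAMPERED_CODE = b"\xEB\xFE" + GOOD_CODE[2:]
PARTS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 4096000)]
GOOD_MBR = build_mbr(GOOD_CODE, PARTS)
BAD_MBR = build_mbr(TAMPERED_CODE, PARTS)
KNOWN_GOOD = {parse_mbr(GOOD_MBR)["code_hash"]}   # a real tool ships these per OS version

if __name__ == "__main__":
    for name, mbr in (("good", GOOD_MBR), ("tampered", BAD_MBR)):
        print(name, check_mbr(mbr, KNOWN_GOOD) or ["OK"])
```

One caveat that applies to this whole step: a kernel-mode bootkit can filter reads of the sector it infected and hand back a clean copy, so a clean result from inside the running system is weaker evidence than one taken from a boot CD or another machine.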


Rootkit Scan:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7601 (Service Pack 1)
Number of processors #2
==============================================
>Drivers
==============================================
0x8E20A000 C:\Windows\system32\DRIVERS\atikmdag.sys 6193152 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
0x8E824000 C:\Windows\system32\DRIVERS\netw5v32.sys 4272128 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
0x82A4C000 C:\Windows\system32\ntkrnlpa.exe 4268032 bytes (Microsoft Corporation, NT Kernel & System)
0x82A4C000 PnpManager 4268032 bytes
0x82A4C000 RAW 4268032 bytes
0x82A4C000 WMIxWDM 4268032 bytes
0x93E10000 Win32k 2416640 bytes
0x93E10000 C:\Windows\System32\win32k.sys 2416640 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8900D000 C:\Windows\System32\drivers\tcpip.sys 1351680 bytes (Microsoft Corporation, TCP/IP Driver)
0x88C22000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
0x9360D000 C:\Windows\system32\drivers\sthda.sys 1114112 bytes (SigmaTel, Inc., NDRC)
0x93217000 C:\Windows\system32\DRIVERS\VSTDPV3.SYS 1056768 bytes (Conexant Systems, Inc., HSF_DP driver)
0x8DE02000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x88E19000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
0x93319000 C:\Windows\system32\DRIVERS\VSTCNXT3.SYS 741376 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0x88910000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
0x96C29000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x8EE72000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x88830000 C:\Windows\system32\mcupdate_GenuineIntel.dll 544768 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x88A16000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x88D8F000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
0x8CA6D000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x8ED18000 C:\Windows\system32\DRIVERS\rixdptsk.sys 335872 bytes (REDC, RICOH XD SM Driver)
0x96D92000 C:\Windows\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0x96CF8000 C:\Windows\System32\DRIVERS\srv2.sys 327680 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x8EC42000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x88B57000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x88A95000 C:\Windows\system32\drivers\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
0x8EE09000 C:\Windows\system32\DRIVERS\nwifi.sys 286720 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x8DF81000 C:\Windows\system32\drivers\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x888CE000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
0x8CB5F000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x89188000 C:\Windows\system32\drivers\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x88ED0000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
0x93765000 C:\Windows\system32\DRIVERS\VSTAZL3.SYS 249856 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0x8EF45000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x8DEB9000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
0x82A15000 ACPI_HAL 225280 bytes
0x82A15000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x889BB000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x8DF3F000 C:\Windows\system32\drivers\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
0x88F43000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
0x8CAC7000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x96D60000 C:\Windows\System32\Drivers\RDPWD.SYS 204800 bytes (Microsoft Corporation, RDP Terminal Stack Driver)
0x89157000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x9371D000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8ECAD000 C:\Windows\system32\drivers\1394ohci.sys 184320 bytes (Microsoft Corporation, 1394 OpenHCI Driver)
0x891CF000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
0x88D51000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8EFB3000 C:\Windows\System32\Drivers\fastfat.SYS 172032 bytes (Microsoft Corporation, Fast FAT File System Driver)
0x88AEE000 C:\Windows\system32\drivers\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x88F86000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
0x88F0E000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
0x88BD6000 C:\Windows\system32\drivers\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x8EF22000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x8E800000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x96CCA000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
0x8CA00000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x88800000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x88FDD000 C:\Windows\system32\drivers\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x8DEF2000 C:\Windows\system32\drivers\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x8CB00000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x940A0000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
0x8DFD6000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x8EF80000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x88FAB000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x8EEF7000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x9374C000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
0x8ECDA000 C:\Windows\system32\drivers\sdbus.sys 102400 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0x8CBC0000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x8ED6A000 C:\Windows\system32\drivers\i8042prt.sys 98304 bytes (Microsoft Corporation, i8042 Port Driver)
0x8EDC1000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x8EDE4000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8DF11000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x8DF28000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8CA4A000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
0x937B3000 C:\Windows\system32\drivers\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x88BB7000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
0x8ED04000 C:\Windows\system32\DRIVERS\rimsptsk.sys 81920 bytes (REDC, RICOH MS Driver)
0x937CA000 C:\Windows\system32\drivers\HIDCLASS.SYS 77824 bytes (Microsoft Corporation, Hid Class Library)
0x88D7C000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x8EE5F000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8CB2D000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x8EDAF000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
0x8CBE6000 C:\Windows\system32\DRIVERS\intelppm.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
0x8EF10000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8EC9C000 C:\Windows\system32\DRIVERS\bcm4sbxp.sys 69632 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
0x88F75000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x937A2000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x889EF000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x8DFC5000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x88B23000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
0x888B5000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x8ECF3000 C:\Windows\system32\DRIVERS\rimmptsk.sys 69632 bytes (REDC, RICOH SD/MMC Driver)
0x8CB40000 C:\Windows\system32\drivers\termdd.sys 69632 bytes (Microsoft Corporation, Remote Desktop Server Driver)
0x88FC5000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x88F33000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
0x8EE4F000 C:\Windows\system32\DRIVERS\ndisuio.sys 65536 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x88B47000 C:\Windows\system32\drivers\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
0x8EC8D000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x8CBD8000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
0x8CB1F000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8CA3C000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x88BA9000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x88DEC000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
0x8CB51000 C:\Windows\System32\Drivers\SCDEmu.SYS 57344 bytes (PowerISO Computing, Inc., PowerISO Virtual Drive)
0x8DF73000 C:\Windows\system32\drivers\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x88A87000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x8EDA2000 C:\Windows\system32\drivers\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
0x933E5000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x8ED8F000 C:\Windows\system32\drivers\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
0x933CE000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x8ED82000 C:\Windows\system32\drivers\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
0x96CEB000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x96D53000 C:\Windows\System32\DRIVERS\tssecsrv.sys 53248 bytes (Microsoft Corporation, TS Security Filter Driver)
0x88C15000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x8CBB4000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
0x8CA61000 C:\Windows\system32\DRIVERS\TDI.SYS 49152 bytes (Microsoft Corporation, TDI Wrapper)
0x88C09000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x88B3C000 C:\Windows\system32\DRIVERS\BATTC.SYS 45056 bytes (Microsoft Corporation, Battery Class Driver)
0x933F2000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x9320B000 C:\Windows\system32\drivers\hidusb.sys 45056 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x93600000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
0x937EC000 C:\Windows\system32\DRIVERS\mouhid.sys 45056 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x8CA31000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8EDD9000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x96D48000 C:\Windows\system32\drivers\tdtcp.sys 45056 bytes (Microsoft Corporation, TCP Transport Driver)
0x8EC37000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x88B18000 C:\Windows\system32\drivers\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
0x933DB000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8CBAA000 C:\Windows\system32\drivers\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x8CBA0000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x96CC0000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x88A00000 C:\Windows\system32\drivers\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
0x88BCD000 C:\Windows\system32\drivers\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x93200000 C:\Windows\System32\Drivers\dump_atapi.sys 36864 bytes
0x88C00000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x96DE4000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x94070000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x8CA21000 C:\Windows\system32\drivers\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x88ADD000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x888C6000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x88B34000 C:\Windows\system32\DRIVERS\compbatt.sys 32768 bytes (Microsoft Corporation, Composite Battery Driver)
0x89000000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
0x80BA8000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
0x937E4000 C:\Windows\system32\DRIVERS\LHidFilt.Sys 32768 bytes (Logitech, Inc., Logitech HID Filter Driver.)
0x937F7000 C:\Windows\system32\DRIVERS\LMouFilt.Sys 32768 bytes (Logitech, Inc., Logitech Mouse Filter Driver.)
0x88AE6000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x88E0E000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x88A09000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
0x88821000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
0x891C7000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x88E07000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x937DD000 C:\Windows\system32\drivers\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x88BA2000 C:\Windows\system32\drivers\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0x88E00000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x8CAF9000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
0x8ED9C000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x8CA2A000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x8EDFC000 C:\Windows\system32\drivers\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x93209000 C:\Windows\system32\drivers\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================
0x8586BA91 Unknown page with executable code, 1391 bytes
0x01FD0000 Hidden Image-->Inkjet.Localization.dll [ EPROCESS 0x873A4030 ] PID: 496, 143360 bytes
0x042C0000 Hidden Image-->Inkjet.Hardware.dll [ EPROCESS 0x873A4030 ] PID: 496, 176128 bytes
0x89188000 WARNING: Virus alike driver modification [volsnap.sys], 258048 bytes
0x8586A288 Unknown page with executable code, 3448 bytes
0x8586C191 Unknown page with executable code, 3695 bytes
0x02110000 Hidden Image-->Inkjet.Statistics.dll [ EPROCESS 0x873A4030 ] PID: 496, 53248 bytes
0x04320000 Hidden Image-->Inkjet.DeviceSettings.dll [ EPROCESS 0x873A4030 ] PID: 496, 53248 bytes
0x8586EE7A Unknown thread object [ ETHREAD 0x85B4AB40 ] TID: 260, 600 bytes
0x85871008 Unknown thread object [ ETHREAD 0x85B4A868 ] TID: 264, 600 bytes
0x858700DE Unknown thread object [ ETHREAD 0x85B4A590 ] , 600 bytes
0x8586EB45 Unknown thread object [ ETHREAD 0x85B4A2B8 ] , 600 bytes
0xA3435F2E Unknown thread object [ ETHREAD 0x84BB6D48 ] , 600 bytes
0x01190000 Hidden Image-->Inkjet.Diagnostics.dll [ EPROCESS 0x873A4030 ] PID: 496, 61440 bytes
0x01120000 Hidden Image-->Inkjet.Automation.dll [ EPROCESS 0x873A4030 ] PID: 496, 77824 bytes
0x85870CDC Unknown page with executable code, 804 bytes
0x02130000 Hidden Image-->Inkjet.Utilities.dll [ EPROCESS 0x873A4030 ] PID: 496, 86016 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{F661960C-D3E8-4DC9-92FC-B23BE829702F}
!-->[Hidden] C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_0647B28B.exe_b217e08772dd371ab53b15574b980e44fd12d13_cab_112b01d6\Report.wer
!-->[Hidden] C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_0647B28B.exe_b217e08772dd371ab53b15574b980e44fd12d13_cab_112b01d6\WER1C9.tmp.mdmp
!-->[Hidden] C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_0647B28B.exe_b217e08772dd371ab53b15574b980e44fd12d13_cab_112b01d6\WERAE.tmp.WERInternalMetadata.xml
!-->[Hidden] C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_0647B28B.exe_b217e08772dd371ab53b15574b980e44fd12d13_cab_112b01d6\WERBF.tmp.hdmp
!-->[Hidden] C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_0647B28B.exe_b217e08772dd371ab53b15574b980e44fd12d13_cab_112b01d6\WERFD15.tmp.appcompat.txt
!-->[Hidden] C:\Qoobox\BackEnv\AppData.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Cache.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Cookies.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Desktop.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Favorites.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\History.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\LocalAppData.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\LocalSettings.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Music.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\NetHood.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Personal.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Pictures.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\PrintHood.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Programs.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Recent.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SendTo.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SetPath.bat
!-->[Hidden] C:\Qoobox\BackEnv\StartMenu.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\StartUp.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SysPath.dat
!-->[Hidden] C:\Qoobox\BackEnv\Templates.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\VikPev00
!-->[Hidden] C:\Users\Zubba\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1LTTJNGE\h86PL2bQV5DOO5YSyx-es-2VyKsyVUF6EJBEeAPjxNNlzdPgin-nFhFapkqxNdjHqoy3trdBXayzbUP2SgVr-TSbMfp36kyHYI2Olxj20vE2zZU0tf_iu92aPILGxiHGsW7-DgFG_Hi2lGU--TFFdBPJY[1].gif]
!-->[Hidden] C:\Users\Zubba\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V8H9XW6P\URwPfVXTeTI4ci7PNovQaaus6WwG-9q0oBQalXDQxnlu2y1TVkM8uzDWAmLAodbvocASg70nUl5ONbYaH1u3XOfAItxr0t7WewmLX4h0PodYnB0Zx7c6lXmbRjodAdgZAGK2yZeKXKpv9uHZmbv1F8JkY[1].jpg]
!-->[Hidden] C:\Users\Zubba\AppData\Local\Temp\~DF396ED189F4E53A7C.TMP::$DATA
!-->[Hidden] C:\Users\Zubba\AppData\Local\Temp\~DFA300266F2D5717EA.TMP
!-->[Hidden] C:\Users\Zubba\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
!-->[Hidden] C:\Windows\temp\MpCmdRun.log
==============================================
>Hooks
==============================================
[2388]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x77B7EC7C-->00000000 [ieframe.dll]
[2388]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x77BBD274-->00000000 [ieframe.dll]
[2388]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x77BA3B7F-->00000000 [ieframe.dll]
[2388]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x77BBCF42-->00000000 [ieframe.dll]
[2388]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x77B93B9B-->00000000 [ieframe.dll]
[2388]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x77BCE9C9-->00000000 [ieframe.dll]
[2388]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x77BCE9ED-->00000000 [ieframe.dll]
[2388]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x77BCE869-->00000000 [ieframe.dll]
[2388]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x77BCE963-->00000000 [ieframe.dll]
[2388]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersA, Type: Inline - RelativeJump 0x7740DCD2-->00000000 [unknown_code_page]
[2388]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersW, Type: Inline - RelativeJump 0x77414FAE-->00000000 [unknown_code_page]
[3296]iexplore.exe-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump 0x77B7ABE1-->00000000 [ieframe.dll]
[3296]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x77B7EC7C-->00000000 [ieframe.dll]
[3296]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x77BBD274-->00000000 [ieframe.dll]
[3296]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x77BA3B7F-->00000000 [ieframe.dll]
[3296]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x77BBCF42-->00000000 [ieframe.dll]
[3296]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x77B93B9B-->00000000 [ieframe.dll]
[3296]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x77BCE9C9-->00000000 [ieframe.dll]
[3296]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x77BCE9ED-->00000000 [ieframe.dll]
[3296]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x77BCE869-->00000000 [ieframe.dll]
[3296]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x77BCE963-->00000000 [ieframe.dll]
[3296]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x77B7E30C-->00000000 [ieframe.dll]
[3296]iexplore.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x77B7ADF9-->00000000 [ieframe.dll]
[3296]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersA, Type: Inline - RelativeJump 0x7740DCD2-->00000000 [unknown_code_page]
[3296]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersW, Type: Inline - RelativeJump 0x77414FAE-->00000000 [unknown_code_page]
[3296]iexplore.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x77223918-->00000000 [unknown_code_page]
[3296]iexplore.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x77226BDD-->00000000 [unknown_code_page]
[3296]iexplore.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - RelativeJump 0x77224296-->00000000 [unknown_code_page]
[3296]iexplore.exe-->ws2_32.dll-->gethostbyname, Type: Inline - RelativeJump 0x77237673-->00000000 [unknown_code_page]
[3296]iexplore.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x77226B0E-->00000000 [unknown_code_page]
[3296]iexplore.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x77226F01-->00000000 [unknown_code_page]



MBRCheck Scan:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: MM061
Logical Drives Mask: 0x03f8001c

Kernel Drivers (total 162):
0x82A4C000 \SystemRoot\system32\ntkrnlpa.exe
0x82A15000 \SystemRoot\system32\halmacpi.dll
0x80BA8000 \SystemRoot\system32\kdcom.dll
0x88830000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x888B5000 \SystemRoot\system32\PSHED.dll
0x888C6000 \SystemRoot\system32\BOOTVID.dll
0x888CE000 \SystemRoot\system32\CLFS.SYS
0x88910000 \SystemRoot\system32\CI.dll
0x88A16000 \SystemRoot\system32\drivers\Wdf01000.sys
0x88A87000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x88A95000 \SystemRoot\system32\drivers\ACPI.sys
0x88ADD000 \SystemRoot\system32\drivers\WMILIB.SYS
0x88AE6000 \SystemRoot\system32\drivers\msisadrv.sys
0x88AEE000 \SystemRoot\system32\drivers\pci.sys
0x88B18000 \SystemRoot\system32\drivers\vdrvroot.sys
0x88B23000 \SystemRoot\System32\drivers\partmgr.sys
0x88B34000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x88B3C000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x88B47000 \SystemRoot\system32\drivers\volmgr.sys
0x88B57000 \SystemRoot\System32\drivers\volmgrx.sys
0x88BA2000 \SystemRoot\system32\drivers\intelide.sys
0x88BA9000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x88BB7000 \SystemRoot\System32\drivers\mountmgr.sys
0x88BCD000 \SystemRoot\system32\drivers\atapi.sys
0x88BD6000 \SystemRoot\system32\drivers\ataport.SYS
0x88A00000 \SystemRoot\system32\drivers\amdxata.sys
0x889BB000 \SystemRoot\system32\drivers\fltmgr.sys
0x889EF000 \SystemRoot\system32\drivers\fileinfo.sys
0x88C22000 \SystemRoot\System32\Drivers\Ntfs.sys
0x88D51000 \SystemRoot\System32\Drivers\msrpc.sys
0x88D7C000 \SystemRoot\System32\Drivers\ksecdd.sys
0x88D8F000 \SystemRoot\System32\Drivers\cng.sys
0x88DEC000 \SystemRoot\System32\drivers\pcw.sys
0x88C00000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x88E19000 \SystemRoot\system32\drivers\ndis.sys
0x88ED0000 \SystemRoot\system32\drivers\NETIO.SYS
0x88F0E000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8900D000 \SystemRoot\System32\drivers\tcpip.sys
0x89157000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x89188000 \SystemRoot\system32\drivers\volsnap.sys
0x891C7000 \SystemRoot\System32\Drivers\spldr.sys
0x891CF000 \SystemRoot\System32\drivers\rdyboost.sys
0x88F33000 \SystemRoot\System32\Drivers\mup.sys
0x89000000 \SystemRoot\System32\drivers\hwpolicy.sys
0x88F43000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x88F75000 \SystemRoot\system32\DRIVERS\disk.sys
0x88F86000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x88FDD000 \SystemRoot\system32\drivers\cdrom.sys
0x88E00000 \SystemRoot\System32\Drivers\Null.SYS
0x88E07000 \SystemRoot\System32\Drivers\Beep.SYS
0x88C09000 \SystemRoot\System32\drivers\vga.sys
0x88800000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x88C15000 \SystemRoot\System32\drivers\watchdog.sys
0x88E0E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x88A09000 \SystemRoot\system32\drivers\rdpencdd.sys
0x88821000 \SystemRoot\system32\drivers\rdprefmp.sys
0x8CA31000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8CA3C000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8CA4A000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8CA61000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8CA6D000 \SystemRoot\system32\drivers\afd.sys
0x8CAC7000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8CAF9000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x8CB00000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8CB1F000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8CB2D000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8CB40000 \SystemRoot\system32\drivers\termdd.sys
0x8CB51000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0x8CB5F000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8CBA0000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8CBAA000 \SystemRoot\system32\drivers\mssmbios.sys
0x8CBB4000 \SystemRoot\System32\drivers\discache.sys
0x8CBC0000 \SystemRoot\System32\Drivers\dfsc.sys
0x8CBD8000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x8CA00000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8CBE6000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8CA21000 \SystemRoot\system32\drivers\wmiacpi.sys
0x8CA2A000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8E20A000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x8DE02000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8DEB9000 \SystemRoot\System32\drivers\dxgmms1.sys
0x8DEF2000 \SystemRoot\system32\drivers\HDAudBus.sys
0x8E824000 \SystemRoot\system32\DRIVERS\netw5v32.sys
0x8EC37000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8EC42000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8EC8D000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8EC9C000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0x8ECAD000 \SystemRoot\system32\drivers\1394ohci.sys
0x8ECDA000 \SystemRoot\system32\drivers\sdbus.sys
0x8ECF3000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0x8ED04000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0x8ED18000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0x8ED6A000 \SystemRoot\system32\drivers\i8042prt.sys
0x8ED82000 \SystemRoot\system32\drivers\mouclass.sys
0x8ED8F000 \SystemRoot\system32\drivers\kbdclass.sys
0x8ED9C000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x8EDA2000 \SystemRoot\system32\drivers\CompositeBus.sys
0x8EDAF000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x8EDC1000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8EDD9000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8E800000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8EDE4000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8DF11000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8DF28000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8EDFC000 \SystemRoot\system32\drivers\swenum.sys
0x8DF3F000 \SystemRoot\system32\drivers\ks.sys
0x8DF73000 \SystemRoot\system32\drivers\umbus.sys
0x8DF81000 \SystemRoot\system32\drivers\usbhub.sys
0x8DFC5000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x9360D000 \SystemRoot\system32\drivers\sthda.sys
0x9371D000 \SystemRoot\system32\drivers\portcls.sys
0x9374C000 \SystemRoot\system32\drivers\drmk.sys
0x93765000 \SystemRoot\system32\DRIVERS\VSTAZL3.SYS
0x93217000 \SystemRoot\system32\DRIVERS\VSTDPV3.SYS
0x93319000 \SystemRoot\system32\DRIVERS\VSTCNXT3.SYS
0x933CE000 \SystemRoot\system32\drivers\modem.sys
0x93E10000 \SystemRoot\System32\win32k.sys
0x933DB000 \SystemRoot\System32\drivers\Dxapi.sys
0x933E5000 \SystemRoot\System32\Drivers\crashdmp.sys
0x933F2000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x93200000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x937A2000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x937B3000 \SystemRoot\system32\drivers\usbccgp.sys
0x93209000 \SystemRoot\system32\drivers\USBD.SYS
0x9320B000 \SystemRoot\system32\drivers\hidusb.sys
0x937CA000 \SystemRoot\system32\drivers\HIDCLASS.SYS
0x937DD000 \SystemRoot\system32\drivers\HIDPARSE.SYS
0x937E4000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0x937EC000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x937F7000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0x93600000 \SystemRoot\system32\DRIVERS\monitor.sys
0x94070000 \SystemRoot\System32\TSDDD.dll
0x940A0000 \SystemRoot\System32\cdd.dll
0x8DFD6000 \SystemRoot\system32\drivers\luafv.sys
0x88FAB000 \SystemRoot\system32\drivers\WudfPf.sys
0x88FC5000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x8EE09000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x8EE4F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x8EE5F000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x8EE72000 \SystemRoot\system32\drivers\HTTP.sys
0x8EEF7000 \SystemRoot\system32\DRIVERS\bowser.sys
0x8EF10000 \SystemRoot\System32\drivers\mpsdrv.sys
0x8EF22000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x8EF45000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x8EF80000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x96C29000 \SystemRoot\system32\drivers\peauth.sys
0x96CC0000 \SystemRoot\System32\Drivers\secdrv.SYS
0x96CCA000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x96CEB000 \SystemRoot\System32\drivers\tcpipreg.sys
0x96CF8000 \SystemRoot\System32\DRIVERS\srv2.sys
0x96D48000 \SystemRoot\system32\drivers\tdtcp.sys
0x96D53000 \SystemRoot\System32\DRIVERS\tssecsrv.sys
0x96D60000 \SystemRoot\System32\Drivers\RDPWD.SYS
0x96D92000 \SystemRoot\System32\DRIVERS\srv.sys
0x8EFB3000 \SystemRoot\System32\Drivers\fastfat.SYS
0x77A10000 \Windows\System32\ntdll.dll
0x480B0000 \Windows\System32\smss.exe
0x77C50000 \Windows\System32\apisetschema.dll
0x00AE0000 \Windows\System32\autochk.exe
0x77B70000 \Windows\System32\user32.dll
0x77B60000 \Windows\System32\lpk.dll
0x77810000 \Windows\System32\iertutil.dll

Processes (total 52):
0 System Idle Process
4 System
380 C:\Windows\System32\smss.exe
504 csrss.exe
580 C:\Windows\System32\wininit.exe
592 csrss.exe
628 C:\Windows\System32\services.exe
668 C:\Windows\System32\winlogon.exe
688 C:\Windows\System32\lsass.exe
696 C:\Windows\System32\lsm.exe
812 C:\Windows\System32\svchost.exe
892 C:\Windows\System32\svchost.exe
940 C:\Windows\System32\Ati2evxx.exe
1036 C:\Windows\System32\svchost.exe
1072 C:\Windows\System32\svchost.exe
1100 C:\Windows\System32\svchost.exe
1224 C:\Windows\System32\svchost.exe
1308 C:\Windows\System32\svchost.exe
1424 C:\Windows\System32\Ati2evxx.exe
1656 C:\Windows\System32\spoolsv.exe
1688 C:\Windows\System32\svchost.exe
1804 C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
1828 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1860 C:\Windows\System32\dwm.exe
1884 C:\Windows\explorer.exe
2000 C:\Program Files\Bonjour\mDNSResponder.exe
112 C:\Windows\System32\svchost.exe
496 C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
756 C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
1980 C:\Windows\System32\svchost.exe
2508 C:\Program Files\Iomega\Home Storage Manager\Iomega Discovery.exe
2520 C:\Program Files\PowerISO\PWRISOVM.EXE
2532 C:\Windows\stsystra.exe
2556 C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
2564 C:\Program Files\Logitech\SetPointP\SetPoint.exe
2600 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
2648 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
2696 C:\Program Files\iTunes\iTunesHelper.exe
3200 C:\Windows\System32\svchost.exe
3336 C:\Windows\System32\SearchIndexer.exe
3456 C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
3840 C:\Program Files\Windows Media Player\wmpnetwk.exe
3024 C:\Program Files\iPod\bin\iPodService.exe
3880 C:\Windows\System32\svchost.exe
3912 C:\Windows\System32\svchost.exe
44924 C:\Windows\System32\audiodg.exe
44220 C:\Windows\System32\SearchProtocolHost.exe
44500 C:\Windows\System32\SearchFilterHost.exe
44572 C:\Program Files\Internet Explorer\iexplore.exe
44640 C:\Program Files\Internet Explorer\iexplore.exe
44384 C:\Users\Zubba\Desktop\MBRCheck.exe
44852 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHM160JI, Rev: AD100-12

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!


I'll be away for about 24 hours or so, and then I'll be back to check this.
Thank You so much for your help.

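An added example (my own code, not from this thread or from GMER) showing how a responder would triage the ">Hooks" lines above: hooks that GMER attributes to a loaded module such as ieframe.dll are separated from ones it reports as unknown_code_page, and the latter are checked against a list of network modules, since hooks on ws2_32/wininet are what a redirector needs. The five sample lines are copied from the log; the line format and the module list are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of GMER's ">Hooks" section (five lines
# copied from the log above; separators included to show they are skipped).
SAMPLE_HOOKS = """\
==============================================
>Hooks
==============================================
[2388]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x77B7EC7C-->00000000 [ieframe.dll]
[2388]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersA, Type: Inline - RelativeJump 0x7740DCD2-->00000000 [unknown_code_page]
[3296]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x77B7E30C-->00000000 [ieframe.dll]
[3296]iexplore.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x77226BDD-->00000000 [unknown_code_page]
[3296]iexplore.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x77226F01-->00000000 [unknown_code_page]
"""

# Assumed line shape:
# [pid]process-->module-->function, Type: <kind> 0x<addr>--><target> [<owner>]
HOOK_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<process>.+?)-->(?P<module>.+?)-->(?P<function>[^,]+), "
    r"Type: (?P<kind>.+?) 0x(?P<addr>[0-9A-Fa-f]+)-->(?P<target>[0-9A-Fa-f]+) "
    r"\[(?P<owner>[^\]]+)\]$"
)

# Hooks on these modules sit on name resolution and HTTP/socket traffic,
# which is the natural place to implement browser redirection (assumed list).
NETWORK_MODULES = {"ws2_32.dll", "wininet.dll", "winhttp.dll", "dnsapi.dll"}


def parse_hooks(text):
    """Parse GMER hook lines into dicts; headers and separators are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["pid"] = int(h["pid"])
            hooks.append(h)
    return hooks


def triage_hooks(hooks):
    """Per process: hooks GMER attributed to a module (grouped by owner),
    hooks it could not attribute (unknown_code_page), and which of those
    unattributed hooks touch network APIs. Keyed by "process[pid]"."""
    summary = defaultdict(lambda: {"attributed": {}, "unattributed": [], "network": []})
    for h in hooks:
        key = f'{h["process"]}[{h["pid"]}]'
        api = f'{h["module"]}!{h["function"]}'
        entry = summary[key]
        if h["owner"] == "unknown_code_page":
            entry["unattributed"].append(api)
            if h["module"].lower() in NETWORK_MODULES:
                entry["network"].append(api)
        else:
            entry["attributed"].setdefault(h["owner"], []).append(api)
    return dict(summary)


def main():
    report = triage_hooks(parse_hooks(SAMPLE_HOOKS))
    for proc, entry in sorted(report.items()):
        print(proc)
        for owner, apis in entry["attributed"].items():
            print(f"  attributed to {owner}: {len(apis)} hook(s)")
        for api in entry["unattributed"]:
            flag = "  <-- network API" if api in entry["network"] else ""
            print(f"  UNATTRIBUTED {api}{flag}")


if __name__ == "__main__":
    main()
```

A hook owned by a named module still deserves a look at that module's signature and path; the script only makes the unattributed ones, and among them the network ones, stand out first.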
Save SystemLook on the desktop from one of these links:
[url="http://jpshortstuff.247fixes.com/SystemLook.exe"]http://jpshortstuff.247fixes.com/SystemLook.exe[/url]
[url="http://images.malwareremoval.com/jpshortstuff/SystemLook.exe"]http://images.malwareremoval.com/jpshortstuff/SystemLook.exe[/url]

Double-click on SystemLook file to run it.

Copy all lines in the box
[code]:filefind
VolSnap.sys[/code]
and paste in the big text field in SystemLook.
Click on the Look button to start the search.
When finished Notepad will pop-up with the log. Copy the log and paste into your answer. If Notepad doesn't pop-up you can find the log as SystemLook.txt on the Desktop.

[quote name='CeciliaB' post='127746' date='Jun 23 2011, 11:21 AM']Save SystemLook on the desktop from one of these links: [...][/quote]

I was away from my computer for 24 hours. During that time, something emerged or installed itself? When I returned, I had a Win7 Antispyware 2012 window in the foreground saying I had a trojan-bnk.win32.keylogger.gen infection and wanting me to activate Win7 Antispyware 2012 to fix it. The only thing I could do was click 'continue unprotected'. When trying to load Firefox, it defaults to a screen that says it is a dangerous page and there is nothing I can do to continue to that page. Every program I try to start gets a popup saying it is infected and corrupted. A scan starts itself saying basically every executable program has a different malware type of infection. When I looked at my task manager, csrss.exe is running (which I don't recall seeing before), and when I try to end it, it only gives me the option to 'cancel' or to check a box to save all progress, and then a button becomes available to shut down my computer.
Even safe mode had the same exact thing.



I had no alternative but to do a system restore that was created by combofix. I don't know where that leaves me with any progress we were making, but I went ahead and followed the most recent instructions:









SystemLook report:
SystemLook 04.09.10 by jpshortstuff
Log created at 09:04 on 24/06/2011 by Zubba
Administrator - Elevation successful

========== filefind ==========

Searching for "VolSnap.sys"
C:\Windows\System32\drivers\volsnap.sys --a---- 245632 bytes [12:28 15/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys --a---- 245632 bytes [12:28 15/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys --a---- 245328 bytes [23:11 13/07/2009] [01:19 14/07/2009] 58DF9D2481A56EDDE167E51B334D44FD
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys --a---- 245632 bytes [12:28 15/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7

-= EOF =-

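An added example (my own code, not from this thread or from SystemLook) that does by script what the helper does by eye with the :filefind output above: parse the result lines, take the copy under System32\drivers as the live driver, and compare its MD5 with the DriverStore and winsxs reference copies. The four volsnap.sys lines are from the report; the second file, its paths and its all-zero/all-one hashes are constructed placeholders to show the mismatch case, and the line format is my assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the four volsnap.sys lines from the report above, plus
# a placeholder "example.sys" whose live copy matches no reference copy.
SAMPLE_FILEFIND = r"""
========== filefind ==========

Searching for "VolSnap.sys"
C:\Windows\System32\drivers\volsnap.sys --a---- 245632 bytes [12:28 15/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys --a---- 245632 bytes [12:28 15/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys --a---- 245328 bytes [23:11 13/07/2009] [01:19 14/07/2009] 58DF9D2481A56EDDE167E51B334D44FD
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys --a---- 245632 bytes [12:28 15/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7

Searching for "example.sys"
C:\Windows\System32\drivers\example.sys --a---- 100000 bytes [00:00 01/01/2011] [00:00 01/01/2011] 00000000000000000000000000000000
C:\Windows\System32\DriverStore\FileRepository\example.inf_placeholder\example.sys --a---- 100000 bytes [00:00 01/01/2011] [00:00 01/01/2011] 11111111111111111111111111111111
"""

# Assumed line shape: <path> <7 attribute flags> <size> bytes [ts] [ts] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-A-Za-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<time_a>[^\]]+)\] \[(?P<time_b>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Parse SystemLook :filefind result lines; headings and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def is_live_copy(path):
    """The copy Windows actually loads sits directly under System32\\drivers."""
    parent = PureWindowsPath(path).parent.as_posix().lower()
    return parent.endswith("/system32/drivers")


def check_driver_copies(entries):
    """Compare each live driver with its DriverStore/winsxs reference copies.

    Verdicts: "match" (live MD5 equals at least one reference; winsxs keeps
    several versions, so one differing reference alone is not a finding),
    "mismatch" (live copy equals none of them), "no_reference", "no_live_copy".
    Returns {filename: (verdict, [paths])}.
    """
    by_name = {}
    for e in entries:
        name = PureWindowsPath(e["path"]).name.lower()
        group = by_name.setdefault(name, {"live": [], "refs": []})
        group["live" if is_live_copy(e["path"]) else "refs"].append(e)

    verdicts = {}
    for name, group in by_name.items():
        if not group["live"]:
            verdicts[name] = ("no_live_copy", [])
        elif not group["refs"]:
            verdicts[name] = ("no_reference", [])
        else:
            live_md5 = group["live"][0]["md5"]
            same = [r["path"] for r in group["refs"] if r["md5"] == live_md5]
            verdicts[name] = ("match", same) if same else ("mismatch", [r["path"] for r in group["refs"]])
    return verdicts


def main():
    for name, (verdict, paths) in check_driver_copies(parse_filefind(SAMPLE_FILEFIND)).items():
        print(f"{name}: {verdict}")
        for p in paths:
            print(f"    {p}")


if __name__ == "__main__":
    main()
```

For the report above this yields "match" for volsnap.sys against the DriverStore copy and the 6.1.7601 winsxs copy, which is the comparison behind the fix.bat the helper hands out next.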
Then it is best that you remove the ComboFix you have and download the latest version by using the same link as before. Follow the instructions to run it again.

PS. Turn off your computer when you aren't using it and connect it only to internet when necessary.

[quote name='CeciliaB' post='127762' date='Jun 24 2011, 05:51 PM']Then it is best that you remove the ComboFix you have and download the latest version by using the same link as before. [...][/quote]

Ok, here is the new combofix report:

ComboFix 11-06-24.02 - Zubba 06/24/2011 20:29:46.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2046.1311 [GMT -5:00]
Running from: c:\users\Zubba\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-05-25 to 2011-06-25 )))))))))))))))))))))))))))))))
.
.
2011-06-25 01:35 . 2011-06-25 01:35 -------- d-----w- c:\users\Mcx1-GALILEO\AppData\Local\temp
2011-06-25 01:35 . 2011-06-25 01:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-21 18:28 . 2011-06-21 18:44 -------- d-----w- c:\programdata\SecTaskMan
2011-06-21 18:14 . 2011-06-21 18:14 388096 ----a-r- c:\users\Zubba\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-21 18:14 . 2011-06-21 18:14 -------- d-----w- c:\program files\Trend Micro
2011-06-21 13:46 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1D9B499E-49F5-43D0-81C4-A435592D5544}\mpengine.dll
2011-06-21 13:45 . 2011-04-25 04:31 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-21 13:45 . 2011-04-25 02:18 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-21 13:45 . 2011-02-25 05:34 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-21 13:45 . 2011-04-29 02:46 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-21 13:45 . 2011-04-29 02:46 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-21 13:45 . 2011-04-29 02:46 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-21 13:45 . 2011-05-03 04:30 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-21 13:44 . 2011-04-27 02:17 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-21 13:44 . 2011-04-27 02:17 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-21 13:44 . 2011-04-27 02:17 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-21 13:40 . 2009-08-20 05:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-06-21 13:39 . 2010-09-23 00:47 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2011-06-21 13:38 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-21 13:25 . 2011-06-21 13:25 -------- d-----w- c:\program files\iPod
2011-06-21 13:25 . 2011-06-21 13:25 -------- d-----w- c:\program files\iTunes
2011-06-10 02:46 . 2011-06-21 05:22 -------- d-----w- c:\users\Zubba\AppData\Roaming\Catalina Marketing Corp
2011-06-10 02:46 . 2011-06-10 02:46 466944 ----a-w- c:\program files\Mozilla Firefox\plugins\NPcol500.dll
2011-06-10 02:46 . 2011-06-10 02:46 466944 ----a-w- c:\program files\Mozilla Firefox\plugins\NPcol400.dll
2011-06-10 02:46 . 2011-06-10 02:46 525856 ----a-w- c:\users\Zubba\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
2011-06-10 02:44 . 2011-06-21 05:22 -------- d-----w- c:\program files\Coupons
2011-06-06 17:55 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-24 14:02 . 2011-01-07 16:13 119296 ----a-w- c:\windows\system32\zlib.dll
2011-06-21 13:21 . 2011-05-24 02:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-25 00:14 . 2011-01-07 02:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-22 19:14 . 2011-05-25 01:44 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-04-19 05:20 . 2011-04-19 05:20 159080 ---ha-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10138.bin
2011-04-09 06:02 . 2011-05-24 01:27 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-09 06:02 . 2011-05-24 01:27 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 05:56 . 2011-05-24 01:27 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 21:20 . 2011-04-06 21:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-08-14 17:33 . 2009-08-14 17:33 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-08-14 17:33 . 2009-08-14 17:33 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-08-14 17:33 . 2009-08-14 17:33 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-08-14 17:33 . 2009-08-14 17:33 20824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-08-14 17:34 . 2009-08-14 17:34 206160 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-08-14 17:33 . 2009-08-14 17:33 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-08-14 17:33 . 2009-08-14 17:33 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:33 . 2007-03-16 22:33 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:33 . 2007-03-16 22:33 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:33 . 2007-03-16 22:33 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2009-08-14 16:50 . 2009-08-14 16:50 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-08-14 17:33 . 2009-08-14 17:33 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-04-29 01:16 . 2011-03-23 17:51 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Iomega Home Storage Manager"="c:\program files\Iomega\Home Storage Manager\Iomega Discovery.exe" [2009-10-27 152936]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2011-06-08 528832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"AutoLaunch"="c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe" [2011-06-08 669936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
c:\windows\system32\conime.exe [BU]
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-06-08 1036104]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2010-09-13 308656]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links using BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Download all videos using BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Download link using &BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{2E6C8804-6D69-48FF-B483-ECE97608240E}: NameServer = 192.168.1.254
TCP: Interfaces\{C5472037-1C81-4BC4-97B1-6E3B99270DEC}: NameServer = 192.168.1.254
FF - ProfilePath - c:\users\Zubba\AppData\Roaming\Mozilla\Firefox\Profiles\4faghf6q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-06-24 20:37:00
ComboFix-quarantined-files.txt 2011-06-25 01:36
ComboFix2.txt 2011-06-22 13:23
.
Pre-Run: 42,467,557,376 bytes free
Post-Run: 42,464,395,264 bytes free
.
- - End Of File - - 5F213A16238B2B36BCB47D1EA8058396

Start Notepad and paste the content of the box (3 rows) into Notepad.
[code]@ECHO OFF
copy /y C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys C:\Windows\System32\drivers\volsnap.sys_new
DEL %0[/code]
In the file menu select [b]Save as[/b].
Change the file format to [b]All files[/b] and enter the file name [b]fix.bat[/b] before saving the file.

Right-click fix.bat and select [b]Run as administrator[/b].
Check that you have a file C:\Windows\System32\drivers\volsnap.sys_new.
If not, inform me and don't continue with the following instructions in this post.

Restart the computer and, by following the guide [url="http://www.sevenforums.com/tutorials/668-system-recovery-options.html"]http://www.sevenforums.com/tutorials/668-s...ry-options.html[/url], reach the "System Recovery Options" menu. In that menu select [b]Command Prompt[/b].

Type these two commands (press Enter key after each command):

copy C:\Windows\System32\drivers\volsnap.sys C:\Windows\System32\drivers\volsnap.sys_old
copy C:\Windows\System32\drivers\volsnap.sys_new C:\Windows\System32\drivers\volsnap.sys

If you get any error messages write them down exactly.

Close Command Prompt window and click [b]Restart [/b]button in "System Recovery Options" window.

When you are back in Windows run Gmer, see instructions above, and post its log.
Restart the computer, run ComboFix in the usual way and post that log, too.

[quote name='CeciliaB' post='127776' date='Jun 25 2011, 08:49 AM']Start Notepad and paste the content of the box (3 rows) into Notepad.
[code]@ECHO OFF
copy /y C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys C:\Windows\System32\drivers\volsnap.sys_new
DEL %0[/code]
In the file menu select [b]Save as[/b].
Change the file format to [b]All files[/b] and enter the file name [b]fix.bat[/b] before saving the file.

Right-click fix.bat and select [b]Run as administrator[/b].
Check that you have a file C:\Windows\System32\drivers\volsnap.sys_new.
If not, inform me and don't continue with the following instructions in this post.

Restart the computer and by following the guide [url="http://www.sevenforums.com/tutorials/668-system-recovery-options.html"]http://www.sevenforums.com/tutorials/668-s...ry-options.html[/url] reach "System Recovery Options" menu. In that menu you select [b]Command Prompt[/b].

Type these two commands (press Enter key after each command):

copy C:\Windows\System32\drivers\volsnap.sys C:\Windows\System32\drivers\volsnap.sys_old
copy C:\Windows\System32\drivers\volsnap.sys_new C:\Windows\System32\drivers\volsnap.sys

If you get any error messages write them down exactly.

Close Command Prompt window and click [b]Restart [/b]button in "System Recovery Options" window.

When you are back in Windows run Gmer, see instructions above, and post its log.
Restart the computer, run ComboFix in the usual way and post that log, too.[/quote]

Ok, I was able to find the file, and able to copy the two files around in the Windows recovery command prompt. I ran GMER and restarted then ran Combofix. After running combofix I plugged back in the internet cable and tried to start firefox. I received an error message:
C:\program files\mozilla firefox\firefox.exe
Illegal operation attempted on registry key that has been marked for deletion

I restarted the computer, and was able to start firefox. Not sure if this is important/relevant, but every time I run firefox after a reboot, it asks me if I want to make firefox my default browser. So far I've always clicked yes.







Gmer Report:

GMER 1.0.15.15640 - [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2011-06-25 20:37:06
Windows 6.1.7601 Service Pack 1
Running: oyfjbdtu.exe; Driver: C:\Users\Zubba\AppData\Local\Temp\pwtdqpod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 82A8E339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AC7D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E00A000, 0x23097E, 0xE8000020]
PAGE spsys.sys![email protected]@3PADA + 4F90 A143C000 85 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys![email protected]@3PADA + 4FE6 A143C056 61 Bytes [A1, 5E, C3, 8B, FF, 55, 8B, ...]
PAGE spsys.sys![email protected]@3PADA + 5024 A143C094 142 Bytes [A1, FF, 25, 80, 21, 43, A1, ...]
PAGE spsys.sys![email protected]@3PADA + 50B3 A143C123 629 Bytes [75, 43, A1, FE, 05, 34, 75, ...]
PAGE spsys.sys![email protected]@3PADA + 5329 A143C399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE ...

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device0000046 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Combofix Report:

ComboFix 11-06-24.02 - Zubba 06/25/2011 20:40:43.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2046.1415 [GMT -5:00]
Running from: c:\users\Zubba\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-26 to 2011-06-26 )))))))))))))))))))))))))))))))
.
.
2011-06-26 01:55 . 2011-06-26 01:55 -------- d-----w- c:\users\Mcx1-GALILEO\AppData\Local\temp
2011-06-26 01:55 . 2011-06-26 01:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-21 18:28 . 2011-06-21 18:44 -------- d-----w- c:\programdata\SecTaskMan
2011-06-21 18:14 . 2011-06-21 18:14 388096 ----a-r- c:\users\Zubba\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-21 18:14 . 2011-06-21 18:14 -------- d-----w- c:\program files\Trend Micro
2011-06-21 13:46 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1D9B499E-49F5-43D0-81C4-A435592D5544}\mpengine.dll
2011-06-21 13:45 . 2011-04-25 04:31 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-21 13:45 . 2011-04-25 02:18 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-21 13:45 . 2011-02-25 05:34 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-21 13:45 . 2011-04-29 02:46 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-21 13:45 . 2011-04-29 02:46 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-21 13:45 . 2011-04-29 02:46 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-21 13:45 . 2011-05-03 04:30 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-21 13:44 . 2011-04-27 02:17 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-21 13:44 . 2011-04-27 02:17 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-21 13:44 . 2011-04-27 02:17 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-21 13:40 . 2009-08-20 05:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-06-21 13:39 . 2010-09-23 00:47 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2011-06-21 13:38 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-21 13:25 . 2011-06-21 13:25 -------- d-----w- c:\program files\iPod
2011-06-21 13:25 . 2011-06-21 13:25 -------- d-----w- c:\program files\iTunes
2011-06-10 02:46 . 2011-06-21 05:22 -------- d-----w- c:\users\Zubba\AppData\Roaming\Catalina Marketing Corp
2011-06-10 02:46 . 2011-06-10 02:46 466944 ----a-w- c:\program files\Mozilla Firefox\plugins\NPcol500.dll
2011-06-10 02:46 . 2011-06-10 02:46 466944 ----a-w- c:\program files\Mozilla Firefox\plugins\NPcol400.dll
2011-06-10 02:46 . 2011-06-10 02:46 525856 ----a-w- c:\users\Zubba\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
2011-06-10 02:44 . 2011-06-21 05:22 -------- d-----w- c:\program files\Coupons
2011-06-06 17:55 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-25 09:41 . 2011-01-07 16:13 119296 ----a-w- c:\windows\system32\zlib.dll
2011-06-21 13:21 . 2011-05-24 02:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-25 00:14 . 2011-01-07 02:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-22 19:14 . 2011-05-25 01:44 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-04-19 05:20 . 2011-04-19 05:20 159080 ---ha-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10138.bin
2011-04-09 06:02 . 2011-05-24 01:27 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-09 06:02 . 2011-05-24 01:27 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 05:56 . 2011-05-24 01:27 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 21:20 . 2011-04-06 21:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-08-14 17:33 . 2009-08-14 17:33 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-08-14 17:33 . 2009-08-14 17:33 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-08-14 17:33 . 2009-08-14 17:33 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-08-14 17:33 . 2009-08-14 17:33 20824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-08-14 17:34 . 2009-08-14 17:34 206160 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-08-14 17:33 . 2009-08-14 17:33 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-08-14 17:33 . 2009-08-14 17:33 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:33 . 2007-03-16 22:33 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:33 . 2007-03-16 22:33 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:33 . 2007-03-16 22:33 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2009-08-14 16:50 . 2009-08-14 16:50 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-08-14 17:33 . 2009-08-14 17:33 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-04-29 01:16 . 2011-03-23 17:51 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Iomega Home Storage Manager"="c:\program files\Iomega\Home Storage Manager\Iomega Discovery.exe" [2009-10-27 152936]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2011-06-08 528832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"AutoLaunch"="c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe" [2011-06-08 669936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
c:\windows\system32\conime.exe [BU]
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-06-08 1036104]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2010-09-13 308656]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links using BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Download all videos using BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Download link using &BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{2E6C8804-6D69-48FF-B483-ECE97608240E}: NameServer = 192.168.1.254
TCP: Interfaces\{C5472037-1C81-4BC4-97B1-6E3B99270DEC}: NameServer = 192.168.1.254
FF - ProfilePath - c:\users\Zubba\AppData\Roaming\Mozilla\Firefox\Profiles\4faghf6q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-06-25 20:57:25
ComboFix-quarantined-files.txt 2011-06-26 01:57
ComboFix2.txt 2011-06-25 01:37
ComboFix3.txt 2011-06-22 13:23
.
Pre-Run: 42,156,167,168 bytes free
Post-Run: 42,127,708,160 bytes free
.
- - End Of File - - F143C8B004B55B79204DCC00DAC583B7



Thank you!

Nice! :)

Regarding the settings for default browser, check these pages:
[url="http://windows.microsoft.com/en-US/windows7/Change-your-default-web-browser"]http://windows.microsoft.com/en-US/windows...ult-web-browser[/url]
[url="http://kb.mozillazine.org/Default_browser"]http://kb.mozillazine.org/Default_browser[/url]

Is it possible to run Ad-Aware now? If not, try to reinstall it.

Run an online scan with Eset [url="http://www.eset.com/onlinescan/"]http://www.eset.com/onlinescan/[/url]
To shorten the scanning time disable your antivirus program while scanning.

Un-check "Remove found threats"
Check "Scan Archives"

Click "Advanced Settings"
Check:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Scan

When the scan completes the log file C:\Program\Eset\Eset Online Scanner\log.txt is created. Open it in Notepad and paste its content in your answer.

Any remaining issues?

[quote name='CeciliaB' post='127788' date='Jun 26 2011, 02:20 AM']Nice! :)

Regarding the settings for default browser, check these pages:
[url="http://windows.microsoft.com/en-US/windows7/Change-your-default-web-browser"]http://windows.microsoft.com/en-US/windows...ult-web-browser[/url]
[url="http://kb.mozillazine.org/Default_browser"]http://kb.mozillazine.org/Default_browser[/url]

Is it possible to run Ad-Aware now? If not, try to reinstall it.

Run an online scan with Eset [url="http://www.eset.com/onlinescan/"]http://www.eset.com/onlinescan/[/url]
To shorten the scanning time disable your antivirus program while scanning.

Un-check "Remove found threats"
Check "Scan Archives"

Click "Advanced Settings"
Check:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Scan

When the scan completes the log file C:\Program\Eset\Eset Online Scanner\log.txt is created. Open it in Notepad and paste its content in your answer.

Any remaining issues?[/quote]

I couldn't start adaware, so I uninstalled and reinstalled. It autoupdated the definitions. When it started, it immediately went to a window saying my adaware license has expired. I never had a license, I used the free version. It wants me to enter a serial number, or click a green button "renew now". I closed it.

I ran the Eset program and here is its logfile:

[email protected] as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=1678abe78c121445b55302c62a95bf3e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-06-26 11:50:41
# local_time=2011-06-26 06:50:41 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776573 100 94 0 60627250 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=102144
# found=5
# cleaned=0
# scan_time=6582
C:\Users\Zubba\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\3864325d-2356bd80 a variant of Win32/Kryptik.PKN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Zubba\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\597da3c5-3d7466c4 a variant of Win32/Kryptik.PMC trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Zubba\Desktop\Installers\LogitechDrivers.exe Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Zubba\Desktop\Installers\ms office 2k3\Office2003.iso probably a variant of Win32/Agent.CNVAOQK trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\System32\drivers\volsnap.sys_old Win32/Olmasco.E trojan (unable to clean) 00000000000000000000000000000000 I



I don't have any popups, and the internet explorer pair that always ran is not running anymore in task manager. Crss.exe is still running, is this something important to windows, or is it part of the infection?

I'll await more instructions.

Thank you.
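An added example for reading the ESET Online Scanner log posted above (editor-supplied code, not from the thread and not an ESET tool): it pulls the "# found" and "# cleaned" counters out of the header, parses each detection line into path, threat, hash and flag, and lists separately any hit under the Windows directory, since that is where the set-aside volsnap.sys_old showed up. The sample log inside the script is a constructed excerpt of the one zubbs1 posted; the tab-separated column order it assumes for a real log.txt (path, threat, hash, flag) is an assumption matching that excerpt, and the regex fallback handles the space-collapsed form a forum paste produces.

```powershell
# Added example (not from the thread, not an ESET tool): summarise an ESET Online Scanner log.txt
# in the layout posted above. Real logs separate the columns with tabs; forum pasting collapses
# them to spaces, so both forms are handled. Sample below is a constructed excerpt of the posted log.
$SampleLog = @'
# version=7
# found=5
# cleaned=0
# scan_time=6582
C:\Users\Zubba\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\3864325d-2356bd80 a variant of Win32/Kryptik.PKN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Zubba\Desktop\Installers\ms office 2k3\Office2003.iso probably a variant of Win32/Agent.CNVAOQK trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\System32\drivers\volsnap.sys_old Win32/Olmasco.E trojan (unable to clean) 00000000000000000000000000000000 I
'@

function ConvertFrom-EsetLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $header = @{}
    $detections = New-Object System.Collections.Generic.List[object]
    # Space-collapsed detection lines: path, threat text, 32-hex hash, flag. The threat text is
    # anchored on ESET's Family/Name naming so a path containing spaces is not split too early.
    $rx = '^(?<Path>[A-Za-z]:\\.+?)\s+(?<Threat>(?:probably\s+)?(?:a\s+variant\s+of\s+)?[A-Za-z0-9_]+/\S.*?)\s+(?<Hash>[0-9a-fA-F]{32})\s+(?<Flag>\S+)\s*$'
    foreach ($line in $Lines) {
        if ($line -match '^#\s*([^=]+)=(.*)$') { $header[$Matches[1].Trim()] = $Matches[2].Trim(); continue }
        if ($line -match "`t") {
            # Assumed column order for a tab-separated real log.txt: path, threat, hash, flag.
            $f = $line -split "`t"
            if ($f.Count -ge 4) {
                $detections.Add([pscustomobject]@{ Path = $f[0]; Threat = $f[1]; Hash = $f[2]; Flag = $f[3] })
                continue
            }
        }
        $m = [regex]::Match($line, $rx)
        if ($m.Success) {
            $detections.Add([pscustomobject]@{
                Path = $m.Groups['Path'].Value; Threat = $m.Groups['Threat'].Value
                Hash = $m.Groups['Hash'].Value; Flag = $m.Groups['Flag'].Value })
        }
    }
    [pscustomobject]@{
        Found      = [int]$header['found']
        Cleaned    = [int]$header['cleaned']
        Parsed     = $detections.Count
        SystemDirs = @($detections | Where-Object { $_.Path -like "$env:SystemRoot\*" })
        Detections = $detections
    }
}

$r = ConvertFrom-EsetLog -Lines ($SampleLog -split "`r?`n")
"found={0} cleaned={1} parsed={2}" -f $r.Found, $r.Cleaned, $r.Parsed
$r.Detections | Format-Table Path, Threat -AutoSize
# Hits under the Windows directory are triaged first: in the posted log that was the renamed
# driver backup volsnap.sys_old, i.e. the file the replacement procedure had set aside.
$r.SystemDirs | ForEach-Object { "SYSTEM FILE: $($_.Path) -> $($_.Threat)" }
```

To run it against a real scan, replace the sample with Get-Content on the log path the thread names (C:\Program\Eset\Eset Online Scanner\log.txt) and pass the lines to ConvertFrom-EsetLog. A "found" count higher than "parsed" means some detection lines did not fit either layout and should be read by hand rather than assumed benign.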

You are welcome :)

Are you sure that you downloaded the free version and not the Pro version (TrialPay)?
[url="http://download.cnet.com/Ad-Aware-Free-Internet-Security/3000-8022_4-10045910.html"]http://download.cnet.com/Ad-Aware-Free-Int...4-10045910.html[/url]

C:\Users\Zubba\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\3864325d-2356bd80 a variant of Win32/Kryptik.PKN trojan (unable to clean)
C:\Users\Zubba\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\597da3c5-3d7466c4 a variant of Win32/Kryptik.PMC trojan (unable to clean)
It means that you probably have visited bad web pages that tried to infect the computer. Those files will be removed during the final clean-up.

C:\Users\Zubba\Desktop\Installers\LogitechDrivers.exe Win32/Toolbar.Zugo application (unable to clean)
Program with bad toolbar. Is the program really from Logitech?

Do you mean csrss.exe? That is a normal Windows process.

[quote name='CeciliaB' post='127805' date='Jun 26 2011, 07:20 PM']You are welcome :)

Are you sure that you downloaded the free version and not the Pro version (TrialPay)?
[url="http://download.cnet.com/Ad-Aware-Free-Internet-Security/3000-8022_4-10045910.html"]http://download.cnet.com/Ad-Aware-Free-Int...4-10045910.html[/url]

C:\Users\Zubba\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\3864325d-2356bd80 a variant of Win32/Kryptik.PKN trojan (unable to clean)
C:\Users\Zubba\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\597da3c5-3d7466c4 a variant of Win32/Kryptik.PMC trojan (unable to clean)
It means that you probably have visited bad web pages that tried to infect the computer. Those files will be removed during the final clean-up.

C:\Users\Zubba\Desktop\Installers\LogitechDrivers.exe Win32/Toolbar.Zugo application (unable to clean)
Program with bad toolbar. Is the program really from Logitech?

Do you mean csrss.exe? That is a normal Windows process.[/quote]

Yes csrss.exe, ok good to know it isn't a problem. As far as I know, that is a proper driver for my logitech wireless mouse.


I have no idea what is going on with adaware. I used your link, which is the same installer that I used earlier today. I uninstalled the previous install, and installed again. When it finishes, it gives an error message that adaware unexpectedly shut down and wants to know if I want to send in a report (like what windows xp used to do for a program that quit working). Then adaware starts running and immediately a window tells me that my registration has expired. It won't let me actually run a scan or anything, it just makes me enter a serial, which I don't have. Why is it doing this? I have never had trouble installing programs, and adaware has never acted like this before...

[quote]As far as I know, that is a proper driver for my logitech wireless mouse.[/quote]Take care when you install it and uncheck any toolbars.

See the topic [url="http://www.lavasoftsupport.com/index.php?showtopic=31227&view=findpost&p=127148"]http://www.lavasoftsupport.com/index.php?s...st&p=127148[/url] for the license problem.

Any more problems to solve before the final clean-up?

[quote name='CeciliaB' post='127831' date='Jun 27 2011, 08:38 AM']Take care when you install it and uncheck any toolbars.

See the topic [url="http://www.lavasoftsupport.com/index.php?showtopic=31227&view=findpost&p=127148"]http://www.lavasoftsupport.com/index.php?s...st&p=127148[/url] for the license problem.

Any more problems to solve before the final clean-up?[/quote]

Ok, the license problem you stated was the issue. I removed that folder and reinstalled, and was able to run an adaware scan. The system is running much better now. I'll post the adaware log, but I think I'm ready for the final stages now.

ADAWARE Logfile:

Logfile created: 6/27/2011 21:56:35
Ad-Aware version: 9.0.6
Extended engine: 3
Extended engine version: 3.1.2770
User performing scan: Zubba

*********************** Definitions database information ***********************
Lavasoft definition file: 150.468
Genotype definition file version: 2011/06/21 10:10:24
Extended engine definition file: 9713.0

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 118132
Objects detected: 92


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 4
Folders.........: 0
LSPs............: 0
Cookies.........: 88
Browser hijacks.: 0
MRU objects.....: 0



Removed items:
Description: *real* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408817 Family ID: 0
Description: *247realmedia* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408945 Family ID: 0
Description: *realmedia* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409139 Family ID: 0
Description: *2o7* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408943 Family ID: 0
Description: *ad.yieldmanager* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409172 Family ID: 0
Description: *adbrite* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409218 Family ID: 0
Description: *addynamix* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409026 Family ID: 0
Description: *.lycos* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408930 Family ID: 0
Description: *pointroll* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408826 Family ID: 0
Description: *ads.pointroll* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408927 Family ID: 0
Description: *adserv* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408921 Family ID: 0
Description: *adserver* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408737 Family ID: 0
Description: *adtech* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409018 Family ID: 0
Description: *adserve* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409020 Family ID: 0
Description: *advertis* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408918 Family ID: 0
Description: *advertising* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409017 Family ID: 0
Description: *apmebf* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409163 Family ID: 0
Description: *atdmt* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408910 Family ID: 0
Description: *bs.serving-sys* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408902 Family ID: 0
Description: *serving-sys* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409130 Family ID: 0
Description: *casalemedia* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409152 Family ID: 0
Description: *trafficmp* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408787 Family ID: 0
Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408875 Family ID: 0
Description: *fastclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408869 Family ID: 0
Description: *gamers* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409301 Family ID: 0
Description: *insightexpressai* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409259 Family ID: 0
Description: *kontera* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409363 Family ID: 0
Description: *mediaplex* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408991 Family ID: 0
Description: *pro-market* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408823 Family ID: 0
Description: *questionmarket* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408819 Family ID: 0
Description: *klo* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408848 Family ID: 0
Description: *server.iad.liveperson* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409131 Family ID: 0
Description: *specificclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408807 Family ID: 0
Description: *statcounter* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409185 Family ID: 0
Description: *tribalfusion* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408785 Family ID: 0
Description: *ad.yieldmanager* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409172 Family ID: 0
Description: *adbrite* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409218 Family ID: 0
Description: *.bridgetrack* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409095 Family ID: 0
Description: *advertis* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408918 Family ID: 0
Description: *advertising* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409017 Family ID: 0
Description: *apmebf* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409163 Family ID: 0
Description: *atdmt* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408910 Family ID: 0
Description: *bs.serving-sys* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408902 Family ID: 0
Description: *serving-sys* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409130 Family ID: 0
Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408875 Family ID: 0
Description: *fastclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408869 Family ID: 0
Description: *kontera* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409363 Family ID: 0
Description: *mediaplex* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408991 Family ID: 0
Description: *specificclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408807 Family ID: 0
Description: *tacoda* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409123 Family ID: 0
Description: *trafficmp* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408787 Family ID: 0
Description: *tribalfusion* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408785 Family ID: 0
Description: *adserv* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408921 Family ID: 0
Description: *real* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408817 Family ID: 0
Description: *247realmedia* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408945 Family ID: 0
Description: *realmedia* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409139 Family ID: 0
Description: *2o7* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408943 Family ID: 0
Description: *ad.yieldmanager* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409172 Family ID: 0
Description: *adbrite* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409218 Family ID: 0
Description: *addynamix* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409026 Family ID: 0
Description: *.lycos* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408930 Family ID: 0
Description: *pointroll* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408826 Family ID: 0
Description: *ads.pointroll* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408927 Family ID: 0
Description: *adserv* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408921 Family ID: 0
Description: *adserver* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408737 Family ID: 0
Description: *adtech* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409018 Family ID: 0
Description: *adserve* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409020 Family ID: 0
Description: *advertis* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408918 Family ID: 0
Description: *advertising* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409017 Family ID: 0
Description: *apmebf* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409163 Family ID: 0
Description: *atdmt* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408910 Family ID: 0
Description: *bs.serving-sys* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408902 Family ID: 0
Description: *serving-sys* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409130 Family ID: 0
Description: *casalemedia* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409152 Family ID: 0
Description: *trafficmp* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408787 Family ID: 0
Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408875 Family ID: 0
Description: *fastclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408869 Family ID: 0
Description: *gamers* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409301 Family ID: 0
Description: *insightexpressai* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409259 Family ID: 0
Description: *kontera* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409363 Family ID: 0
Description: *mediaplex* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408991 Family ID: 0
Description: *pro-market* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408823 Family ID: 0
Description: *questionmarket* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408819 Family ID: 0
Description: *klo* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408848 Family ID: 0
Description: *server.iad.liveperson* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409131 Family ID: 0
Description: *specificclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408807 Family ID: 0
Description: *statcounter* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409185 Family ID: 0
Description: *tribalfusion* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408785 Family ID: 0

Quarantined items:
Description: c:\users\zubba\desktop\installers\logitechdrivers.exe Family Name: Win32.Toolbar.Zugo[1497] Engine: 1 Clean status: Success Item ID: 0 Family ID: 0 MD5: 824a5f98d60619774973b9762a5aec9d
Description: c:\users\zubba\appdata\locallow\sun\java\deployment\cache\6.0\29\3864325d-2356bd80 Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 2 Family ID: 0 MD5: 66b998294c6331a2345c363657e0cf62
Description: c:\users\zubba\appdata\locallow\sun\java\deployment\cache\6.0\5\597da3c5-3d7466c4 Family Name: Win32.Hoax.Expproc Engine: 1 Clean status: Success Item ID: 0 Family ID: 5860717 MD5: 4a87e6ef051c57c1ce18dca885b18997
Description: c:\windows\system32\drivers\volsnap.sys_old Family Name: Trojan.Win32.TDLSys.a (v) Engine: 3 Clean status: Success Item ID: 4 Family ID: 0 MD5: ab6532bf1c2519efcec5b8c04d8dc407

Scan and cleaning complete: Finished correctly after 9928 seconds

*********************************** Settings ***********************************

Scan profile:
ID: full, enabled:1, value: Full Scan
ID: folderstoscan, enabled:1, value: C:\
ID: useantivirus, enabled:1, value: true
ID: sections, enabled:1
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: true
ID: scanhostsfile, enabled:1, value: true
ID: scanmru, enabled:1, value: true
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: true
ID: onlyexecutables, enabled:1, value: false
ID: skiplargerthan, enabled:1, value: 20480
ID: scanrootkits, enabled:1, value: true
ID: rootkitlevel, enabled:1, value: mild, domain: medium,mild,strict
ID: usespywareheuristics, enabled:1, value: true

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: N/A

Scheduled scan settings:
ID: bootup, enabled:1, value: bootup
ID: time, enabled:1, value: Mon Jun 27 22:02:34 2011
ID: frequency, enabled:1, value: once, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily1, enabled:1, value: Daily 1
ID: time, enabled:1, value: Mon Jun 27 20:15:00 2011
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily2, enabled:1, value: Daily 2
ID: time, enabled:1, value: Mon Jun 27 02:15:00 2011
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily3, enabled:1, value: Daily 3
ID: time, enabled:1, value: Mon Jun 27 08:15:00 2011
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily4, enabled:1, value: Daily 4
ID: time, enabled:1, value: Mon Jun 27 14:15:00 2011
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly1, enabled:1, value: Weekly
ID: time, enabled:1, value: Mon Jun 27 20:15:00 2011
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: true
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: autoentertainmentmode, enabled:1, value: true
ID: guimode, enabled:1, value: mode_advanced, domain: mode_advanced,mode_simple
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant
ID: layers, enabled:1
ID: useantivirus, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: maintainbackup, enabled:1, value: true
ID: modules, enabled:1
ID: processprotection, enabled:1, value: true
ID: onaccessprotection, enabled:1, value: true
ID: registryprotection, enabled:1, value: true
ID: networkprotection, enabled:1, value: true


****************************** System information ******************************
Computer name: GALILEO
Processor name: Genuine Intel® CPU T2050 @ 1.60GHz
Processor identifier: x86 Family 6 Model 14 Stepping 8
Processor speed: ~1596MHZ
Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 3592, number of processors 2, processor features: [MMX,SSE,SSE2,SSE3]
Physical memory available: 1274712064 bytes
Physical memory total: 2145849344 bytes
Virtual memory available: 1890619392 bytes
Virtual memory total: 2147352576 bytes
Memory load: 40%
Microsoft Service Pack 1 (build 7601)
Windows startup mode:

Running processes:
PID: 360 name: C:\Windows\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 484 name: C:\Windows\System32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 560 name: C:\Windows\System32\wininit.exe owner: SYSTEM domain: NT AUTHORITY
PID: 572 name: C:\Windows\System32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 608 name: C:\Windows\System32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 648 name: C:\Windows\System32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 660 name: C:\Windows\System32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 668 name: C:\Windows\System32\lsm.exe owner: SYSTEM domain: NT AUTHORITY
PID: 792 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 872 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 928 name: C:\Windows\System32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1004 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1044 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1088 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1224 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1324 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1420 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1432 name: C:\Windows\System32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1596 name: C:\Windows\System32\dwm.exe owner: Zubba domain: Galileo
PID: 1620 name: C:\Windows\explorer.exe owner: Zubba domain: Galileo
PID: 1716 name: C:\Windows\System32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1756 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1844 name: C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1876 name: C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1908 name: C:\Program Files\Bonjour\mDNSResponder.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1952 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1992 name: C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2036 name: C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 732 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2348 name: C:\Program Files\Iomega\Home Storage Manager\Iomega Discovery.exe owner: Zubba domain: Galileo
PID: 2416 name: C:\Windows\System32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2484 name: C:\Program Files\PowerISO\PWRISOVM.EXE owner: Zubba domain: Galileo
PID: 2496 name: C:\Windows\stsystra.exe owner: Zubba domain: Galileo
PID: 2524 name: C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe owner: Zubba domain: Galileo
PID: 2768 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 3000 name: C:\Windows\System32\wbem\WmiPrvSE.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3124 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Zubba domain: Galileo
PID: 3168 name: C:\Program Files\Logitech\SetPointP\SetPoint.exe owner: Zubba domain: Galileo
PID: 3184 name: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe owner: Zubba domain: Galileo
PID: 3196 name: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe owner: Zubba domain: Galileo
PID: 3228 name: C:\Program Files\iTunes\iTunesHelper.exe owner: Zubba domain: Galileo
PID: 3440 name: C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe owner: Zubba domain: Galileo
PID: 3536 name: C:\Program Files\iPod\bin\iPodService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3560 name: C:\Windows\System32\SearchIndexer.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3956 name: C:\Program Files\Windows Media Player\wmpnetwk.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 2520 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2464 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Zubba domain: Galileo
PID: 680 name: C:\Windows\System32\sppsvc.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1232 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY

Startup items:
Name: AutoLaunch
imagepath: C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly
Name: Iomega Home Storage Manager
imagepath: C:\Program Files\Iomega\Home Storage Manager\Iomega Discovery.exe
Name: PWRISOVM.EXE
imagepath: C:\Program Files\PowerISO\PWRISOVM.EXE
Name: SigmatelSysTrayApp
imagepath: stsystra.exe
Name: QuickTime Task
imagepath: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
Name: Adobe ARM
imagepath: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Name: EKIJ5000StatusMonitor
imagepath: C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
Name: EvtMgr6
imagepath: C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
Name: Adobe Acrobat Speed Launcher
imagepath: "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
Name: Acrobat Assistant 8.0
imagepath: "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
Name: iTunesHelper
imagepath: "C:\Program Files\iTunes\iTunesHelper.exe"
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name:
imagepath: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:
imagepath: autocheck autochk *

Running services:
Name: AdobeARMservice
displayname: Adobe Acrobat Update Service
Name: Apple Mobile Device
displayname: Apple Mobile Device
Name: Ati External Event Utility
displayname: Ati External Event Utility
Name: AudioEndpointBuilder
displayname: Windows Audio Endpoint Builder
Name: Audiosrv
displayname: Windows Audio
Name: BFE
displayname: Base Filtering Engine
Name: BITS
displayname: Background Intelligent Transfer Service
Name: Bonjour Service
displayname: Bonjour Service
Name: Browser
displayname: Computer Browser
Name: CertPropSvc
displayname: Certificate Propagation
Name: CryptSvc
displayname: Cryptographic Services
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: Dnscache
displayname: DNS Client
Name: DPS
displayname: Diagnostic Policy Service
Name: EapHost
displayname: Extensible Authentication Protocol
Name: eventlog
displayname: Windows Event Log
Name: EventSystem
displayname: COM+ Event System
Name: fdPHost
displayname: Function Discovery Provider Host
Name: FDResPub
displayname: Function Discovery Resource Publication
Name: FontCache
displayname: Windows Font Cache Service
Name: gpsvc
displayname: Group Policy Client
Name: hidserv
displayname: Human Interface Device Access
Name: HomeGroupListener
displayname: HomeGroup Listener
Name: HomeGroupProvider
displayname: HomeGroup Provider
Name: IKEEXT
displayname: IKE and AuthIP IPsec Keying Modules
Name: IPBusEnum
displayname: PnP-X IP Bus Enumerator
Name: iphlpsvc
displayname: IP Helper
Name: iPod Service
displayname: iPod Service
Name: KeyIso
displayname: CNG Key Isolation
Name: Kodak AiO Network Discovery Service
displayname: Kodak AiO Network Discovery Service
Name: LanmanServer
displayname: Server
Name: LanmanWorkstation
displayname: Workstation
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service
Name: lmhosts
displayname: TCP/IP NetBIOS Helper
Name: Mcx2Svc
displayname: Media Center Extender Service
Name: MDM
displayname: Machine Debug Manager
Name: MMCSS
displayname: Multimedia Class Scheduler
Name: MpsSvc
displayname: Windows Firewall
Name: Netman
displayname: Network Connections
Name: netprofm
displayname: Network List Service
Name: NlaSvc
displayname: Network Location Awareness
Name: nsi
displayname: Network Store Interface Service
Name: p2pimsvc
displayname: Peer Networking Identity Manager
Name: p2psvc
displayname: Peer Networking Grouping
Name: PcaSvc
displayname: Program Compatibility Assistant Service
Name: PlugPlay
displayname: Plug and Play
Name: PNRPsvc
displayname: Peer Name Resolution Protocol
Name: PolicyAgent
displayname: IPsec Policy Agent
Name: Power
displayname: Power
Name: ProfSvc
displayname: User Profile Service
Name: RasMan
displayname: Remote Access Connection Manager
Name: RpcEptMapper
displayname: RPC Endpoint Mapper
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: SamSs
displayname: Security Accounts Manager
Name: Schedule
displayname: Task Scheduler
Name: seclogon
displayname: Secondary Logon
Name: SENS
displayname: System Event Notification Service
Name: SessionEnv
displayname: Remote Desktop Configuration
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: Spooler
displayname: Print Spooler
Name: sppsvc
displayname: Software Protection
Name: SSDPSRV
displayname: SSDP Discovery
Name: SstpSvc
displayname: Secure Socket Tunneling Protocol Service
Name: StiSvc
displayname: Windows Image Acquisition (WIA)
Name: SysMain
displayname: Superfetch
Name: TapiSrv
displayname: Telephony
Name: TermService
displayname: Remote Desktop Services
Name: Themes
displayname: Themes
Name: TrkWks
displayname: Distributed Link Tracking Client
Name: upnphost
displayname: UPnP Device Host
Name: UxSms
displayname: Desktop Window Manager Session Manager
Name: WdiServiceHost
displayname: Diagnostic Service Host
Name: WdiSystemHost
displayname: Diagnostic System Host
Name: WinDefend
displayname: Windows Defender
Name: WinHttpAutoProxySvc
displayname: WinHTTP Web Proxy Auto-Discovery Service
Name: Winmgmt
displayname: Windows Management Instrumentation
Name: Wlansvc
displayname: WLAN AutoConfig
Name: WMPNetworkSvc
displayname: Windows Media Player Network Sharing Service
Name: wscsvc
displayname: Security Center
Name: WSearch
displayname: Windows Search
Name: wuauserv
displayname: Windows Update
Name: wudfsvc
displayname: Windows Driver Foundation - User-mode Driver Framework

Looks good :D

Time for final clean-up.

[u]1. Removal of all system restore points since they might be infected.[/u]
XP:
Create a new system restore point:
[b]Start - Programs - Accessories - System Tools - System Restore[/b]
Choose [b]Create a Restore Point[/b] and then click [b]Next[/b]. Give the R.P. a name, then click [b]Create[/b].

Remove all old restore points by running Disk Cleanup.
[b]Start - Run[/b] and type: [b]Cleanmgr[/b]
Click [b]Ok[/b]. Disk Cleanup will scan your files for several minutes, then open.
Select the [b]More Options [/b]tab, and then click the [b]Clean up[/b] button under System Restore.
Click [b]Ok [/b]and then [b]Yes [/b]twice.

Vista and Windows 7:
Create a new system restore point by following [url="http://www.howtogeek.com/howto/windows-vista/create-a-restore-point-for-windows-vistas-system-restore/"]http://www.howtogeek.com/howto/windows-vis...system-restore/[/url]
Remove all old restore points by following [url="http://bertk.mvps.org/html/diskcleanupv.html"]http://bertk.mvps.org/html/diskcleanupv.html[/url] (Vista) or [url="http://www.sevenforums.com/tutorials/818-disk-cleanup-open-use.html"]http://www.sevenforums.com/tutorials/818-d...p-open-use.html[/url] (Windows 7).

[u]2. Removal of tools[/u]
[u]a. [/u]Press Windows-key + R
Copy and paste this line:
ComboFix /Uninstall

Note the space before /
Click on OK.

[u]b. [/u]Close all programs.
Start OTL program.
Click the [b]CleanUp![/b] button.
Select [b]Yes[/b] when asked "Begin cleanup process".
If you are asked to reboot, select [b]Yes[/b].
If any logs remain on the computer you can remove them.
Any tools left?

[u]3. Improve the security of the computer[/u]
It is very important to keep Windows and all programs updated. For example, there is an old version of Java with known security issues that makes it easy to infect the computer. To help you with that you can use the program [url="http://secunia.com/vulnerability_scanning/personal/"]Secunia Personal Software Inspector (PSI)[/url].

Read what Blade81 writes in the post [url="http://www.lavasoftsupport.com/index.php?showtopic=30610&view=findpost&p=124337"]http://www.lavasoftsupport.com/index.php?s...st&p=124337[/url] from the header "Make your Internet Explorer more secure" and downwards.

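An added example, not part of CeciliaB's instructions or of any Lavasoft tool: the Windows 7 half of clean-up step 1 (create a fresh restore point, then drop all older ones) as a PowerShell script. It assumes an elevated PowerShell prompt and that System Restore is enabled on C:.

```powershell
# Added example (not from the post above or any Lavasoft tool): clean-up step 1
# for Windows 7 done from an elevated PowerShell prompt.
# Assumptions: System Restore is enabled on C: and the prompt is elevated.
$drive = 'C:'

# Step 1a: create a fresh restore point of the now-clean system.
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS

# Step 1b: delete every older restore point, keeping only the newest one
# (the same result as Disk Cleanup -> More Options -> System Restore -> Clean up).
# Restore points are stored as Volume Shadow Copies, so vssadmin removes them;
# deleting the oldest shadow copy also drops any "Previous Versions" data in it.
$points = @(Get-ComputerRestorePoint | Sort-Object SequenceNumber)
while ($points.Count -gt 1) {
    $before = $points.Count
    vssadmin delete shadows "/for=$drive" /oldest /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "vssadmin failed (exit code $LASTEXITCODE); is the prompt elevated?"
        break
    }
    $points = @(Get-ComputerRestorePoint | Sort-Object SequenceNumber)
    if ($points.Count -ge $before) {
        # Nothing was removed, so stop rather than loop forever.
        Write-Warning 'No restore point was removed; stopping.'
        break
    }
}

# Show what is left: only the baseline created above should remain.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize
```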
Ok all things done.


Thank you so much for your time and patience. I really appreciate all your help.
