
Search results redirect malware or worse

Discussion in 'Virus & Other Malware Removal' started by brownie94, Jan 23, 2012.

brownie94 (Thread Starter, joined Jan 21, 2012):
    I have had redirect malware before, and Malwarebytes got rid of it. This time I have also run Symantec AV, SuperAntispyware, Ad-Aware, Norton Power Eraser, TDSS Killer, and Hitman Pro, all to no avail. They found a few trojans, but the redirects persist.

    I did not have Symantec and Ad-Aware installed at the same time ... I was getting an ordinal 1109 error associated with it, so I replaced it with Ad-Aware. I am not getting that error anymore.

    In addition to the redirects, Firefox has been slow, producing repeated script errors, and freezing occasionally. The computer has also been making a ding-ding sound when I am not even using it or merely reading something, and it will not revive from Stand-by.

    I found a similar thread in this forum last month, but other than the anti-malware/AV programs I do not know what else to try. Any help would be much appreciated!

    Here are the requested logs:

    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows XP Home Edition, Service Pack 3, 32 bit
    Processor: Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz, x86 Family 6 Model 15 Stepping 13
    Processor Count: 2
    RAM: 1013 Mb
    Graphics Card: Intel(R) G33/G31 Express Chipset Family, 128 Mb
    Hard Drives: C: Total - 234880 MB, Free - 182869 MB;
    Motherboard: Dell Inc., 0RY007
    Antivirus: Lavasoft Ad-Watch Live! Anti-Virus, Updated: Yes, On-Demand Scanner: Enabled


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 6:18:19 PM, on 1/21/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Citrix\ICA Client\concentr.exe
    C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
    C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Elise\My Documents\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080229
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080229
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=dahlf4GdHyUl6WB-ZlmZUaiIo3s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL (file missing)
    O2 - BHO: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL (file missing)
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
    O4 - HKLM\..\Run: [HornetMonitor] C:\Program Files\Common Files\Hornet\MntrHrnt.exe
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly (User 'Default user')
    O4 - Startup: Jacquie Lawson Advent Calendar.lnk = C:\Program Files\Jacquie Lawson Advent Calendar\Jacquie Lawson Advent Calendar\Jacquie Lawson Advent Calendar.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    O4 - Global Startup: WDSmartWare.lnk = C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: USB3Nw32 - USB3Nw32.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (file missing)
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe


    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
    Run by Elise at 18:22:02 on 2012-01-21
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.91 [GMT -5:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Citrix\ICA Client\concentr.exe
    C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
    C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    svchost.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.aol.com/
    uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
    uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080229
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=dahlf4GdHyUl6WB-ZlmZUaiIo3s
    uInternet Settings,ProxyOverride = *.local
    mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
    uURLSearchHooks: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: BellSouth Toolbar: {4e7bd74f-2b8d-469e-8cbd-fd60bb9aae2e} - c:\progra~1\blstoo~1\BLSTOO~1.DLL
    BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: BellSouth Toolbar: {4e7bd74f-2b8d-469e-8cbd-fd60bb9aae2e} - c:\progra~1\blstoo~1\BLSTOO~1.DLL
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [<NO NAME>]
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
    mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
    mRun: [HornetMonitor] c:\program files\common files\hornet\MntrHrnt.exe
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Garmin Lifetime Updater] c:\program files\garmin\lifetime updater\GarminLifetime.exe /StartMinimized
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRunOnce: [AutoLaunch] c:\program files\lavasoft\ad-aware\AutoLaunch.exe monthly
    dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
    dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
    StartupFolder: c:\docume~1\elise\startm~1\programs\startup\jacqui~1.lnk - c:\program files\jacquie lawson advent calendar\jacquie lawson advent calendar\Jacquie Lawson Advent Calendar.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{04B2E23E-8048-4DFD-9FC5-E0F9A5AC5530} : DhcpNameServer = 192.168.1.254
    Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    Notify: USB3Nw32 - USB3Nw32.dll
    AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\elise\application data\mozilla\firefox\profiles\hn5o8kq5.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=utf-8&rlz=1V2IPYX&q=
    FF - plugin: c:\documents and settings\elise\application data\mozilla\firefox\profiles\hn5o8kq5.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2012-1-16 64512]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-4-16 65584]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-12-23 2152152]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
    S2 NecUsb;USB Service;c:\windows\system32\svchost.exe -k NecUsbSevice [2004-8-10 14336]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-12-23 15232]
    S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-01-21 21:13:29 -------- d-----w- c:\program files\Trend Micro
    2012-01-17 23:26:16 -------- d-----w- c:\documents and settings\elise\application data\Dell
    2012-01-17 23:25:56 -------- d-----w- c:\documents and settings\all users\application data\PCDr
    2012-01-16 23:24:46 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2012-01-16 20:11:36 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2012-01-16 19:32:17 -------- d-----w- c:\documents and settings\elise\local settings\application data\adaware
    2012-01-16 19:32:15 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection
    2012-01-16 19:32:11 -------- d-----w- c:\program files\Toolbar Cleaner
    2012-01-16 19:31:54 -------- d-----w- c:\documents and settings\elise\application data\adawaretb
    2012-01-16 19:31:46 -------- d-----w- c:\program files\adawaretb
    2012-01-16 19:31:35 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2012-01-16 18:16:31 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-01-16 18:15:46 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
    2012-01-16 17:53:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-01-16 01:23:50 -------- d-----w- c:\documents and settings\elise\application data\SUPERAntiSpyware.com
    2012-01-16 01:21:44 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-16 01:21:44 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2012-01-15 23:39:58 -------- d-----w- c:\documents and settings\elise\local settings\application data\NPE
    2012-01-15 23:39:58 -------- d-----w- c:\documents and settings\all users\application data\Norton
    2012-01-12 00:39:27 -------- d-----w- C:\d8f497ccc924d1b6d0
    2012-01-09 14:57:40 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
    2012-01-09 14:57:40 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
    2012-01-09 14:57:39 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
    2012-01-09 14:57:39 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
    2012-01-03 13:10:44 182672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    .
    ==================== Find3M ====================
    .
    2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-12 17:08:16 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-10 10:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
    2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
    2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2008-03-16 21:25:38 21364592 ----a-w- c:\program files\aaw2007.exe
    2008-03-14 01:13:56 44504105 ----a-w- c:\program files\savman10_1_6_6010.exe
    .
    ============= FINISH: 18:24:58.42 ===============


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-01-21 21:48:10
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250310AS rev.3.ADA
    Running: w1puglyv.exe; Driver: C:\DOCUME~1\Elise\LOCALS~1\Temp\uwtyafow.sys


    ---- System - GMER 1.0.15 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764387E]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7643BFE]
    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA159640]

    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\WINDOWS\system32\DRIVERS\ctxusbm.sys suspicious PE modification
    ? C:\DOCUME~1\Elise\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F8000A
    .text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F9000A
    .text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00F7000C

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Udfs.SYS (UDF File System Driver/Microsoft Corporation)
    Device DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    Device A815CD20

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

    ---- Modules - GMER 1.0.15 ----

    Module (noname) (*** hidden *** ) AA0A2000-AA0B4000 (73728 bytes)

    ---- Processes - GMER 1.0.15 ----

    Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 1232

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\Elise\Cookies\PJYL2WP3.txt 527 bytes
    File C:\Documents and Settings\Elise\Local Settings\Temporary Internet Files\Content.IE5\3DWG9NV1\segments[1].json 0 bytes
    File C:\Documents and Settings\Elise\Local Settings\Temporary Internet Files\Content.IE5\4BOK8PKW\adsCAWZ7W6U.js 11877 bytes
    File C:\Documents and Settings\Elise\Local Settings\Temporary Internet Files\Content.IE5\69NIX6UR\log[2].txt 0 bytes
    File C:\Documents and Settings\Elise\Local Settings\Temporary Internet Files\Content.IE5\896NO3PE\google_com[1].txt 59182 bytes
    File C:\Documents and Settings\Elise\Local Settings\Temporary Internet Files\Content.IE5\9N36HOVK\corners_05_05_11[1].jpg 1361 bytes
    File C:\Documents and Settings\Elise\Local Settings\Temporary Internet Files\Content.IE5\9N36HOVK\35497bf7c65f0b87f55e03e37aa23f72[1].jpg 21015 bytes
    File C:\Documents and Settings\Elise\Local Settings\Temporary Internet Files\Content.IE5\9N36HOVK\dref=http%253A%252F%252Fwww.mevio[2].com%252Fepisode%252F299023%252Fadme-best-ads-of-week-5 1054 bytes
    File C:\Documents and Settings\Elise\Local Settings\Temporary Internet Files\Content.IE5\J9FHCK0V\Handler_v1[1].js 1321 bytes
    File C:\Documents and Settings\Elise\Local Settings\Temporary Internet Files\Content.IE5\J9FHCK0V\this-is-not-my-idea-of-fun[1].htm 58450 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493 0 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\bckfg.tmp 846 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\cfg.ini 207 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\Desktop.ini 4608 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\keywords 231 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\kwrd.dll 223744 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\L\odetmngk 65584 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\lsflt7.ver 5176 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\U\[email protected] 2048 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\U\[email protected] 224768 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\U\[email protected] 1024 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\U\[email protected] 11264 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\U\[email protected] 12800 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1088696493\U\[email protected] 77312 bytes
    File C:\WINDOWS\$NtUninstallKB28745$\1854569884 0 bytes

    ---- EOF - GMER 1.0.15 ----
     


  2. DFW

    DFW Malware Specialist

    Joined:
    Jun 12, 2004
    Messages:
    1,458
    Hi brownie94 and welcome..

    I'm DFW and I am going to try and help you with your Malware problem. Please observe the following points and rules while we work:
    • The fixes are specific to your problem and should only be used for this issue on this machine!
    • The clean up process can take time. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Refrain from running self fixes as this will hinder the malware removal process.
    • It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
    • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    • Some of the Logs we ask for can take some time to analyse, so please be patient.
    • This may, or may not, solve other issues you have with your machine.


    Before we start:
    Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer.
    However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system.
    Because of this, I advise you to backup any personal files and folders before you start.



    Please do not run any more scans or tools, while I go over your Logs.
     
  3. DFW

    DFW Malware Specialist

    Joined:
    Jun 12, 2004
    Messages:
    1,458
    Hi brownie94
    First off I see that you have FileZilla installed.

    Please note: Even if you are using a "safe" P2P programme, it is only the programme that is safe. You will be sharing files from uncertified sources, and these are often infected.
    The bad guys use P2P filesharing as a major conduit to spread their wares.

    NOTE: Under no circumstances should you use p2p filesharing while I am assisting you in ridding your computer of malware.
    My recommendation is you uninstall it.



    Your logs show you have a very infected machine, including a rootkit infection known as Zero Access. Some versions of this infection are very difficult to remove,
    and it is possible that your computer may not be able to connect to the Internet after we attempt to remove it.

    If that happens we will make all efforts to restore your connection, but can make no guarantee that you may not have to reformat your hard drive and re-install Windows to get connectivity back.

    As I've already stated above, I strongly recommend that you back up your personal files and folders before proceeding further.

    If you decide to proceed .....



    Download and Run ComboFix (by sUBs)

    Download ComboFix from here to your Desktop.

    Please visit this webpage for instructions for downloading and running ComboFix:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix.


    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, we must have this pre-installed on your machine before doing any malware removal.
      It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.



    Please post back the Combofix log
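The read DFW does on the GMER log by eye can be scripted as a first-pass triage. The following is an added example and not something posted in this thread: it parses a sample built from lines of brownie94's GMER output above and pulls out the hooked SSDT entries, the driver flagged for PE modification, the hidden module and process, and the `$NtUninstall...$` directory that holds `@`, `L` and `U` entries. Which of those patterns count as indicators is this example's own assumption, not a rule the thread states, and every hit still needs a human read: SSDT hooks placed by security products (the Lavasoft and SUPERAntiSpyware drivers here) are expected, while hidden processes and the uninstall-directory layout are what a helper would want to look at first.

```python
"""Triage a GMER rootkit-scan log for the indicators a malware helper reads by eye.

Added example, not part of the Tech Support Guy thread. SAMPLE_GMER_LOG is
constructed from lines in the thread's GMER output. The heuristics below
(hidden items, SSDT hooks, a '$NtUninstall...$' directory holding '@', 'L' or
'U' entries) are this example's own assumptions, not rules stated in the thread.
"""
import re
from dataclasses import dataclass, field

SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764387E]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA159640]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\DRIVERS\ctxusbm.sys suspicious PE modification

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) AA0A2000-AA0B4000 (73728 bytes)

---- Processes - GMER 1.0.15 ----

Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 1232

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Elise\Cookies\PJYL2WP3.txt 527 bytes
File C:\WINDOWS\$NtUninstallKB28745$\1088696493 0 bytes
File C:\WINDOWS\$NtUninstallKB28745$\1088696493\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB28745$\1088696493\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB28745$\1088696493\L\odetmngk 65584 bytes
File C:\WINDOWS\$NtUninstallKB28745$\1088696493\U 0 bytes
File C:\WINDOWS\$NtUninstallKB28745$\1854569884 0 bytes

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
SSDT_RE = re.compile(r"^SSDT (?P<module>.+?) \((?P<desc>[^)]*)\) (?P<func>\w+) \[(?P<addr>0x[0-9A-Fa-f]+)\]$")
PROCESS_RE = re.compile(r"^Process (?P<path>.+?) \(\*\*\* hidden \*\*\* \) (?P<pid>\d+)$")
RANGE_RE = re.compile(r"([0-9A-Fa-f]{8}-[0-9A-Fa-f]{8})")
FILE_RE = re.compile(r"^File (?P<path>.+) (?P<size>\d+) bytes$")
# A '$NtUninstallKB...$' folder with a numeric subfolder; children of that
# subfolder (e.g. '@', 'L', 'U') are collected and judged afterwards (assumption).
UNINSTALL_RE = re.compile(r"\\\$NtUninstall[^\\]+\$\\(?P<root>[^\\ ]+)(?:\\(?P<child>[^\\ ]+))?", re.IGNORECASE)
HIDDEN_MARK = "*** hidden ***"
ODD_CHILDREN = {"@", "L", "U"}  # layout treated as suspicious in this example


@dataclass
class Findings:
    ssdt_hooks: list = field(default_factory=list)         # (module, hooked function)
    suspicious_kernel: list = field(default_factory=list)  # driver paths flagged by GMER
    hidden_modules: list = field(default_factory=list)     # address ranges
    hidden_processes: list = field(default_factory=list)   # (path, pid)
    uninstall_roots: dict = field(default_factory=dict)    # root folder -> set(children)

    def suspicious_uninstall_roots(self):
        """Uninstall-backup subfolders whose children match the odd layout."""
        return sorted(r for r, kids in self.uninstall_roots.items() if kids & ODD_CHILDREN)

    def is_rootkit_suspect(self):
        """True when something is hidden from the OS or the odd folder layout is present."""
        return bool(self.hidden_modules or self.hidden_processes or self.suspicious_uninstall_roots())


def triage_gmer(text):
    """Walk the GMER log section by section and collect the indicators above."""
    f = Findings()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if not line:
            continue
        if section == "System" and (m := SSDT_RE.match(line)):
            f.ssdt_hooks.append((m.group("module"), m.group("func")))
        elif section == "Kernel code sections" and line.startswith("? ") and "suspicious" in line:
            f.suspicious_kernel.append(line[2:].split(" suspicious")[0])
        elif section == "Modules" and HIDDEN_MARK in line and (m := RANGE_RE.search(line)):
            f.hidden_modules.append(m.group(1))
        elif section == "Processes" and (m := PROCESS_RE.match(line)):
            f.hidden_processes.append((m.group("path"), int(m.group("pid"))))
        elif section == "Files" and (m := FILE_RE.match(line)):
            u = UNINSTALL_RE.search(m.group("path"))
            if u:
                kids = f.uninstall_roots.setdefault(u.group("root"), set())
                if u.group("child"):
                    kids.add(u.group("child"))
    return f


if __name__ == "__main__":
    result = triage_gmer(SAMPLE_GMER_LOG)
    print("SSDT hooks:", result.ssdt_hooks)
    print("Hidden processes:", result.hidden_processes)
    print("Suspicious uninstall folders:", result.suspicious_uninstall_roots())
    print("Rootkit suspect:", result.is_rootkit_suspect())
```

The parser keys off GMER's section headers, so the same function runs over a full log pasted from a reply; the decision of what to treat as a hit lives in the two small `Findings` methods, which is where a helper would adjust the heuristics rather than in the parsing code.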
     
  4. brownie94

    brownie94 Thread Starter

    Joined:
    Jan 21, 2012
    Messages:
    12
    Hi DFW,

    Thanks for your help! I have only used FileZilla for working on a website and not even that in ages, so I probably will uninstall it. Here is the ComboFix log:

    ComboFix 12-01-23.02 - Elise 01/24/2012 21:31:50.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.671 [GMT -5:00]
    Running from: c:\documents and settings\Elise\Desktop\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\aaw2007.exe
    c:\program files\INSTALL.LOG
    c:\program files\savman10_1_6_6010.exe
    c:\windows\$NtUninstallKB28745$\1088696493\@
    c:\windows\$NtUninstallKB28745$\1088696493\bckfg.tmp
    c:\windows\$NtUninstallKB28745$\1088696493\cfg.ini
    c:\windows\$NtUninstallKB28745$\1088696493\Desktop.ini
    c:\windows\$NtUninstallKB28745$\1088696493\keywords
    c:\windows\$NtUninstallKB28745$\1088696493\kwrd.dll
    c:\windows\$NtUninstallKB28745$\1088696493\L\odetmngk
    c:\windows\$NtUninstallKB28745$\1088696493\lsflt7.ver
    c:\windows\$NtUninstallKB28745$\1088696493\U\[email protected]
    c:\windows\$NtUninstallKB28745$\1088696493\U\[email protected]
    c:\windows\$NtUninstallKB28745$\1088696493\U\[email protected]
    c:\windows\$NtUninstallKB28745$\1088696493\U\[email protected]
    c:\windows\$NtUninstallKB28745$\1088696493\U\[email protected]
    c:\windows\$NtUninstallKB28745$\1088696493\U\[email protected]
    c:\windows\$NtUninstallKB28745$\1854569884
    c:\windows\system32\SET94.tmp
    c:\windows\system32\SET99.tmp
    c:\windows\$NtUninstallKB28745$ . . . . Failed to delete
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_6TO4
    -------\Service_6to4
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-25 to 2012-01-25 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-21 21:13 . 2012-01-21 21:13 -------- d-----w- c:\program files\Trend Micro
    2012-01-21 12:17 . 2012-01-21 12:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\adawaretb
    2012-01-17 23:26 . 2012-01-17 23:26 -------- d-----w- c:\documents and settings\Elise\Application Data\Dell
    2012-01-17 23:25 . 2012-01-17 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PCDr
    2012-01-16 23:24 . 2012-01-16 20:11 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2012-01-16 20:11 . 2012-01-16 20:11 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2012-01-16 19:32 . 2012-01-16 19:34 -------- d-----w- c:\documents and settings\Elise\Local Settings\Application Data\adaware
    2012-01-16 19:32 . 2012-01-25 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
    2012-01-16 19:32 . 2012-01-16 19:32 -------- d-----w- c:\program files\Toolbar Cleaner
    2012-01-16 19:31 . 2012-01-16 19:32 -------- d-----w- c:\documents and settings\Elise\Application Data\adawaretb
    2012-01-16 19:31 . 2012-01-16 19:32 -------- d-----w- c:\program files\adawaretb
    2012-01-16 19:31 . 2011-12-23 12:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2012-01-16 18:16 . 2012-01-16 18:16 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-01-16 18:15 . 2012-01-16 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
    2012-01-16 17:54 . 2012-01-16 17:54 -------- d-----w- c:\program files\Common Files\Java
    2012-01-16 17:53 . 2011-11-10 08:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-01-16 01:23 . 2012-01-16 01:23 -------- d-----w- c:\documents and settings\Elise\Application Data\SUPERAntiSpyware.com
    2012-01-16 01:21 . 2012-01-16 01:27 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-16 01:21 . 2012-01-16 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-01-15 23:39 . 2012-01-16 00:18 -------- d-----w- c:\documents and settings\Elise\Local Settings\Application Data\NPE
    2012-01-15 23:39 . 2012-01-15 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2012-01-12 00:39 . 2012-01-12 00:39 -------- d-----w- C:\d8f497ccc924d1b6d0
    2012-01-12 00:27 . 2012-01-12 00:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2012-01-09 14:57 . 2011-12-21 07:24 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    2012-01-09 14:57 . 2011-12-21 04:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2012-01-09 14:57 . 2011-12-21 04:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2012-01-09 14:57 . 2011-12-21 04:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2012-01-08 18:15 . 2012-01-08 18:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2012-01-08 17:40 . 2012-01-08 17:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-10 20:24 . 2011-01-13 01:46 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-25 21:57 . 2004-08-10 18:51 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2004-08-10 18:51 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2004-08-10 18:51 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-12 17:08 . 2011-05-12 23:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-10 10:54 . 2010-11-20 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-04 19:20 . 2004-08-10 18:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2004-08-10 18:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2004-08-10 18:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2004-08-10 18:51 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-03 15:28 . 2004-08-10 18:51 386048 ----a-w- c:\windows\system32\qdvd.dll
    2011-11-03 15:28 . 2004-08-10 18:51 1292288 ----a-w- c:\windows\system32\quartz.dll
    2011-11-01 16:07 . 2004-08-10 18:51 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-10-12 20:33 . 2010-10-12 20:33 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2010-10-12 22:15 . 2010-10-12 22:15 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2010-10-12 20:37 . 2010-10-12 20:37 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2010-10-12 20:35 . 2010-10-12 20:35 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2010-10-12 20:34 . 2010-10-12 20:34 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2010-10-12 20:32 . 2010-10-12 20:32 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2010-10-12 20:35 . 2010-10-12 20:35 31672 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2010-10-12 20:34 . 2010-10-12 20:34 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2010-07-14 16:42 . 2010-07-14 16:42 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2010-10-12 20:37 . 2010-10-12 20:37 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2011-12-21 07:24 . 2011-11-13 16:13 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-12-21 87440]
    .
    [HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
    2011-12-21 15:44 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-12-21 87440]
    .
    [HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-29 68856]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-16 4616064]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-17 16132608]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-29 1838592]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-09-01 1408872]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-11-14 197288]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
    "adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
    "AutoLaunch"="c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe" [2012-01-16 654056]
    .
    c:\documents and settings\Elise\Start Menu\Programs\Startup\
    Jacquie Lawson Advent Calendar.lnk - c:\program files\Jacquie Lawson Advent Calendar\Jacquie Lawson Advent Calendar\Jacquie Lawson Advent Calendar.exe [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-2-29 24576]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
    WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-10-14 9085760]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\adawaretb\\dtUser.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/16/2012 2:31 PM 64512]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [4/16/2010 3:22 PM 65584]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/14/2009 1:31 PM 98304]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 6:29 PM 135664]
    S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [8/10/2004 1:51 PM 14336]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 6:29 PM 135664]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/23/2011 7:12 AM 2152152]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    NecUsbSevice REG_MULTI_SZ NecUsb
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-25 c:\windows\Tasks\Ad-Aware Scan (Weekly AdAware Scan).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-23 20:10]
    .
    2012-01-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-23 20:10]
    .
    2012-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2012-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 23:28]
    .
    2012-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 23:28]
    .
    2012-01-17 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.aol.com/
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=dahlf4GdHyUl6WB-ZlmZUaiIo3s
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Elise\Application Data\Mozilla\Firefox\Profiles\hn5o8kq5.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=utf-8&rlz=1V2IPYX&q=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
    HKCU-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
    HKLM-Run-HornetMonitor - c:\program files\Common Files\Hornet\MntrHrnt.exe
    HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
    Notify-NavLogon - (no file)
    Notify-USB3Nw32 - USB3Nw32.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-24 21:48
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\documents and settings\Elise\Application Data\Western Digital\WD SmartWare\instances\3E73B1FB-7F76-4215-BA74-66957F762162\3e73b1fb-7f76-4215-ba74-66957f762162-preinq.db3-journal
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(716)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\l3codeca.acm
    .
    - - - - - - - > 'explorer.exe'(2984)
    c:\windows\system32\WININET.dll
    c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Roxio\Drag-to-Disc\Shellex.dll
    c:\windows\system32\DLAAPI_W.DLL
    c:\windows\system32\CDRTC.DLL
    c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\rundll32.exe
    c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\Citrix\ICA Client\wfcrun32.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-24 21:54:10 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-25 02:54
    .
    Pre-Run: 193,825,239,040 bytes free
    Post-Run: 196,538,023,936 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 935376EF46A764C069590FD0E64AAC14
     
  5. DFW

    DFW Malware Specialist

    Joined:
    Jun 12, 2004
    Messages:
    1,458
    Hi brownie94

    You said you ran TDSSKiller; can you please post its log? If you ran TDSSKiller more than once, please
    post the first log. You will find it as below.

    C:\TDSSKiller.2.4.0.0_DD.MM.YYYY_HH.MM.SS_log.txt (where DD.MM.YYYY_HH.MM.SS are the date and time the tool was run)



    ComboFix - CFScript
    This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
    You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
    1. Please open Notepad and copy/paste all the text below... into the window:
      Code:
      DirLook::
      C:\d8f497ccc924d1b6d0
      
      Firefox::
      uInternet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=dahlf4GdHyUl6WB-ZlmZUaiIo3s
      FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
      FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
      
      
    2. Save it to your desktop as CFScript.txt
    3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
      *Only* when the 2 items above (Step 3) have been taken care of...
    4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
      This will cause ComboFix to run again.
      Do Not use your keyboard or mouse to click anywhere in the ComboFix window, as this may cause the program to stall or crash.
      Do Not touch your computer when ComboFix is running!
    5. When finished ComboFix will create a log file... you can save this file to a convenient place.
    Please copy/paste the ComboFix log file in your next reply.




    Please download aswMBR and save it to your Desktop.

    • Double click aswMBR.exe to run it.
    • Click the Scan button.
    • After a short while, when the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
    • Click OK > Exit.
    • Note: Do not attempt to fix anything at this stage!
    • Two files will be created, aswMBR.txt & a file named MBR.dat.
    • MBR.dat is a backup of the MBR (master boot record); do not delete it.
    • I strongly suggest you keep a copy of this backup stored on an external device.
    • Copy & Paste the contents of aswMBR.txt into your next reply.


    Please post back

    Any changes, good or bad, with your computer?

    TDSS Log
    Combofix Log
    aswMBR Log


    .
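    The TDSSKiller log DFW asks for above is mostly hundreds of "- ok" lines; the few that are not are the ones worth reading. As an added example, not code from this thread or from Kaspersky, here is a small Python parser that runs over constructed TDSSKiller-style sample lines and pulls out each "detected" driver together with the real/fake MD5 pair from its "Suspicious file (Forged)" line. The regexes, the Detection class and the sample log are my own assumptions about the 2.7.x log layout; the two ctxusbm hashes in the sample are the ones TDSSKiller printed later in this thread. Two different hashes for one path mean TDSSKiller obtained different contents for the same file through two different read paths, which is why a driver with a legitimate vendor name can still be flagged and why it should be replaced from a known-good source rather than trusted by name.

```python
"""Pull the forged-file detections out of a TDSSKiller scan log.

Added example for this thread, not TDSSKiller's own code. The regexes and the
Detection class are assumptions about the 2.7.x log layout seen in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Every TDSSKiller line starts with "HH:MM:SS.mmmm <pid> ".
_PREFIX = r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
# "<name> (<md5>) <path>": the driver enumeration line.
RE_ENUM = re.compile(_PREFIX + r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
# "<name> - ok": the verdict for a clean entry.
RE_OK = re.compile(_PREFIX + r"(?P<name>\S+)\s+-\s+ok$")
# The forged-file detail line carrying both hashes.
RE_FORGED = re.compile(
    _PREFIX + r"Suspicious file \(Forged\):\s+(?P<path>.+?)\.\s+"
    r"Real md5:\s+(?P<real>[0-9a-f]{32}),\s+Fake md5:\s+(?P<fake>[0-9a-f]{32})$"
)
# "<name> - detected <verdict> (<n>)": the verdict for a flagged entry.
RE_DETECTED = re.compile(_PREFIX + r"(?P<name>\S+)\s+-\s+detected\s+(?P<verdict>\S+)")


@dataclass
class Detection:
    name: str                  # service / driver name as TDSSKiller lists it
    verdict: str               # e.g. ForgedFile.Multi.Generic
    path: Optional[str]        # on-disk path from the enumeration line
    real_md5: Optional[str]    # "Real md5" from the Suspicious-file line
    fake_md5: Optional[str]    # "Fake md5" from the same line

    @property
    def hashes_disagree(self) -> bool:
        """True when TDSSKiller saw two different contents for one path."""
        return bool(self.real_md5 and self.fake_md5 and self.real_md5 != self.fake_md5)


def parse_tdsskiller(text: str) -> Dict[str, object]:
    """Return the hashed-driver count, the clean names and the Detection list."""
    paths: Dict[str, str] = {}                  # name -> path
    forged: Dict[str, Tuple[str, str]] = {}     # path -> (real md5, fake md5)
    ok: List[str] = []
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = RE_FORGED.match(line)
        if m:
            forged[m["path"]] = (m["real"], m["fake"])
            continue
        m = RE_ENUM.match(line)
        if m:
            paths[m["name"]] = m["path"]
            continue
        m = RE_OK.match(line)
        if m:
            ok.append(m["name"])
            continue
        m = RE_DETECTED.match(line)
        if m:
            # Join the verdict back to the path and hash pair seen earlier.
            path = paths.get(m["name"])
            real, fake = forged.get(path, (None, None))
            detections.append(Detection(m["name"], m["verdict"], path, real, fake))
    return {"enumerated": len(paths), "ok": ok, "detections": detections}


# Constructed sample in the shape of the log posted later in this thread;
# the ctxusbm hashes are the ones TDSSKiller printed there, the rest is filler.
SAMPLE_LOG = r"""
13:12:18.0443 4296 Scan started
13:12:21.0490 4296 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
13:12:21.0490 4296 atapi - ok
13:12:21.0521 4296 Atdisk - ok
13:12:22.0771 4296 ctxusbm (fa6d9c439a1d11286d97bcfc27e7072f) C:\WINDOWS\system32\DRIVERS\ctxusbm.sys
13:12:22.0834 4296 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ctxusbm.sys. Real md5: fa6d9c439a1d11286d97bcfc27e7072f, Fake md5: 9277c20cc1324bde548216b205ac64af
13:12:22.0834 4296 ctxusbm ( ForgedFile.Multi.Generic ) - warning
13:12:22.0834 4296 ctxusbm - detected ForgedFile.Multi.Generic (1)
13:12:22.0959 4296 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
13:12:22.0974 4296 CVirtA - ok
"""

if __name__ == "__main__":
    report = parse_tdsskiller(SAMPLE_LOG)
    print(f"{report['enumerated']} drivers hashed, {len(report['ok'])} clean")
    for d in report["detections"]:
        flag = "hash mismatch" if d.hashes_disagree else "no hash pair"
        print(f"{d.name}: {d.verdict} at {d.path} [{flag}]")
```

    Run it against a saved TDSSKiller log by passing the file's contents to parse_tdsskiller; on the sample it reports three hashed drivers, three clean verdicts and one detection whose real and fake hashes differ.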
     
  6. brownie94

    brownie94 Thread Starter

    Joined:
    Jan 21, 2012
    Messages:
    12
    Hi DFW,

    Thanks again for your time. The computer seems to be better. The redirects ceased after I first ran ComboFix, at least for the few searches I tested, and I have not noticed any of the other symptoms I originally described. I just checked Stand-by and it revived normally, and it seems to be faster.

    I know TDSSKiller (and one or two of the other programs I ran on my own) flagged the Citrix driver that aswMBR says is infected. I skipped doing anything with it because I thought it was a legitimate file, and I use Citrix to access work remotely. Do I have to get rid of it, or can it be fixed?

    13:11:56.0162 4228 TDSS rootkit removing tool 2.7.2.0 Jan 14 2012 20:07:30
    13:11:56.0615 4228 ============================================================
    13:11:56.0615 4228 Current date / time: 2012/01/16 13:11:56.0615
    13:11:56.0615 4228 SystemInfo:
    13:11:56.0615 4228
    13:11:56.0615 4228 OS Version: 5.1.2600 ServicePack: 3.0
    13:11:56.0615 4228 Product type: Workstation
    13:11:56.0615 4228 ComputerName: ELISEA
    13:11:56.0615 4228 UserName: Elise
    13:11:56.0615 4228 Windows directory: C:\WINDOWS
    13:11:56.0615 4228 System windows directory: C:\WINDOWS
    13:11:56.0615 4228 Processor architecture: Intel x86
    13:11:56.0615 4228 Number of processors: 2
    13:11:56.0615 4228 Page size: 0x1000
    13:11:56.0615 4228 Boot type: Normal boot
    13:11:56.0615 4228 ============================================================
    13:12:01.0068 4228 Drive \Device\Harddisk0\DR0 - Size: 0x3A35294400, SectorSize: 0x200, Cylinders: 0x76BA, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000054
    13:12:01.0130 4228 Initialize success
    13:12:18.0443 4296 ============================================================
    13:12:18.0443 4296 Scan started
    13:12:18.0443 4296 Mode: Manual;
    13:12:18.0443 4296 ============================================================
    13:12:18.0849 4296 Abiosdsk - ok
    13:12:18.0912 4296 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
    13:12:18.0927 4296 abp480n5 - ok
    13:12:19.0021 4296 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    13:12:19.0130 4296 ACPI - ok
    13:12:19.0255 4296 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    13:12:19.0287 4296 ACPIEC - ok
    13:12:19.0349 4296 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
    13:12:19.0396 4296 adpu160m - ok
    13:12:19.0459 4296 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    13:12:19.0521 4296 aec - ok
    13:12:19.0646 4296 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
    13:12:19.0724 4296 AFD - ok
    13:12:19.0787 4296 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    13:12:19.0802 4296 agp440 - ok
    13:12:19.0880 4296 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
    13:12:19.0896 4296 agpCPQ - ok
    13:12:19.0974 4296 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
    13:12:19.0974 4296 Aha154x - ok
    13:12:20.0068 4296 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
    13:12:20.0287 4296 aic78u2 - ok
    13:12:20.0334 4296 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
    13:12:20.0365 4296 aic78xx - ok
    13:12:20.0443 4296 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
    13:12:20.0490 4296 AliIde - ok
    13:12:20.0568 4296 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
    13:12:20.0584 4296 alim1541 - ok
    13:12:20.0599 4296 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
    13:12:20.0615 4296 amdagp - ok
    13:12:20.0740 4296 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
    13:12:20.0755 4296 amsint - ok
    13:12:20.0834 4296 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
    13:12:20.0849 4296 asc - ok
    13:12:20.0927 4296 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
    13:12:20.0974 4296 asc3350p - ok
    13:12:21.0084 4296 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
    13:12:21.0162 4296 asc3550 - ok
    13:12:21.0240 4296 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
    13:12:21.0302 4296 ASCTRM - ok
    13:12:21.0443 4296 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    13:12:21.0459 4296 AsyncMac - ok
    13:12:21.0490 4296 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    13:12:21.0490 4296 atapi - ok
    13:12:21.0521 4296 Atdisk - ok
    13:12:21.0552 4296 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    13:12:21.0615 4296 Atmarpc - ok
    13:12:21.0677 4296 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    13:12:21.0693 4296 audstub - ok
    13:12:21.0724 4296 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    13:12:21.0755 4296 Beep - ok
    13:12:21.0834 4296 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
    13:12:21.0865 4296 cbidf - ok
    13:12:21.0896 4296 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    13:12:21.0896 4296 cbidf2k - ok
    13:12:21.0974 4296 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
    13:12:22.0037 4296 cd20xrnt - ok
    13:12:22.0084 4296 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    13:12:22.0084 4296 Cdaudio - ok
    13:12:22.0162 4296 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    13:12:22.0209 4296 Cdfs - ok
    13:12:22.0302 4296 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    13:12:22.0443 4296 Cdrom - ok
    13:12:22.0537 4296 Changer - ok
    13:12:22.0599 4296 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
    13:12:22.0630 4296 CmdIde - ok
    13:12:22.0693 4296 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
    13:12:22.0724 4296 Cpqarray - ok
    13:12:22.0771 4296 ctxusbm (fa6d9c439a1d11286d97bcfc27e7072f) C:\WINDOWS\system32\DRIVERS\ctxusbm.sys
    13:12:22.0834 4296 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ctxusbm.sys. Real md5: fa6d9c439a1d11286d97bcfc27e7072f, Fake md5: 9277c20cc1324bde548216b205ac64af
    13:12:22.0834 4296 ctxusbm ( ForgedFile.Multi.Generic ) - warning
    13:12:22.0834 4296 ctxusbm - detected ForgedFile.Multi.Generic (1)
    13:12:22.0959 4296 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
    13:12:22.0974 4296 CVirtA - ok
    13:12:23.0052 4296 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
    13:12:23.0068 4296 dac2w2k - ok
    13:12:23.0115 4296 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
    13:12:23.0130 4296 dac960nt - ok
    13:12:23.0177 4296 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    13:12:23.0193 4296 Disk - ok
    13:12:23.0240 4296 DLABMFSM (0659e6e0a95564f958d9df7313f7701e) C:\WINDOWS\system32\DLA\DLABMFSM.SYS
    13:12:23.0365 4296 DLABMFSM - ok
    13:12:23.0443 4296 DLABOIOM (8691c78908f0bd66170669db268369f2) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
    13:12:23.0474 4296 DLABOIOM - ok
    13:12:23.0552 4296 DLACDBHM (76167b5eb2dffc729edc36386876b40b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
    13:12:23.0599 4296 DLACDBHM - ok
    13:12:23.0693 4296 DLADResM (5615744a1056933b90e6ac54feb86f35) C:\WINDOWS\system32\DLA\DLADResM.SYS
    13:12:23.0771 4296 DLADResM - ok
    13:12:23.0834 4296 DLAIFS_M (1aeca2afa5005ce4a550cf8eb55a8c88) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
    13:12:23.0880 4296 DLAIFS_M - ok
    13:12:23.0927 4296 DLAOPIOM (840e7f6abb885c72b9ffddb022ef5b6d) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
    13:12:23.0990 4296 DLAOPIOM - ok
    13:12:24.0021 4296 DLAPoolM (0294d18731ac05da80132ce88f8a876b) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
    13:12:24.0068 4296 DLAPoolM - ok
    13:12:24.0115 4296 DLARTL_M (91886fed52a3f9966207bce46cfd794f) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
    13:12:24.0162 4296 DLARTL_M - ok
    13:12:24.0209 4296 DLAUDFAM (cca4e121d599d7d1706a30f603731e59) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
    13:12:24.0302 4296 DLAUDFAM - ok
    13:12:24.0412 4296 DLAUDF_M (7dab85c33135df24419951da4e7d38e5) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
    13:12:24.0474 4296 DLAUDF_M - ok
    13:12:24.0584 4296 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    13:12:24.0646 4296 dmboot - ok
    13:12:24.0740 4296 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    13:12:24.0755 4296 dmio - ok
    13:12:24.0802 4296 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    13:12:24.0818 4296 dmload - ok
    13:12:24.0880 4296 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    13:12:24.0896 4296 DMusic - ok
    13:12:24.0959 4296 DNE (86d52c32a308f84bbc626bff7c1fb710) C:\WINDOWS\system32\DRIVERS\dne2000.sys
    13:12:25.0037 4296 DNE - ok
    13:12:25.0209 4296 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
    13:12:25.0224 4296 dpti2o - ok
    13:12:25.0318 4296 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    13:12:25.0334 4296 drmkaud - ok
    13:12:25.0380 4296 DRVMCDB (c00440385cf9f3d142917c63f989e244) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
    13:12:25.0459 4296 DRVMCDB - ok
    13:12:25.0599 4296 DRVNDDM (6e6ab29d3c06e64ce81feacda85394b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
    13:12:25.0662 4296 DRVNDDM - ok
    13:12:25.0755 4296 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    13:12:25.0771 4296 E100B - ok
    13:12:25.0802 4296 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
    13:12:25.0912 4296 e1express - ok
    13:12:26.0068 4296 eeCtrl (75e8b69f28c813675b16db357f20720f) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    13:12:26.0193 4296 eeCtrl - ok
    13:12:26.0334 4296 EraserUtilRebootDrv (720b18d76de9e603b626dfcd6f1fca7c) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    13:12:26.0443 4296 EraserUtilRebootDrv - ok
    13:12:26.0599 4296 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    13:12:26.0724 4296 Fastfat - ok
    13:12:26.0849 4296 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    13:12:26.0865 4296 Fdc - ok
    13:12:26.0896 4296 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    13:12:26.0912 4296 Fips - ok
    13:12:26.0943 4296 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    13:12:26.0974 4296 Flpydisk - ok
    13:12:27.0021 4296 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    13:12:27.0052 4296 FltMgr - ok
    13:12:27.0099 4296 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    13:12:27.0130 4296 Fs_Rec - ok
    13:12:27.0209 4296 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    13:12:27.0240 4296 Ftdisk - ok
    13:12:27.0318 4296 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    13:12:27.0412 4296 GEARAspiWDM - ok
    13:12:27.0646 4296 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    13:12:27.0677 4296 Gpc - ok
    13:12:27.0802 4296 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    13:12:27.0834 4296 HDAudBus - ok
    13:12:27.0865 4296 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    13:12:27.0896 4296 HidUsb - ok
    13:12:27.0974 4296 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
    13:12:27.0990 4296 hpn - ok
    13:12:28.0037 4296 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
    13:12:28.0099 4296 HSFHWBS2 - ok
    13:12:28.0146 4296 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
    13:12:28.0209 4296 HSF_DP - ok
    13:12:28.0255 4296 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    13:12:28.0318 4296 HTTP - ok
    13:12:28.0615 4296 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
    13:12:28.0646 4296 i2omgmt - ok
    13:12:28.0724 4296 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
    13:12:28.0740 4296 i2omp - ok
    13:12:28.0771 4296 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    13:12:28.0802 4296 i8042prt - ok
    13:12:29.0005 4296 ialm (28423512370705aeda6a652fedb25468) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
    13:12:29.0209 4296 ialm - ok
    13:12:29.0240 4296 iaStor (997e8f5939f2d12cd9f2e6b395724c16) C:\WINDOWS\system32\drivers\iaStor.sys
    13:12:29.0349 4296 iaStor - ok
    13:12:29.0474 4296 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    13:12:29.0521 4296 Imapi - ok
    13:12:29.0615 4296 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
    13:12:29.0662 4296 ini910u - ok
    13:12:29.0849 4296 IntcAzAudAddService (17bbbabb21f86b650b2626045a9d016c) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    13:12:30.0084 4296 IntcAzAudAddService - ok
    13:12:30.0224 4296 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    13:12:30.0240 4296 IntelIde - ok
    13:12:30.0318 4296 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    13:12:30.0349 4296 intelppm - ok
    13:12:30.0396 4296 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    13:12:30.0427 4296 Ip6Fw - ok
    13:12:30.0521 4296 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    13:12:30.0552 4296 IpFilterDriver - ok
    13:12:30.0615 4296 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    13:12:30.0630 4296 IpInIp - ok
    13:12:30.0709 4296 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    13:12:30.0896 4296 IpNat - ok
    13:12:31.0084 4296 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    13:12:31.0177 4296 IPSec - ok
    13:12:31.0318 4296 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    13:12:31.0349 4296 IRENUM - ok
    13:12:31.0396 4296 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    13:12:31.0474 4296 isapnp - ok
    13:12:31.0615 4296 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    13:12:31.0630 4296 Kbdclass - ok
    13:12:31.0662 4296 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    13:12:31.0677 4296 kbdhid - ok
    13:12:31.0724 4296 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    13:12:31.0724 4296 kmixer - ok
    13:12:31.0787 4296 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    13:12:31.0802 4296 KSecDD - ok
    13:12:31.0818 4296 lbrtfdc - ok
    13:12:31.0943 4296 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    13:12:31.0990 4296 mdmxsdk - ok
    13:12:32.0021 4296 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    13:12:32.0021 4296 mnmdd - ok
    13:12:32.0084 4296 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    13:12:32.0099 4296 Modem - ok
    13:12:32.0115 4296 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
    13:12:32.0162 4296 MODEMCSA - ok
    13:12:32.0240 4296 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    13:12:32.0287 4296 Mouclass - ok
    13:12:32.0365 4296 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    13:12:32.0365 4296 mouhid - ok
    13:12:32.0427 4296 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    13:12:32.0474 4296 MountMgr - ok
    13:12:32.0505 4296 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
    13:12:32.0521 4296 mraid35x - ok
    13:12:32.0646 4296 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
    13:12:32.0677 4296 MREMP50 - ok
    13:12:32.0677 4296 MREMP50a64 - ok
    13:12:32.0771 4296 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
    13:12:32.0849 4296 MRESP50 - ok
    13:12:32.0959 4296 MRESP50a64 - ok
    13:12:33.0099 4296 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    13:12:33.0162 4296 MRxDAV - ok
    13:12:33.0224 4296 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    13:12:33.0318 4296 MRxSmb - ok
    13:12:33.0443 4296 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    13:12:33.0459 4296 Msfs - ok
    13:12:33.0505 4296 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    13:12:33.0521 4296 MSKSSRV - ok
    13:12:33.0568 4296 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    13:12:33.0584 4296 MSPCLOCK - ok
    13:12:33.0615 4296 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    13:12:33.0646 4296 MSPQM - ok
    13:12:33.0724 4296 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    13:12:33.0755 4296 mssmbios - ok
    13:12:33.0849 4296 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    13:12:33.0880 4296 Mup - ok
    13:12:34.0068 4296 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120107.009\naveng.sys
    13:12:34.0130 4296 NAVENG - ok
    13:12:34.0224 4296 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120107.009\navex15.sys
    13:12:34.0349 4296 NAVEX15 - ok
    13:12:34.0505 4296 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    13:12:34.0693 4296 NDIS - ok
    13:12:34.0865 4296 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    13:12:34.0896 4296 NdisTapi - ok
    13:12:34.0974 4296 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    13:12:35.0005 4296 Ndisuio - ok
    13:12:35.0052 4296 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    13:12:35.0146 4296 NdisWan - ok
    13:12:35.0287 4296 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    13:12:35.0302 4296 NDProxy - ok
    13:12:35.0349 4296 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    13:12:35.0396 4296 NetBIOS - ok
    13:12:35.0427 4296 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    13:12:35.0505 4296 NetBT - ok
    13:12:35.0615 4296 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    13:12:35.0646 4296 Npfs - ok
    13:12:35.0709 4296 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    13:12:35.0771 4296 Ntfs - ok
    13:12:35.0818 4296 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    13:12:35.0818 4296 Null - ok
    13:12:35.0943 4296 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    13:12:36.0099 4296 nv - ok
    13:12:36.0240 4296 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    13:12:36.0271 4296 NwlnkFlt - ok
    13:12:36.0318 4296 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    13:12:36.0334 4296 NwlnkFwd - ok
    13:12:36.0412 4296 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    13:12:36.0443 4296 Parport - ok
    13:12:36.0474 4296 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    13:12:36.0505 4296 PartMgr - ok
    13:12:36.0568 4296 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    13:12:36.0599 4296 ParVdm - ok
    13:12:36.0677 4296 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    13:12:36.0724 4296 PCI - ok
    13:12:36.0880 4296 PCIDump - ok
    13:12:36.0959 4296 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    13:12:36.0990 4296 PCIIde - ok
    13:12:37.0005 4296 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    13:12:37.0037 4296 Pcmcia - ok
    13:12:37.0052 4296 PDCOMP - ok
    13:12:37.0052 4296 PDFRAME - ok
    13:12:37.0068 4296 PDRELI - ok
    13:12:37.0068 4296 PDRFRAME - ok
    13:12:37.0115 4296 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
    13:12:37.0130 4296 perc2 - ok
    13:12:37.0177 4296 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
    13:12:37.0193 4296 perc2hib - ok
    13:12:37.0255 4296 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    13:12:37.0318 4296 PptpMiniport - ok
    13:12:37.0334 4296 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    13:12:37.0380 4296 PSched - ok
    13:12:37.0412 4296 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    13:12:37.0427 4296 Ptilink - ok
    13:12:37.0474 4296 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    13:12:37.0537 4296 PxHelp20 - ok
    13:12:37.0662 4296 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
    13:12:37.0677 4296 ql1080 - ok
    13:12:37.0709 4296 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
    13:12:37.0771 4296 Ql10wnt - ok
    13:12:37.0834 4296 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
    13:12:37.0849 4296 ql12160 - ok
    13:12:37.0896 4296 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
    13:12:37.0912 4296 ql1240 - ok
    13:12:37.0974 4296 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
    13:12:37.0990 4296 ql1280 - ok
    13:12:38.0021 4296 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    13:12:38.0052 4296 RasAcd - ok
    13:12:38.0084 4296 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    13:12:38.0099 4296 Rasl2tp - ok
    13:12:38.0115 4296 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    13:12:38.0193 4296 RasPppoe - ok
    13:12:38.0287 4296 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    13:12:38.0302 4296 Raspti - ok
    13:12:38.0365 4296 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    13:12:38.0380 4296 Rdbss - ok
    13:12:38.0412 4296 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    13:12:38.0427 4296 RDPCDD - ok
    13:12:38.0474 4296 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    13:12:38.0490 4296 rdpdr - ok
    13:12:38.0568 4296 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
    13:12:38.0630 4296 RDPWD - ok
    13:12:38.0724 4296 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    13:12:38.0802 4296 redbook - ok
    13:12:39.0037 4296 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    13:12:39.0084 4296 SASDIFSV - ok
    13:12:39.0209 4296 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    13:12:39.0271 4296 SASKUTIL - ok
    13:12:39.0380 4296 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys
    13:12:39.0443 4296 SAVRT - ok
    13:12:39.0474 4296 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
    13:12:39.0552 4296 SAVRTPEL - ok
    13:12:39.0693 4296 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    13:12:39.0724 4296 Secdrv - ok
    13:12:39.0818 4296 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    13:12:39.0865 4296 serenum - ok
    13:12:39.0912 4296 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    13:12:39.0927 4296 Serial - ok
    13:12:39.0990 4296 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    13:12:39.0990 4296 Sfloppy - ok
    13:12:40.0037 4296 Simbad - ok
    13:12:40.0130 4296 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
    13:12:40.0162 4296 sisagp - ok
    13:12:40.0224 4296 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
    13:12:40.0240 4296 Sparrow - ok
    13:12:40.0349 4296 SPBBCDrv (ef9760a364d836a0ce6149ebdf71524d) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    13:12:40.0443 4296 SPBBCDrv - ok
    13:12:40.0584 4296 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    13:12:40.0615 4296 splitter - ok
    13:12:40.0693 4296 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    13:12:40.0724 4296 sr - ok
    13:12:40.0771 4296 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    13:12:40.0834 4296 Srv - ok
    13:12:40.0880 4296 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    13:12:40.0896 4296 swenum - ok
    13:12:40.0927 4296 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    13:12:40.0990 4296 swmidi - ok
    13:12:41.0130 4296 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
    13:12:41.0130 4296 symc810 - ok
    13:12:41.0177 4296 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
    13:12:41.0193 4296 symc8xx - ok
    13:12:41.0271 4296 SymEvent (49b20b430a4f219173f823536944474a) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    13:12:41.0334 4296 SymEvent - ok
    13:12:41.0412 4296 SYMREDRV (7de45dfebb51e56d7c795bd0c2d7aef5) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
    13:12:41.0443 4296 SYMREDRV - ok
    13:12:41.0490 4296 SYMTDI (e1444c6095d67ca4ef6ba192cf7fa91a) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    13:12:41.0599 4296 SYMTDI - ok
    13:12:41.0693 4296 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
    13:12:41.0724 4296 sym_hi - ok
    13:12:41.0724 4296 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
    13:12:41.0755 4296 sym_u3 - ok
    13:12:41.0787 4296 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    13:12:41.0818 4296 sysaudio - ok
    13:12:41.0880 4296 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    13:12:41.0896 4296 Tcpip - ok
    13:12:41.0943 4296 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    13:12:41.0959 4296 TDPIPE - ok
    13:12:41.0974 4296 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    13:12:42.0021 4296 TDTCP - ok
    13:12:42.0052 4296 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    13:12:42.0115 4296 TermDD - ok
    13:12:42.0255 4296 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
    13:12:42.0271 4296 TosIde - ok
    13:12:42.0365 4296 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    13:12:42.0380 4296 Udfs - ok
    13:12:42.0412 4296 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
    13:12:42.0443 4296 ultra - ok
    13:12:42.0490 4296 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    13:12:42.0505 4296 Update - ok
    13:12:42.0568 4296 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
    13:12:42.0599 4296 USBAAPL - ok
    13:12:42.0630 4296 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    13:12:42.0677 4296 usbccgp - ok
    13:12:42.0818 4296 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    13:12:42.0865 4296 usbehci - ok
    13:12:43.0130 4296 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    13:12:43.0177 4296 usbhub - ok
    13:12:43.0271 4296 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    13:12:43.0302 4296 usbprint - ok
    13:12:43.0349 4296 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    13:12:43.0365 4296 usbscan - ok
    13:12:43.0396 4296 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    13:12:43.0412 4296 USBSTOR - ok
    13:12:43.0443 4296 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    13:12:43.0459 4296 usbuhci - ok
    13:12:43.0505 4296 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    13:12:43.0521 4296 VgaSave - ok
    13:12:43.0552 4296 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
    13:12:43.0568 4296 viaagp - ok
    13:12:43.0599 4296 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    13:12:43.0615 4296 ViaIde - ok
    13:12:43.0677 4296 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    13:12:43.0709 4296 VolSnap - ok
    13:12:43.0755 4296 vsdatant - ok
    13:12:43.0818 4296 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    13:12:43.0849 4296 Wanarp - ok
    13:12:43.0896 4296 wanatw - ok
    13:12:44.0005 4296 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
    13:12:44.0005 4296 WDC_SAM - ok
    13:12:44.0021 4296 WDICA - ok
    13:12:44.0084 4296 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    13:12:44.0115 4296 wdmaud - ok
    13:12:44.0177 4296 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    13:12:44.0224 4296 winachsf - ok
    13:12:44.0287 4296 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    13:12:44.0318 4296 WudfPf - ok
    13:12:44.0412 4296 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    13:12:44.0427 4296 WudfRd - ok
    13:12:44.0474 4296 MBR (0x1B8) (5cb90281d1a59b251f6603134774eec3) \Device\Harddisk0\DR0
    13:12:44.0490 4296 \Device\Harddisk0\DR0 - ok
    13:12:44.0521 4296 Boot (0x1200) (22c7e134a4be824268122d50b7e89534) \Device\Harddisk0\DR0\Partition0
    13:12:44.0521 4296 \Device\Harddisk0\DR0\Partition0 - ok
    13:12:44.0521 4296 ============================================================
    13:12:44.0521 4296 Scan finished
    13:12:44.0521 4296 ============================================================
    13:12:44.0537 4276 Detected object count: 1
    13:12:44.0537 4276 Actual detected object count: 1
    13:13:48.0396 4276 ctxusbm ( ForgedFile.Multi.Generic ) - skipped by user
    13:13:48.0396 4276 ctxusbm ( ForgedFile.Multi.Generic ) - User select action: Skip
    13:13:56.0552 4184 Deinitialize success


    ComboFix 12-01-23.02 - Elise 01/25/2012 20:48:55.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.672 [GMT -5:00]
    Running from: c:\documents and settings\Elise\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Elise\Desktop\CFScript.txt
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-26 to 2012-01-26 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-26 01:50 . 2012-01-26 01:50 -------- d-----w- c:\windows\LastGood
    2012-01-21 21:13 . 2012-01-21 21:13 -------- d-----w- c:\program files\Trend Micro
    2012-01-21 12:17 . 2012-01-21 12:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\adawaretb
    2012-01-17 23:26 . 2012-01-17 23:26 -------- d-----w- c:\documents and settings\Elise\Application Data\Dell
    2012-01-17 23:25 . 2012-01-17 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PCDr
    2012-01-16 23:24 . 2012-01-16 20:11 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2012-01-16 20:11 . 2012-01-16 20:11 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2012-01-16 19:32 . 2012-01-16 19:34 -------- d-----w- c:\documents and settings\Elise\Local Settings\Application Data\adaware
    2012-01-16 19:32 . 2012-01-25 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
    2012-01-16 19:32 . 2012-01-16 19:32 -------- d-----w- c:\program files\Toolbar Cleaner
    2012-01-16 19:31 . 2012-01-16 19:32 -------- d-----w- c:\documents and settings\Elise\Application Data\adawaretb
    2012-01-16 19:31 . 2012-01-16 19:32 -------- d-----w- c:\program files\adawaretb
    2012-01-16 19:31 . 2011-12-23 12:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2012-01-16 18:16 . 2012-01-16 18:16 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-01-16 18:15 . 2012-01-16 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
    2012-01-16 17:54 . 2012-01-16 17:54 -------- d-----w- c:\program files\Common Files\Java
    2012-01-16 17:53 . 2011-11-10 08:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-01-16 01:23 . 2012-01-16 01:23 -------- d-----w- c:\documents and settings\Elise\Application Data\SUPERAntiSpyware.com
    2012-01-16 01:21 . 2012-01-16 01:27 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-16 01:21 . 2012-01-16 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-01-15 23:39 . 2012-01-16 00:18 -------- d-----w- c:\documents and settings\Elise\Local Settings\Application Data\NPE
    2012-01-15 23:39 . 2012-01-15 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2012-01-12 00:39 . 2012-01-12 00:39 -------- d-----w- C:\d8f497ccc924d1b6d0
    2012-01-12 00:27 . 2012-01-12 00:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2012-01-09 14:57 . 2011-12-21 07:24 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    2012-01-09 14:57 . 2011-12-21 04:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2012-01-09 14:57 . 2011-12-21 04:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2012-01-09 14:57 . 2011-12-21 04:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2012-01-08 18:15 . 2012-01-08 18:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2012-01-08 17:40 . 2012-01-08 17:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-10 20:24 . 2011-01-13 01:46 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-25 21:57 . 2004-08-10 18:51 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2004-08-10 18:51 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2004-08-10 18:51 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-12 17:08 . 2011-05-12 23:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-10 10:54 . 2010-11-20 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-04 19:20 . 2004-08-10 18:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2004-08-10 18:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2004-08-10 18:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2004-08-10 18:51 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-03 15:28 . 2004-08-10 18:51 386048 ----a-w- c:\windows\system32\qdvd.dll
    2011-11-03 15:28 . 2004-08-10 18:51 1292288 ----a-w- c:\windows\system32\quartz.dll
    2011-11-01 16:07 . 2004-08-10 18:51 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-10-12 20:33 . 2010-10-12 20:33 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2010-10-12 22:15 . 2010-10-12 22:15 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2010-10-12 20:37 . 2010-10-12 20:37 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2010-10-12 20:35 . 2010-10-12 20:35 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2010-10-12 20:34 . 2010-10-12 20:34 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2010-10-12 20:32 . 2010-10-12 20:32 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2010-10-12 20:35 . 2010-10-12 20:35 31672 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2010-10-12 20:34 . 2010-10-12 20:34 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2010-07-14 16:42 . 2010-07-14 16:42 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2010-10-12 20:37 . 2010-10-12 20:37 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2011-12-21 07:24 . 2011-11-13 16:13 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of C:\d8f497ccc924d1b6d0 ----
    .
    2012-01-12 00:39 . 2012-01-12 00:39 788 ---ha-w- c:\d8f497ccc924d1b6d0\$shtdwn$.req
    2011-12-25 10:41 . 2011-12-25 10:41 14112 ----a-w- c:\d8f497ccc924d1b6d0\3082\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 12064 ----a-w- c:\d8f497ccc924d1b6d0\2052\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 13600 ----a-w- c:\d8f497ccc924d1b6d0\2070\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 13600 ----a-w- c:\d8f497ccc924d1b6d0\1055\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 13600 ----a-w- c:\d8f497ccc924d1b6d0\1049\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 13600 ----a-w- c:\d8f497ccc924d1b6d0\1053\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 14112 ----a-w- c:\d8f497ccc924d1b6d0\1045\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 13600 ----a-w- c:\d8f497ccc924d1b6d0\1046\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 13600 ----a-w- c:\d8f497ccc924d1b6d0\1044\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 12576 ----a-w- c:\d8f497ccc924d1b6d0\1042\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 13600 ----a-w- c:\d8f497ccc924d1b6d0\1043\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 13600 ----a-w- c:\d8f497ccc924d1b6d0\1040\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 12576 ----a-w- c:\d8f497ccc924d1b6d0\1041\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 13088 ----a-w- c:\d8f497ccc924d1b6d0\1037\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 13600 ----a-w- c:\d8f497ccc924d1b6d0\1038\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 13600 ----a-w- c:\d8f497ccc924d1b6d0\1035\HotFixInstallerUI.dll
    2011-12-25 10:41 . 2011-12-25 10:41 14112 ----a-w- c:\d8f497ccc924d1b6d0\1036\HotFixInstallerUI.dll
    2011-12-25 10:40 . 2011-12-25 10:40 13600 ----a-w- c:\d8f497ccc924d1b6d0\1033\HotFixInstallerUI.dll
    2011-12-25 10:40 . 2011-12-25 10:40 14112 ----a-w- c:\d8f497ccc924d1b6d0\1031\HotFixInstallerUI.dll
    2011-12-25 10:40 . 2011-12-25 10:40 14112 ----a-w- c:\d8f497ccc924d1b6d0\1032\HotFixInstallerUI.dll
    2011-12-25 10:40 . 2011-12-25 10:40 13600 ----a-w- c:\d8f497ccc924d1b6d0\1029\HotFixInstallerUI.dll
    2011-12-25 10:40 . 2011-12-25 10:40 13600 ----a-w- c:\d8f497ccc924d1b6d0\1030\HotFixInstallerUI.dll
    2011-12-25 10:40 . 2011-12-25 10:40 12064 ----a-w- c:\d8f497ccc924d1b6d0\1028\HotFixInstallerUI.dll
    2011-12-25 10:40 . 2011-12-25 10:40 12064 ----a-w- c:\d8f497ccc924d1b6d0\3076\HotFixInstallerUI.dll
    2011-12-25 10:40 . 2011-12-25 10:40 13088 ----a-w- c:\d8f497ccc924d1b6d0\1025\HotFixInstallerUI.dll
    2011-12-25 10:40 . 2011-12-25 10:40 322840 ----a-w- c:\d8f497ccc924d1b6d0\HotFixInstaller.exe
    2011-12-25 10:40 . 2011-12-25 10:40 819200 ----a-w- c:\d8f497ccc924d1b6d0\NDP35SP1-KB2657424.msp
    2011-12-25 10:30 . 2011-12-25 10:30 78951 ----a-w- c:\d8f497ccc924d1b6d0\1032\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 100363 ----a-w- c:\d8f497ccc924d1b6d0\1033\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 75533 ----a-w- c:\d8f497ccc924d1b6d0\1035\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 127060 ----a-w- c:\d8f497ccc924d1b6d0\1036\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 59647 ----a-w- c:\d8f497ccc924d1b6d0\1037\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 67624 ----a-w- c:\d8f497ccc924d1b6d0\1038\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 115589 ----a-w- c:\d8f497ccc924d1b6d0\1040\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 104768 ----a-w- c:\d8f497ccc924d1b6d0\1041\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 147711 ----a-w- c:\d8f497ccc924d1b6d0\1042\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 76257 ----a-w- c:\d8f497ccc924d1b6d0\1043\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 73305 ----a-w- c:\d8f497ccc924d1b6d0\1044\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 73386 ----a-w- c:\d8f497ccc924d1b6d0\1045\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 97721 ----a-w- c:\d8f497ccc924d1b6d0\1046\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 141033 ----a-w- c:\d8f497ccc924d1b6d0\1049\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 76556 ----a-w- c:\d8f497ccc924d1b6d0\1053\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 77193 ----a-w- c:\d8f497ccc924d1b6d0\1055\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 102032 ----a-w- c:\d8f497ccc924d1b6d0\2052\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 76519 ----a-w- c:\d8f497ccc924d1b6d0\2070\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 94271 ----a-w- c:\d8f497ccc924d1b6d0\3082\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 15616 ----a-w- c:\d8f497ccc924d1b6d0\DHtmlHeader.html
    2011-12-25 10:30 . 2011-12-25 10:30 7306 ----a-w- c:\d8f497ccc924d1b6d0\header.bmp
    2011-12-25 10:30 . 2011-12-25 10:30 3580 ----a-w- c:\d8f497ccc924d1b6d0\ParameterInfo.xml
    2011-12-25 10:30 . 2011-12-25 10:30 110348 ----a-w- c:\d8f497ccc924d1b6d0\watermark.bmp
    2011-12-25 10:30 . 2011-12-25 10:30 76237 ----a-w- c:\d8f497ccc924d1b6d0\1025\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 37119 ----a-w- c:\d8f497ccc924d1b6d0\1028\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 74519 ----a-w- c:\d8f497ccc924d1b6d0\1029\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 76465 ----a-w- c:\d8f497ccc924d1b6d0\1030\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 116656 ----a-w- c:\d8f497ccc924d1b6d0\1031\eula.rtf
    2011-12-25 10:30 . 2011-12-25 10:30 37119 ----a-w- c:\d8f497ccc924d1b6d0\3076\eula.rtf
    .
    .
    ((((((((((((((((((((((((((((( [email protected]_02.48.08 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-01-26 01:48 . 2012-01-26 01:48 16384 c:\windows\Temp\Perflib_Perfdata_770.dat
    + 2008-03-08 21:47 . 2012-01-25 23:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-03-08 21:47 . 2012-01-21 19:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-03-08 21:47 . 2012-01-25 23:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-03-08 21:47 . 2012-01-21 19:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2012-01-25 03:04 . 2012-01-25 23:20 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2008-03-08 21:47 . 2012-01-21 19:09 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-12-21 87440]
    .
    [HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
    2011-12-21 15:44 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-12-21 87440]
    .
    [HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-29 68856]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-16 4616064]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-17 16132608]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-29 1838592]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-09-01 1408872]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-11-14 197288]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
    "adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
    "AutoLaunch"="c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe" [2012-01-16 654056]
    .
    c:\documents and settings\Elise\Start Menu\Programs\Startup\
    Jacquie Lawson Advent Calendar.lnk - c:\program files\Jacquie Lawson Advent Calendar\Jacquie Lawson Advent Calendar\Jacquie Lawson Advent Calendar.exe [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-2-29 24576]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
    WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-10-14 9085760]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\adawaretb\\dtUser.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/16/2012 2:31 PM 64512]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [4/16/2010 3:22 PM 65584]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/14/2009 1:31 PM 98304]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 6:29 PM 135664]
    S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [8/10/2004 1:51 PM 14336]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 6:29 PM 135664]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/23/2011 7:12 AM 2152152]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    NecUsbSevice REG_MULTI_SZ NecUsb
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-26 c:\windows\Tasks\Ad-Aware Scan (Weekly AdAware Scan).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-23 20:10]
    .
    2012-01-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-23 20:10]
    .
    2012-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2012-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 23:28]
    .
    2012-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 23:28]
    .
    2012-01-17 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.aol.com/
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=dahlf4GdHyUl6WB-ZlmZUaiIo3s
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Elise\Application Data\Mozilla\Firefox\Profiles\hn5o8kq5.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=utf-8&rlz=1V2IPYX&q=
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-25 20:56
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(720)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    Completion time: 2012-01-25 20:58:09
    ComboFix-quarantined-files.txt 2012-01-26 01:58
    ComboFix2.txt 2012-01-25 02:54
    .
    Pre-Run: 196,580,421,632 bytes free
    Post-Run: 196,576,227,328 bytes free
    .
    - - End Of File - - CC515DDD2F8642C985262115A8F661B0


    aswMBR version 0.9.9.1509 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-25 21:10:33
    -----------------------------
    21:10:33.703 OS Version: Windows 5.1.2600 Service Pack 3
    21:10:33.703 Number of processors: 2 586 0xF0D
    21:10:33.703 ComputerName: ELISEA UserName: Elise
    21:10:34.781 Initialize success
    21:13:38.015 AVAST engine defs: 12012501
    21:14:03.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    21:14:03.078 Disk 0 Vendor: ST3250310AS 3.ADA Size: 238418MB BusType: 3
    21:14:03.093 Disk 0 MBR read successfully
    21:14:03.093 Disk 0 MBR scan
    21:14:03.093 Disk 0 unknown MBR code
    21:14:03.093 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
    21:14:03.109 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 234880 MB offset 96390
    21:14:03.140 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3482 MB offset 481130685
    21:14:03.140 Disk 0 scanning sectors +488263545
    21:14:03.187 Disk 0 scanning C:\WINDOWS\system32\drivers
    21:14:05.390 File: C:\WINDOWS\system32\drivers\ctxusbm.sys **INFECTED** Win32:Aluroot-B [Rtk]
    21:14:13.062 Disk 0 trace - called modules:
    21:14:13.078 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    21:14:13.078 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f17ab8]
    21:14:13.093 3 CLASSPNP.SYS[f7633fd7] -> nt!IofCallDriver -> \Device\00000064[0x86f19510]
    21:14:13.093 5 ACPI.sys[f74ca620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f73940]
    21:14:13.921 AVAST engine scan C:\WINDOWS
    21:14:31.703 AVAST engine scan C:\WINDOWS\system32
    21:16:03.656 AVAST engine scan C:\WINDOWS\system32\drivers
    21:16:06.453 File: C:\WINDOWS\system32\drivers\ctxusbm.sys **INFECTED** Win32:Aluroot-B [Rtk]
    21:16:18.906 AVAST engine scan C:\Documents and Settings\Elise
    21:26:28.187 AVAST engine scan C:\Documents and Settings\All Users
    21:29:47.515 Scan finished successfully
    21:49:33.921 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Elise\Desktop\MBR.dat"
    21:49:33.937 The log file has been saved successfully to "C:\Documents and Settings\Elise\Desktop\aswMBR.txt"
     
  7. DFW

    DFW Malware Specialist

    Joined:
    Jun 12, 2004
    Messages:
    1,458
    Citrix has been infected by the infection; don't do anything with it for the moment.

    You say that you use this computer to access work remotely. Can you confirm: is this a
    company-owned system or your personal computer? I need to know so I can give you appropriate instructions.
     
  8. brownie94

    brownie94 Thread Starter

    Joined:
    Jan 21, 2012
    Messages:
    12
    It is a personal computer. I just found the instructions for installing and configuring Citrix, so I am fine with uninstalling it if that is the easiest course.
     
  9. DFW

    DFW Malware Specialist

    Joined:
    Jun 12, 2004
    Messages:
    1,458
    Hi brownie94

    OK, if you're sure you will have no trouble getting it working again, as I do not have a clue about setting up this software.

    Go to Add/Remove and remove all Citrix entries listed,
    then reboot your system. Before you reinstall Citrix, run the ComboFix script below.



    ComboFix - CFScript
    This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
    You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
    1. Please open Notepad and copy/paste all the text below... into the window:
      Code:
      Driver::
      ctxusbm
      
      File::
      C:\WINDOWS\system32\drivers\ctxusbm.sys
      
      
      
    2. Save it to your desktop as CFScript.txt
    3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
      *Only* when the 2 items above (Step 3) have been taken care of...
    4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
      This will cause ComboFix to run again.
      Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
      Do Not touch your computer when ComboFix is running!
    5. When finished ComboFix will create a log file... you can save this file to a convenient place.
    Please copy/paste the ComboFix log file in your next reply.


    Post the combofix log before you try and reinstall Citrix.
     
  10. brownie94

    brownie94 Thread Starter

    Joined:
    Jan 21, 2012
    Messages:
    12
    Hi DFW,

    The computer rebooted three times while running ComboFix tonight. After the initial launch, it asked me if I wanted to download the latest version, and I said yes. Then after okaying the first reboot I left it alone awhile and returned to find it semi-frozen -- although the mouse would move, the screen only showed my background image and no icons or windows. I did not know what else to do other than manually reboot, and ComboFix did resume after that. Here is the log:

    ComboFix 12-01-26.03 - Elise 01/26/2012 21:16:50.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.669 [GMT -5:00]
    Running from: c:\documents and settings\Elise\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Elise\Desktop\CFScript.txt
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    FILE ::
    "c:\windows\system32\drivers\ctxusbm.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_CTXUSBM
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-21 21:13 . 2012-01-21 21:13 -------- d-----w- c:\program files\Trend Micro
    2012-01-21 12:17 . 2012-01-21 12:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\adawaretb
    2012-01-17 23:26 . 2012-01-17 23:26 -------- d-----w- c:\documents and settings\Elise\Application Data\Dell
    2012-01-17 23:25 . 2012-01-17 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PCDr
    2012-01-16 23:24 . 2012-01-16 20:11 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2012-01-16 20:11 . 2012-01-16 20:11 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2012-01-16 19:32 . 2012-01-16 19:34 -------- d-----w- c:\documents and settings\Elise\Local Settings\Application Data\adaware
    2012-01-16 19:32 . 2012-01-27 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
    2012-01-16 19:32 . 2012-01-16 19:32 -------- d-----w- c:\program files\Toolbar Cleaner
    2012-01-16 19:31 . 2012-01-16 19:32 -------- d-----w- c:\documents and settings\Elise\Application Data\adawaretb
    2012-01-16 19:31 . 2012-01-16 19:32 -------- d-----w- c:\program files\adawaretb
    2012-01-16 19:31 . 2011-12-23 12:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2012-01-16 18:16 . 2012-01-16 18:16 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-01-16 18:15 . 2012-01-16 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
    2012-01-16 17:54 . 2012-01-16 17:54 -------- d-----w- c:\program files\Common Files\Java
    2012-01-16 17:53 . 2011-11-10 08:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-01-16 01:23 . 2012-01-16 01:23 -------- d-----w- c:\documents and settings\Elise\Application Data\SUPERAntiSpyware.com
    2012-01-16 01:21 . 2012-01-16 01:27 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-16 01:21 . 2012-01-16 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-01-15 23:39 . 2012-01-16 00:18 -------- d-----w- c:\documents and settings\Elise\Local Settings\Application Data\NPE
    2012-01-15 23:39 . 2012-01-15 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2012-01-12 00:39 . 2012-01-12 00:39 -------- d-----w- C:\d8f497ccc924d1b6d0
    2012-01-12 00:27 . 2012-01-12 00:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2012-01-09 14:57 . 2011-12-21 07:24 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    2012-01-09 14:57 . 2011-12-21 04:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2012-01-09 14:57 . 2011-12-21 04:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2012-01-09 14:57 . 2011-12-21 04:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2012-01-08 18:15 . 2012-01-08 18:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2012-01-08 17:40 . 2012-01-08 17:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-10 20:24 . 2011-01-13 01:46 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-25 21:57 . 2004-08-10 18:51 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2004-08-10 18:51 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2004-08-10 18:51 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-16 14:21 . 2004-08-10 18:51 354816 ----a-w- c:\windows\system32\winhttp.dll
    2011-11-16 14:21 . 2004-08-10 18:51 152064 ----a-w- c:\windows\system32\schannel.dll
    2011-11-12 17:08 . 2011-05-12 23:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-10 10:54 . 2010-11-20 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-04 19:20 . 2004-08-10 18:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2004-08-10 18:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2004-08-10 18:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2004-08-10 18:51 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-03 15:28 . 2004-08-10 18:51 386048 ----a-w- c:\windows\system32\qdvd.dll
    2011-11-03 15:28 . 2004-08-10 18:51 1292288 ----a-w- c:\windows\system32\quartz.dll
    2011-11-01 16:07 . 2004-08-10 18:51 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-12-21 07:24 . 2011-11-13 16:13 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@[date lost in extraction]_02.48.08 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-01-27 02:25 . 2012-01-27 02:25 16384 c:\windows\Temp\Perflib_Perfdata_694.dat
    - 2008-03-08 21:47 . 2012-01-21 19:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-03-08 21:47 . 2012-01-26 23:08 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-03-08 21:47 . 2012-01-21 19:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-03-08 21:47 . 2012-01-26 23:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-03-08 21:47 . 2012-01-21 19:09 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2012-01-26 02:04 . 2012-01-26 23:08 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2008-12-16 12:30 . 2011-11-16 14:21 354816 c:\windows\system32\dllcache\winhttp.dll
    - 2008-12-16 12:30 . 2009-08-25 09:17 354816 c:\windows\system32\dllcache\winhttp.dll
    + 2008-12-05 06:54 . 2011-11-16 14:21 152064 c:\windows\system32\dllcache\schannel.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-12-21 87440]
    .
    [HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
    2011-12-21 15:44 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-12-21 87440]
    .
    [HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-29 68856]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-16 4616064]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-17 16132608]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-29 1838592]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-09-01 1408872]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-11-14 197288]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
    "adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
    "AutoLaunch"="c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe" [2012-01-16 654056]
    .
    c:\documents and settings\Elise\Start Menu\Programs\Startup\
    Jacquie Lawson Advent Calendar.lnk - c:\program files\Jacquie Lawson Advent Calendar\Jacquie Lawson Advent Calendar\Jacquie Lawson Advent Calendar.exe [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-2-29 24576]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
    WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-10-14 9085760]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\adawaretb\\dtUser.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/16/2012 2:31 PM 64512]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/14/2009 1:31 PM 98304]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 6:29 PM 135664]
    S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [8/10/2004 1:51 PM 14336]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 6:29 PM 135664]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/23/2011 7:12 AM 2152152]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    NecUsbSevice REG_MULTI_SZ NecUsb
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-27 c:\windows\Tasks\Ad-Aware Scan (Weekly AdAware Scan).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-23 20:10]
    .
    2012-01-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-23 20:10]
    .
    2012-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2012-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 23:28]
    .
    2012-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 23:28]
    .
    2012-01-17 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.aol.com/
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=dahlf4GdHyUl6WB-ZlmZUaiIo3s
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Elise\Application Data\Mozilla\Firefox\Profiles\hn5o8kq5.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=utf-8&rlz=1V2IPYX&q=
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-26 21:26
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(720)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(3540)
    c:\windows\system32\WININET.dll
    c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Roxio\Drag-to-Disc\Shellex.dll
    c:\windows\system32\DLAAPI_W.DLL
    c:\windows\system32\CDRTC.DLL
    c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-26 21:30:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-27 02:30
    ComboFix2.txt 2012-01-26 01:58
    ComboFix3.txt 2012-01-25 02:54
    .
    Pre-Run: 196,436,594,688 bytes free
    Post-Run: 196,538,609,664 bytes free
    .
    - - End Of File - - A342A6E4CD10A366E82E52F746664D3E
     
  11. DFW

    DFW Malware Specialist

    Joined:
    Jun 12, 2004
    Messages:
    1,458
    ComboFix ran the fix OK, but we will have to keep an eye on it.

    If you have not done so already please reinstall Citrix, then run the tools below.


    TFC(Temp File Cleaner)

    • Please download TFC to your desktop,
    • Save any unsaved work. TFC will close all open application windows.
    • Double-click TFC.exe to run the program.
    • If prompted, click "Yes" to reboot.

    Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



    Scan with aswMBR again


    • Double click aswMBR.exe to run it.
    • Click the Scan button.
    • After a short while when the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
    • Click OK > Exit.
    • Note: Do not attempt to fix anything at this stage!
    • Two files will be created, aswMBR.txt & a file named MBR.dat.
    • MBR.dat is a backup of the MBR (master boot record); do not delete it.
    • I strongly suggest you keep a copy of this backup stored on an external device.
    • Copy & Paste the contents of aswMBR.txt into your next reply.






    Update Malwarebytes Anti-Malware and run a scan.

    • Open Malwarebytes Anti-Malware.
    • Click on the update tab, then click update.
    • If an update is found, it will download and install the latest version. A shield symbol will show on the desktop icon while it is updating, and will disappear when it's done.
    • If necessary, start Malwarebytes Anti-Malware again.
    • Next click on Perform Quick Scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • If it found any malware items, check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
    • The log can also be found using the "Logs" tab in the program. You can click any "Scan" log listed to open its contents. The logs are listed and named by time/date stamp.




    Run an ESET online scan

    You can use either Internet Explorer or Mozilla FireFox for this scan.

    • First please Disable any Antivirus you have active, as shown in This topic.
    • Note: Don't forget to re-enable it after the scan.
    • Next hold down Control, then click on the following link to open a new window to the ESET online scanner
    • Select the option YES, I accept the Terms of Use then click on Start.
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Now click on Start.
    • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
    • When completed the Online Scan will begin automatically.
    • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
    • Now click on Finish.
    • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    • Copy and paste that log as a reply to this topic.




    Post back

    aswMBR Log
    Malwarebytes Log
    ESET online scan Log
     
  12. brownie94

    brownie94 Thread Starter

    Joined:
    Jan 21, 2012
    Messages:
    12
    Hi DFW.

    No problems this time. Here are the logs:

    aswMBR version 0.9.9.1509 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-27 21:09:06
    -----------------------------
    21:09:06.687 OS Version: Windows 5.1.2600 Service Pack 3
    21:09:06.687 Number of processors: 2 586 0xF0D
    21:09:06.687 ComputerName: ELISEA UserName: Elise
    21:09:09.031 Initialize success
    21:11:57.406 AVAST engine defs: 12012701
    21:13:24.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    21:13:24.093 Disk 0 Vendor: ST3250310AS 3.ADA Size: 238418MB BusType: 3
    21:13:24.109 Disk 0 MBR read successfully
    21:13:24.109 Disk 0 MBR scan
    21:13:24.140 Disk 0 unknown MBR code
    21:13:24.156 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
    21:13:24.156 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 234880 MB offset 96390
    21:13:24.187 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3482 MB offset 481130685
    21:13:24.203 Disk 0 scanning sectors +488263545
    21:13:24.250 Disk 0 scanning C:\WINDOWS\system32\drivers
    21:13:34.156 Service scanning
    21:13:35.750 Modules scanning
    21:13:42.953 Disk 0 trace - called modules:
    21:13:42.984 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
    21:13:42.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f8bab8]
    21:13:42.984 3 CLASSPNP.SYS[f7633fd7] -> nt!IofCallDriver -> \Device\00000065[0x86f1e510]
    21:13:42.984 5 ACPI.sys[f74ca620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f80940]
    21:13:43.687 AVAST engine scan C:\WINDOWS
    21:14:04.812 AVAST engine scan C:\WINDOWS\system32
    21:15:40.265 AVAST engine scan C:\WINDOWS\system32\drivers
    21:15:57.343 AVAST engine scan C:\Documents and Settings\Elise
    21:25:50.937 AVAST engine scan C:\Documents and Settings\All Users
    21:29:07.750 Scan finished successfully
    21:29:25.656 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Elise\Desktop\MBR.dat"
    21:29:25.703 The log file has been saved successfully to "C:\Documents and Settings\Elise\Desktop\aswMBR.txt"


    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.27.07

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Elise :: ELISEA [administrator]

    1/27/2012 9:32:35 PM
    mbam-log-2012-01-27 (21-32-35).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 176561
    Time elapsed: 5 minute(s), 2 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=179e07302b6617448ce639f7305b99cd
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2012-01-28 06:23:24
    # local_time=2012-01-28 01:23:24 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 508090 508090 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=88813
    # found=37
    # cleaned=0
    # scan_time=3723
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP236\A0024353.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP237\A0024382.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP237\A0024430.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP237\A0024447.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP238\A0024479.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP240\A0024505.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP241\A0025505.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP242\A0025562.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP242\A0025581.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP242\A0026581.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP243\A0026935.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP244\A0027001.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP244\A0028001.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP244\A0029001.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP244\A0029025.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP245\A0030025.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP245\A0030044.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP246\A0030176.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP246\A0030194.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP248\A0030689.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP250\A0030724.dll probably a variant of Win32/Adware.BHO.MegaSearch application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP250\A0030731.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP250\A0031731.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP250\A0032731.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP252\A0033008.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP252\A0033024.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP253\A0033064.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP253\A0033080.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP253\A0033097.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP254\A0034097.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP256\A0034130.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP256\A0034157.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP257\A0034185.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP258\A0034242.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP258\A0034260.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP260\A0034624.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP260\A0035003.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
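The ESET report above lists 37 detections, every one of them under `System Volume Information\_restore{...}\RPnnn\`, which is exactly the distinction the next reply draws: files inside a restore point are inert copies that get purged when the restore points are cleared, so they do not by themselves mean the machine is still infected. The following Python script is an added example, not part of the thread and not an ESET tool: it parses the log format shown above, separates restore-point detections from detections on the live file system, and checks that the header's `found=` count agrees with the number of detection lines. The sample log is constructed to mirror the thread's format; the GUID, file names and the `Win32/Kryptik.ABC` entry are placeholders.

```python
"""Triage an ESET Online Scanner log: separate detections that sit only in
System Restore points from detections on the live file system."""
import re
from dataclasses import dataclass, field
from typing import List

# Header lines look like "# found=37"
HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")

# Detection lines: <path> <threat description> (<status>) <hash> <flag>
# The path may contain spaces, so the threat description is anchored on the
# ESET naming pattern "<platform>/<family>" (e.g. Win32/Rootkit.Kryptik.HQ).
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/.+?) "
    r"\((?P<status>[^)]+)\) "
    r"(?P<hash>[0-9A-Fa-f]{32}) "
    r"(?P<flag>\S+)$"
)

# Anything under a restore point is a stored copy, not a running component.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\", re.IGNORECASE
)

# Constructed sample in the thread's log format (GUID and names are placeholders).
SAMPLE_ESET_LOG = r"""# version=7
# end=finished
# scanned=88813
# found=3
# cleaned=0
C:\System Volume Information\_restore{CONSTRUCTED-GUID}\RP236\A0000001.sys a variant of Win32/Rootkit.Kryptik.HQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{CONSTRUCTED-GUID}\RP250\A0000002.dll probably a variant of Win32/Adware.BHO.MegaSearch application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\user\Local Settings\Temp\dropper.tmp a variant of Win32/Kryptik.ABC trojan (unable to clean) 00000000000000000000000000000000 I
"""


@dataclass
class Detection:
    path: str
    threat: str
    status: str
    in_restore_point: bool


@dataclass
class EsetReport:
    scanned: int = 0
    found: int = 0
    cleaned: int = 0
    detections: List[Detection] = field(default_factory=list)

    @property
    def restore_point_only(self) -> bool:
        """True when every detection lives inside a System Restore point."""
        return bool(self.detections) and all(d.in_restore_point for d in self.detections)

    @property
    def live_paths(self) -> List[str]:
        """Detections outside restore points: these need real attention."""
        return [d.path for d in self.detections if not d.in_restore_point]

    @property
    def consistent(self) -> bool:
        """The header's found= count should equal the detection lines parsed."""
        return self.found == len(self.detections)


def parse_eset_log(text: str) -> EsetReport:
    report = EsetReport()
    for raw in text.splitlines():
        line = raw.strip()
        hdr = HEADER_RE.match(line)
        if hdr:
            key, value = hdr.groups()
            if key in ("scanned", "found", "cleaned"):
                setattr(report, key, int(value))
            continue
        det = DETECTION_RE.match(line)
        if det:
            report.detections.append(Detection(
                path=det["path"],
                threat=det["threat"],
                status=det["status"],
                in_restore_point=bool(RESTORE_POINT_RE.search(det["path"])),
            ))
    return report


def summarize(report: EsetReport) -> str:
    lines = [f"scanned={report.scanned} found={report.found} parsed={len(report.detections)}",
             f"restore-point only: {report.restore_point_only}"]
    lines += [f"LIVE: {p}" for p in report.live_paths]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_eset_log(SAMPLE_ESET_LOG)))
```

Run against the thread's actual log the script would report `restore-point only: True`, which is the reasoning behind clearing the restore points rather than treating each hit as an active infection; a non-empty `LIVE:` list is the case that warrants a closer look.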
     
  13. DFW

    DFW Malware Specialist

    Joined:
    Jun 12, 2004
    Messages:
    1,458
    Hi brownie94

    The items found in the ESET log are only items in System Restore; we will remove them shortly.


    I think we are almost there, just a few items to check. How are things at your end? Is your system
    running OK, and do you have no problems with any programs?




    I see that you are using Ad-Aware for your anti-virus. I would suggest that you replace this with MSE or Avast; they
    are both proven to provide good, free, trouble-free cover, but it's up to you. If you do decide to change, then download whichever one
    you pick, then remove Ad-Aware, reboot, then install the new anti-virus.

    Pick and install only one.

    Free anti-virus software for Windows
    1) avast! Home Edition
    2) Microsoft Security Essentials




    Java SE Runtime Environment (JRE).

    Please download from HERE

    • Find Java SE 7u2.
    • Click the Download JRE button to the right.
    • Choose the correct Platform and Multi-language. Next, check the box that says I agree to the Java SE Runtime Environment 7 License Agreement.
    • Click the Continue button.
    • Click on the filename under Windows Offline Installation and save it to your desktop.
    • Close all active windows.
    • Install the program.




    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      ping.exe
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt


    Please post back the SystemLook log; also run HijackThis again and post the log.



    -
     
  14. brownie94

    brownie94 Thread Starter

    Joined:
    Jan 21, 2012
    Messages:
    12
    Hi DFW,

    My programs all seem to be working okay, and the computer is definitely faster than it has been in a while.

    I downloaded the version of Java you suggested, but now I have two versions: 6u30 and 7u2. Do I really need them both, or can I uninstall 6u30?

    Also, could any of this malware have infected the external hard drive I use for backups or my iPod Touch? I just noticed some odd behaviors with games on the iPod, which until the last few weeks I had not hooked up to my computer in months.

    Here are the logs:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 21:05 on 30/01/2012 by Elise
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "ping.exe"
    C:\i386\ping.exe --a---- 17920 bytes [22:34 12/03/2008] [11:00 04/08/2004] 62B84D99295346AF5A3B1A9C3BDE04AB
    C:\WINDOWS\$NtServicePackUninstall$\ping.exe -----c- 17920 bytes [00:48 24/09/2008] [11:00 04/08/2004] 62B84D99295346AF5A3B1A9C3BDE04AB
    C:\WINDOWS\ServicePackFiles\i386\ping.exe ------- 17920 bytes [22:56 20/08/2008] [00:12 14/04/2008] 66CDF02D86C9F0B4300EE981A614D296
    C:\WINDOWS\system32\ping.exe --a---- 17920 bytes [18:51 10/08/2004] [00:12 14/04/2008] 66CDF02D86C9F0B4300EE981A614D296

    -= EOF =-

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:24:54 PM, on 1/30/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Citrix\ICA Client\concentr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Elise\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080229
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=dahlf4GdHyUl6WB-ZlmZUaiIo3s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL (file missing)
    O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL (file missing)
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
    O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly (User 'Default user')
    O4 - Startup: Jacquie Lawson Advent Calendar.lnk = C:\Program Files\Jacquie Lawson Advent Calendar\Jacquie Lawson Advent Calendar\Jacquie Lawson Advent Calendar.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    O4 - Global Startup: WDSmartWare.lnk = C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (file missing)
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

    --
    End of file - 14848 bytes
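The `:filefind ping.exe` request above is a hash-corroboration check: Windows XP keeps several reference copies of a system binary (the `i386` install source, `ServicePackFiles\i386`, the service-pack uninstall folder), and the copy in `system32`, the one that actually runs, should hash-match one of them. In the log posted, the `system32` copy matches `ServicePackFiles` and the two pre-SP3 copies match each other, so nothing stands out. The script below is an added example, not part of the thread and not a SystemLook feature: it parses the filefind lines, groups copies by MD5, and flags a `system32` copy whose hash is shared with no reference location. The first sample is the log above; the second is a constructed variant with a placeholder hash on the `system32` copy. The "active copy is the one under `\WINDOWS\system32\`" rule is an assumption for a standard single-OS install.

```python
"""Corroborate the running copy of a system binary against the reference
copies reported by a SystemLook :filefind scan."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# <path> <attrs> <size> bytes [<modified>] [<created>] <md5>
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>\S{7}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Copied from the SystemLook output posted in this thread.
PAGE_LOG = r"""Searching for "ping.exe"
C:\i386\ping.exe --a---- 17920 bytes [22:34 12/03/2008] [11:00 04/08/2004] 62B84D99295346AF5A3B1A9C3BDE04AB
C:\WINDOWS\$NtServicePackUninstall$\ping.exe -----c- 17920 bytes [00:48 24/09/2008] [11:00 04/08/2004] 62B84D99295346AF5A3B1A9C3BDE04AB
C:\WINDOWS\ServicePackFiles\i386\ping.exe ------- 17920 bytes [22:56 20/08/2008] [00:12 14/04/2008] 66CDF02D86C9F0B4300EE981A614D296
C:\WINDOWS\system32\ping.exe --a---- 17920 bytes [18:51 10/08/2004] [00:12 14/04/2008] 66CDF02D86C9F0B4300EE981A614D296
"""

# Constructed variant: the system32 copy carries a placeholder hash that no
# reference copy shares, which is what a replaced binary would look like.
TAMPERED_LOG = PAGE_LOG.replace(
    r"C:\WINDOWS\system32\ping.exe --a---- 17920 bytes [18:51 10/08/2004] [00:12 14/04/2008] 66CDF02D86C9F0B4300EE981A614D296",
    r"C:\WINDOWS\system32\ping.exe --a---- 17920 bytes [18:51 10/08/2004] [00:12 14/04/2008] 0123456789ABCDEF0123456789ABCDEF",
)


@dataclass
class FileCopy:
    path: str
    size: int
    md5: str

    @property
    def is_active(self) -> bool:
        # Assumption: the copy under \WINDOWS\system32\ is the one that runs.
        return re.search(r"\\WINDOWS\\system32\\", self.path, re.IGNORECASE) is not None


def parse_filefind(text: str) -> List[FileCopy]:
    copies = []
    for raw in text.splitlines():
        m = FILEFIND_RE.match(raw.strip())
        if m:
            copies.append(FileCopy(m["path"], int(m["size"]), m["md5"].upper()))
    return copies


def by_hash(copies: List[FileCopy]) -> Dict[str, List[str]]:
    groups: Dict[str, List[str]] = defaultdict(list)
    for c in copies:
        groups[c.md5].append(c.path)
    return dict(groups)


def assess(copies: List[FileCopy]) -> dict:
    """Report the active copy, whether a reference copy shares its hash, and
    every copy whose hash appears at no other location."""
    groups = by_hash(copies)
    active: Optional[FileCopy] = next((c for c in copies if c.is_active), None)
    corroborated = active is not None and len(groups[active.md5]) > 1
    singletons = [c.path for c in copies if len(groups[c.md5]) == 1]
    return {
        "active": active.path if active else None,
        "active_md5": active.md5 if active else None,
        "corroborated": corroborated,
        "singletons": singletons,
        "hash_groups": groups,
    }


if __name__ == "__main__":
    for label, log in (("thread log", PAGE_LOG), ("constructed tampered log", TAMPERED_LOG)):
        result = assess(parse_filefind(log))
        print(f"{label}: corroborated={result['corroborated']} singletons={result['singletons']}")
```

A matching hash across locations is corroboration, not proof: the check only says the running copy is identical to a copy Windows itself keeps, which is the same inference the helper is making by eye from the four lines above.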
     
  15. DFW

    DFW Malware Specialist

    Joined:
    Jun 12, 2004
    Messages:
    1,458
    Hi

    Sorry, I should have said: yes, you do need to uninstall the old version of Java.

    It is not possible for this infection to infect an iPhone, but we will check your external drive for any malware.



    Open up HijackThis.
    Click on Do a system scan only.
    Place a checkmark next to these lines (if still present):

    O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL (file missing)
    O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL (file missing)
    O4 - HKUS\S-1-5-18\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly (User 'Default user')


    Then close all windows except Hijackthis and click Fix Checked


    Next, please connect your external hard drive and turn it on if needed.
    Open My Computer and find the external drive.
    Right click on the drive and select scan with Malwarebytes Anti-Malware


    Please post back the Malwarebytes log and a new HijackThis Log



    -
     
Short URL to this thread: https://techguy.org/1037810