Member Avatar for cathy crossbuck

Hi, Running Windows XP, Service Pack 3, Internet Explorer 8. When I do a Google Search and click on a destination it gets redirected. I have run numerous scans and virus checks. After cleaning my computer, it still redirects. I tried running the tasks in your 'do this first' post and also tried some other things (running Ad-Aware, Fix-It Utilities 11 - deleted them when they didn't fix the problem before trying something else; emptying prefetch file, etc.) Below are the log files from the 'do this first' tasks:

(Thanks in advance! Any help will be appreciated. I am not an advanced computer user and I am trying to avoid having to reinstall Windows. Just doing this much was a challenge!)

MALWARE BYTES:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6176

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/26/2011 2:36:51 PM
mbam-log-2011-03-26 (14-36-51).txt

Scan type: Full scan (C:\|)
Objects scanned: 179715
Time elapsed: 29 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\udagesagubi.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Drecosuyeg (Trojan.Hiloti) -> Value: Drecosuyeg -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\udagesagubi.dll (Trojan.Hiloti) -> Delete on reboot.

GMER ONE AND TWO:
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-03-26 13:54:44
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST980813AS rev.3.ADB
Running: 8gpbct0w.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\agkyyfob.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86ED127F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86ED127F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 86ED127F
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST980813AS______________________________3.ADB___#5&1f698b3f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-26 14:02:09
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST980813AS rev.3.ADB
Running: 8gpbct0w.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\agkyyfob.sys


---- System - GMER 1.0.15 ----

SSDT A010F76E ZwCreateKey
SSDT A010F764 ZwCreateThread
SSDT A010F773 ZwDeleteKey
SSDT A010F77D ZwDeleteValueKey
SSDT A010F782 ZwLoadKey
SSDT A010F750 ZwOpenProcess
SSDT A010F755 ZwOpenThread
SSDT A010F78C ZwReplaceKey
SSDT A010F787 ZwRestoreKey
SSDT A010F778 ZwSetValueKey

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86ED127F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86ED127F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 86ED127F
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST980813AS______________________________3.ADB___#5&1f698b3f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0016414d263a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001641747b30 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001641b0b1e2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016414d263a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641747b30 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641b0b1e2 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016414d263a
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641747b30
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641b0b1e2

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

DDS TEXT FILE:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by User at 14:41:39.10 on Sat 03/26/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.372 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\Apoint\Apntex.exe
svchost.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Documents and Settings\User\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.survivaltopics.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0401.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0401.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0401.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-20 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-20 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-20 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-20 61960]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-2 136176]
.
=============== Created Last 30 ================
.
2011-03-26 02:07:35 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-26 02:07:35 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-23 20:18:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-23 20:18:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-23 01:08:32 0 ----a-w- c:\windows\Ymesab.bin
2011-03-23 01:08:30 -------- d-----w- c:\docume~1\user\locals~1\applic~1\{8D1FF118-5344-4CBF-9A26-26E3B2DCAC1C}
2011-03-12 16:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST980813AS rev.3.ADB -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86ED5439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86edb7d0]; MOV EAX, [0x86edb84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86FD1AB8]
3 CLASSPNP[0xF760EFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007d[0x86F6AF18]
5 ACPI[0xF7495620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86FD5D98]
\Driver\atapi[0x86F63910] -> IRP_MJ_CREATE -> 0x86ED5439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST980813AS______________________________3.ADB___#5&1f698b3f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86ED527F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 14:43:57.50 ===============

DDS ATTACH (attached zip file)

Attach.zip (3.62 KB)
  • 2 Contributors
  • 14 Replies
  • 199 Views
  • 4 Days Discussion Span
  • Latest Post Latest Post by jholland1964
Member Avatar for jholland1964

Hi and welcome to daniweb. You have a rootkit infection. You need to do the following:
Please read carefully and follow these steps.

* Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
* Extract its contents to your desktop.
* Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

* If an infected file is detected, the default action will be Cure, click on Continue.

* If a suspicious file is detected, the default action will be Skip, click on Continue.

* It may ask you to reboot the computer to complete the process. Click on Reboot Now.

* If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
* If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Member Avatar for cathy crossbuck

Thanks! That was quick. It found a malicious object and sucessfully removed it.

2011/03/26 22:05:48.0734 5876 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/26 22:05:48.0953 5876 ================================================================================
2011/03/26 22:05:48.0953 5876 SystemInfo:
2011/03/26 22:05:48.0953 5876
2011/03/26 22:05:48.0953 5876 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/26 22:05:48.0953 5876 Product type: Workstation
2011/03/26 22:05:48.0953 5876 ComputerName: USER-8E19CF174C
2011/03/26 22:05:48.0953 5876 UserName: User
2011/03/26 22:05:48.0953 5876 Windows directory: C:\WINDOWS
2011/03/26 22:05:48.0953 5876 System windows directory: C:\WINDOWS
2011/03/26 22:05:48.0953 5876 Processor architecture: Intel x86
2011/03/26 22:05:48.0953 5876 Number of processors: 2
2011/03/26 22:05:48.0953 5876 Page size: 0x1000
2011/03/26 22:05:48.0953 5876 Boot type: Normal boot
2011/03/26 22:05:48.0953 5876 ================================================================================
2011/03/26 22:05:49.0359 5876 Initialize success
2011/03/26 22:05:57.0765 5996 ================================================================================
2011/03/26 22:05:57.0765 5996 Scan started
2011/03/26 22:05:57.0765 5996 Mode: Manual;
2011/03/26 22:05:57.0765 5996 ================================================================================
2011/03/26 22:05:58.0562 5996 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/26 22:05:58.0609 5996 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/26 22:05:58.0687 5996 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/26 22:05:58.0781 5996 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/26 22:05:59.0046 5996 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2011/03/26 22:05:59.0265 5996 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/26 22:05:59.0312 5996 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/26 22:05:59.0437 5996 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/26 22:05:59.0531 5996 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/26 22:05:59.0656 5996 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/03/26 22:05:59.0687 5996 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/03/26 22:05:59.0734 5996 avipbb (5fedef54757b34fb611b9ec8fb399364) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/03/26 22:05:59.0812 5996 b57w2k (c0acd392ece55784884cc208aafa06ce) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/03/26 22:05:59.0968 5996 BCM43XX (345d38f298368dd6b0df5c4f37457a22) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/03/26 22:06:00.0109 5996 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/26 22:06:00.0171 5996 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2011/03/26 22:06:00.0203 5996 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2011/03/26 22:06:00.0265 5996 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
2011/03/26 22:06:00.0343 5996 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2011/03/26 22:06:00.0453 5996 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/26 22:06:00.0562 5996 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/26 22:06:00.0656 5996 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/26 22:06:00.0687 5996 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/26 22:06:00.0750 5996 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/03/26 22:06:00.0859 5996 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/03/26 22:06:00.0937 5996 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/03/26 22:06:01.0093 5996 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/26 22:06:01.0218 5996 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/26 22:06:01.0343 5996 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/26 22:06:01.0421 5996 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/26 22:06:01.0515 5996 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/26 22:06:01.0578 5996 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/26 22:06:01.0718 5996 DSproct (2ac2372ffad9adc85672cc8e8ae14be9) C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys
2011/03/26 22:06:01.0859 5996 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/26 22:06:01.0890 5996 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/03/26 22:06:01.0937 5996 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/26 22:06:01.0984 5996 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/03/26 22:06:02.0062 5996 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/03/26 22:06:02.0125 5996 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/26 22:06:02.0156 5996 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/26 22:06:02.0234 5996 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/26 22:06:02.0312 5996 guardian2 (c0bdab85f3e8b2138c513255e2bcc4d8) C:\WINDOWS\system32\Drivers\oz776.sys
2011/03/26 22:06:02.0359 5996 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/03/26 22:06:02.0421 5996 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/26 22:06:02.0593 5996 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
2011/03/26 22:06:02.0703 5996 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
2011/03/26 22:06:02.0796 5996 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/26 22:06:02.0921 5996 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/26 22:06:03.0187 5996 ialm (e8c7cc369c2fb657e0792af70df529e6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/03/26 22:06:03.0546 5996 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/26 22:06:03.0671 5996 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/26 22:06:03.0703 5996 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/03/26 22:06:03.0750 5996 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/26 22:06:03.0812 5996 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/26 22:06:03.0843 5996 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/26 22:06:03.0875 5996 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/26 22:06:03.0921 5996 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/26 22:06:03.0968 5996 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/26 22:06:04.0062 5996 Iviaspi (4ac11b2250106774f694df2db4ffed61) C:\WINDOWS\system32\drivers\iviaspi.sys
2011/03/26 22:06:04.0093 5996 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/26 22:06:04.0140 5996 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/26 22:06:04.0187 5996 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/26 22:06:04.0250 5996 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/26 22:06:04.0375 5996 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/03/26 22:06:04.0468 5996 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/26 22:06:04.0546 5996 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/26 22:06:04.0593 5996 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/26 22:06:04.0656 5996 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/26 22:06:04.0718 5996 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/26 22:06:04.0812 5996 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/26 22:06:04.0921 5996 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/26 22:06:04.0984 5996 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/26 22:06:05.0031 5996 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/26 22:06:05.0078 5996 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/26 22:06:05.0125 5996 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/26 22:06:05.0171 5996 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/26 22:06:05.0218 5996 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/26 22:06:05.0281 5996 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/26 22:06:05.0328 5996 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/26 22:06:05.0359 5996 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/26 22:06:05.0406 5996 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/26 22:06:05.0484 5996 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/26 22:06:05.0546 5996 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/26 22:06:05.0593 5996 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/26 22:06:05.0796 5996 NETw5x32 (90f7fad201e62732cbe6625b07e4c8f1) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
2011/03/26 22:06:06.0062 5996 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/26 22:06:06.0093 5996 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/26 22:06:06.0203 5996 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/26 22:06:06.0437 5996 nv (0390b9368ea20dfb9e416a520b28a555) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/03/26 22:06:06.0859 5996 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/26 22:06:06.0890 5996 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/26 22:06:06.0984 5996 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/03/26 22:06:07.0031 5996 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/26 22:06:07.0078 5996 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/26 22:06:07.0171 5996 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/26 22:06:07.0296 5996 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/03/26 22:06:07.0328 5996 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/03/26 22:06:07.0578 5996 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/26 22:06:07.0609 5996 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/26 22:06:07.0640 5996 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/26 22:06:07.0812 5996 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/26 22:06:07.0875 5996 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/26 22:06:07.0921 5996 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/26 22:06:07.0937 5996 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/26 22:06:07.0984 5996 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/26 22:06:08.0046 5996 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/26 22:06:08.0125 5996 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/26 22:06:08.0218 5996 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/26 22:06:08.0296 5996 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/26 22:06:08.0437 5996 regi (001b4278407f4303efc902a2b16f2453) C:\WINDOWS\system32\drivers\regi.sys
2011/03/26 22:06:08.0671 5996 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2011/03/26 22:06:08.0984 5996 s24trans (96b4494d4734970f47c566e098c4f527) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/03/26 22:06:09.0296 5996 SBRE (c1ae5d1f53285d79a0b73a62af20734f) C:\WINDOWS\system32\drivers\SBREdrv.sys
2011/03/26 22:06:09.0531 5996 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/26 22:06:09.0828 5996 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/03/26 22:06:09.0875 5996 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/03/26 22:06:09.0937 5996 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/26 22:06:10.0031 5996 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/26 22:06:10.0093 5996 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/26 22:06:10.0140 5996 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/26 22:06:10.0218 5996 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/03/26 22:06:10.0328 5996 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
2011/03/26 22:06:10.0484 5996 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/03/26 22:06:10.0531 5996 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/26 22:06:10.0578 5996 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/26 22:06:10.0796 5996 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/26 22:06:10.0890 5996 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/26 22:06:10.0968 5996 TcUsb (5ca437a08509fb7ecf843480fc1232e2) C:\WINDOWS\system32\Drivers\tcusb.sys
2011/03/26 22:06:11.0015 5996 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/26 22:06:11.0046 5996 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/26 22:06:11.0078 5996 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/26 22:06:11.0187 5996 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/26 22:06:11.0281 5996 ULCDRHlp (a4e07da3ae2078bd96e84d4baa07b71d) C:\WINDOWS\system32\Drivers\ULCDRHlp.sys
2011/03/26 22:06:11.0375 5996 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/26 22:06:11.0484 5996 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/26 22:06:11.0515 5996 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/26 22:06:11.0578 5996 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/26 22:06:11.0656 5996 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/03/26 22:06:11.0734 5996 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/26 22:06:11.0765 5996 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/26 22:06:11.0796 5996 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/26 22:06:11.0812 5996 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/26 22:06:11.0843 5996 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/26 22:06:11.0890 5996 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/26 22:06:11.0953 5996 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/26 22:06:12.0062 5996 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
2011/03/26 22:06:12.0171 5996 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/03/26 22:06:12.0250 5996 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/26 22:06:12.0250 5996 ================================================================================
2011/03/26 22:06:12.0250 5996 Scan finished
2011/03/26 22:06:12.0250 5996 ================================================================================
2011/03/26 22:06:12.0265 5988 Detected object count: 1
2011/03/26 22:06:34.0265 5988 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/03/26 22:06:34.0265 5988 \HardDisk0 - ok
2011/03/26 22:06:34.0265 5988 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/03/26 22:06:45.0578 5844 Deinitialize success

Member Avatar for jholland1964

Cathy, that only removed the rootkit, there likely are more infected files on there. Even though MBA-M had removed some the rootkit would likely have brought in more that it would not allow MBA-M to clean at that time or others which could not be found by MBA-M

Now do the following:
Please download ComboFix by sUBs from
http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix..
• Then post back here with that log.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Edited by jholland1964 because: n/a
Member Avatar for cathy crossbuck

OK, I guess I will admit to my screw up first. When I went to the link for combofix, I clicked on the wrong link. I clicked on the green download box. It is under the heading combofix and doesn't say it is something else. It was Registry Reviver. I downloaded, but wasn't sure about it, so I went to the page and clicked for the info next to the download box and it still talked about combofix so I ran it. It doesn't seem to have hurt anything (it removed 25 of 137 things - I didn't want to pay for anything), but when I didn't have a combofix.txt file I knew for sure I had done the wrong thing. Sigh. I hope it didn't do any harm. I subsequently ran combofix and below is the combofix.txt file:

ComboFix 11-03-26.02 - User 03/27/2011 13:46:35.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.444 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\User\Local Settings\Application Data\{8D1FF118-5344-4CBF-9A26-26E3B2DCAC1C}
c:\documents and settings\User\Local Settings\Application Data\{8D1FF118-5344-4CBF-9A26-26E3B2DCAC1C}\chrome.manifest
c:\documents and settings\User\Local Settings\Application Data\{8D1FF118-5344-4CBF-9A26-26E3B2DCAC1C}\chrome\content\_cfg.js
c:\documents and settings\User\Local Settings\Application Data\{8D1FF118-5344-4CBF-9A26-26E3B2DCAC1C}\chrome\content\overlay.xul
c:\documents and settings\User\Local Settings\Application Data\{8D1FF118-5344-4CBF-9A26-26E3B2DCAC1C}\install.rdf
c:\webupdater\WebUpdater.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-27 to 2011-03-27 )))))))))))))))))))))))))))))))
.
.
2011-03-27 17:29 . 2011-03-27 17:29 -------- d-----w- c:\documents and settings\User\Application Data\Reviversoft
2011-03-27 17:28 . 2011-03-27 17:28 -------- d-----w- c:\program files\Reviversoft
2011-03-27 17:28 . 2011-03-16 17:28 16704 ----a-w- c:\windows\system32\roboot.exe
2011-03-26 22:51 . 2011-03-26 22:51 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-26 22:48 . 2011-03-26 22:48 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Sunbelt Software
2011-03-26 22:45 . 2011-03-26 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-03-26 22:45 . 2011-03-26 22:45 -------- d-----w- c:\program files\Lavasoft
2011-03-26 20:27 . 2011-03-26 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Avanquest
2011-03-26 20:24 . 2011-03-26 21:30 -------- d-----w- c:\documents and settings\User\Application Data\Avanquest
2011-03-26 20:23 . 2011-03-26 21:30 -------- d-----w- c:\program files\Common Files\AntiVirus
2011-03-26 20:22 . 2011-03-26 20:22 -------- d-----w- c:\program files\Avanquest
2011-03-26 02:07 . 2011-03-26 02:07 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-23 20:18 . 2011-03-26 00:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-23 20:18 . 2011-03-26 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-23 17:49 . 2011-03-23 17:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-23 04:47 . 2011-03-23 04:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-03-23 02:12 . 2011-03-23 02:12 -------- d--h--w- c:\documents and settings\LocalService\Application Data\GTek
2011-03-23 01:08 . 2011-03-26 04:15 0 ----a-w- c:\windows\Ymesab.bin
2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-18 13:23 . 2010-04-20 15:24 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2009-05-03 17:13 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-05-03 17:13 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 10:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 10:00 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-04 39408]
"Registry Reviver"="c:\program files\Reviversoft\Registry Reviver\RegistryReviver.exe" [2011-03-16 1736000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-04 68592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]
"nwiz"="nwiz.exe" [2008-02-22 1626112]
"NVHotkey"="nvHotkey.dll" [2008-02-22 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-22 86016]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-05-21 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-05-21 1202448]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe" [2010-02-12 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-18 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [3/26/2011 6:51 PM 98392]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/20/2010 11:24 AM 135336]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 11:09 PM 11032]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2010 8:24 AM 136176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-02 12:24]
.
2011-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-02 12:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.survivaltopics.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
AddRemove-The Weather Channel Desktop 6 - c:\program files\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-27 13:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\netprovcredman.dll
.
Completion time: 2011-03-27 13:53:15
ComboFix-quarantined-files.txt 2011-03-27 17:53
.
Pre-Run: 71,142,277,120 bytes free
Post-Run: 71,282,278,400 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - A45F70FD60838DA5F2E99D2161012E67

Member Avatar for jholland1964

Well, the Registry Reviver is most definitely NOT a good program, in fact it is considered Rogue Software. You said it removed some files, it didn't happen to produce a log or do a backup did it?
At least you ran combofix AFTER installing it and not before, but it put itself into the registry when it installed so we're going to have to get rid of it also.

Go to Add/Remove and Uninstall it immediately.

Also I have another question, in the Combofix log Avanquest AntiVirus shows as being installed yesterday.

Why? You all ready had Avira, which is one of the top av programs available today why did you install another antivirus program and one which certainly is much lower ranked? While Avira, or most anti-virus programs, do not stop a rootkit, Avira is one, if configured correctly will at least FIND a rootkit. Most rootkits do require special tools for removal, anti-virus programs usually don't remove them but Avira would certainly scan for them if configured to do so and would then give notification if one was found. I honestly don't know much about Avanquest except I haven't seen it on the lists of Top Ten av programs and I don't believe it is free but a paid program only. The only listings I have found say Free to try, meaning this is temporarily free and after a certain amount of time the program will expire and cease to work unless it is paid for.

Avanquest definitely did NOT show in previous logs.

The combofix logs also show that you also installed AdAware and Spybot yesterday. SpyBot is fine, AdAware, while not a bad program is just not what it used to be and is somewhat redundant if you have SpyBot on there.

Edited by jholland1964 because: n/a
Member Avatar for cathy crossbuck

I am chastised and hanging my head in shame. I have removed Registry Reviver. It makes me curious why the sites with the good stuff have the bad stuff so prominently at the top...

Yes, I installed Avanquest yesterday. Yes, I use Avira. Avira is my preferred Anti-Virus. Over the last several days, I tried a variety of programs to see if they would find things not previously found. I did the stuff in your 'do this before you post' and then I ran Avanquest and when it did not solve the problem, I removed it. Same with AdAware and Spybot. I tried both, and removed both. Then I gave up and asked for help, using the logs already on file.

I did not run anything after running TDSKiller last night, until today's adventure with Registry Retriever and Combobox.

This computer has Avira for anti-virus and Malwarebytes for malware.

Does the Combobox log suggest my system is ok or do I need to run something else as well now?

I was interested that Combobox said Microsoft Windows recovery console was not installed or needed updates (I selected yes to fix). Is that related to why there were no restore points? I have found on a number of occasions that when one of the family computers has been infected with something malicious that the restore points have been wiped. Is there some way to protect the restore points?

Member Avatar for jholland1964

>>>I am chastised and hanging my head in shame.

Hey, not really your fault and no need to be ashammed, happens to people all the time. I agree totally with what you say here...
>>>It makes me curious why the sites with the good stuff have the bad stuff so prominently at the top...It happens a lot to people. One way to avoid that is use AdBlock on the browser, then those ads like that, and that is what those things are, ads. Then they don't even show.
Now we go forward;
We wouldn't recommend something that would not be compatible with your system so no worries there, but Combofix is a one time only tool, it isn't something you keep on the system.
We will remove that shortly.

The Recovery Console offered by combofix is really optional and not required.
Recovery Console and system restore are not the same thing. If a Windows XP-based computer does not start correctly or if it does not start at all, you may be able to use the Windows Recovery Console to help you recover the system software. It really is very limited though.

System Restore is entirely different. System Restore actually operates only on a very few system files and settings. System Restore backs up your registry. System Restore does not backup your data. If you delete or damage a file, System Restore will not recover it.
System Restore will NOT uninstall a program, INCLUDING an infection. In fact if you have installed a program and find you don't want it if you use System Restore it may leave you with much of the program but it just won't be listed in Add/Remove, making it much harder to uninstall. This also holds true for an infection. If you would try to go back to a time BEFORE the infection entered your computer, and you would really have to almost know the exact minute it came onto the computer, then all you would do is make it harder to remove. The infected files may not be listed anymore but likely would still be there but harder to remove. System Restore is meant to restore from very RECENT changes like just day or two, not weeks.
System Restore only keeps the points for a short time, depending on how much disk space you have allotted for it. Once that space is filled up then old points are deleted. I keep my System Restore very small, gives me more disk space and also that way I don't have weeks and weeks of old restore points. I wouldn't want them anyway.

I would like you to UPDATE MBA-M, do a Full Scan with it and have it Remove Everything it finds. Reboot. Post back here with the log, even if it shows clean, I need to see it.

Then do this:
Please Run the ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14
* You can use Internet Explorer or Firefox to complete this scan and you will need to allow an Active X to be installed.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Post back with that log too.
Judy

Edited by jholland1964 because: n/a
Member Avatar for cathy crossbuck

Here is the MBA-M log. Next step to follow...

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6186

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/27/2011 5:14:28 PM
mbam-log-2011-03-27 (17-14-28).txt

Scan type: Full scan (C:\|)
Objects scanned: 182699
Time elapsed: 28 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Member Avatar for cathy crossbuck

Here is the ESet Online Scanner log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=39b443246d0f454eba76b8fe6f7e6861
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-27 09:57:52
# local_time=2011-03-27 05:57:52 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 16775141 100 93 0 37679578 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=45324
# found=30
# cleaned=30
# scan_time=1284
C:\Documents and Settings\User\Desktop\RegistryReviverSetup.exe a variant of Win32/RegistryReviver application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP10\A0019913.rbf a variant of Win32/Kryptik.FNT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020709.exe a variant of Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020710.exe Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020711.dll probably a variant of Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020716.dll a variant of Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020736.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020738.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020740.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020742.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020744.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020746.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020748.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020750.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020752.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020754.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020758.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020760.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020762.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020764.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020766.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020768.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020770.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020774.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020776.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020778.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020780.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020782.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020784.ini Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D00FE68-F6F1-47E4-9A72-E001A683FE5B}\RP13\A0020804.exe a variant of Win32/RegistryReviver application (deleted - quarantined) 00000000000000000000000000000000 C

Member Avatar for jholland1964

Good, got rid of that RegistryReviver and look at the files removed from System Restore.
Ok, let's remove combofix:
Uninstall Combofix:
Go Start > Run
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK.
Restart computer.
Your installed programs list doesn't show any Java installed, it shows a Java Updater, which is useless really but no Java.
You do need Java to view many websites correctly.
Go to this site and install the most recent version

http://www.java.com/en/download/index.jsp

Then;
You also need to set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow it to shut down.
Wait a moment. Then go back in and take that check mark Out so that System Restore will turn back on.
Also reduce the size to about 5% by moving the slider so that the size is reduced.

I would also recommend that you add this superb protection program
SpywareBlaster
from Javacool
SpywareBlaster doesn't scan for and clean spyware--it prevents it from being installed in the first place. SpywareBlaster prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It can also block spyware/tracking cookies in IE, Mozilla Firefox, Netscape, and many other browsers, and restrict the actions of spyware/ad/tracking sites.

Download, install, update, Enable All protection and close the program. Manually check for updates every couple weeks and when there is an update follow the procedure above. This program really offers top notch FREE protection in addition to your other programs and it is compatible with all other security programs.
If all is well think you are good to go, unless you have other questions or other concerns.
Judy

Edited by jholland1964 because: n/a
Member Avatar for cathy crossbuck

I have followed the above steps.

The restore tab was already check marked 'shut down', so I unchecked it and reduced the size.

Oddly, I have a new icon on the desktop for Internet Explorer. I am not sure when that appeared. I only just noticed it after doing everything else. The new icon does not have the shortcut symbol on it. The icon I had been using was a shortcut icon. Can I delete the extra one? (If it was a shortcut I probably wouldn't ask.)

In one of your previous replies, you mentioned an add blocker. What do you recommend?

I appreciate your help getting this cleaned up. I will watch it for a few days and let you know how it goes. Thanks again.

Member Avatar for jholland1964

You can delete the extra IE icon, you would only need one. Here is the Adblock for IE
http://simple-adblock.com/

You might consider Firefox, it is a more secure browser, slightly different from IE but generally faster, easily configured. I have used it for years, rarely use IE anymore unless I have to use it. http://www.mozilla.com/en-US/firefox/new/

You do need to make certain you have proper security settings for IE. You want to be certain that 3rd party cookies are blocked, those are ones that are from ads on a web page and you don't want those, you only want the ones from the site you are visiting.
In IE go to Tools, Internet Options, Privacy, Advanced button. Make sure there is a dot in Allow 1st party cookies and a dot in the Don't Allow 3rd Party cookies and a check mark in allow session cookies.
Ok, your way out.

commented: Great step-by-step help through this thread. Thanks! +1
Member Avatar for cathy crossbuck

Thank you. This was very helpful and I am up, running and getting where I need to go. I appreciate all the extra tips as well.

Member Avatar for jholland1964

Happy I could help.
Judy

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.