# ZA problem



## valis (Sep 24, 2004)

hola.....got a friend of mine who has picked up some sort of rootkit. Combofix in safe mode states it's ZA that has injected itself into the tcp/ip stack. Anytime I boot in normal mode I get the usual voices and 'your machine is spamming and you could lose your ISP over this' warning, but it never boots all the way to where I can run _anything_. Once I got as far as to run rkill and then had mobility with the rig, but now I cannot even get to that point.

Anyone know of any ways to at least get the machine to boot regularly, or is there some work I can do in safe mode w/networking? He's a pretty good friend, and this is one of those rigs I generally work on for free......

Again, I can get to safe mode with networking, so pretty sure I can get here if necessary (the machine is at my workplace) so if necessary I can run some diags on it in safe mode...

thanks,

v


----------



## etaf (Oct 2, 2003)

probably no help as this is in the golden shield forum 
is ZA zone alarm - or should I get my coat  

have you tried removing ZA? is it an old version ?
also tcp/ip reset

maybe worth running Farbar Service Scanner to see the services

*------------------------------------------------------------------------*
*Services - Farbar Service Scanner, free*

We would like to see some status information for each of the services on the PC goto

http://www.technibble.com/fabar-service-scanner/

and download the free scanner tool

There's a direct link to the program here
http://download.bleepingcomputer.com/farbar/FSS.exe

Now "double click" on the downloaded file to run the scanner; the scanner program will now open

tick *all* the options, and then click on *scan*

the scan results will open automatically in a separate window in the notepad program.

Now all you need to do is copy and paste those results to a reply here
to do that:
From the notepad menu - choose *Edit* - *Select all* 
all the text will be highlighted
Next
From the notepad menu - choose *Edit* - *Copy*
Now go back to the forum - reply and then right click in the reply box and *paste*

if you have any issues, a log file called FSS.txt will be created in the same directory as the program is run from.

*------------------------------------------------------------------------*
*------------------------------------------------------------------------*

*TCP/IP stack repair options for use with Vista/Windows 7*

Start, Programs\Accessories and *right click on Command Prompt, select "Run as Administrator"* to open a command prompt.

_Note: Type only the text in *bold* for the following commands._

Reset WINSOCK entries to installation defaults: *netsh winsock reset catalog*

Reset IPv4 TCP/IP stack to installation defaults: *netsh int ipv4 reset reset.log*
and press enter

Reset IPv6 TCP/IP stack to installation defaults: *netsh int ipv6 reset reset.log*
and press enter

Reboot the machine.

If you receive the message 
*The requested operation requires elevation.*
Then please open the command prompt as administrator - as requested above 
Start, Programs\Accessories and *right click on Command Prompt, select "Run as Administrator"* to open a command prompt.

Please note and post back - if you receive the message 
*Access is Denied*

Post back the results here - we need to know these commands worked correctly
right-click in the box
select all
enter
control key + C key - to copy
then reply here and 
control key + V to paste

*------------------------------------------------------------------------*

*TCP/IP stack repair options for use with Windows XP with SP2/SP3*

*S*tart, *R*un, *CMD* to open a command prompt:

In the command prompt window that opens, type the following commands:

_Note: Type only the text in *bold* for the following commands._

Reset TCP/IP stack to installation defaults, type: *netsh int ip reset reset.log*
and press enter

Reset WINSOCK entries to installation defaults, type: *netsh winsock reset catalog*
and press enter

Reboot the machine.

Please note and post back - if you receive the message 
*Access is Denied*

Post back the results here 
right-click in the box
select all
enter
control key + C key - to copy
then reply here and 
control key + V to paste
*------------------------------------------------------------------------*


----------



## valis (Sep 24, 2004)

left in here on purpose.......should probably move it to the virus thread, however....... I'll do that next.

ZA means get your raincoat; zero access rootkit.

again, I need to stress that safe mode with networking is about all I get to........you want me to run those tests in safe mode?


----------



## etaf (Oct 2, 2003)

could try the tcp/ip reset - but i have my coat, scarf and hat on and walking out the door, quickly


----------



## valis (Sep 24, 2004)

nice try bub......yer in it now.


----------



## valis (Sep 24, 2004)

seriously, though, is there anything I can do in safe mode to enable me to do _anything_ in regular mode?


----------



## etaf (Oct 2, 2003)




----------



## etaf (Oct 2, 2003)

> seriously, though, is there anything I can do in safe mode to enable me to do anything in regular mode?


don't know really - you could try the tcp/ip resets

and then delete all the post here - not helping and just clogs up the post


----------



## valis (Sep 24, 2004)

is that a 'no' or a 'no way in hades am I helping you with this mess' look?


----------



## valis (Sep 24, 2004)

already moved it to the virus forum, hondo......


----------



## valis (Sep 24, 2004)

when I say it's doa in regular mode, it's exactly that.........cannot do a single thing. I need to find a way to get combofix to run at boot or some such in order to do anything in regular mode.


----------



## Cookiegal (Aug 27, 2003)

What's the OS Tim?


----------



## valis (Sep 24, 2004)

xp sp3


----------



## valis (Sep 24, 2004)

and thanks, Karen........


----------



## Cookiegal (Aug 27, 2003)

Can you try running ComboFix again in Safe Mode?


----------



## valis (Sep 24, 2004)

I had let it run for an hour......should I let it run longer? I got the reco console installed, and that was when combofix told me it was a ZA rootkit......


----------



## valis (Sep 24, 2004)

let CF run for 9.5 hours yesterday in safe mode, nada.....is this a nuke and pave about now?


----------



## Cookiegal (Aug 27, 2003)

No, not yet.

Please go  here and download the *TDSSKiller.exe* to your desktop.

Double-click to TDSSKiller.exe on your desktop to run it.
Click on *Start Scan*
As we don't want to fix anything yet, if any malicious objects are detected, *do NOT select Cure* but select *Skip* instead.
It will produce a log once it finishes in the root drive which should look like this example:

C:\TDSSKiller.<version_date_time>log.txt

Please copy and paste the contents of that log in your next reply.


----------



## valis (Sep 24, 2004)

safe mode, or normal mode? remember, normal mode is pretty much not an option currently.


----------



## Cookiegal (Aug 27, 2003)

Whatever mode you can get to. 

It doesn't need networking capabilities (other than to download the program but you can just transfer it over).


----------



## valis (Sep 24, 2004)

ran tds, got combofix to run in safe mode, it stated it needed to reboot, let it reboot into normal mode, dunno if it's hung or not, (cf screen is up stating cf is preparing to run) will give it 30 minutes and then reboot back into safe and try again.......

I got the rkill info if you want it.


----------



## valis (Sep 24, 2004)

okay, CF is running in normal mode.....only up to phase 3 currently, will keep you updated.


----------



## valis (Sep 24, 2004)

CF is still running, but here's what TDS found in safe mode.


----------



## Cookiegal (Aug 27, 2003)

Wait a bit longer for ComboFix but if it won't complete then run TDSSKiller again and cure everything it finds this time.


----------



## valis (Sep 24, 2004)

cf finished.......log attached. 

Now what? I will be away from this rig in about 3 hours until monday, so no huge rush....Chris is just extremely grateful that we are taking the time to work on it. 100+ karma points for ya, Karen.


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - Run and then copy and paste the following command to change permissions and then click OK:

*cmd /c swxcacls "c:\windows\$NtUninstallKB55466$" /reset /q*

You will see the black DOS-type window open briefly and then close.

Then:

Open Notepad and copy and paste the text in the code box below into it:


```
Folder::
c:\windows\$NtUninstallKB55466$
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Then run TDSSKiller again and let it cure anything it finds and post that log.


----------



## Cookiegal (Aug 27, 2003)

Are you able to connect with the computer yet?


----------



## Cookiegal (Aug 27, 2003)

If it can connect, I'd like to check a file:

Please go to *VirusTotal* and upload the following file for scanning.

Click *Browse*
Copy and paste the contents of the following code box into the text box next to *File name:* then click *Open* 

```
c:\windows\system32\iRThJCO.com_
```

Click *Send File*
If confronted with two options, choose *Reanalyse file now*
Wait for the scan to finish and then copy and paste the URL from your browser address bar in your next reply please.

If it still can't connect then please run this:

You will need to transfer this small program to the infected computer via USB flash drive.

Please download *Farbar Service Scanner* and transfer it to the desktop of the computer with the issue.
Make sure only the following option is checked:
*Internet Services*

Press "*Scan*".
It will create a log (FSS.txt) in the same directory the tool is run (which should be on the desktop.)
Please copy and paste the log to your reply.


----------



## valis (Sep 24, 2004)

/me trots down to the other end of the building.

Let you know shortly, Karen.........:up:


----------



## Cookiegal (Aug 27, 2003)

Must have trotted right out of the building.


----------



## valis (Sep 24, 2004)

couldn't get online after several reboots, ip release, etc....didn't do the netsh stuff as just ran out of time. Attached is the cf and rkill logs. The rkill was run AFTER the last CF reboot in an attempt to get online......doubt I'll get a chance to work on this more today, plan for Lundi?


----------



## valis (Sep 24, 2004)

btw, is KB55466 legit or is that the indicator?


----------



## Cookiegal (Aug 27, 2003)

It's not legit, it's the rootkit.


----------



## Cookiegal (Aug 27, 2003)

Can you run Farbar before you go?


----------



## valis (Sep 24, 2004)

nope, can't get to the internet on that rig......I'll run it monday AM.

Thanks a zillion, Karen.......owe you big on this one, as does Chris........:up:


----------



## Cookiegal (Aug 27, 2003)

I'm pretty sure what has to be done but Farbar will tell us for sure.

See you Monday, my friend.


----------



## valis (Sep 24, 2004)

mercy buckets, mon cherie......


----------



## valis (Sep 24, 2004)

farbar results below:

******************************
Farbar Service Scanner Version: 01-03-2012
Ran by Administrator (administrator) on 09-04-2012 at 07:02:02
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-04 05:00] - [2008-04-13 14:21] - 0162816 ____A () E60F81BC7C76D6EB28F5816311B971B6

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(8) Tcpip(4) 
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****


----------



## Cookiegal (Aug 27, 2003)

OK so we need to replace the patched netbt.sys file with a clean copy.

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1
Download Mirror #2*
Double-click *SystemLook.exe* to run it.
Copy the content of the following code box into the main text field:

```
:filefind
netbt.*
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## valis (Sep 24, 2004)

nada.

SystemLook 30.07.11 by jpshortstuff
Log created at 07:29 on 09/04/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for " netbt.*"
No files found.

-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

Alright, please try again with this script:


```
:filefind
netbt.sys
```


----------



## valis (Sep 24, 2004)

SystemLook 30.07.11 by jpshortstuff
Log created at 08:10 on 09/04/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "netbt.sys"
C:\WINDOWS\$NtServicePackUninstall$\netbt.sys	---h-c- 162816 bytes	[20:06 17/08/2008]	[10:00 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\ServicePackFiles\i386\netbt.sys	---h-c- 162816 bytes	[18:04 17/08/2008]	[19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\drivers\netbt.sys	--a---- 162816 bytes	[10:00 04/08/2004]	[19:21 13/04/2008] E60F81BC7C76D6EB28F5816311B971B6

-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
FCopy::
C:\WINDOWS\ServicePackFiles\i386\netbt.sys | C:\WINDOWS\system32\drivers\netbt.sys
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe










This will start ComboFix again. It may ask to reboot. If it doesn't reboot after the fix is complete, reboot manually please. Then post the contents of Combofix.txt in your next reply and let me know if you can connect to the Internet.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*
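The two posts above show the check and the repair by hand: SystemLook lists every copy of netbt.sys with its size, timestamps and MD5, the copy under system32\drivers has the same size and modification time as the SP3 copy in ServicePackFiles but a different hash, and the CFScript FCopy:: line restores the ServicePackFiles copy over the patched one. The script below is an added example, not part of the thread or of SystemLook or ComboFix; it parses SystemLook ":filefind" lines (the three lines from the thread are embedded as constructed sample input), applies the "same size and timestamp, different hash" heuristic to flag the live driver as likely patched and pick the backup to restore from, and renders the matching FCopy:: directive. The heuristic and the function names are this example's own assumptions.

```python
import re
from collections import defaultdict
from ntpath import basename

# Constructed sample input: the three tab-separated lines SystemLook's
# ":filefind netbt.sys" printed in the thread above.
SYSTEMLOOK_OUTPUT = (
    "C:\\WINDOWS\\$NtServicePackUninstall$\\netbt.sys\t---h-c- 162816 bytes"
    "\t[20:06 17/08/2008]\t[10:00 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B\n"
    "C:\\WINDOWS\\ServicePackFiles\\i386\\netbt.sys\t---h-c- 162816 bytes"
    "\t[18:04 17/08/2008]\t[19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D\n"
    "C:\\WINDOWS\\system32\\drivers\\netbt.sys\t--a---- 162816 bytes"
    "\t[10:00 04/08/2004]\t[19:21 13/04/2008] E60F81BC7C76D6EB28F5816311B971B6\n"
)

# path <ws> 7-char attribute flags <ws> size bytes <ws> [created] <ws> [modified] <ws> MD5
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(text):
    """Parse SystemLook :filefind result lines into dicts; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def is_live_driver(path):
    """The copy the kernel actually loads lives under system32\\drivers."""
    return "\\system32\\drivers\\" in path.lower()


def assess(entries):
    """Compare each live driver with Windows' own backup copies of the same file.

    Heuristic (this example's assumption): a backup with the same size and
    modification timestamp is the same build, so if its MD5 differs the live
    file has been altered in place and that backup is the restore source.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[basename(e["path"]).lower()].append(e)

    report = {}
    for name, group in by_name.items():
        live = [e for e in group if is_live_driver(e["path"])]
        backups = [e for e in group if not is_live_driver(e["path"])]
        if not live:
            report[name] = {"status": "no-live-copy"}
            continue
        live = live[0]
        same_build = [b for b in backups
                      if b["size"] == live["size"] and b["modified"] == live["modified"]]
        if any(b["md5"] == live["md5"] for b in same_build):
            status, restore_from = "matches-backup", None
        elif same_build:
            status, restore_from = "likely-patched", same_build[0]["path"]
        else:
            status, restore_from = "no-comparable-backup", None
        report[name] = {"status": status, "live_path": live["path"],
                        "live_md5": live["md5"], "restore_from": restore_from}
    return report


def cfscript_fcopy(report):
    """Render a ComboFix FCopy:: block (source | destination) for flagged drivers."""
    lines = [f"{r['restore_from']} | {r['live_path']}"
             for r in report.values() if r.get("status") == "likely-patched"]
    return "FCopy::\n" + "\n".join(lines) if lines else ""


if __name__ == "__main__":
    result = assess(parse_filefind(SYSTEMLOOK_OUTPUT))
    for name, r in result.items():
        print(name, r)
    print(cfscript_fcopy(result))
```

On the thread's data this flags netbt.sys as likely patched and names the ServicePackFiles copy as the restore source, which is exactly the FCopy:: line Cookiegal wrote. The hash comparison only says the live file differs from the backup; it cannot tell a malicious patch from a later hotfix, so a vendor hash list (as Farbar's "MD5 is legit" check uses) remains the authoritative confirmation.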


----------



## valis (Sep 24, 2004)

CF contents below.

*************************
ComboFix 12-04-04.02 - Administrator 04/09/2012 8:41.3.1 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\netbt.sys --> c:\windows\system32\drivers\netbt.sys
.
((((((((((((((((((((((((( Files Created from 2012-03-09 to 2012-04-09 )))))))))))))))))))))))))))))))
.
.
2012-04-09 13:47 . 2012-04-09 13:47	56200	-c--a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F8EDB43-E86B-46A6-939F-EC44A8786F0B}\offreg.dll
2012-04-09 13:46 . 2012-04-09 13:46	29904	-c--a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F8EDB43-E86B-46A6-939F-EC44A8786F0B}\MpKsl17f1f22d.sys
2012-04-06 18:05 . 2008-04-13 19:15	64512	----a-w-	c:\windows\system32\drivers\Serial.sys
2012-04-05 15:43 . 2011-07-15 13:29	457856	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2012-04-05 15:41 . 2008-04-14 00:11	792064	----a-w-	c:\windows\system32\comres.dll
2012-04-04 18:20 . 2012-04-04 18:20 --------	dc-h--w-	c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-04-04 15:59 . 2012-03-14 00:15	6582328	-c-ha-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F8EDB43-E86B-46A6-939F-EC44A8786F0B}\mpengine.dll
2012-04-04 15:58 . 2012-01-31 12:44	237072	------w-	c:\windows\system32\MpSigStub.exe
2012-04-04 15:56 . 2012-04-04 15:57	--------	dc-h--w-	c:\program files\Microsoft Security Client
2012-03-21 05:31 . 2012-03-21 05:31	592824	---ha-w-	c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-21 05:31 . 2012-03-21 05:31	44472	---ha-w-	c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-06 13:19 . 2008-04-22 19:38	57600	----a-w-	c:\windows\system32\drivers\redbook.sys
2012-02-03 09:22 . 2004-08-04 10:00	1860096	---ha-w-	c:\windows\system32\win32k.sys
2012-03-21 05:31 . 2011-05-07 04:43	97208	---ha-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-07-12 20480]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-07 114688]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-4-22 114688]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-7-11 450560]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 02:59	937920	-c-ha-r-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-08-31 01:57	40368	-c-ha-w-	c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-04-20 17:48	58656	-c-ha-w-	c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 18:25	202560	---ha-w-	c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 21:33	421160	-c-ha-w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38	421888	-c-ha-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 136176]
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
S1 MpKsl17f1f22d;MpKsl17f1f22d;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F8EDB43-E86B-46A6-939F-EC44A8786F0B}\MpKsl17f1f22d.sys [2012-04-09 29904]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL17F1F22D
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService	REG_MULTI_SZ HPSLPSVC
hpdevmgmt	REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2012-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 17:39]
.
2012-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 17:39]
.
2012-04-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-04-09 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.25.25
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\m7shtpr7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3008668&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Productivity 3.1 Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3008668&SearchSource=13
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-09 08:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-436374069-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,40,95,58,47,9a,1b,4b,87,dc,20,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,40,95,58,47,9a,1b,4b,87,dc,20,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(800)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2012-04-09 08:55:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-09 13:55
ComboFix2.txt 2012-04-06 18:18
ComboFix3.txt 2012-04-06 15:01
.
Pre-Run: 23,585,140,736 bytes free
Post-Run: 23,621,132,288 bytes free
.
- - End Of File - - A57C284ADC3DE9F18FD94B94CBCF9922


----------



## valis (Sep 24, 2004)

as it's in reduced functionality mode, you wish I should d/l a fresh copy and re-run that?


----------



## Cookiegal (Aug 27, 2003)

Yes please. It doesn't look like it worked. Drag the current one to the Recycle Bin and download the latest version.


----------



## valis (Sep 24, 2004)

roger that.......back shortly.


----------



## Cookiegal (Aug 27, 2003)

10-4.


----------



## valis (Sep 24, 2004)

aaaaaaaaaaand here's the new one, roger wilco over and out. 

ComboFix 12-04-09.02 - Administrator 04/09/2012 9:21.4.1 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\netbt.sys --> c:\windows\system32\drivers\netbt.sys
.
((((((((((((((((((((((((( Files Created from 2012-03-09 to 2012-04-09 )))))))))))))))))))))))))))))))
.
.
2012-04-09 13:47 . 2012-04-09 13:47	56200	-c--a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F8EDB43-E86B-46A6-939F-EC44A8786F0B}\offreg.dll
2012-04-09 13:46 . 2012-04-09 13:46	29904	-c--a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F8EDB43-E86B-46A6-939F-EC44A8786F0B}\MpKsl17f1f22d.sys
2012-04-06 18:05 . 2008-04-13 19:15	64512	-c--a-w-	c:\windows\system32\dllcache\serial.sys
2012-04-06 18:05 . 2008-04-13 19:15	64512	----a-w-	c:\windows\system32\drivers\Serial.sys
2012-04-05 15:43 . 2011-07-15 13:29	457856	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2012-04-05 15:41 . 2008-04-14 00:11	792064	----a-w-	c:\windows\system32\comres.dll
2012-04-04 18:20 . 2012-04-04 18:20	--------	dc-h--w-	c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-04-04 15:59 . 2012-03-14 00:15	6582328	-c-ha-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F8EDB43-E86B-46A6-939F-EC44A8786F0B}\mpengine.dll
2012-04-04 15:58 . 2012-01-31 12:44	237072	------w-	c:\windows\system32\MpSigStub.exe
2012-04-04 15:56 . 2012-04-04 15:57	--------	dc-h--w-	c:\program files\Microsoft Security Client
2012-03-21 05:31 . 2012-03-21 05:31	592824	---ha-w-	c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-21 05:31 . 2012-03-21 05:31	44472	---ha-w-	c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-06 13:19 . 2008-04-22 19:38	57600	----a-w-	c:\windows\system32\drivers\redbook.sys
2012-02-03 09:22 . 2004-08-04 10:00	1860096	---ha-w-	c:\windows\system32\win32k.sys
2012-03-21 05:31 . 2011-05-07 04:43	97208	---ha-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-07-12 20480]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-07 114688]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-4-22 114688]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-7-11 450560]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 02:59	937920	-c-ha-r-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-08-31 01:57	40368	-c-ha-w-	c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-04-20 17:48	58656	-c-ha-w-	c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 18:25	202560	---ha-w-	c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 21:33	421160	-c-ha-w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38	421888	-c-ha-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 136176]
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
S1 MpKsl17f1f22d;MpKsl17f1f22d;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F8EDB43-E86B-46A6-939F-EC44A8786F0B}\MpKsl17f1f22d.sys [2012-04-09 29904]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL17F1F22D
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService	REG_MULTI_SZ HPSLPSVC
hpdevmgmt	REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2012-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 17:39]
.
2012-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 17:39]
.
2012-04-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-04-09 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.25.25
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\m7shtpr7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3008668&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Productivity 3.1 Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3008668&SearchSource=13
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-09 09:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-436374069-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,40,95,58,47,9a,1b,4b,87,dc,20,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,40,95,58,47,9a,1b,4b,87,dc,20,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3784)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-04-09 09:32:09
ComboFix-quarantined-files.txt 2012-04-09 14:32
ComboFix2.txt 2012-04-09 13:55
ComboFix3.txt 2012-04-06 18:18
ComboFix4.txt 2012-04-06 15:01
.
Pre-Run: 23,585,456,128 bytes free
Post-Run: 23,596,347,392 bytes free
.
- - End Of File - - 5EF46821BD237FF9B85E9B67BB9F338B


----------



## Cookiegal (Aug 27, 2003)

Are you able to connect now?


----------



## valis (Sep 24, 2004)

dunno.....give me about 20 minutes, got some work stuff to knock out.......

thanks, Karen.


----------



## Cookiegal (Aug 27, 2003)

No problema.


----------



## valis (Sep 24, 2004)

gonna be a bit......they are having an IT conf in the room I have to use (long story) to work on NON-work rigs......can't imagine it will be more than an hour or two, tops.

thanks again, Karen.


----------



## Cookiegal (Aug 27, 2003)

Whenever you can do it is fine. It's a miserable, rainy day here so I'll be around.


----------



## valis (Sep 24, 2004)

nope, cannot get to the internet.......'rpc server is unavailable'......


----------



## Cookiegal (Aug 27, 2003)

Please run Farbar again.


----------



## valis (Sep 24, 2004)

roger that........back shortly.


----------



## valis (Sep 24, 2004)

searched for both of them, listed below in order.

:filefind
netbt.sys

SystemLook 30.07.11 by jpshortstuff
Log created at 12:08 on 09/04/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "netbt.sys"
C:\WINDOWS\$NtServicePackUninstall$\netbt.sys	---h-c- 162816 bytes	[20:06 17/08/2008]	[10:00 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\ServicePackFiles\i386\netbt.sys	-----c- 162816 bytes	[18:04 17/08/2008]	[19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\dllcache\netbt.sys	--a--c- 162816 bytes	[10:00 04/08/2004]	[19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\drivers\netbt.sys	--a---- 162816 bytes	[10:00 04/08/2004]	[19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D

-= EOF =-

:filefind
netbt.*

SystemLook 30.07.11 by jpshortstuff
Log created at 12:07 on 09/04/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "netbt.*"
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir	--a---- 162816 bytes	[10:00 04/08/2004]	[19:21 13/04/2008] E60F81BC7C76D6EB28F5816311B971B6
C:\WINDOWS\$NtServicePackUninstall$\netbt.sys	---h-c- 162816 bytes	[20:06 17/08/2008]	[10:00 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\ServicePackFiles\i386\netbt.sys	-----c- 162816 bytes	[18:04 17/08/2008]	[19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\dllcache\netbt.sys	--a--c- 162816 bytes	[10:00 04/08/2004]	[19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\drivers\netbt.svs	--a---- 162816 bytes	[16:26 04/04/2012]	[19:21 13/04/2008] 64FF53D7ACED86548176E7280CBB0D5F
C:\WINDOWS\system32\drivers\netbt.sys	--a---- 162816 bytes	[10:00 04/08/2004]	[19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D

-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

Sorry, I wanted you to run a new scan with Farbar so we can see what may be blocking things now.


----------



## valis (Sep 24, 2004)

whups, guess that's what you meant by 'farbar'.......

brb.......


----------



## valis (Sep 24, 2004)

et voila.

Farbar Service Scanner Version: 01-03-2012
Ran by Administrator (administrator) on 09-04-2012 at 12:36:42
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(8) Tcpip(4) 
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****
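The "Extra List" block at the end of that FSS log is the part that tells you whether the TCP/IP driver chain is still ordered the way Windows expects. The decoder below is an added example for this thread, not Farbar's own code. It assumes the hex string is a GroupOrderList-style REG_BINARY value (one little-endian DWORD count, then that many little-endian DWORD tags) and that `Name(n)` in the line above it means the service `Name` carries Tag `n`; both strings it works on are copied from the log above.

```python
"""Decode the driver load-order blob that Farbar Service Scanner prints under 'Extra List'.

Added example; it is not Farbar's code. Assumptions: the hex string is the
REG_BINARY of a GroupOrderList value (a little-endian DWORD count followed by
that many little-endian DWORD tags), and 'Name(n)' in the line above it means
service Name has Tag n. The functions recover the load order and report tags
that have no named driver, or named drivers whose Tag is absent from the list.
"""
import re
import struct

# Both strings are copied from the FSS log in the thread.
FSS_EXTRA_LIST = "Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(8) Tcpip(4)"
FSS_BLOB = "0x080000000500000001000000020000000300000004000000080000000600000007000000"


def decode_group_order(blob_hex):
    """Return the tag sequence encoded in a GroupOrderList-style blob."""
    raw = bytes.fromhex(blob_hex[2:] if blob_hex[:2].lower() == "0x" else blob_hex)
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("blob is not a whole number of DWORDs")
    count = struct.unpack_from("<I", raw, 0)[0]
    if 4 + 4 * count != len(raw):
        raise ValueError(f"count {count} does not match {len(raw) - 4} payload bytes")
    return list(struct.unpack_from(f"<{count}I", raw, 4))


def parse_tags(extra_list):
    """Map driver name -> Tag from text like 'Gpc(3) IPSec(5) ...'."""
    return {m.group(1): int(m.group(2)) for m in re.finditer(r"(\w+)\((\d+)\)", extra_list)}


def load_order(extra_list, blob_hex):
    """Pair each tag in the blob with its driver; also list drivers whose Tag is not in the blob."""
    tags = decode_group_order(blob_hex)
    name_by_tag = {t: n for n, t in parse_tags(extra_list).items()}
    ordered = [(t, name_by_tag.get(t, "<no named driver>")) for t in tags]
    missing = sorted(n for n, t in parse_tags(extra_list).items() if t not in tags)
    return ordered, missing


if __name__ == "__main__":
    order, absent = load_order(FSS_EXTRA_LIST, FSS_BLOB)
    for position, (tag, name) in enumerate(order, 1):
        print(f"{position}. tag {tag}: {name}")
    print("drivers with no tag in the order list:", absent or "none")
```

For the log above this yields count 8 and the order 5, 1, 2, 3, 4, 8, 6, 7, so IPSec (tag 5) is first and every named driver has its tag present, which is what FSS summarises as "IpSec Tag value is correct". Tags 1 and 2 have no driver in the printed list; FSS only names a subset of the group, so that alone is not a finding.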


----------



## Cookiegal (Aug 27, 2003)

Did you reboot after replacing the netbt.sys file?


----------



## Cookiegal (Aug 27, 2003)

Try starting the DHCP Client service.


----------



## valis (Sep 24, 2004)

okey doke.....back shortly.


----------



## valis (Sep 24, 2004)

connected at the problem machine......some weird stuff with IE redirecting at first.....any logs you want to see?


----------



## Cookiegal (Aug 27, 2003)

Please go to the following link and download and run TDSSKiller:

http://support.kaspersky.com/viruses/solutions?qid=208280684

Allow it to cure anything if prompted.

Please post the log back here.


----------



## valis (Sep 24, 2004)

found nada.....want me to change the parameters to anything?


----------



## Cookiegal (Aug 27, 2003)

No, that's fine. Are you still getting redirects?

Please download aswMBR.exe and save it to your desktop.

Double click aswMBR.exe to start the tool (Vista/Windows 7 users - right click to run as administrator) and allow it to download the Avast database.

Click *Scan*.

Upon completion of the scan, click *Save log* then save it to your desktop and post that log in your next reply for review. 
*Note - do NOT attempt any Fix yet.*


----------



## valis (Sep 24, 2004)

it's not so much a redirect as 'this page has been recovered'........which was happening a ton right before the rootkit got full control.....back shortly.


----------



## Cookiegal (Aug 27, 2003)

I have to take Brandy out for a walk so I'll check back later. In the meantime, you can also do this if you wish to save some time.

Download *OTL* to your Desktop. 

Double-click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. 
Click the Quick Scan button. Do not change any settings unless otherwise instructed. The scan won't take long. 
When the scan completes, it will open two Notepad windows called *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL. 
Please copy and paste the contents of both of these files here in your next reply.


----------



## valis (Sep 24, 2004)

scanning now, will check it in 20 or so........btw, you guys have the _coolest_ damn toys I've ever seen.


----------



## valis (Sep 24, 2004)

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-09 13:53:34
-----------------------------
13:53:34.184 OS Version: Windows 5.1.2600 Service Pack 3
13:53:34.184 Number of processors: 1 586 0x304
13:53:34.184 ComputerName: HOME-B3392EFE51 UserName: Administrator
13:53:34.840 Initialize success
13:56:08.996 AVAST engine defs: 12040901
13:56:15.731 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:56:15.731 Disk 0 Vendor: ST340014A 8.16 Size: 38146MB BusType: 3
13:56:15.746 Disk 0 MBR read successfully
13:56:15.746 Disk 0 MBR scan
13:56:15.793 Disk 0 Windows XP default MBR code
13:56:15.809 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38138 MB offset 63
13:56:15.871 Disk 0 scanning sectors +78108030
13:56:15.949 Disk 0 scanning C:\WINDOWS\system32\drivers
13:56:48.793 Service scanning
13:57:08.996 Service MpKsl17f1f22d c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F8EDB43-E86B-46A6-939F-EC44A8786F0B}\MpKsl17f1f22d.sys **LOCKED** 32
13:57:34.184 Modules scanning
13:57:44.715 Disk 0 trace - called modules:
13:57:44.731 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS 
13:57:45.246 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87fcbab8]
13:57:45.246 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87f4ad98]
13:57:45.512 AVAST engine scan C:\WINDOWS
13:58:05.215 AVAST engine scan C:\WINDOWS\system32
14:03:39.184 AVAST engine scan C:\WINDOWS\system32\drivers
14:04:15.840 AVAST engine scan C:\Documents and Settings\Administrator
14:29:25.793 AVAST engine scan C:\Documents and Settings\All Users
14:31:19.715 Scan finished successfully
14:48:11.918 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
14:48:11.934 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"


----------



## Cookiegal (Aug 27, 2003)

Yeah, we do, don't we? 

That report shows everything is fine.

Please post the OTL log.

How's the system behaving?


----------



## valis (Sep 24, 2004)

hadn't started the OTL scan as the other hadn't finished.......let me go get that running.......


----------



## valis (Sep 24, 2004)

odd......getting a MS error stating that OTL has encountered a problem and needs to close, and asking if I want to send the debugging report.....downloaded it again and gave it a generic name and it still happened......


----------



## Cookiegal (Aug 27, 2003)

Download *OTS.exe* to your Desktop. 

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Double-click on *OTS.exe* to start the program.
Under the *Additional Scans* section put a check in the box next to Disabled MS Config Items, Drivers32, NetSvcs, SafeBoot Minimal and EventViewer logs (Last 10 errors)
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## valis (Sep 24, 2004)

there isn't a fish on the bookshelf.

back in a minute.


----------



## valis (Sep 24, 2004)

attached.


----------



## valis (Sep 24, 2004)

good lord......when you post back, can you tell me what the heck you were looking for in that log?


----------



## Cookiegal (Aug 27, 2003)

valis said:


> there isn't a fish on the bookshelf.


April Fools?


----------



## valis (Sep 24, 2004)

Da........


----------



## Cookiegal (Aug 27, 2003)

valis said:


> good lord......when you post back, can you tell me what the heck you were looking for in that log?


Anything that shouldn't be there. 

And there are some remnants.

Start *OTS*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


```
[Kill All Processes]
[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  Jl1rL5.dat -> C:\Documents and Settings\All Users\Application Data\Jl1rL5.dat
NY ->  System Check.lnk -> C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
NY ->  6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files - No Company Name]
NY ->  Jl1rL5.dat -> C:\Documents and Settings\All Users\Application Data\Jl1rL5.dat
NY ->  System Check.lnk -> C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[Files/Folders - Unicode - All]
NY -> C:\WINDOWS\System32\com?epl.dll -> C:\WINDOWS\System32\comǲepl.dll
[Empty Temp Folders]
[EmptyFlash]
[EmptyJava]
[Start Explorer]
[Reboot]
```
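Two of the entries in this thread are classic look-alikes: the SystemLook search earlier turned up `netbt.svs` sitting next to `netbt.sys` with a different MD5, and the OTS fix above targets `comǲepl.dll`, whose name carries a non-ASCII character so it renders as `com?epl.dll`. The script below is an added example for spotting both patterns in a listing of this shape; it is not SystemLook, OTS or ComboFix code. It parses lines in the SystemLook `filefind` format, takes reference hashes from the `dllcache` and `ServicePackFiles\i386` copies found in the same listing, and flags names one edit away from a reference file (with a non-matching hash), same-name files with a non-matching hash, and non-ASCII characters in `system32` file names. The sample listing is constructed: the `netbt` lines reproduce the SystemLook output posted earlier, and the `comǲepl.dll` line is a placeholder because the thread gives no size or hash for that file.

```python
"""Flag look-alike and hash-mismatched system files in a directory listing.

Added example for this thread; it is not SystemLook, OTS or ComboFix code.
Input lines follow the SystemLook 'filefind' layout (path, attributes, size,
two timestamps, MD5). Reference hashes are taken from the dllcache and
ServicePackFiles\\i386 copies present in the same listing.
"""
import re
import unicodedata
from collections import defaultdict

# Constructed sample. The netbt lines reproduce the SystemLook output above;
# the last line is a placeholder for comǲepl.dll (size and MD5 are not in the
# thread, so zeros are used).
SAMPLE_LISTING = (
    "C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\Drivers\\netbt.sys.vir\t--a----\t162816 bytes\t"
    "[10:00 04/08/2004]\t[19:21 13/04/2008] E60F81BC7C76D6EB28F5816311B971B6\n"
    "C:\\WINDOWS\\$NtServicePackUninstall$\\netbt.sys\t---h-c-\t162816 bytes\t"
    "[20:06 17/08/2008]\t[10:00 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B\n"
    "C:\\WINDOWS\\ServicePackFiles\\i386\\netbt.sys\t-----c-\t162816 bytes\t"
    "[18:04 17/08/2008]\t[19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D\n"
    "C:\\WINDOWS\\system32\\dllcache\\netbt.sys\t--a--c-\t162816 bytes\t"
    "[10:00 04/08/2004]\t[19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D\n"
    "C:\\WINDOWS\\system32\\drivers\\netbt.svs\t--a----\t162816 bytes\t"
    "[16:26 04/04/2012]\t[19:21 13/04/2008] 64FF53D7ACED86548176E7280CBB0D5F\n"
    "C:\\WINDOWS\\system32\\drivers\\netbt.sys\t--a----\t162816 bytes\t"
    "[10:00 04/08/2004]\t[19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D\n"
    # placeholder entry (constructed): the thread gives no size or MD5 for this file
    "C:\\WINDOWS\\System32\\com\u01f2epl.dll\t--a----\t0 bytes\t"
    "[00:00 01/01/2012]\t[00:00 01/01/2012] 00000000000000000000000000000000\n"
)

LINE_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
REFERENCE_DIRS = ("\\system32\\dllcache\\", "\\servicepackfiles\\i386\\")
IGNORED_DIRS = ("\\qoobox\\", "\\$ntservicepackuninstall$\\")  # quarantine / SP uninstall copies


def parse_listing(text):
    """Parse filefind-style lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].upper()
        rec["name"] = rec["path"].rsplit("\\", 1)[-1]
        records.append(rec)
    return records


def reference_hashes(records):
    """Known-good MD5s per lower-cased file name, taken from the Windows backup copies."""
    refs = defaultdict(set)
    for rec in records:
        if any(d in rec["path"].lower() for d in REFERENCE_DIRS):
            refs[rec["name"].lower()].add(rec["md5"])
    return refs


def one_edit_away(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def non_ascii_chars(name):
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in name if ord(c) > 127]


def find_lookalikes(records):
    """Return (path, reason) pairs for entries that deserve a closer look."""
    refs = reference_hashes(records)
    findings = []
    for rec in records:
        low = rec["path"].lower()
        if any(d in low for d in IGNORED_DIRS):
            continue
        name = rec["name"].lower()
        odd = non_ascii_chars(rec["name"])
        if odd and "\\windows\\system32\\" in low:
            desc = ", ".join(f"{c!r} U+{ord(c):04X} {n}" for c, n in odd)
            findings.append((rec["path"], f"non-ASCII character in system file name: {desc}"))
        for ref_name, hashes in refs.items():
            if rec["md5"] in hashes:
                continue
            if name == ref_name:
                findings.append((rec["path"], f"MD5 {rec['md5']} differs from reference copies of {ref_name}"))
            elif one_edit_away(name, ref_name):
                findings.append((rec["path"], f"name is one edit away from {ref_name} and MD5 does not match its reference copies"))
    return findings


if __name__ == "__main__":
    for path, reason in find_lookalikes(parse_listing(SAMPLE_LISTING)):
        print(f"{path}\n    {reason}")
```

Run against the sample it reports exactly the two files the helpers went after: `drivers\netbt.svs` (one edit from `netbt.sys`, hash unlike the `dllcache` and `ServicePackFiles` copies) and `System32\comǲepl.dll` (U+01F2 in the name). The quarantine copy and the pre-SP3 uninstall copy are skipped on purpose, since those are expected to carry different hashes.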


----------



## valis (Sep 24, 2004)

one moment......my aunts' hat looks like a big pineapple.

back shortly.......


----------



## Cookiegal (Aug 27, 2003)

Tim, are you still there? Wait please.


----------



## valis (Sep 24, 2004)

yup.......getting a very weird runtime error.


----------



## valis (Sep 24, 2004)

and I did not click 'run fix' btw.


----------



## Cookiegal (Aug 27, 2003)

I noticed there were a lot of hidden files and this one does that so wanted you to run this first.

Please download *Unhide* and save it to your desktop. Double-click the *Unhide.exe* icon on your desktop and allow the program to run. This program will remove the hidden attribute from all the files on your hard drives, some of which were set by malware. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

This may take some time so please be patient and wait for it to finish.

Then after that you can run the OTS fix please.


----------



## valis (Sep 24, 2004)

link no workee.


----------



## Cookiegal (Aug 27, 2003)

Sorry....

http://download.bleepingcomputer.com/grinler/unhide.exe


----------



## valis (Sep 24, 2004)

that tool could come in handy.......


----------



## Cookiegal (Aug 27, 2003)

Yup, it's neat alright. 

Can you run the OTS fix now?


----------



## valis (Sep 24, 2004)

it's, um, running.......but it kicked out a plethora of errors stating to run chkdsk.....is this normal, and how long should I run it for?

I have to start the server maintenance in 10 or so minutes (nice 15 hour day today) so should I kill it if it's still running at that time?


----------



## Cookiegal (Aug 27, 2003)

You can stop it from running. We can continue tomorrow. Let's see what errors are being generated in the Event Viewer.

Please go to *Start *- *Run *- type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.

Also, please run ComboFix again and post the new log.


----------



## valis (Sep 24, 2004)

All Processes Killed
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\All Users\Application Data\Jl1rL5.dat moved successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk moved successfully.
C:\WINDOWS\003047_.tmp deleted successfully.
C:\WINDOWS\SET29.tmp deleted successfully.
C:\WINDOWS\SET2A.tmp deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
[Files - No Company Name]
File C:\Documents and Settings\All Users\Application Data\Jl1rL5.dat not found!
File C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk not found!
[Files/Folders - Unicode - All]
File move failed. C:\WINDOWS\System32\comǲepl.dll scheduled to be moved on reboot.
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 54503130 bytes
->Temporary Internet Files folder emptied: 62571264 bytes
->Java cache emptied: 23844415 bytes
->FireFox cache emptied: 741320938 bytes
->Google Chrome cache emptied: 350851685 bytes
->Apple Safari cache emptied: 184252416 bytes
->Flash cache emptied: 3095468 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 16204 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 33579 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 9502889 bytes

Total Files Cleaned = 1,364.00 mb

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

[EMPTYJAVA]

User: Administrator
->Java cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.47.2 fix logfile created on 04092012_180752

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\System32\comǲepl.dll scheduled to be moved on reboot.
C:\WINDOWS\temp\HPSLPSVC0000.log moved successfully.

Registry entries deleted on Reboot...


----------



## valis (Sep 24, 2004)

got a LOT of weird error messages trying to connect to the internet......just posted what I had, started MSE on a full scan, and killed the monitor..........


----------



## Cookiegal (Aug 27, 2003)

Please post the errors and the new ComboFix scan results.


----------



## valis (Sep 24, 2004)

um....don't think you told me to run a CF pass.......I'm just running an MSE, will check it tomorrow.....hip-deep in router config now, but that's probably more than you wanted to know.......


----------



## Cookiegal (Aug 27, 2003)

valis said:


> um....*don't think you told me to run a CF pass*.......I'm just running an MSE, will check it tomorrow.....hip-deep in router config now, but that's probably more than you wanted to know.......


Yup, post no. 93.


----------



## valis (Sep 24, 2004)

Never saw that Karen........my bad.......was too busy watching error flash up......

I'll run it tomorrow am and go from there........thanks again for all your assistance on this.........


----------



## Cookiegal (Aug 27, 2003)

Sounds good to me. :up:


----------



## valis (Sep 24, 2004)

CF text......running a bit smoother, btw.....

ComboFix 12-04-09.02 - Administrator 04/10/2012 7:15.5.1 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\ADMINI~1\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\Administrator\Local Settings\temp\IadHide4.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-03-10 to 2012-04-10 )))))))))))))))))))))))))))))))
.
.
2012-04-10 12:29 . 2012-04-10 12:29	56200	-c--a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B815F629-2BBB-4583-9C26-E38CC7151A6C}\offreg.dll
2012-04-10 12:25 . 2012-04-10 12:25	--------	d-----w-	C:\found.000
2012-04-09 23:29 . 2012-03-14 00:15	6582328	-c--a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-09 23:28 . 2012-03-14 00:15	6582328	-c--a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B815F629-2BBB-4583-9C26-E38CC7151A6C}\mpengine.dll
2012-04-09 23:07 . 2012-04-09 23:07	--------	dc----w-	C:\_OTS
2012-04-06 18:05 . 2008-04-13 19:15	64512	----a-w-	c:\windows\system32\drivers\Serial.sys
2012-04-05 15:43 . 2011-07-15 13:29	457856	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2012-04-05 15:41 . 2008-04-14 00:11	792064	----a-w-	c:\windows\system32\comres.dll
2012-04-04 18:20 . 2012-04-04 18:20	--------	dc----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-04-04 15:58 . 2012-01-31 12:44	237072	------w-	c:\windows\system32\MpSigStub.exe
2012-04-04 15:56 . 2012-04-04 15:57	--------	dc----w-	c:\program files\Microsoft Security Client
2012-03-21 05:31 . 2012-03-21 05:31	592824	----a-w-	c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-21 05:31 . 2012-03-21 05:31	44472	----a-w-	c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-06 13:19 . 2008-04-22 19:38	57600	----a-w-	c:\windows\system32\drivers\redbook.sys
2012-02-03 09:22 . 2004-08-04 10:00	1860096	----a-w-	c:\windows\system32\win32k.sys
2012-03-21 05:31 . 2011-05-07 04:43	97208	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-07-12 20480]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-07 114688]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-4-22 114688]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-7-11 450560]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 02:59	937920	-c--a-r-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-08-31 01:57	40368	-c--a-w-	c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-04-20 17:48	58656	-c--a-w-	c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 18:25	202560	----a-w-	c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 21:33	421160	-c--a-w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38	421888	-c--a-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 136176]
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService	REG_MULTI_SZ HPSLPSVC
hpdevmgmt	REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 17:39]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 17:39]
.
2012-04-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-04-10 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.25.25
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\m7shtpr7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3008668&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Productivity 3.1 Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3008668&SearchSource=13
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-10 07:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-436374069-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,40,95,58,47,9a,1b,4b,87,dc,20,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,40,95,58,47,9a,1b,4b,87,dc,20,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(608)
c:\windows\system32\WININET.dll
c:\docume~1\ADMINI~1\LOCALS~1\Temp\IadHide4.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2012-04-10 07:37:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-10 12:36
ComboFix2.txt 2012-04-09 14:32
ComboFix3.txt 2012-04-09 13:55
ComboFix4.txt 2012-04-06 18:18
ComboFix5.txt 2012-04-10 12:13
.
Pre-Run: 24,384,200,704 bytes free
Post-Run: 24,502,792,192 bytes free
.
- - End Of File - - C3EA185B8705D470A4EDDC78614D3969


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on the *Open Misc Tools section* button. Click on the *Open Uninstall Manager* button. Click the *Save List* button. Save the list then copy and paste it here.

Also, please post the errors I asked for in post no. 93.


----------



## valis (Sep 24, 2004)

post 93........

Event Type:	Error
Event Source:	SecurityCenter
Event Category:	None
Event ID:	1802
Date: 4/10/2012
Time: 7:28:22 AM
User: N/A
Computer:	HOME-B3392EFE51
Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 0e 10 04 80 ...

Event Type:	Error
Event Source:	MPSampleSubmission
Event Category:	None
Event ID:	5000
Date: 4/9/2012
Time: 8:20:58 PM
User: N/A
Computer:	HOME-B3392EFE51
Description:
EventType mptelemetry, P1 0, P2 moaccapability, P3 3.0.8402.0, P4 0, P5 0, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

Event Type:	Error
Event Source:	MPSampleSubmission
Event Category:	None
Event ID:	5000
Date: 4/9/2012
Time: 6:41:46 PM
User: N/A
Computer:	HOME-B3392EFE51
Description:
EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P2 3.0.8402.0, P3 timeout, P4 1.1.8202.0, P5 fixed, P6 1 _ 2048, P7 5 _ not boot, P8 NIL, P9 NIL, P10 NIL.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

Event Type:	Error
Event Source:	SecurityCenter
Event Category:	None
Event ID:	1802
Date: 4/9/2012
Time: 6:17:50 PM
User: N/A
Computer:	HOME-B3392EFE51
Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 0e 10 04 80 ...

Event Type:	Error
Event Source:	MPSampleSubmission
Event Category:	None
Event ID:	5000
Date: 4/9/2012
Time: 6:03:23 PM
User: N/A
Computer:	HOME-B3392EFE51
Description:
EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P2 3.0.8402.0, P3 timeout, P4 1.1.8202.0, P5 fixed, P6 1 _ 2048, P7 5 _ not boot, P8 NIL, P9 NIL, P10 NIL.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 4/9/2012
Time: 3:02:25 PM
User: N/A
Computer:	HOME-B3392EFE51
Description:
Faulting application otl2.exe, version 3.2.39.2, faulting module kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 4/9/2012
Time: 3:01:28 PM
User: N/A
Computer:	HOME-B3392EFE51
Description:
Faulting application otl.exe, version 3.2.39.2, faulting module kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 4/9/2012
Time: 1:22:50 PM
User: N/A
Computer:	HOME-B3392EFE51
Description:
Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.18854, fault address 0x00209f9c.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

Event Type:	Error
Event Source:	MPSampleSubmission
Event Category:	None
Event ID:	5000
Date: 4/9/2012
Time: 12:56:50 PM
User: N/A
Computer:	HOME-B3392EFE51
Description:
EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P2 3.0.8402.0, P3 timeout, P4 1.1.8202.0, P5 fixed, P6 1 _ 2048, P7 5 _ not boot, P8 NIL, P9 NIL, P10 NIL.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

Event Type:	Error
Event Source:	MPSampleSubmission
Event Category:	None
Event ID:	5000
Date: 4/9/2012
Time: 11:53:56 AM
User: N/A
Computer:	HOME-B3392EFE51
Description:
EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P2 3.0.8402.0, P3 timeout, P4 1.1.8202.0, P5 fixed, P6 1 _ 2048, P7 5 _ not boot, P8 NIL, P9 NIL, P10 NIL.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:


----------



## valis (Sep 24, 2004)

that was app, let me hit system real quick:

Event Type:	Error
Event Source:	Workstation
Event Category:	None
Event ID:	5727
Date: 4/10/2012
Time: 7:27:03 AM
User: N/A
Computer:	HOME-B3392EFE51
Description:
Could not load RDR device driver.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 34 00 00 c0 4..À

Event Type:	Error
Event Source:	Workstation
Event Category:	None
Event ID:	5727
Date: 4/9/2012
Time: 6:15:14 PM
User: N/A
Computer:	HOME-B3392EFE51
Description:
Could not load RDR device driver.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 34 00 00 c0 4..À

Event Type:	Error
Event Source:	Ntfs
Event Category:	Disk 
Event ID:	55
Date: 4/9/2012
Time: 6:07:55 PM
User: N/A
Computer:	HOME-B3392EFE51
Description:
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 06 00 00 00 02 00 4e 00 ......N.
0008: 02 00 00 00 37 00 04 c0 ....7..À
0010: 00 00 00 00 32 00 00 c0 ....2..À
0018: 18 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type:	Error
Event Source:	Microsoft Antimalware
Event Category:	None
Event ID:	2001
Date: 4/9/2012
Time: 8:55:45 AM
User: N/A
Computer:	HOME-B3392EFE51
Description:
Microsoft Antimalware has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.123.1079.0
Update Source: Microsoft Update Server
Update Stage: Search
Source Path: http://www.microsoft.com
Signature Type: AntiVirus
Update Type: Full
User: NT AUTHORITY\SYSTEM
Current Engine Version: 
Previous Engine Version: 1.1.8202.0
Error code: 0x8024402c
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Workstation
Event Category:	None
Event ID:	5727
Date: 4/9/2012
Time: 8:45:01 AM
User: N/A
Computer:	HOME-B3392EFE51
Description:
Could not load MRxSmb device driver.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 33 00 00 c0 3..À

Event Type:	Error
Event Source:	Windows Update Agent
Event Category:	Software Sync 
Event ID:	16
Date: 4/9/2012
Time: 7:00:46 AM
User: N/A
Computer:	HOME-B3392EFE51
Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

I tried to keep the dupes out.....onto the HJT part.


----------



## valis (Sep 24, 2004)

and here's a pic of that random error message I get from IE.....there's still something wacky with this rig......got this trying to d/l HJT.


----------



## valis (Sep 24, 2004)

here's that IE error. Had to install hjt from a thumbdrive, couldn't get to the site.

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 4/10/2012
Time: 10:53:04 AM
User: N/A
Computer:	HOME-B3392EFE51
Description:
Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.18854, fault address 0x00209f9c.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:


----------



## valis (Sep 24, 2004)

32 Bit HP CIO Components Installer
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.3.1
Adobe Shockwave Player 11.6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Canon Camera Access Library
Canon Camera Support Core Library
Canon Digital Camera Solution Disk 34 Software Starter Guide
Canon Direct Print User Guide
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon PowerShot A470 Camera User Guide
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Comcast High-Speed Internet Install Wizard
Comcast Toolbar
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
Desktop Doctor
Google Chrome
Google Earth
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 13.0
HP Document Manager 2.0
HP Imaging Device Functions 13.0
HP Officejet 4500 G510n-z
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
HPDiagnosticAlert
Instant Play Keyboard Express
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
InterVideo WinDVD
iPhone Configuration Utility
iTunes
Java(TM) 6 Update 29
LiveUpdate 2.0 (Symantec Corporation)
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox 11.0 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Coach Player
OCR Software by I.R.I.S. 13.0
OGA Notifier 2.0.0048.0
QuickTime
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shop for HP Supplies
SoundMAX
Spybot - Search & Destroy 1.3
swMSM
Symantec AntiVirus
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinZip


----------



## Cookiegal (Aug 27, 2003)

Please run the following on-line scanner. Note that you must use Internet Explorer to perform the scan.

Note: If you're running a 64-bit system you have to choose the 32-bit option in IE. To do that, go to the Start Menu and right-click the Internet Explorer (32-bit) icon and then select 'Run as administrator' from the right-click menu.

http://www.eset.com/online-scanner

Accept the Terms of Use and then press the Start button

Allow the ActiveX control to be installed.

Put a check by Remove found threats and then run the scan.

When the scan is finished, you will see the results in a window.

A log.txt file is created here: C:\Program Files\EsetOnlineScanner\log.txt.

Open the log file with Notepad and copy and paste the contents here please.


----------



## valis (Sep 24, 2004)

on it........


----------



## valis (Sep 24, 2004)

can't get there, Karen......just get that run-time error, ok out and the page has been reset....tried about 30 times....any other ideas?


----------



## Cookiegal (Aug 27, 2003)

What is the exact error?


----------



## valis (Sep 24, 2004)

the pic I posted in 105........


----------



## Cookiegal (Aug 27, 2003)

Try running rkill without rebooting and then see if you can get the on-line scan to run.

Also do this:

Please download GMER from: http://gmer.net/index.php

Click on the "Download EXE" button and save the randomly named .exe file to your desktop.

*Note: You must uninstall any CD Emulation programs that you have before running GMER as they can cause conflicts and give false results.*

Double click the GMER .exe file on your desktop to run the tool and it will automatically do a quick scan.

If the tool warns of rootkit activity and asks if you want to run a full scan, click on No and make sure the following are *unchecked* on the right-hand side:

IAT/EAT
Any drive letter other than the primary system drive (which is generally C).

Click the *Scan* button and when the scan is finished, click *Save* and save the log in Notepad with the name ark.txt to your desktop.

*Note: It's important that all other windows be closed and that you don't touch the mouse or do anything with the computer during the scan as it may cause it to freeze. You should disable your screen saver as if it comes on it may cause the program to freeze.*

Open the ark.txt file and copy and paste the contents of the log here please.


----------



## valis (Sep 24, 2004)

jeeze......I can tell I'm running on fumes...shoulda thought of rkill myself...uno momento.


----------



## valis (Sep 24, 2004)

rkill didn't fix it, running gmer now.


----------



## valis (Sep 24, 2004)

gmer below....going to try eset again.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-10 13:31:51
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST340014A rev.8.16
Running: e7bcttu5.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\afndraow.sys

---- System - GMER 1.0.15 ----

SSDT E186B270 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2248] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2248] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9865 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2248] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCEE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2248] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2248] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254602 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2248] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2248] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2248] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2248] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2248] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2248] USER32.dll!DialogBoxIndirectParamA  7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2248] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2248] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2ED748 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2248] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E47A0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3244] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3244] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3244] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3244] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3244] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3244] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3244] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3244] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3244] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9865 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCEE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254602 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2ED748 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E47A0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3684] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
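
The GMER log above is easier to judge mechanically than by eye: the `AttachedDevice` lines show exactly which drivers sit on `\Driver\Tcpip` (the "injected into the TCP/IP stack" claim from the first post), and each `.text ... JMP` line is an inline hook whose target module tells you whether it is expected. The script below is an added example, not part of valis's post and not GMER's own code. It parses a constructed excerpt modelled on the log (the IEFRAME.dll and SYMTDI.SYS entries mirror real lines from it, while `example_hook.dll` and `unknownfilter.sys` are invented for the demo), lists the filters on the TCP/IP device objects, and flags hooks that land somewhere other than the module a process is known to hook itself with; `EXPECTED_HOOK_TARGETS` is an assumed allow-list for the demo.

```python
"""Parse a GMER 1.0.15 text log and pull out what a responder wants to know:
which drivers sit on the TCP/IP stack, and which user-mode inline hooks land
in modules that are not obviously legitimate."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the GMER log posted in the thread. The
# IEFRAME.dll and SYMTDI.SYS lines mirror real entries from that log; the
# example_hook.dll and unknownfilter.sys lines are invented for the demo.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT E186B270 ZwConnectPort

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2248] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2248] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2ED748 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2248] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A1B2C3 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\example_hook.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip unknownfilter.sys

---- EOF - GMER 1.0.15 ----
"""

# ".text <process>[pid] <module>!<api> <addr> <n> Bytes JMP <target> <file> (<vendor>)"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?\[\d+\])\s+(?P<api>\S+!\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)\s+(?P<module>\S.*?)"
    r"(?:\s+\((?P<vendor>[^()]*)\))?\s*$"
)
# "AttachedDevice <driver object> <device object> <filter file> (<vendor>)"
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<filter>\S+)"
    r"(?:\s+\((?P<vendor>[^()]*)\))?\s*$"
)

# Assumed allow-list for the demo: IE hooks its own UI APIs through IEFRAME.dll,
# which is what the thread's log shows and why Cookiegal saw no problem there.
EXPECTED_HOOK_TARGETS = {"iexplore.exe": {"ieframe.dll"}}


def parse_gmer(text):
    """Split a GMER log into inline-hook records and attached-device records."""
    hooks, devices = [], []
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append(m.groupdict())
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append(m.groupdict())
    return {"hooks": hooks, "devices": devices}


def tcpip_filters(devices):
    """Map each TCP/IP device object to the filter drivers attached to it."""
    out = defaultdict(list)
    for d in devices:
        if d["driver"].lower() == r"\driver\tcpip":
            out[d["device"]].append(d["filter"])
    return dict(out)


def suspicious_hooks(hooks):
    """Hooks whose JMP target is not an expected module for that process, or
    whose target carries no vendor string. The vendor string comes from the
    file's version resource and can be faked, so this is triage, not proof."""
    flagged = []
    for h in hooks:
        exe = h["process"].rsplit("\\", 1)[-1].split("[", 1)[0].lower()
        module = h["module"].rsplit("\\", 1)[-1].lower()
        if module in EXPECTED_HOOK_TARGETS.get(exe, set()) and h["vendor"]:
            continue
        flagged.append(h)
    return flagged


def unvendored_filters(devices):
    """Filter drivers that GMER could not attribute to any vendor."""
    return [d["filter"] for d in devices if not d["vendor"]]


if __name__ == "__main__":
    report = parse_gmer(SAMPLE_GMER_LOG)
    for device, drivers in tcpip_filters(report["devices"]).items():
        print(f"{device}: {', '.join(drivers)}")
    for h in suspicious_hooks(report["hooks"]):
        print(f"hook {h['api']} in {h['process']} -> {h['module']} (vendor: {h['vendor']})")
    print("unattributed filters:", unvendored_filters(report["devices"]))
```

Run against the excerpt, the result agrees with Cookiegal's reading of the real log: IE's hooks on USER32 and ole32 all resolve into its own IEFRAME.dll, and the only drivers on the TCP/IP stack are Symantec's SYMTDI.SYS, which is the Norton install valis later removed. The two invented entries are what a hit would look like, and the follow-up on a hit is to check the file's digital signature rather than trust the vendor string.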


----------



## Cookiegal (Aug 27, 2003)

GMER isn't showing any problems.

Do you still have both MSE and Norton installed? They may be causing conflicts.

Try OTL again. Drag it to the Recycle Bin and then download a new copy.

*OTL* to your Desktop. 

Double-click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. 
Click the Quick Scan button. Do not change any settings unless otherwise instructed. The scan won't take long. 
When the scan completes, it will open two Notepad windows called *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL. 
Please copy and paste the contents of both of these files here in your next reply.


----------



## valis (Sep 24, 2004)

crap......I'm sorry Karen......running on about 5 hours sleep since Sunday.....betcha norton and mse are both active.....uno momento.


----------



## valis (Sep 24, 2004)

removed symantec, still got the error.


----------



## valis (Sep 24, 2004)

rebooted too, I forgot to say.


----------



## valis (Sep 24, 2004)

otl still will not run. Here's the error from eventvwr.msc

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 4/10/2012
Time: 2:40:35 PM
User: N/A
Computer:	HOME-B3392EFE51
Description:
Faulting application otl.exe, version 3.2.39.2, faulting module kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 6f 74 6c ure otl
0018: 2e 65 78 65 20 33 2e 32 .exe 3.2
0020: 2e 33 39 2e 32 20 69 6e .39.2 in
0028: 20 6b 65 72 6e 65 6c 33 kernel3
0030: 32 2e 64 6c 6c 20 35 2e 2.dll 5.
0038: 31 2e 32 36 30 30 2e 35 1.2600.5
0040: 37 38 31 20 61 74 20 6f 781 at o
0048: 66 66 73 65 74 20 30 30 ffset 00
0050: 30 31 32 61 66 62 0d 0a 012afb..

beginning to wonder if this is nuke and pave worthy.
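
The Event ID 1000 record above carries the same fault information twice: once in the Description line and once as a hex dump under Data:. When a cleanup tool keeps crashing on a suspect machine it helps to parse such records rather than read them, so repeated crashes can be compared for the same faulting module and offset. The script below is an added example, not from valis's post or from Windows; it embeds the pasted record as its sample input, extracts the faulting application, module and offset from the description, decodes the hex dump back into bytes, and checks that the two agree.

```python
"""Parse a Windows XP Application Error (Event ID 1000) record as pasted from
Event Viewer: pull the fault fields from the description, decode the hex
dump under "Data:", and cross-check the two."""
import re

# Sample input: the Event 1000 record pasted in the thread, embedded as-is
# (tabs between field names and values as Event Viewer emits them).
SAMPLE_EVENT = """\
Event Type:\tError
Event Source:\tApplication Error
Event Category:\tNone
Event ID:\t1000
Date: 4/10/2012
Time: 2:40:35 PM
User: N/A
Computer:\tHOME-B3392EFE51
Description:
Faulting application otl.exe, version 3.2.39.2, faulting module kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 6f 74 6c ure otl
0018: 2e 65 78 65 20 33 2e 32 .exe 3.2
0020: 2e 33 39 2e 32 20 69 6e .39.2 in
0028: 20 6b 65 72 6e 65 6c 33 kernel3
0030: 32 2e 64 6c 6c 20 35 2e 2.dll 5.
0038: 31 2e 32 36 30 30 2e 35 1.2600.5
0040: 37 38 31 20 61 74 20 6f 781 at o
0048: 66 66 73 65 74 20 30 30 ffset 00
0050: 30 31 32 61 66 62 0d 0a 012afb..
"""

DESC_RE = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<app_ver>\S+), "
    r"faulting module (?P<module>\S+), version (?P<mod_ver>\S+), "
    r"fault address 0x(?P<offset>[0-9a-fA-F]+)\."
)
HEX_LINE_RE = re.compile(r"^([0-9a-fA-F]{4}):\s+(.*)$")
HEX_BYTE_RE = re.compile(r"^[0-9a-fA-F]{2}$")
BYTES_PER_LINE = 8


def header_fields(text):
    """Return the 'Name: value' header lines above Description: as a dict."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("Description:"):
            break
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def parse_description(text):
    """Fault fields from the Description line, or None if it is not a 1000 record."""
    m = DESC_RE.search(text)
    return m.groupdict() if m else None


def decode_data_block(text):
    """Rebuild the raw bytes from the 'Data:' hex dump and return them as text."""
    buf = bytearray()
    in_data = False
    for line in text.splitlines():
        if not in_data:
            in_data = line.strip() == "Data:"
            continue
        m = HEX_LINE_RE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(buf):
            raise ValueError(f"hex dump is not contiguous at offset {offset:#06x}")
        # The ASCII rendering follows the hex bytes on the same line; the
        # eight-token cap and the two-hex-digit test keep it out of the buffer.
        for tok in m.group(2).split()[:BYTES_PER_LINE]:
            if not HEX_BYTE_RE.match(tok):
                break
            buf.append(int(tok, 16))
    return buf.decode("ascii", errors="replace")


def data_matches_description(text):
    """True when the decoded Data block names the same faulting module and
    offset as the Description line (a sanity check on a pasted record)."""
    desc = parse_description(text)
    if desc is None:
        return False
    payload = decode_data_block(text)
    return (f"in {desc['module']} {desc['mod_ver']}" in payload
            and f"offset {desc['offset']}" in payload)


if __name__ == "__main__":
    hdr = header_fields(SAMPLE_EVENT)
    desc = parse_description(SAMPLE_EVENT)
    print(f"Event {hdr.get('Event ID')} on {hdr.get('Computer')}: "
          f"{desc['app']} {desc['app_ver']} faulted in {desc['module']} "
          f"{desc['mod_ver']} at +0x{desc['offset']}")
    print("Data block:", decode_data_block(SAMPLE_EVENT).rstrip())
    print("Description and data agree:", data_matches_description(SAMPLE_EVENT))
```

The decoder trusts the hex column and ignores the ASCII column, which is the right way round: the ASCII rendering is lossy (here the two bytes 20 20 after "Failure" show as a single space on the page), while the offsets let the function detect a line that was dropped while pasting.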


----------



## Cookiegal (Aug 27, 2003)

Maybe. Please run OTS again and post that log but this time check everything in the options on the right-hand side. You may have to zip the log and attach it.


----------



## valis (Sep 24, 2004)

will do.....it may not appear until tomorrow morning, however, in a conf call currently and I'm boogeying as soon as that ends.......long night here last night. 

thanks again, Karen.


----------



## Cookiegal (Aug 27, 2003)

OK. We'll see if we can't solve this tomorrow without a reload.


----------



## valis (Sep 24, 2004)

if we have to reload, cool......if not, I've already told him that it's a 6/5 pick 'em type of deal (betting term) that he will have to reformat....he's cool with that. At this point, however, it's become personal, and I'm learning boatloads. That little app that unhides everything is now in my toolbox.......THAT will come in handy with recalcitrant servers that wish to not show me what is what. 

again, Karen, mille grazie.......


----------



## Cookiegal (Aug 27, 2003)

Tomorrow I'll have more time to go through the entire thread and all of the logs to see if I missed something. 

Mille bienvenues.


----------



## valis (Sep 24, 2004)

running the scan now.......


----------



## valis (Sep 24, 2004)

attached.


----------



## Cookiegal (Aug 27, 2003)

I found a file created called netbt.svs (.svs as opposed to .sys) so we're deleting that and cleaning up some things with OTS.

Start *OTS*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


```
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Administrator\Application Data\Mozilla\FireFox\Profiles\m7shtpr7.default\prefs.js
YN -> browser.search.defaultthis.engineName -> "Productivity 3.1 Customized Web Search"
YN -> browser.search.defaulturl -> "http://search.conduit.com/ResultsExt.aspx?ctid=CT3008668&SearchSource=3&q={searchTerms}"
YN -> browser.search.selectedEngine -> "Productivity 3.1 Customized Web Search"
YN -> browser.startup.homepage -> "http://search.conduit.com/?ctid=CT3008668&SearchSource=13"
< FireFox Extensions [User Folders] > -> 
YY -> Productivity 3.1 Community Toolbar   -> C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\m7shtpr7.default\extensions\{9427041a-a8dc-4d06-9a68-93873486e957}
[Registry - Additional Scans - Safe List]
< Ext (PreApproved) - [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\
YN -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBC} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Ext (Settings) - [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\
YN -> {754FF233-5D4E-11D2-875B-00A0C93C09B3} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {B1549E58-3894-11D2-BB7F-00A0C999C4C1} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {BDD307C3-7BC0-4542-9F8F-A9611FE6C1BF} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {C533ADF1-0C80-11D1-8C54-00A02468F316} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  9 C:\Documents and Settings\Administrator\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Administrator\Local Settings\temp\*.tmp
[Files - No Company Name]
NY ->  netbt.svs -> C:\WINDOWS\System32\drivers\netbt.svs
[Empty Temp Folders]
[EmptyFlash]
[EmptyJava]
[Start Explorer]
[Reboot]
```


----------



## Cookiegal (Aug 27, 2003)

Also, please use SystemLook again with this script:


```
:filefind
MRxSmb.s*
redbook.s*
```
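
Both scripts above hunt for driver files that impersonate a legitimate one: the OTS fix removes `netbt.svs`, a lookalike of `netbt.sys` sitting in `System32\drivers`, and the SystemLook `:filefind` script searches the disk for any variant of `MRxSmb.s*` and `redbook.s*`. The script below is an added example, not Cookiegal's, OTS's or SystemLook's own code. It builds a constructed `WINDOWS\System32\drivers` tree in a temp folder (the file names in it are made up for the demo, and `KNOWN_DRIVERS` is an assumed baseline you would take from a clean reference install), then does the same two checks in Python: a case-insensitive wildcard file find, and a lookalike scan that flags any file within one character of a known driver name.

```python
"""Two checks behind the OTS and SystemLook scripts, in Python: a
case-insensitive wildcard file find, and a scan for driver files whose name
is one character away from a known driver (netbt.svs beside netbt.sys)."""
import fnmatch
import os
import tempfile
from pathlib import Path

# Assumed baseline of legitimate driver file names. In practice take this
# from a clean reference install of the same Windows build.
KNOWN_DRIVERS = ["netbt.sys", "mrxsmb.sys", "redbook.sys", "tcpip.sys"]


def build_demo_tree():
    """Create a constructed WINDOWS\\System32\\drivers folder in a temp dir.
    netbt.svs and redbok.sys are the made-up lookalikes; the rest stand in
    for real drivers. Returns (root, drivers_dir)."""
    root = Path(tempfile.mkdtemp(prefix="xp_demo_"))
    drivers = root / "WINDOWS" / "System32" / "drivers"
    drivers.mkdir(parents=True)
    for name in ["netbt.sys", "netbt.svs", "MRxSmb.sys",
                 "redbook.sys", "redbok.sys", "tcpip.sys"]:
        (drivers / name).write_bytes(b"MZ placeholder for " + name.encode())
    return root, drivers


def filefind(root, patterns):
    """SystemLook-style :filefind: walk root and return every file whose name
    matches one of the wildcard patterns, case-insensitively (Windows file
    names are case-insensitive). Paths are returned relative to root."""
    pats = [p.lower() for p in patterns]
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if any(fnmatch.fnmatchcase(fn.lower(), p) for p in pats):
                hits.append(Path(dirpath, fn).relative_to(root).as_posix())
    return sorted(hits)


def edit_distance(a, b):
    """Levenshtein distance; small enough to inline for short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_drivers(drivers_dir, known):
    """Return (file_name, known_name) pairs for files in drivers_dir whose
    name is exactly one edit away from a known driver name but is not itself
    a known name. Catches swapped extensions (.svs) and dropped letters."""
    known_l = {k.lower() for k in known}
    flagged = []
    for p in Path(drivers_dir).iterdir():
        if not p.is_file():
            continue
        name = p.name.lower()
        if name in known_l:
            continue
        for k in sorted(known_l):
            if edit_distance(name, k) == 1:
                flagged.append((p.name, k))
                break
    return sorted(flagged)


if __name__ == "__main__":
    root, drivers = build_demo_tree()
    print("filefind:", filefind(root, ["MRxSmb.s*", "redbook.s*"]))
    print("lookalikes:", lookalike_drivers(drivers, KNOWN_DRIVERS))
```

On a real machine you would point `lookalike_drivers` at the actual drivers folder and `filefind` at the system drive. A hit is a lead, not a verdict: a file like `netbt.svs` that has no company name and sits beside the real driver is exactly the pattern the OTS fix acted on, but the file should be moved aside and kept for inspection, which is what OTS does, rather than deleted outright.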


----------



## valis (Sep 24, 2004)

on it....back shortly.....


----------



## valis (Sep 24, 2004)

think that helped a lot......managed to get right into TSG, whereas from this rig it usually takes a dozen times or so. below is the OTS file, hjt to follow that, and the file finder doohickey after that.
***********************************

All Processes Killed
[Registry - Safe List]
Prefs.js: "Productivity 3.1 Customized Web Search" removed from browser.search.defaultthis.engineName
Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3008668&SearchSource=3&q={searchTerms}" removed from browser.search.defaulturl
Prefs.js: "Productivity 3.1 Customized Web Search" removed from browser.search.selectedEngine
Prefs.js: "http://search.conduit.com/?ctid=CT3008668&SearchSource=13" removed from browser.startup.homepage
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\m7shtpr7.default\extensions\{9427041a-a8dc-4d06-9a68-93873486e957}\searchplugin folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\m7shtpr7.default\extensions\{9427041a-a8dc-4d06-9a68-93873486e957}\modules folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\m7shtpr7.default\extensions\{9427041a-a8dc-4d06-9a68-93873486e957}\META-INF folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\m7shtpr7.default\extensions\{9427041a-a8dc-4d06-9a68-93873486e957}\defaults folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\m7shtpr7.default\extensions\{9427041a-a8dc-4d06-9a68-93873486e957}\components folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\m7shtpr7.default\extensions\{9427041a-a8dc-4d06-9a68-93873486e957}\chrome folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\m7shtpr7.default\extensions\{9427041a-a8dc-4d06-9a68-93873486e957} folder moved successfully.
[Registry - Additional Scans - Safe List]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBC}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{754FF233-5D4E-11D2-875B-00A0C93C09B3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{754FF233-5D4E-11D2-875B-00A0C93C09B3}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B1549E58-3894-11D2-BB7F-00A0C999C4C1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1549E58-3894-11D2-BB7F-00A0C999C4C1}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BDD307C3-7BC0-4542-9F8F-A9611FE6C1BF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDD307C3-7BC0-4542-9F8F-A9611FE6C1BF}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{C533ADF1-0C80-11D1-8C54-00A02468F316}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C533ADF1-0C80-11D1-8C54-00A02468F316}\ not found.
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\Administrator\Local Settings\temp\~DF7B4E.tmp deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\~DFD847.tmp deleted successfully.
[Files - No Company Name]
C:\WINDOWS\System32\drivers\netbt.svs moved successfully.
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 58115 bytes
->Temporary Internet Files folder emptied: 15838919 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 566 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 3452 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 24534 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 15.00 mb

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

[EMPTYJAVA]

User: Administrator
->Java cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.47.2 fix logfile created on 04112012_112906

Files\Folders moved on Reboot...
C:\Documents and Settings\Administrator\Local Settings\Temp\IadHide4.dll moved successfully.
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF7B4E.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DFD847.tmp not found!

Registry entries deleted on Reboot...


----------



## valis (Sep 24, 2004)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:38:18 AM, on 4/11/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe 
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1209309656750
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 7143 bytes


----------



## valis (Sep 24, 2004)

spoke too soon.....just blew up on me.....running filefind now.


----------



## valis (Sep 24, 2004)

I see you watching, etaf.......glad you didn't take this one on?


----------



## valis (Sep 24, 2004)

SystemLook

*************************

SystemLook 30.07.11 by jpshortstuff
Log created at 11:44 on 11/04/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "MRxSmb.s*"
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mrxsmb.sys.vir	--a---- 456320 bytes	[16:59 04/04/2012]	[13:29 15/07/2011] CA63643FDC1D54C4DCA0E465D8F14775
C:\WINDOWS\$hf_mig$\KB2511455\SP3QFE\mrxsmb.sys	--a---- 457472 bytes	[22:44 15/04/2011]	[13:19 17/02/2011] FB7DFD15D760AD339837A470F0E780D3
C:\WINDOWS\$hf_mig$\KB2536276\SP3QFE\mrxsmb.sys	--a---- 457856 bytes	[21:01 15/06/2011]	[16:47 29/04/2011] 8DD801E28EB76FDA2A38907882A0036F
C:\WINDOWS\$hf_mig$\KB2536276-v2\SP3QFE\mrxsmb.sys	------- 457856 bytes	[22:16 09/08/2011]	[13:29 15/07/2011] FB2FCCC70F7174C7BF64F48E96D3ADF4
C:\WINDOWS\$hf_mig$\KB914389\SP2QFE\mrxsmb.sys	--a--c- 454400 bytes	[10:16 05/05/2006]	[10:16 05/05/2006] 7412CE77C6FD823F8889B4DF420C680B
C:\WINDOWS\$hf_mig$\KB957097\SP3QFE\mrxsmb.sys	--a--c- 455936 bytes	[03:17 12/11/2008]	[11:41 24/10/2008] 7170AB42B51954DEF2781A4D1CCE65F4
C:\WINDOWS\$hf_mig$\KB978251\SP3QFE\mrxsmb.sys	--a--c- 456832 bytes	[00:11 10/02/2010]	[17:25 04/12/2009] 602549D1E8A622E5746991F6C56B21CA
C:\WINDOWS\$hf_mig$\KB980232\SP3QFE\mrxsmb.sys	--a--c- 457216 bytes	[23:31 14/04/2010]	[11:57 24/02/2010] D09B9F0B9960DD41E73127B7814C115F
C:\WINDOWS\$NtServicePackUninstall$\mrxsmb.sys	-----c- 453120 bytes	[20:06 17/08/2008]	[09:41 05/05/2006] 025AF03CE51645C62F3B6907A7E2BE5E
C:\WINDOWS\$NtServicePackUninstall$\mrxsmb.sys.000	-----c- 453120 bytes	[20:09 17/08/2008]	[09:41 05/05/2006] 025AF03CE51645C62F3B6907A7E2BE5E
C:\WINDOWS\$NtUninstallKB2511455$\mrxsmb.sys	-----c- 455680 bytes	[08:01 17/04/2011]	[13:11 24/02/2010] F3AEFB11ABC521122B67095044169E98
C:\WINDOWS\$NtUninstallKB2536276$\mrxsmb.sys	-----c- 455936 bytes	[13:54 16/06/2011]	[13:18 17/02/2011] 0EA4D8ED179B75F8AFA7998BA22285CA
C:\WINDOWS\$NtUninstallKB2536276-v2$\mrxsmb.sys	-----c- 456320 bytes	[05:55 10/08/2011]	[16:19 29/04/2011] 0DC719E9B15E902346E87E9DCD5751FA
C:\WINDOWS\$NtUninstallKB914389$\mrxsmb.sys	-----c- 451456 bytes	[15:17 27/04/2008]	[10:00 04/08/2004] 1FD607FC67F7F7C633C3DA65BFC53D18
C:\WINDOWS\$NtUninstallKB957097$\mrxsmb.sys	-----c- 456576 bytes	[09:04 12/11/2008]	[19:17 13/04/2008] 68755F0FF16070178B54674FE5B847B0
C:\WINDOWS\$NtUninstallKB978251$\mrxsmb.sys	-----c- 455296 bytes	[17:45 10/02/2010]	[11:21 24/10/2008] 60AE98742484E7AB80C3C1450E708148
C:\WINDOWS\$NtUninstallKB980232$\mrxsmb.sys	-----c- 455424 bytes	[08:18 15/04/2010]	[18:22 04/12/2009] 421F7B922CEC5A5F340E7574A98F7B7C
C:\WINDOWS\Driver Cache\i386\mrxsmb.sys	------- 456320 bytes	[03:17 12/11/2008]	[13:29 15/07/2011] 7D304A5EB4344EBEEAB53A2FE3FFB9F0
C:\WINDOWS\ServicePackFiles\i386\mrxsmb.sys	-----c- 456576 bytes	[18:04 17/08/2008]	[19:17 13/04/2008] 68755F0FF16070178B54674FE5B847B0
C:\WINDOWS\SoftwareDistribution\Download\dfeddbe03266add4998ad4eea2bf3073\sp2gdr\mrxsmb.sys	--a--c- 448128 bytes	[01:14 28/10/2004]	[01:14 28/10/2004] C9D17DAA82B917CF2FD6E4F595974934
C:\WINDOWS\SoftwareDistribution\Download\dfeddbe03266add4998ad4eea2bf3073\sp2qfe\mrxsmb.sys	--a--c- 448128 bytes	[01:15 28/10/2004]	[01:15 28/10/2004] A1BE3CB080DCC0A8270D21E3CA3B7005
C:\WINDOWS\system32\dllcache\mrxsmb.sys	-----c- 456320 bytes	[03:17 12/11/2008]	[13:29 15/07/2011] 7D304A5EB4344EBEEAB53A2FE3FFB9F0
C:\WINDOWS\system32\drivers\mrxsmb.sys	--a---- 457856 bytes	[15:43 05/04/2012]	[13:29 15/07/2011] FB2FCCC70F7174C7BF64F48E96D3ADF4

Searching for "redbook.s*"
C:\WINDOWS\$NtServicePackUninstall$\redbook.sys	-----c- 57472 bytes	[20:06 17/08/2008]	[22:59 03/08/2004] B31B4588E4086D8D84ADBF9845C2402B
C:\WINDOWS\ServicePackFiles\i386\redbook.sys	-----c- 57600 bytes	[18:04 17/08/2008]	[18:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
C:\WINDOWS\system32\drivers\redbook.sys	--a---- 57600 bytes	[19:38 22/04/2008]	[13:19 06/04/2012] F828DD7E1419B6653894A8F97A0094C5

-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

valis said:


> spoke too soon.....just blew up on me.....running filefind now.


What does "blew up on me" mean?

Please use SystemLook again with this script:


```
:filefind
netbt.*
```


----------



## etaf (Oct 2, 2003)

YEP , but interesting to follow - MOST waaaaaaayyyyyy over my head


----------



## valis (Sep 24, 2004)

etaf said:


> YEP , but interesting to follow - MOST waaaaaaayyyyyy over my head


if it's over YOUR head, imagine where it is to me.......leaving freakin' contrails.....


----------



## valis (Sep 24, 2004)

Cookiegal said:


> What does "blew up on me" mean?
> 
> Please use SystemLook again with this script:
> 
> ...


IE just started acting up again, got that runtime error, and had to re-login about 6 times.....but it ran nice for about a minute. That's something.

let me go run that for you, back shortly.


----------



## valis (Sep 24, 2004)

SystemLook 30.07.11 by jpshortstuff
Log created at 12:04 on 11/04/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "netbt.*"
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir	--a---- 162816 bytes	[10:00 04/08/2004]	[19:21 13/04/2008] E60F81BC7C76D6EB28F5816311B971B6
C:\WINDOWS\$NtServicePackUninstall$\netbt.sys	-----c- 162816 bytes	[20:06 17/08/2008]	[10:00 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\ServicePackFiles\i386\netbt.sys	-----c- 162816 bytes	[18:04 17/08/2008]	[19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\dllcache\netbt.sys	--a--c- 162816 bytes	[10:00 04/08/2004]	[19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\drivers\netbt.sys	--a---- 162816 bytes	[10:00 04/08/2004]	[19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\_OTS\MovedFiles\04112012_112906\C_WINDOWS\System32\drivers\netbt.svs	--a---- 162816 bytes	[16:26 04/04/2012]	[19:21 13/04/2008] 64FF53D7ACED86548176E7280CBB0D5F

-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

Rats. That file seemed to have something to do with it but it's gone now.

Do you have any TDSSKiller logs from prior runs that you can post? 

Also, please run a new scan with ComboFix and post that log.


----------
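Added example (not code from this thread, and not part of SystemLook, OTS or ComboFix): the check Cookiegal is doing by eye on the two filefind listings above, written out as a script. Windows XP keeps spare copies of its drivers in dllcache, ServicePackFiles, $hf_mig$ and the $NtUninstall* folders, so a live driver whose MD5 matches one of them is the file Microsoft shipped (system32\drivers\mrxsmb.sys matches the KB2536276-v2 QFE copy, redbook.sys matches ServicePackFiles), while a copy that is the same size as the shipped file but carries a hash none of the reference copies share has the shape of a patched driver. The sample listing is a subset of lines copied from the two SystemLook logs in this thread; the folder classification (what counts as a reference copy, what counts as quarantine) and the verdict labels are my assumptions.

```python
"""Cross-check driver copies listed by SystemLook 'filefind' against the
spare copies Windows XP keeps on disk (dllcache, ServicePackFiles, $hf_mig$,
$NtUninstall*).  Added example for this thread, not part of SystemLook, OTS
or ComboFix.  Which folders count as reference or quarantine is an assumption."""
import re

# One filefind result line: path, 7 attribute flags, size, mtime, ctime, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
# Folders where Windows keeps pristine copies of its own files (assumed list).
REFERENCE_DIRS = ("\\dllcache\\", "\\servicepackfiles\\", "\\$hf_mig$\\",
                  "\\$ntuninstall", "\\$ntservicepackuninstall$\\",
                  "\\driver cache\\", "\\softwaredistribution\\")
LIVE_DIR = "\\system32\\drivers\\"            # the copy the kernel actually loads
QUARANTINE_DIRS = ("\\qoobox\\", "\\_ots\\")  # ComboFix and OTS quarantine roots


def parse_filefind(text):
    """Return a record per result line; headers and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            records.append(rec)
    return records


def family(path):
    """Group netbt.sys, netbt.sys.vir and netbt.svs together by basename stem."""
    return path.rsplit("\\", 1)[-1].lower().split(".", 1)[0]


def analyze(text):
    """Map each live or quarantined copy to a verdict against its reference set."""
    records = parse_filefind(text)
    verdicts = {}
    for rec in records:
        low = rec["path"].lower()
        if any(q in low for q in QUARANTINE_DIRS):
            role = "quarantined"
        elif LIVE_DIR in low:
            role = "live"
        else:
            continue                      # a reference copy: nothing to judge
        refs = [r for r in records
                if family(r["path"]) == family(rec["path"])
                and any(d in r["path"].lower() for d in REFERENCE_DIRS)]
        twins = [r["path"] for r in refs if r["md5"] == rec["md5"]]
        same_size = sum(1 for r in refs if r["size"] == rec["size"])
        if twins:
            verdict = {"status": "matches-reference", "match": twins[0]}
        elif same_size:
            # Same byte count as a shipped copy but a hash nobody shipped:
            # the shape of an in-place patched driver.
            verdict = {"status": "suspect",
                       "reason": "unknown hash, same size as %d reference copies" % same_size}
        else:
            verdict = {"status": "unknown", "reason": "no reference copy of this size"}
        verdict["role"] = role
        verdicts[rec["path"]] = verdict
    return verdicts


def suspects(verdicts):
    """Paths flagged as suspect, sorted for stable output."""
    return sorted(p for p, v in verdicts.items() if v["status"] == "suspect")


# Subset of lines copied from the two SystemLook logs in this thread.
SAMPLE = r"""
Searching for "MRxSmb.s*"
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mrxsmb.sys.vir  --a---- 456320 bytes  [16:59 04/04/2012]  [13:29 15/07/2011] CA63643FDC1D54C4DCA0E465D8F14775
C:\WINDOWS\$hf_mig$\KB2536276-v2\SP3QFE\mrxsmb.sys  ------- 457856 bytes  [22:16 09/08/2011]  [13:29 15/07/2011] FB2FCCC70F7174C7BF64F48E96D3ADF4
C:\WINDOWS\system32\dllcache\mrxsmb.sys  -----c- 456320 bytes  [03:17 12/11/2008]  [13:29 15/07/2011] 7D304A5EB4344EBEEAB53A2FE3FFB9F0
C:\WINDOWS\system32\drivers\mrxsmb.sys  --a---- 457856 bytes  [15:43 05/04/2012]  [13:29 15/07/2011] FB2FCCC70F7174C7BF64F48E96D3ADF4

Searching for "netbt.*"
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir  --a---- 162816 bytes  [10:00 04/08/2004]  [19:21 13/04/2008] E60F81BC7C76D6EB28F5816311B971B6
C:\WINDOWS\ServicePackFiles\i386\netbt.sys  -----c- 162816 bytes  [18:04 17/08/2008]  [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\dllcache\netbt.sys  --a--c- 162816 bytes  [10:00 04/08/2004]  [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\drivers\netbt.sys  --a---- 162816 bytes  [10:00 04/08/2004]  [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\_OTS\MovedFiles\04112012_112906\C_WINDOWS\System32\drivers\netbt.svs  --a---- 162816 bytes  [16:26 04/04/2012]  [19:21 13/04/2008] 64FF53D7ACED86548176E7280CBB0D5F
"""

if __name__ == "__main__":
    for path, v in analyze(SAMPLE).items():
        print("%-11s %-17s %s  %s" % (v["role"], v["status"], path,
                                      v.get("match") or v.get("reason")))
```

Run on the sample it lists three suspects: the mrxsmb.sys and netbt.sys copies ComboFix had already quarantined under C:\Qoobox, and the netbt.svs that OTS moved into C:\_OTS; the two live drivers match their reference copies. The caveat is visible in the full mrxsmb listing above: hotfixes leave well over a dozen distinct legitimate hashes of one driver on a single machine, so "no reference match" is a reason to look closer, not proof of tampering, and MD5 is used here only because it is what SystemLook reports.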



## valis (Sep 24, 2004)

I'll see if I can find one......then I'll start CF.


----------



## valis (Sep 24, 2004)

running CF now......what naming convention does TDS use? There's a notepad entry with a date and some numbers following it.....


----------



## Cookiegal (Aug 27, 2003)

valis said:


> running CF now......what naming convention does TDS use? There a notepad entry with a date and some numbers following it.....


It would have the date but it should also have TDSS in it, I believe. 

Yup, should be:

C:\TDSSKiller.<version_date_time>log.txt


----------



## valis (Sep 24, 2004)

okay, once CF is done I'll go take a gander. 

thanks again, Karen.


----------



## valis (Sep 24, 2004)

ComboFix 12-04-09.02 - Administrator 04/11/2012 12:16:15.6.1 - x86
Running from: c:\documents and settings\Administrator\Desktop\tim\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\ADMINI~1\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\Administrator\Local Settings\temp\IadHide4.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-03-11 to 2012-04-11 )))))))))))))))))))))))))))))))
.
.
2012-04-11 17:28 . 2012-04-11 17:28	56200	-c--a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E184056-23D1-47D5-BC5D-839007CFA993}\offreg.dll
2012-04-11 16:45 . 2012-03-14 00:15	6582328	-c--a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E184056-23D1-47D5-BC5D-839007CFA993}\mpengine.dll
2012-04-10 15:59 . 2012-04-10 15:59	388096	-c--a-r-	c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-04-10 15:59 . 2012-04-10 15:59	--------	dc----w-	c:\program files\Trend Micro
2012-04-10 12:25 . 2012-04-10 12:25	--------	d-----w-	C:\found.000
2012-04-09 23:29 . 2012-03-14 00:15	6582328	-c--a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-09 23:07 . 2012-04-09 23:07	--------	dc----w-	C:\_OTS
2012-04-06 18:05 . 2008-04-13 19:15	64512	----a-w-	c:\windows\system32\drivers\Serial.sys
2012-04-05 15:43 . 2011-07-15 13:29	457856	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2012-04-05 15:41 . 2008-04-14 00:11	792064	----a-w-	c:\windows\system32\comres.dll
2012-04-04 18:20 . 2012-04-04 18:20	--------	dc----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-04-04 15:58 . 2012-01-31 12:44	237072	------w-	c:\windows\system32\MpSigStub.exe
2012-04-04 15:56 . 2012-04-04 15:57	--------	dc----w-	c:\program files\Microsoft Security Client
2012-03-21 05:31 . 2012-03-21 05:31	592824	----a-w-	c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-21 05:31 . 2012-03-21 05:31	44472	----a-w-	c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-06 13:19 . 2008-04-22 19:38	57600	----a-w-	c:\windows\system32\drivers\redbook.sys
2012-02-03 09:22 . 2004-08-04 10:00	1860096	----a-w-	c:\windows\system32\win32k.sys
2012-03-21 05:31 . 2011-05-07 04:43	97208	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-07-12 20480]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-07 114688]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-7-11 450560]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 02:59	937920	-c--a-r-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-08-31 01:57	40368	-c--a-w-	c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-04-20 17:48	58656	-c--a-w-	c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 18:25	202560	----a-w-	c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24	54840	-c--a-w-	c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 21:33	421160	-c--a-w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38	421888	-c--a-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 18:06	254696	-c--a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 136176]
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService	REG_MULTI_SZ HPSLPSVC
hpdevmgmt	REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2012-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 17:39]
.
2012-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 17:39]
.
2012-04-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-04-11 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.25.25
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\m7shtpr7.default\
FF - prefs.js: browser.search.defaulturl - 
FF - prefs.js: browser.search.selectedEngine - 
FF - prefs.js: browser.startup.homepage - 
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-11 12:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-436374069-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,40,95,58,47,9a,1b,4b,87,dc,20,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,40,95,58,47,9a,1b,4b,87,dc,20,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3432)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2012-04-11 12:38:00 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-11 17:37
ComboFix2.txt 2012-04-10 12:37
ComboFix3.txt 2012-04-09 14:32
ComboFix4.txt 2012-04-09 13:55
ComboFix5.txt 2012-04-11 17:14
.
Pre-Run: 25,890,885,632 bytes free
Post-Run: 26,030,510,080 bytes free
.
- - End Of File - - 7BCF08931C237CFA6AAEA5A47CE6E674


----------



## valis (Sep 24, 2004)

first tds below, then the third....there were only 4 minutes separating the second and third, but if you want the second as well, let me know.

ComboFix 12-04-09.02 - Administrator 04/11/2012 12:16:15.6.1 - x86
Running from: c:\documents and settings\Administrator\Desktop\tim\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\ADMINI~1\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\Administrator\Local Settings\temp\IadHide4.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-03-11 to 2012-04-11 )))))))))))))))))))))))))))))))
.
.
2012-04-11 17:28 . 2012-04-11 17:28	56200	-c--a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E184056-23D1-47D5-BC5D-839007CFA993}\offreg.dll
2012-04-11 16:45 . 2012-03-14 00:15	6582328	-c--a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E184056-23D1-47D5-BC5D-839007CFA993}\mpengine.dll
2012-04-10 15:59 . 2012-04-10 15:59	388096	-c--a-r-	c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-04-10 15:59 . 2012-04-10 15:59	--------	dc----w-	c:\program files\Trend Micro
2012-04-10 12:25 . 2012-04-10 12:25	--------	d-----w-	C:\found.000
2012-04-09 23:29 . 2012-03-14 00:15	6582328	-c--a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-09 23:07 . 2012-04-09 23:07	--------	dc----w-	C:\_OTS
2012-04-06 18:05 . 2008-04-13 19:15	64512	----a-w-	c:\windows\system32\drivers\Serial.sys
2012-04-05 15:43 . 2011-07-15 13:29	457856	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2012-04-05 15:41 . 2008-04-14 00:11	792064	----a-w-	c:\windows\system32\comres.dll
2012-04-04 18:20 . 2012-04-04 18:20	--------	dc----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-04-04 15:58 . 2012-01-31 12:44	237072	------w-	c:\windows\system32\MpSigStub.exe
2012-04-04 15:56 . 2012-04-04 15:57	--------	dc----w-	c:\program files\Microsoft Security Client
2012-03-21 05:31 . 2012-03-21 05:31	592824	----a-w-	c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-21 05:31 . 2012-03-21 05:31	44472	----a-w-	c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-06 13:19 . 2008-04-22 19:38	57600	----a-w-	c:\windows\system32\drivers\redbook.sys
2012-02-03 09:22 . 2004-08-04 10:00	1860096	----a-w-	c:\windows\system32\win32k.sys
2012-03-21 05:31 . 2011-05-07 04:43	97208	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-07-12 20480]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-07 114688]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-7-11 450560]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 02:59	937920	-c--a-r-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-08-31 01:57	40368	-c--a-w-	c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-04-20 17:48	58656	-c--a-w-	c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 18:25	202560	----a-w-	c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24	54840	-c--a-w-	c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 21:33	421160	-c--a-w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38	421888	-c--a-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 18:06	254696	-c--a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 136176]
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService	REG_MULTI_SZ HPSLPSVC
hpdevmgmt	REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2012-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 17:39]
.
2012-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 17:39]
.
2012-04-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-04-11 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.25.25
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\m7shtpr7.default\
FF - prefs.js: browser.search.defaulturl - 
FF - prefs.js: browser.search.selectedEngine - 
FF - prefs.js: browser.startup.homepage - 
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-11 12:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-436374069-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,40,95,58,47,9a,1b,4b,87,dc,20,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,40,95,58,47,9a,1b,4b,87,dc,20,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3432)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2012-04-11 12:38:00 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-11 17:37
ComboFix2.txt 2012-04-10 12:37
ComboFix3.txt 2012-04-09 14:32
ComboFix4.txt 2012-04-09 13:55
ComboFix5.txt 2012-04-11 17:14
.
Pre-Run: 25,890,885,632 bytes free
Post-Run: 26,030,510,080 bytes free
.
- - End Of File - - 7BCF08931C237CFA6AAEA5A47CE6E674


----------



## valis (Sep 24, 2004)

13:34:51.0527 1240	TDSS rootkit removing tool 2.7.27.0 Apr 9 2012 09:53:37
13:34:51.0965 1240	============================================================
13:34:51.0965 1240	Current date / time: 2012/04/09 13:34:51.0965
13:34:51.0965 1240	SystemInfo:
13:34:51.0965 1240	
13:34:51.0965 1240	OS Version: 5.1.2600 ServicePack: 3.0
13:34:51.0965 1240	Product type: Workstation
13:34:51.0965 1240	ComputerName: HOME-B3392EFE51
13:34:51.0965 1240	UserName: Administrator
13:34:51.0965 1240	Windows directory: C:\WINDOWS
13:34:51.0965 1240	System windows directory: C:\WINDOWS
13:34:51.0965 1240	Processor architecture: Intel x86
13:34:51.0965 1240	Number of processors: 1
13:34:51.0965 1240	Page size: 0x1000
13:34:51.0965 1240	Boot type: Normal boot
13:34:51.0965 1240	============================================================
13:34:54.0512 1240	Drive \Device\Harddisk0\DR0 - Size: 0x9502F9000 (37.25 Gb), SectorSize: 0x200, Cylinders: 0x12FF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
13:34:54.0527 1240	\Device\Harddisk0\DR0:
13:34:54.0527 1240	MBR used
13:34:54.0527 1240	\Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4A7D53F
13:34:54.0543 1240	Initialize success
13:34:54.0543 1240	============================================================
13:35:04.0699 2220	============================================================
13:35:04.0699 2220	Scan started
13:35:04.0699 2220	Mode: Manual; 
13:35:04.0699 2220	============================================================
13:35:04.0965 2220	Abiosdsk - ok
13:35:05.0059 2220	abp480n5 - ok
13:35:05.0184 2220	ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:35:05.0184 2220	ACPI - ok
13:35:05.0293 2220	ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
13:35:05.0293 2220	ACPIEC - ok
13:35:05.0402 2220	ADM8511 (b05f2367f62552a2de7e3c352b7b9885) C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
13:35:05.0402 2220	ADM8511 - ok
13:35:05.0481 2220	adpu160m - ok
13:35:05.0590 2220	aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
13:35:05.0590 2220	aeaudio - ok
13:35:05.0699 2220	aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
13:35:05.0715 2220	aec - ok
13:35:05.0824 2220	AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
13:35:05.0824 2220	AFD - ok
13:35:05.0918 2220	Aha154x - ok
13:35:05.0949 2220	aic78u2 - ok
13:35:05.0981 2220	aic78xx - ok
13:35:06.0043 2220	Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
13:35:06.0043 2220	Alerter - ok
13:35:06.0152 2220	ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
13:35:06.0152 2220	ALG - ok
13:35:06.0215 2220	AliIde - ok
13:35:06.0262 2220	amsint - ok
13:35:06.0371 2220	Apple Mobile Device (20f6f19fe9e753f2780dc2fa083ad597) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
13:35:06.0371 2220	Apple Mobile Device - ok
13:35:06.0481 2220	AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
13:35:06.0481 2220	AppMgmt - ok
13:35:06.0559 2220	asc - ok
13:35:06.0637 2220	asc3350p - ok
13:35:06.0731 2220	asc3550 - ok
13:35:06.0856 2220	aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
13:35:06.0856 2220	aspnet_state - ok
13:35:06.0965 2220	AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:35:06.0981 2220	AsyncMac - ok
13:35:07.0090 2220	atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
13:35:07.0090 2220	atapi - ok
13:35:07.0184 2220	Atdisk - ok
13:35:07.0293 2220	Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:35:07.0293 2220	Atmarpc - ok
13:35:07.0387 2220	AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
13:35:07.0387 2220	AudioSrv - ok
13:35:07.0512 2220	audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
13:35:07.0512 2220	audstub - ok
13:35:07.0621 2220	Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
13:35:07.0621 2220	Beep - ok
13:35:07.0746 2220	BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
13:35:07.0746 2220	BITS - ok
13:35:07.0887 2220	Bonjour Service (f832f1505ad8b83474bd9a5b1b985e01) C:\Program Files\Bonjour\mDNSResponder.exe
13:35:07.0902 2220	Bonjour Service - ok
13:35:08.0027 2220	Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
13:35:08.0027 2220	Browser - ok
13:35:08.0043 2220	catchme - ok
13:35:08.0168 2220	cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
13:35:08.0168 2220	cbidf2k - ok
13:35:08.0262 2220	CCALib8 (8ef654045e518ac00e52e7a1e2d3ad70) C:\Program Files\Canon\CAL\CALMAIN.exe
13:35:08.0277 2220	CCALib8 - ok
13:35:08.0387 2220	CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
13:35:08.0387 2220	CCDECODE - ok
13:35:08.0496 2220	ccEvtMgr (08d26906c74805bee8deca4c7be8c7f5) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
13:35:08.0512 2220	ccEvtMgr - ok
13:35:08.0621 2220	ccPwdSvc (15e9ab7c078059998933e235a9742502) C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
13:35:08.0621 2220	ccPwdSvc - ok
13:35:08.0668 2220	ccSetMgr (bd565b4456dbce6e02182f35586fd5bf) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
13:35:08.0684 2220	ccSetMgr - ok
13:35:08.0762 2220	cd20xrnt - ok
13:35:08.0824 2220	Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
13:35:08.0824 2220	Cdaudio - ok
13:35:08.0949 2220	Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
13:35:08.0949 2220	Cdfs - ok
13:35:09.0090 2220	Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
13:35:09.0090 2220	Cdrom - ok
13:35:09.0215 2220	cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
13:35:09.0215 2220	cercsr6 - ok
13:35:09.0277 2220	Changer - ok
13:35:09.0356 2220	CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
13:35:09.0356 2220	CiSvc - ok
13:35:09.0449 2220	ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
13:35:09.0465 2220	ClipSrv - ok
13:35:09.0574 2220	clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
13:35:09.0590 2220	clr_optimization_v2.0.50727_32 - ok
13:35:09.0668 2220	CmdIde - ok
13:35:09.0715 2220	COMSysApp - ok
13:35:09.0777 2220	Cpqarray - ok
13:35:09.0840 2220	CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
13:35:09.0840 2220	CryptSvc - ok
13:35:09.0918 2220	dac2w2k - ok
13:35:09.0981 2220	dac960nt - ok
13:35:10.0074 2220	DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
13:35:10.0090 2220	DcomLaunch - ok
13:35:10.0215 2220	DefWatch (a3985a8ded49f67e3e25d2d2921b4dac) C:\Program Files\Symantec AntiVirus\DefWatch.exe
13:35:10.0215 2220	DefWatch - ok
13:35:10.0340 2220	Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
13:35:10.0340 2220	Dhcp - ok
13:35:10.0465 2220	Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
13:35:10.0465 2220	Disk - ok
13:35:10.0543 2220	dmadmin - ok
13:35:10.0684 2220	dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
13:35:10.0699 2220	dmboot - ok
13:35:10.0824 2220	dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
13:35:10.0824 2220	dmio - ok
13:35:10.0934 2220	dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
13:35:10.0934 2220	dmload - ok
13:35:11.0059 2220	dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
13:35:11.0059 2220	dmserver - ok
13:35:11.0199 2220	DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
13:35:11.0199 2220	DMusic - ok
13:35:11.0324 2220	Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
13:35:11.0324 2220	Dnscache - ok
13:35:11.0449 2220	Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
13:35:11.0449 2220	Dot3svc - ok
13:35:11.0527 2220	dpti2o - ok
13:35:11.0652 2220	drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
13:35:11.0652 2220	drmkaud - ok
13:35:11.0762 2220	E1000 (a97b4360acc61d9d3cae50cd155ef02c) C:\WINDOWS\system32\DRIVERS\e1000325.sys
13:35:11.0762 2220	E1000 - ok
13:35:11.0871 2220	EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
13:35:11.0871 2220	EapHost - ok
13:35:11.0981 2220	ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
13:35:11.0981 2220	ERSvc - ok
13:35:12.0074 2220	Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
13:35:12.0074 2220	Eventlog - ok
13:35:12.0184 2220	EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
13:35:12.0199 2220	EventSystem - ok
13:35:12.0309 2220	Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
13:35:12.0309 2220	Fastfat - ok
13:35:12.0434 2220	FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
13:35:12.0434 2220	FastUserSwitchingCompatibility - ok
13:35:12.0543 2220	Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
13:35:12.0543 2220	Fdc - ok
13:35:12.0652 2220	Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
13:35:12.0652 2220	Fips - ok
13:35:12.0746 2220	Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
13:35:12.0746 2220	Flpydisk - ok
13:35:12.0840 2220	FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
13:35:12.0840 2220	FltMgr - ok
13:35:12.0965 2220	FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
13:35:12.0965 2220	FontCache3.0.0.0 - ok
13:35:13.0090 2220	Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
13:35:13.0090 2220	Fs_Rec - ok
13:35:13.0246 2220	Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
13:35:13.0246 2220	Ftdisk - ok
13:35:13.0340 2220	GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
13:35:13.0340 2220	GEARAspiWDM - ok
13:35:13.0434 2220	Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
13:35:13.0434 2220	Gpc - ok
13:35:13.0559 2220	gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
13:35:13.0559 2220	gupdate - ok
13:35:13.0574 2220	gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
13:35:13.0574 2220	gupdatem - ok
13:35:13.0684 2220	helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
13:35:13.0699 2220	helpsvc - ok
13:35:13.0809 2220	HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
13:35:13.0809 2220	HidServ - ok
13:35:13.0918 2220	HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
13:35:13.0934 2220	HidUsb - ok
13:35:14.0043 2220	hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
13:35:14.0043 2220	hkmsvc - ok
13:35:14.0121 2220	hpn - ok
13:35:14.0293 2220	hpqcxs08 (0a3c6aa4a9fc38c20ba4eac2c3351c05) C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
13:35:14.0293 2220	hpqcxs08 - ok
13:35:14.0449 2220	hpqddsvc (f3f72a2a86c22610bca5439fa789dd52) C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
13:35:14.0465 2220	hpqddsvc - ok
13:35:14.0621 2220	HPSLPSVC (568e44f6dcfa173f3670172b69379891) C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL
13:35:14.0652 2220	HPSLPSVC - ok
13:35:14.0777 2220	HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
13:35:14.0777 2220	HPZid412 - ok
13:35:14.0887 2220	HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
13:35:14.0887 2220	HPZipr12 - ok
13:35:14.0996 2220	HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
13:35:14.0996 2220	HPZius12 - ok
13:35:15.0106 2220	HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
13:35:15.0121 2220	HTTP - ok
13:35:15.0231 2220	HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
13:35:15.0246 2220	HTTPFilter - ok
13:35:15.0324 2220	i2omgmt - ok
13:35:15.0402 2220	i2omp - ok
13:35:15.0512 2220	i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
13:35:15.0512 2220	i8042prt - ok
13:35:15.0637 2220	ialm (1406d6ef4436aee970efe13193123965) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
13:35:15.0637 2220	ialm - ok
13:35:15.0793 2220	idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
13:35:15.0824 2220	idsvc - ok
13:35:15.0934 2220	Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
13:35:15.0934 2220	Imapi - ok
13:35:15.0996 2220	ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
13:35:16.0012 2220	ImapiService - ok
13:35:16.0074 2220	ini910u - ok
13:35:16.0215 2220	IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
13:35:16.0215 2220	IntelIde - ok
13:35:16.0340 2220	intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
13:35:16.0340 2220	intelppm - ok
13:35:16.0465 2220	Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
13:35:16.0465 2220	Ip6Fw - ok
13:35:16.0590 2220	IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
13:35:16.0590 2220	IpFilterDriver - ok
13:35:16.0699 2220	IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
13:35:16.0699 2220	IpInIp - ok
13:35:16.0809 2220	IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
13:35:16.0824 2220	IpNat - ok
13:35:16.0934 2220	iPod Service (9033d67b7112d23eded6789bacded128) C:\Program Files\iPod\bin\iPodService.exe
13:35:16.0965 2220	iPod Service - ok
13:35:17.0074 2220	IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
13:35:17.0074 2220	IPSec - ok
13:35:17.0168 2220	IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
13:35:17.0168 2220	IRENUM - ok
13:35:17.0277 2220	isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
13:35:17.0277 2220	isapnp - ok
13:35:17.0434 2220	JavaQuickStarterService (381b25dc8e958d905b33130d500bbf29) C:\Program Files\Java\jre6\bin\jqs.exe
13:35:17.0449 2220	JavaQuickStarterService - ok
13:35:17.0574 2220	Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
13:35:17.0574 2220	Kbdclass - ok
13:35:17.0684 2220	kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
13:35:17.0684 2220	kbdhid - ok
13:35:17.0777 2220	kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
13:35:17.0777 2220	kmixer - ok
13:35:17.0871 2220	KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
13:35:17.0871 2220	KSecDD - ok
13:35:17.0981 2220	lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
13:35:17.0981 2220	lanmanserver - ok
13:35:18.0074 2220	lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
13:35:18.0074 2220	lanmanworkstation - ok
13:35:18.0184 2220	lbrtfdc - ok
13:35:18.0293 2220	LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
13:35:18.0309 2220	LmHosts - ok
13:35:18.0434 2220	LVUSBSta (c5efbd05a5195402121711a6ebbb271f) C:\WINDOWS\system32\drivers\lvusbsta.sys
13:35:18.0434 2220	LVUSBSta - ok
13:35:18.0543 2220	McComponentHostService (f453d1e6d881e8f8717e20ccd4199e85) C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
13:35:18.0543 2220	McComponentHostService - ok
13:35:18.0652 2220	Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
13:35:18.0668 2220	Messenger - ok
13:35:18.0777 2220	mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
13:35:18.0777 2220	mnmdd - ok
13:35:18.0840 2220	mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
13:35:18.0840 2220	mnmsrvc - ok
13:35:18.0934 2220	Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
13:35:18.0949 2220	Modem - ok
13:35:19.0059 2220	Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
13:35:19.0059 2220	Mouclass - ok
13:35:19.0246 2220	mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
13:35:19.0262 2220	mouhid - ok
13:35:19.0356 2220	MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
13:35:19.0356 2220	MountMgr - ok
13:35:19.0481 2220	MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
13:35:19.0481 2220	MpFilter - ok
13:35:19.0652 2220	MpKsl17f1f22d (a69630d039c38018689190234f866d77) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F8EDB43-E86B-46A6-939F-EC44A8786F0B}\MpKsl17f1f22d.sys
13:35:19.0652 2220	MpKsl17f1f22d - ok
13:35:19.0746 2220	mraid35x - ok
13:35:19.0856 2220	MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
13:35:19.0871 2220	MRxDAV - ok
13:35:19.0996 2220	MRxSmb (fb2fccc70f7174c7bf64f48e96d3adf4) C:\WINDOWS\system32\Drivers\mrxsmb.sys
13:35:20.0059 2220	MRxSmb - ok
13:35:20.0184 2220	MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
13:35:20.0184 2220	MSDTC - ok
13:35:20.0340 2220	Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
13:35:20.0340 2220	Msfs - ok
13:35:20.0418 2220	MSIServer - ok
13:35:20.0481 2220	MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
13:35:20.0496 2220	MSKSSRV - ok
13:35:20.0637 2220	MsMpSvc (cfce43b70ca0cc4dcc8adb62b792b173) c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
13:35:20.0637 2220	MsMpSvc - ok
13:35:20.0762 2220	MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
13:35:20.0762 2220	MSPCLOCK - ok
13:35:20.0856 2220	MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
13:35:20.0856 2220	MSPQM - ok
13:35:20.0949 2220	mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
13:35:20.0965 2220	mssmbios - ok
13:35:21.0059 2220	MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
13:35:21.0059 2220	MSTEE - ok
13:35:21.0184 2220	Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
13:35:21.0184 2220	Mup - ok
13:35:21.0309 2220	NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
13:35:21.0309 2220	NABTSFEC - ok
13:35:21.0434 2220	napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
13:35:21.0465 2220	napagent - ok
13:35:21.0637 2220	NAVENG (c34e2a884ccca8b5567d0c2752527073) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110502.002\naveng.sys
13:35:21.0637 2220	NAVENG - ok
13:35:21.0840 2220	NAVEX15 (b3916eeec738dd4178f4fd6a44a32e36) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110502.002\navex15.sys
13:35:21.0887 2220	NAVEX15 - ok
13:35:22.0012 2220	NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
13:35:22.0012 2220	NDIS - ok
13:35:22.0106 2220	NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
13:35:22.0106 2220	NdisIP - ok
13:35:22.0231 2220	NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
13:35:22.0231 2220	NdisTapi - ok
13:35:22.0356 2220	Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
13:35:22.0356 2220	Ndisuio - ok
13:35:22.0481 2220	NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
13:35:22.0481 2220	NdisWan - ok
13:35:22.0574 2220	NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
13:35:22.0574 2220	NDProxy - ok
13:35:22.0699 2220	Net Driver HPZ12 (510c138564486ff926a3f773205c63d1) C:\WINDOWS\system32\HPZinw12.dll
13:35:22.0699 2220	Net Driver HPZ12 - ok
13:35:22.0840 2220	NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
13:35:22.0840 2220	NetBIOS - ok
13:35:22.0949 2220	NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
13:35:22.0949 2220	NetBT - ok
13:35:23.0059 2220	NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
13:35:23.0059 2220	NetDDE - ok
13:35:23.0074 2220	NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
13:35:23.0074 2220	NetDDEdsdm - ok
13:35:23.0215 2220	Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:35:23.0231 2220	Netlogon - ok
13:35:23.0356 2220	Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
13:35:23.0356 2220	Netman - ok
13:35:23.0496 2220	NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
13:35:23.0512 2220	NetTcpPortSharing - ok
13:35:23.0637 2220	Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
13:35:23.0652 2220	Nla - ok
13:35:23.0762 2220	Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
13:35:23.0777 2220	Npfs - ok
13:35:23.0918 2220	Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
13:35:23.0918 2220	Ntfs - ok
13:35:23.0996 2220	NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:35:24.0012 2220	NtLmSsp - ok
13:35:24.0152 2220	NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
13:35:24.0152 2220	NtmsSvc - ok
13:35:24.0246 2220	Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
13:35:24.0246 2220	Null - ok
13:35:24.0340 2220	NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
13:35:24.0340 2220	NwlnkFlt - ok
13:35:24.0434 2220	NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
13:35:24.0434 2220	NwlnkFwd - ok
13:35:24.0527 2220	OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
13:35:24.0527 2220	OMCI - ok
13:35:24.0637 2220	ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
13:35:24.0637 2220	ose - ok
13:35:24.0762 2220	Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
13:35:24.0777 2220	Parport - ok
13:35:24.0887 2220	PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
13:35:24.0887 2220	PartMgr - ok
13:35:24.0996 2220	ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
13:35:24.0996 2220	ParVdm - ok
13:35:25.0106 2220	PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
13:35:25.0106 2220	PCI - ok
13:35:25.0168 2220	PCIDump - ok
13:35:25.0293 2220	PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
13:35:25.0293 2220	PCIIde - ok
13:35:25.0418 2220	Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
13:35:25.0418 2220	Pcmcia - ok
13:35:25.0496 2220	PDCOMP - ok
13:35:25.0606 2220	PDFRAME - ok
13:35:25.0699 2220	PDRELI - ok
13:35:25.0777 2220	PDRFRAME - ok
13:35:25.0856 2220	pepifilter (2a3efd6c3f116675d149da5e36a010a4) C:\WINDOWS\system32\DRIVERS\lv302af.sys
13:35:25.0856 2220	pepifilter - ok
13:35:25.0934 2220	perc2 - ok
13:35:26.0012 2220	perc2hib - ok
13:35:26.0184 2220	PID_08A0 (cebefeae6156f4fee41f56be89ea9c96) C:\WINDOWS\system32\DRIVERS\LV302AV.SYS
13:35:26.0215 2220	PID_08A0 - ok
13:35:26.0340 2220	PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
13:35:26.0340 2220	PlugPlay - ok
13:35:26.0465 2220	Pml Driver HPZ12 (37e5e8ffbad35605daeec3224ea0e465) C:\WINDOWS\system32\HPZipm12.dll
13:35:26.0465 2220	Pml Driver HPZ12 - ok
13:35:26.0574 2220	PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:35:26.0574 2220	PolicyAgent - ok
13:35:26.0731 2220	PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
13:35:26.0731 2220	PptpMiniport - ok
13:35:26.0840 2220	ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:35:26.0840 2220	ProtectedStorage - ok
13:35:26.0981 2220	PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
13:35:26.0996 2220	PSched - ok
13:35:27.0090 2220	Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
13:35:27.0090 2220	Ptilink - ok
13:35:27.0168 2220	ql1080 - ok
13:35:27.0246 2220	Ql10wnt - ok
13:35:27.0324 2220	ql12160 - ok
13:35:27.0387 2220	ql1240 - ok
13:35:27.0465 2220	ql1280 - ok
13:35:27.0543 2220	RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
13:35:27.0543 2220	RasAcd - ok
13:35:27.0652 2220	RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
13:35:27.0668 2220	RasAuto - ok
13:35:27.0777 2220	Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
13:35:27.0777 2220	Rasl2tp - ok
13:35:27.0887 2220	RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
13:35:27.0887 2220	RasMan - ok
13:35:28.0012 2220	RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
13:35:28.0012 2220	RasPppoe - ok
13:35:28.0121 2220	Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
13:35:28.0137 2220	Raspti - ok
13:35:28.0262 2220	Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
13:35:28.0262 2220	Rdbss - ok
13:35:28.0371 2220	RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
13:35:28.0371 2220	RDPCDD - ok
13:35:28.0481 2220	rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
13:35:28.0496 2220	rdpdr - ok
13:35:28.0621 2220	RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
13:35:28.0621 2220	RDPWD - ok
13:35:28.0731 2220	RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
13:35:28.0731 2220	RDSessMgr - ok
13:35:28.0856 2220	redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
13:35:28.0856 2220	redbook - ok
13:35:28.0949 2220	RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
13:35:28.0949 2220	RemoteAccess - ok
13:35:29.0074 2220	RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
13:35:29.0074 2220	RemoteRegistry - ok
13:35:29.0199 2220	RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
13:35:29.0199 2220	RpcLocator - ok
13:35:29.0324 2220	RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
13:35:29.0324 2220	RpcSs - ok
13:35:29.0449 2220	RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
13:35:29.0449 2220	RSVP - ok
13:35:29.0574 2220	SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:35:29.0574 2220	SamSs - ok
13:35:29.0684 2220	SavRoam (40f6c7dd9228e62aa54f25df23585634) C:\Program Files\Symantec AntiVirus\SavRoam.exe
13:35:29.0699 2220	SavRoam - ok
13:35:29.0809 2220	SAVRT (c8023be4dda22a52cd2f60d9cb9b3985) C:\Program Files\Symantec AntiVirus\savrt.sys
13:35:29.0824 2220	SAVRT - ok
13:35:29.0934 2220	SAVRTPEL (30547fd7692dc799a0b397b2b918a158) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
13:35:29.0934 2220	SAVRTPEL - ok
13:35:30.0059 2220	SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
13:35:30.0059 2220	SCardSvr - ok
13:35:30.0184 2220	Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
13:35:30.0184 2220	Schedule - ok
13:35:30.0309 2220	Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
13:35:30.0309 2220	Secdrv - ok
13:35:30.0434 2220	seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
13:35:30.0434 2220	seclogon - ok
13:35:30.0559 2220	SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
13:35:30.0559 2220	SENS - ok
13:35:30.0699 2220	serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
13:35:30.0699 2220	serenum - ok
13:35:30.0840 2220	Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
13:35:30.0840 2220	Sfloppy - ok
13:35:30.0981 2220	SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
13:35:31.0027 2220	SharedAccess - ok
13:35:31.0152 2220	ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
13:35:31.0168 2220	ShellHWDetection - ok
13:35:31.0262 2220	Simbad - ok
13:35:31.0371 2220	SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
13:35:31.0371 2220	SLIP - ok
13:35:31.0512 2220	smwdm (5018a9db5eb62e3edb3110f82f556285) C:\WINDOWS\system32\drivers\smwdm.sys
13:35:31.0574 2220	smwdm - ok
13:35:31.0684 2220	SNDSrvc (e6d3841a12face16e2eba24e714ca203) C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
13:35:31.0684 2220	SNDSrvc - ok
13:35:31.0777 2220	Sparrow - ok
13:35:31.0887 2220	splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
13:35:31.0902 2220	splitter - ok
13:35:32.0012 2220	Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
13:35:32.0012 2220	Spooler - ok
13:35:32.0152 2220	sprtsvc_ddoctorv2 (c3716ec0d36ad924b6888d794563e647) C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
13:35:32.0152 2220	sprtsvc_ddoctorv2 - ok
13:35:32.0309 2220	sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
13:35:32.0309 2220	sr - ok
13:35:32.0434 2220	srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
13:35:32.0434 2220	srservice - ok
13:35:32.0590 2220	Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
13:35:32.0637 2220	Srv - ok
13:35:32.0746 2220	SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
13:35:32.0746 2220	SSDPSRV - ok
13:35:32.0871 2220	stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
13:35:32.0871 2220	stisvc - ok
13:35:32.0996 2220	streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
13:35:32.0996 2220	streamip - ok
13:35:33.0106 2220	swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
13:35:33.0106 2220	swenum - ok
13:35:33.0199 2220	swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
13:35:33.0199 2220	swmidi - ok
13:35:33.0293 2220	SwPrv - ok
13:35:33.0434 2220	Symantec AntiVirus (91c4579e77abdfac02c16e0d0736123e) C:\Program Files\Symantec AntiVirus\Rtvscan.exe
13:35:33.0481 2220	Symantec AntiVirus - ok
13:35:33.0574 2220	symc810 - ok
13:35:33.0652 2220	symc8xx - ok
13:35:33.0746 2220	SymEvent (42123611a49c33536ab29bdd852a9f5e) C:\Program Files\Symantec\SYMEVENT.SYS
13:35:33.0746 2220	SymEvent - ok
13:35:33.0856 2220	SYMREDRV (145eaae477f5b56f2621956150a143b0) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
13:35:33.0856 2220	SYMREDRV - ok
13:35:33.0965 2220	SYMTDI (926efafc087d356bba50bdf6e640bc13) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
13:35:33.0965 2220	SYMTDI - ok
13:35:34.0059 2220	sym_hi - ok
13:35:34.0137 2220	sym_u3 - ok
13:35:34.0262 2220	sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
13:35:34.0262 2220	sysaudio - ok
13:35:34.0387 2220	SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
13:35:34.0387 2220	SysmonLog - ok
13:35:34.0496 2220	TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
13:35:34.0512 2220	TapiSrv - ok
13:35:34.0652 2220	Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:35:34.0652 2220	Tcpip - ok
13:35:34.0777 2220	TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
13:35:34.0777 2220	TDPIPE - ok
13:35:34.0871 2220	TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
13:35:34.0871 2220	TDTCP - ok
13:35:34.0996 2220	TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
13:35:34.0996 2220	TermDD - ok
13:35:35.0106 2220	TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
13:35:35.0121 2220	TermService - ok
13:35:35.0231 2220	Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
13:35:35.0231 2220	Themes - ok
13:35:35.0340 2220	TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
13:35:35.0356 2220	TlntSvr - ok
13:35:35.0434 2220	TosIde - ok
13:35:35.0543 2220	TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
13:35:35.0543 2220	TrkWks - ok
13:35:35.0668 2220	Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
13:35:35.0668 2220	Udfs - ok
13:35:35.0746 2220	ultra - ok
13:35:35.0856 2220	Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
13:35:35.0871 2220	Update - ok
13:35:35.0981 2220	upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
13:35:35.0981 2220	upnphost - ok
13:35:36.0043 2220	UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
13:35:36.0043 2220	UPS - ok
13:35:36.0184 2220	USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
13:35:36.0184 2220	USBAAPL - ok
13:35:36.0309 2220	usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
13:35:36.0309 2220	usbaudio - ok
13:35:36.0418 2220	usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
13:35:36.0418 2220	usbccgp - ok
13:35:36.0527 2220	usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:35:36.0543 2220	usbehci - ok
13:35:36.0652 2220	usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
13:35:36.0652 2220	usbhub - ok
13:35:36.0777 2220	usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
13:35:36.0777 2220	usbprint - ok
13:35:36.0887 2220	usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
13:35:36.0887 2220	usbscan - ok
13:35:36.0996 2220	USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
13:35:36.0996 2220	USBSTOR - ok
13:35:37.0121 2220	usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
13:35:37.0121 2220	usbuhci - ok
13:35:37.0231 2220	VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
13:35:37.0231 2220	VgaSave - ok
13:35:37.0293 2220	ViaIde - ok
13:35:37.0371 2220	VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
13:35:37.0371 2220	VolSnap - ok
13:35:37.0496 2220	VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
13:35:37.0512 2220	VSS - ok
13:35:37.0621 2220	W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
13:35:37.0621 2220	W32Time - ok
13:35:37.0762 2220	Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
13:35:37.0762 2220	Wanarp - ok
13:35:37.0856 2220	WDICA - ok
13:35:37.0965 2220	wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
13:35:37.0981 2220	wdmaud - ok
13:35:38.0090 2220	WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
13:35:38.0090 2220	WebClient - ok
13:35:38.0277 2220	winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
13:35:38.0277 2220	winmgmt - ok
13:35:38.0418 2220	WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
13:35:38.0418 2220	WmdmPmSN - ok
13:35:38.0543 2220	Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
13:35:38.0574 2220	Wmi - ok
13:35:38.0731 2220	WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
13:35:38.0731 2220	WmiApSrv - ok
13:35:38.0840 2220	WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
13:35:38.0871 2220	WMPNetworkSvc - ok
13:35:38.0981 2220	WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
13:35:38.0981 2220	WS2IFSL - ok
13:35:39.0121 2220	wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
13:35:39.0121 2220	wscsvc - ok
13:35:39.0277 2220	WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
13:35:39.0277 2220	WSTCODEC - ok
13:35:39.0387 2220	wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
13:35:39.0387 2220	wuauserv - ok
13:35:39.0496 2220	WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
13:35:39.0512 2220	WudfPf - ok
13:35:39.0621 2220	WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
13:35:39.0621 2220	WudfRd - ok
13:35:39.0731 2220	WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
13:35:39.0746 2220	WudfSvc - ok
13:35:39.0871 2220	WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
13:35:39.0887 2220	WZCSVC - ok
13:35:40.0012 2220	xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
13:35:40.0012 2220	xmlprov - ok
13:35:40.0168 2220	{6080A529-897E-4629-A488-ABA0C29B635E} (fd1f4e9cf06c71c8d73a24acf18d8296) C:\WINDOWS\system32\drivers\ialmsbw.sys
13:35:40.0168 2220	{6080A529-897E-4629-A488-ABA0C29B635E} - ok
13:35:40.0309 2220	{D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d4d7331d33d1fa73e588e5ce0d90a4c1) C:\WINDOWS\system32\drivers\ialmkchw.sys
13:35:40.0324 2220	{D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
13:35:40.0356 2220	MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
13:35:40.0496 2220	\Device\Harddisk0\DR0 - ok
13:35:40.0512 2220	Boot (0x1200) (64ad772ebc128d9c7bcd0046c537c75d) \Device\Harddisk0\DR0\Partition0
13:35:40.0512 2220	\Device\Harddisk0\DR0\Partition0 - ok
13:35:40.0512 2220	============================================================
13:35:40.0512 2220	Scan finished
13:35:40.0512 2220	============================================================
13:35:40.0543 1360	Detected object count: 0
13:35:40.0543 1360	Actual detected object count: 0
13:35:55.0793 3472	Deinitialize success


----------



## Cookiegal (Aug 27, 2003)

I'd like the one that shows things were detected and removed. I remember you posted the screenshot but if possible, it would be nice to see the actual report.


----------



## valis (Sep 24, 2004)

that was all I found at that location......want me to run it again?


----------



## Cookiegal (Aug 27, 2003)

You might as well but I don't expect it will find anything.


----------



## valis (Sep 24, 2004)

are you sure that screen shot was from TDS?


----------



## valis (Sep 24, 2004)

btw, what's backweb887640.exe? That's running in task manager, and I doubt it should be.


----------



## valis (Sep 24, 2004)

tds found nothing......hmmm.


----------



## Cookiegal (Aug 27, 2003)

valis said:


> are you sure that screen shot was from TDS?


Yes. See post no. 23.


----------



## Cookiegal (Aug 27, 2003)

valis said:


> btw, what's backweb887640.exe? That's running in task manager, and I doubt it should be.


That's Logitech Desktop Messenger. It can cause problems and it's recommended to uninstall it. It should be listed in Add or Remove Programs in the Control Panel.

Let me know if there's any improvement after removing it.


----------



## valis (Sep 24, 2004)

valis said:


> btw, what's backweb887640.exe? That's running in task manager, and I doubt it should be.


turns out it's related to logitech.

Just for the heck of it running an MSE scan....this is beginning to tick me off mightily.


----------



## valis (Sep 24, 2004)

whups, missed your post......


----------



## Cookiegal (Aug 27, 2003)

Also, we never ran DDS so let's try that.

Please download DDS by sUBs to your desktop from one of the following locations:

http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

Double-click the DDS.scr to run the tool.

When DDS has finished scanning, it will open two logs named as follows:

DDS.txt
Attach.txt

Save them both to your desktop. Copy and paste the contents of the DDS.txt and Attach.txt files in your reply please.


----------



## valis (Sep 24, 2004)

dunno if this helps, but googling that run time error I got this. Once the MSE scan is done I may try to hit those sites.....maybe I can get there if not eset......


----------



## valis (Sep 24, 2004)

alright, will run DDS first......we seem to be talking over each other.


----------



## valis (Sep 24, 2004)

dds

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_29
Run by Administrator at 14:54:53 on 2012-04-11
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = localhost;*.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe 
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209309656750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.25.25
TCP: Interfaces\{9704363F-027F-49EE-A04A-8DE8A6A96AD7} : DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.25.25
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\m7shtpr7.default\
FF - prefs.js: browser.search.defaulturl - 
FF - prefs.js: browser.search.selectedEngine - 
FF - prefs.js: browser.startup.homepage - 
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-04-11 19:29:01	56200	-c--a-w-	c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{457a6077-42f2-4b0b-8281-f5f67d7baabb}\offreg.dll
2012-04-11 19:29:01	29904	-c--a-w-	c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{457a6077-42f2-4b0b-8281-f5f67d7baabb}\MpKsl14023c7a.sys
2012-04-11 19:19:45	6582328	-c--a-w-	c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{457a6077-42f2-4b0b-8281-f5f67d7baabb}\mpengine.dll
2012-04-10 19:31:10	--------	d-----w-	c:\windows\system32\appmgmt
2012-04-10 15:59:08	388096	-c--a-r-	c:\documents and settings\administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-04-10 15:59:07	--------	dc----w-	c:\program files\Trend Micro
2012-04-10 12:25:17	--------	d-----w-	C:\found.000
2012-04-09 23:29:31	6582328	-c--a-w-	c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-04-09 23:07:52	--------	dc----w-	C:\_OTS
2012-04-06 18:05:45	64512	-c--a-w-	c:\windows\system32\dllcache\serial.sys
2012-04-06 18:05:45	64512	----a-w-	c:\windows\system32\drivers\Serial.sys
2012-04-05 15:43:19	457856	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2012-04-05 15:41:17	792064	----a-w-	c:\windows\system32\comres.dll
2012-04-04 16:24:43	--------	dcsha-r-	C:\cmdcons
2012-04-04 16:22:50	98816	----a-w-	c:\windows\sed.exe
2012-04-04 16:22:50	518144	----a-w-	c:\windows\SWREG.exe
2012-04-04 16:22:50	256000	----a-w-	c:\windows\PEV.exe
2012-04-04 16:22:50	208896	----a-w-	c:\windows\MBR.exe
2012-04-04 15:58:40	237072	------w-	c:\windows\system32\MpSigStub.exe
2012-04-04 15:56:49	--------	dc----w-	c:\program files\Microsoft Security Client
2012-03-21 05:31:02	592824	----a-w-	c:\program files\mozilla firefox\gkmedias.dll
2012-03-21 05:31:02	44472	----a-w-	c:\program files\mozilla firefox\mozglue.dll
.
==================== Find3M ====================
.
2012-04-06 13:19:26	57600	----a-w-	c:\windows\system32\drivers\redbook.sys
2012-02-03 09:22:18	1860096	----a-w-	c:\windows\system32\win32k.sys
.
============= FINISH: 14:55:42.03 ===============


----------



## valis (Sep 24, 2004)

attach

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
.
==== Disk Partitions =========================
.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
4500_G510nz_Help
4500G510nz
4500G510nz_Software_Min
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.3.1
Adobe Shockwave Player 11.6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
BufferChm
Canon Camera Access Library
Canon Camera Support Core Library
Canon Digital Camera Solution Disk 34 Software Starter Guide
Canon Direct Print User Guide
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon PowerShot A470 Camera User Guide
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Comcast High-Speed Internet Install Wizard
Comcast Toolbar
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
Desktop Doctor
Destinations
DeviceDiscovery
DocMgr
DocProc
Fax
Google Chrome
Google Earth
Google Update Helper
GPBaseService2
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 13.0
HP Document Manager 2.0
HP Imaging Device Functions 13.0
HP Officejet 4500 G510n-z
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
HPDiagnosticAlert
HPProductAssistant
HPSSupply
Instant Play Keyboard Express
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
InterVideo WinDVD
iPhone Configuration Utility
iTunes
Java Auto Updater
Java(TM) 6 Update 29
LiveUpdate 2.0 (Symantec Corporation)
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
MarketResearch
McAfee Security Scan Plus
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
MobileMe Control Panel
Mozilla Firefox 11.0 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Coach Player
Network
OCR Software by I.R.I.S. 13.0
OGA Notifier 2.0.0048.0
QuickTime
Safari
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shop for HP Supplies
SmartWebPrinting
SolutionCenter
SoundMAX
Spybot - Search & Destroy 1.3
Status
swMSM
Teachers Toolkit
Toolbox
TrayApp
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinZip
.
==== End Of File ===========================


----------



## Cookiegal (Aug 27, 2003)

valis said:

> dunno if this helps, but googling that run time error I got this. Once the MSE scan is done I may try to hit those sites.....maybe I can get there if not eset......


Yeah, I saw that too but I'm not seeing any evidence of it. Are you still getting the same Runtime error and specific number?


----------



## valis (Sep 24, 2004)

Yup.


----------



## Cookiegal (Aug 27, 2003)

You didn't uninstall Logitech Desktop Messenger yet.


----------



## Cookiegal (Aug 27, 2003)

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------
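The StartupList log requested above is read by eye in this thread; the script below is an added example (not code from the thread, from HijackThis or from Trend Micro) showing how an analyst can run the same first-pass checks over that plain-text report automatically: whether the .EXE/.COM/.BAT/.PIF/.SCR open commands, the UserInit value and the Shell value still match a stock Windows XP install, and which Winsock LSP files sit outside the Windows system directory (the place a "TCP/IP stack injection" of the kind described at the top of the thread shows up). The two report excerpts embedded in it are constructed samples in the StartupList format; the second one contains a deliberately altered .EXE association and UserInit value so the checks have something to find.

```python
"""Sanity checks over a HijackThis StartupList report (added example, not part of the thread).

Parses the plain-text StartupList format and compares the security-relevant
values against a stock Windows XP baseline. Everything below is an assumption
for the example: the baseline values, the messages and the two sample reports.
"""
import re

# Baseline for a stock Windows XP install (matches the values the thread's log shows).
EXPECTED_ASSOC = {
    ".EXE": '"%1" %*',
    ".COM": '"%1" %*',
    ".BAT": '"%1" %*',
    ".PIF": '"%1" %*',
    ".SCR": '"%1" /S',
}
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe,"
SYSTEM_DIR = "c:\\windows\\system32\\"

# Constructed sample in StartupList format: values as they appear on a clean XP box.
CLEAN_SAMPLE = r"""Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
"""

# Constructed sample with a hijacked .EXE association and an extra UserInit entry
# (the file name is a placeholder, not a real indicator).
HIJACKED_SAMPLE = r"""Checking Windows NT UserInit:

UserInit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\placeholder-loader.exe

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "C:\Documents and Settings\All Users\placeholder-loader.exe" "%1" %*

Shell & screensaver key from Registry:

Shell=Explorer.exe

Enumerating Winsock LSP files:

Protocol #1: C:\WINDOWS\system32\mswsock.dll
"""


def parse_startuplist(text):
    """Pull file associations, UserInit, Shell and LSP paths out of a StartupList report."""
    result = {"assoc": {}, "userinit": None, "shell": None, "lsp": []}
    current_assoc = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"File association entry for (\.\w+):", line)
        if m:
            current_assoc = m.group(1).upper()  # remember which extension the next (Default) belongs to
            continue
        if current_assoc and line.startswith("(Default) ="):
            result["assoc"][current_assoc] = line.split("=", 1)[1].strip()
            current_assoc = None
            continue
        if line.startswith("UserInit ="):
            result["userinit"] = line.split("=", 1)[1].strip()
        elif line.startswith("Shell=") and "not found" not in line:
            result["shell"] = line.split("=", 1)[1].strip()  # registry Shell value, INI line is skipped
        m = re.match(r"(NameSpace|Protocol) #\d+: (.+)$", line)
        if m:
            result["lsp"].append(m.group(2))
    return result


def find_issues(parsed):
    """Compare parsed values with the XP baseline; returns a list of findings (empty = clean)."""
    issues = []
    for ext, expected in EXPECTED_ASSOC.items():
        actual = parsed["assoc"].get(ext)
        if actual is not None and actual != expected:
            issues.append(f"{ext} association changed: {actual!r} (expected {expected!r})")
    if parsed["userinit"] and parsed["userinit"].lower() != EXPECTED_USERINIT:
        issues.append(f"UserInit changed: {parsed['userinit']!r}")
    if parsed["shell"] and parsed["shell"].lower() != EXPECTED_SHELL:
        issues.append(f"Shell changed: {parsed['shell']!r}")
    for path in parsed["lsp"]:
        if not path.lower().startswith(SYSTEM_DIR):
            # Not proof of anything by itself; third-party LSPs such as Bonjour land here too.
            issues.append(f"third-party Winsock LSP (review): {path}")
    return issues


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("hijacked", HIJACKED_SAMPLE)):
        print(f"[{name}]")
        for issue in find_issues(parse_startuplist(sample)) or ["no findings"]:
            print("  " + issue)
```

Run it against a saved StartupList.txt by reading the file and passing its contents to `parse_startuplist`. The LSP finding is deliberately worded as "review" rather than "infected": the thread's own log shows the Bonjour namespace provider under Program Files, which is legitimate, so an LSP outside System32 is a prompt to identify the vendor, not a verdict.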



## valis (Sep 24, 2004)

no, work has been hectic today.......running from my office at the other end to this office at this end, trying to do 19 things at once.


----------



## valis (Sep 24, 2004)

StartupList report, 4/11/2012, 3:10:45 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HiJackThis\HiJackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v8.00 (8.00.6001.18702)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
LVCOMSX = C:\WINDOWS\system32\LVCOMSX.EXE
LogitechVideoRepair = C:\Program Files\Logitech\Video\ISStart.exe 
LogitechVideoTray = C:\Program Files\Logitech\Video\LogiTray.exe
AppleSyncNotifier = C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
MSC = "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\ComFile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

HP Print Enhancer - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll - {0347C33E-8762-4905-BF09-768834316C61}
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}
JQSIEStartDetectorImpl - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll - {E7E6F031-17CE-4C07-BC86-EABFE594F69C}
HP Smart BHO Class - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
GoogleUpdateTaskMachineCore.job
GoogleUpdateTaskMachineUA.job
MP Scheduled Scan.job
OGALogon.job

--------------------------------------------------

Enumerating Download Program Files:

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1209309656750

[Java Plug-in 1.6.0_29]
InProcServer32 = C:\Program Files\Java\jre6\bin\jp2iexp.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

[Java Plug-in 1.6.0_29]
InProcServer32 = C:\Program Files\Java\jre6\bin\jp2iexp.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

[Java Plug-in 1.6.0_29]
InProcServer32 = C:\Program Files\Java\jre6\bin\npjpi160_29.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash10h.ocx
CODEBASE = https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\mswsock.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
ADMtek ADM8511/AN986 USB To Fast Ethernet Converter: system32\DRIVERS\ADM8511.SYS (manual start)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Apple Mobile Device: "C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" (autostart)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Bonjour Service: "C:\Program Files\Bonjour\mDNSResponder.exe" (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
catchme: \??\C:\ComboFix\catchme.sys (manual start)
Canon Camera Access Library 8: C:\Program Files\Canon\CAL\CALMAIN.exe (autostart)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
CryptSvc: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Wired AutoConfig: %SystemRoot%\System32\svchost.exe -k dot3svc (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO/1000 Adapter Driver: system32\DRIVERS\e1000325.sys (manual start)
Extensible Authentication Protocol Service: %SystemRoot%\System32\svchost.exe -k eapsvcs (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Windows Presentation Foundation Font Cache 3.0.0.0: c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (manual start)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
GEAR ASPI Filter Driver: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Google Update Service (gupdate): "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (autostart)
Google Update Service (gupdatem): "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
Health Key and Certificate Management Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
hpqcxs08: %SystemRoot%\system32\svchost.exe -k hpdevmgmt (manual start)
HP CUE DeviceDiscovery Service: %SystemRoot%\system32\svchost.exe -k hpdevmgmt (autostart)
HP Network Devices Support: %SystemRoot%\system32\svchost.exe -k HPService (autostart)
IEEE-1284.4 Driver HPZid412: system32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: system32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: system32\DRIVERS\HPZius12.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
ialm: system32\DRIVERS\ialmnt5.sys (manual start)
Windows CardSpace: "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: %systemroot%\system32\imapi.exe (manual start)
IntelIde: system32\DRIVERS\intelide.sys (system)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Java Quick Starter: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" (autostart)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Logitech USB Monitor Filter: system32\drivers\lvusbsta.sys (manual start)
McAfee Security Scan Component Host Service: "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" (manual start)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
Microsoft Malware Protection Driver: system32\DRIVERS\MpFilter.sys (system)
MpKsl14023c7a: \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{457A6077-42F2-4B0B-8281-F5F67D7BAABB}\MpKsl14023c7a.sys (system)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\Drivers\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: %systemroot%\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Antimalware Service: "c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe" (autostart)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Network Access Protection Agent: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
Net Driver HPZ12: %SystemRoot%\System32\svchost.exe -k HPZ12 (autostart)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Net.Tcp Port Sharing Service: "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" (disabled)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI: \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS (system)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
Volume Adapter: system32\DRIVERS\lv302af.sys (manual start)
QuickCam IM(PID_08A0): system32\DRIVERS\LV302AV.SYS (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: %SystemRoot%\System32\svchost.exe -k HPZ12 (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost.exe -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
smwdm: system32\drivers\smwdm.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
SupportSoft Sprocket Service (ddoctorv2): "C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2 (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{DC1B719F-D9CD-4127-83D7-2A362784F89B} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Apple Mobile USB Driver: System32\Drivers\usbaapl.sys (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
wscsvc: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)
mbr: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\bwUnin-6.1.4.68-8876480L.exe|||.

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\shell32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 36,692 bytes
Report generated in 0.250 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------
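Reading a startup listing like the one above by hand is slow; a defender's first pass is usually to pull out each image path, normalise the different spellings the listing uses (`%SystemRoot%`, `\SystemRoot\`, bare `system32\...`, the `\??\` object-manager prefix) and flag anything that loads from an unusual place, such as a user's Temp directory. The following is an added Python example, not code from the thread or from any of the tools mentioned in it. It assumes the Windows root is `C:\WINDOWS` (as the paths in the log show) and runs over a constructed six-line sample modelled on entries from the listing above.

```python
"""Triage helper for a startup-list style service/driver listing.

Each listing line has the shape
    <display name>: <image field> (<start type>)
where the image field is a path, optionally quoted and optionally followed
by command-line arguments.  The helper parses those lines, normalises the
image path and flags entries that load from outside the usual locations.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Assumption: the Windows directory is C:\WINDOWS, as the log paths show.
WINDOWS_ROOT = r"C:\WINDOWS"

# Constructed sample in the shape of the listing above (not the full log).
SAMPLE_LISTING = r"""
Java Quick Starter: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" (autostart)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
MpKsl14023c7a: \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{457A6077-42F2-4B0B-8281-F5F67D7BAABB}\MpKsl14023c7a.sys (system)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
mbr: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys (manual start)
"""

LINE_RE = re.compile(r"^(?P<name>[^:]+?):\s+(?P<image>.+?)\s+\((?P<start>[^()]+)\)\s*$")
# First token ending in a known binary extension, so unquoted paths with spaces survive.
EXTENSION_RE = re.compile(r"^(.*?\.(?:sys|exe|dll))(?=\s|$)", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
# Directories an analyst would normally accept without a second look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Entry:
    name: str
    path: str
    start: str
    flags: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        """Kernel drivers loaded at boot from an unusual place get the first look."""
        if not self.flags:
            return "ok"
        if self.path.lower().endswith(".sys") and self.start == "system":
            return "high"
        return "review"


def image_path(image_field: str) -> str:
    """Extract the executable/driver path from the image field and normalise it."""
    s = image_field.strip()
    if s.startswith('"'):
        s = s[1:s.index('"', 1)]          # quoted path, arguments follow the quote
    else:
        m = EXTENSION_RE.match(s)
        s = m.group(1) if m else s.split()[0]
    if s.startswith("\\??\\"):            # NT object-manager prefix on full-path drivers
        s = s[4:]
    low = s.lower()
    if low.startswith("%systemroot%"):
        s = WINDOWS_ROOT + s[len("%systemroot%"):]
    elif low.startswith("\\systemroot"):
        s = WINDOWS_ROOT + s[len("\\systemroot"):]
    if not DRIVE_RE.match(s):             # bare system32\... is relative to the Windows dir
        s = WINDOWS_ROOT + "\\" + s
    return s


def parse_listing(text: str) -> List[Entry]:
    """Parse every well-formed listing line and attach triage flags."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = Entry(m["name"], image_path(m["image"]), m["start"].strip().lower())
        p = e.path.lower()
        if "\\temp\\" in p:
            e.flags.append("loads from a Temp directory")
        if not p.startswith(TRUSTED_PREFIXES):
            e.flags.append("outside Windows/Program Files")
        entries.append(e)
    return entries


def findings(text: str) -> List[Entry]:
    """Only the entries worth a human's attention."""
    return [e for e in parse_listing(text) if e.flags]


if __name__ == "__main__":
    for e in findings(SAMPLE_LISTING):
        print(f"[{e.severity}] {e.name}: {e.path} ({e.start}) -> {'; '.join(e.flags)}")
```

On the sample this surfaces two entries: `mbr.sys` loading from the Administrator's Temp directory, and the `MpKsl14023c7a.sys` driver under the Microsoft Antimalware definition-update directory. The second is a good reminder of what triage is for: the path names a legitimate-looking product directory and an analyst would clear it quickly, but a script should surface every non-standard load location and leave that call to the person reading the log.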



## Cookiegal (Aug 27, 2003)

OK, see post 168.

Then, I would try uninstalling IE8 to revert back to IE7 and then reinstalling IE8 but not until I've seen the startup log in case there's anything evident here.


----------



## valis (Sep 24, 2004)

afraid that's it for today.....have a few things to do here, and then cub scouts.....until the morrow, Karen. And as always, thanks a ton.


----------



## Cookiegal (Aug 27, 2003)

OK Tim. I'll look over that log later. I have to start dinner.


----------



## Cookiegal (Aug 27, 2003)

Also, try uninstalling Spybot Search & Destroy. It's an old version and has been known to cause such errors.


----------



## valis (Sep 24, 2004)

uninstalled that, as well as McAfee system scanner.....below is the error I'm getting on IE...no clue where to go from here, as it took me 30 minutes just to get to this page......I'm going to try eset again, we'll see.

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 4/12/2012
Time: 7:52:48 AM
User: N/A
Computer:	HOME-B3392EFE51
Description:
Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.18854, fault address 0x00209f9c.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 69 65 78 ure iex
0018: 70 6c 6f 72 65 2e 65 78 plore.ex
0020: 65 20 38 2e 30 2e 36 30 e 8.0.60
0028: 30 31 2e 31 38 37 30 32 01.18702
0030: 20 69 6e 20 6d 73 68 74 in msht
0038: 6d 6c 2e 64 6c 6c 20 38 ml.dll 8
0040: 2e 30 2e 36 30 30 31 2e .0.6001.
0048: 31 38 38 35 34 20 61 74 18854 at
0050: 20 6f 66 66 73 65 74 20 offset 
0058: 30 30 32 30 39 66 39 63 00209f9c
0060: 0d 0a ..


----------



## valis (Sep 24, 2004)

think I found a work-around to get ESET to scan.....downloaded it with chrome, but it said it was okay as it would open a new window. It's d/ling definitions now, will touch base shortly.


----------



## Cookiegal (Aug 27, 2003)

Sounds good. I think the problem lies in IE.


----------



## valis (Sep 24, 2004)

wonder if I upgraded to IE 9...........any input?


----------



## Cookiegal (Aug 27, 2003)

You can't run IE9 on XP unfortunately. That's why I suggested going back to IE7 and see if the problem persists. I don't see any sign of malware. It may be residual damage.

It may also be something to do with add-ons. Try running IE with no add-ons.


----------



## valis (Sep 24, 2004)

I'll let eset finish, uninstall IE8 and see what happens.....danke, Karen......you are one in a million. :up:


----------



## Cookiegal (Aug 27, 2003)

valis said:


> I'll let eset finish, uninstall IE8 and see what happens.....danke, Karen......you are one in a million. :up:


You're welcome but I would hold off on the compliments until (or IF) we find the problem.


----------



## valis (Sep 24, 2004)

nope........you have definitely earned this one........I'll check it in about 30 minutes and give you an update.


----------



## valis (Sep 24, 2004)

IE 7 is running smoothly....debating if I should reinstall 8 and see what happens......


----------



## Cookiegal (Aug 27, 2003)

Maybe try running it for a bit because that last time it only ran smoothly for a few minutes.

If it does then I'd try to reinstall IE8.


----------



## valis (Sep 24, 2004)

sounds good......running some basic stuff now, also going to defrag and do some random house cleaning, will let you know.

Thanks, Karen.


----------



## Cookiegal (Aug 27, 2003)

OK, fingers crossed.


----------



## valis (Sep 24, 2004)

he ended up taking it home over the weekend, so I'm going to mark this solved. I emailed my 'join TSG and solve your own problems' can, will let you know if he has any further issues.....still need to get him to test IE8, but IE7 was running smooth last Friday.

Thanks again for all your assistance, Cookiegal........:up:


----------



## Cookiegal (Aug 27, 2003)

You're welcome valis. It's my pleasure.


----------



## valis (Sep 24, 2004)

You say that now......wait until I find another ZA rootkit....... 

and etaf? You ain't living this one down anytime soon.........


----------



## Cookiegal (Aug 27, 2003)




----------



## etaf (Oct 2, 2003)

well, if you do have zone alarm issues - let me know


----------



## valis (Sep 24, 2004)

roger that, will do..........

I reckon we can both say we learned quite a bit from this mess, eh?


----------



## etaf (Oct 2, 2003)

> I reckon we can both say we learned


 sat most of the time with tongue hanging out - in complete awe


----------



## valis (Sep 24, 2004)

hahahahahaha......


----------



## etaf (Oct 2, 2003)

and must have saved you a fortune in gym fees - going back and forwards across the building


----------



## valis (Sep 24, 2004)

Yup......needed to get some rollerblades for that one.........


----------

