Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Redirection and excessive svchost.exe memory usage

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Redirection and excessive svchost.exe memory usage

Unread postby maxi » September 24th, 2011, 3:57 pm

Hi drjbg,

Ok you can try to run ComboFix again. Make sure you follow the instructions above about saving the "CFscript" and dragging it into ComboFix.

Also run TDSSkiller if you have not done so and post the logfile for me to see. If you have already ran TDSSkiller please post the logfile.

Regards maxi :)
User avatar
maxi
Retired Graduate
 
Posts: 1262
Joined: September 25th, 2009, 10:17 am
Location: Cork, Ireland.
Advertisement
Register to Remove

Re: Redirection and excessive svchost.exe memory usage

Unread postby drjbg » September 24th, 2011, 7:02 pm

Hi Maxi,

I ran the Combo Fix CFS, but I can only find the original Combo fix log that I ran on 9/21.

This is the TDSS killer log:

17:54:55.0812 2148 TDSS rootkit removing tool 2.6.0.0 Sep 23 2011 07:42:37
17:54:57.0828 2148 ============================================================
17:54:57.0843 2148 Current date / time: 2011/09/24 17:54:57.0828
17:54:57.0843 2148 SystemInfo:
17:54:57.0843 2148
17:54:57.0859 2148 OS Version: 5.1.2600 ServicePack: 3.0
17:54:57.0859 2148 Product type: Workstation
17:54:57.0859 2148 ComputerName: JAKE
17:54:57.0875 2148 UserName: Jake
17:54:57.0875 2148 Windows directory: C:\WINDOWS
17:54:57.0890 2148 System windows directory: C:\WINDOWS
17:54:57.0890 2148 Processor architecture: Intel x86
17:54:57.0890 2148 Number of processors: 1
17:54:57.0906 2148 Page size: 0x1000
17:54:57.0906 2148 Boot type: Normal boot
17:54:57.0906 2148 ============================================================
17:54:59.0468 2148 Initialize success
17:55:15.0234 3372 ============================================================
17:55:15.0234 3372 Scan started
17:55:15.0234 3372 Mode: Manual;
17:55:15.0234 3372 ============================================================
17:55:16.0046 3372 6cbae931 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\837401196:2470778574.exe
17:55:17.0625 3372 Suspicious file (Hidden): C:\WINDOWS\837401196:2470778574.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
17:55:17.0625 3372 6cbae931 ( HiddenFile.Multi.Generic ) - warning
17:55:17.0625 3372 6cbae931 - detected HiddenFile.Multi.Generic (1)
17:55:17.0718 3372 Abiosdsk - ok
17:55:17.0781 3372 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
17:55:17.0781 3372 abp480n5 - ok
17:55:17.0828 3372 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:55:17.0843 3372 ACPI - ok
17:55:17.0906 3372 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
17:55:17.0906 3372 ACPIEC - ok
17:55:18.0031 3372 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
17:55:18.0046 3372 adpu160m - ok
17:55:18.0125 3372 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
17:55:18.0125 3372 aeaudio - ok
17:55:18.0203 3372 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
17:55:18.0203 3372 aec - ok
17:55:18.0296 3372 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
17:55:18.0296 3372 AFD - ok
17:55:18.0359 3372 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
17:55:18.0359 3372 agp440 - ok
17:55:18.0421 3372 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
17:55:18.0421 3372 agpCPQ - ok
17:55:18.0468 3372 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
17:55:18.0484 3372 Aha154x - ok
17:55:18.0515 3372 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
17:55:18.0515 3372 aic78u2 - ok
17:55:18.0546 3372 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
17:55:18.0546 3372 aic78xx - ok
17:55:18.0593 3372 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
17:55:18.0609 3372 AliIde - ok
17:55:18.0640 3372 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
17:55:18.0640 3372 alim1541 - ok
17:55:18.0671 3372 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
17:55:18.0671 3372 amdagp - ok
17:55:18.0703 3372 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
17:55:18.0703 3372 amsint - ok
17:55:18.0765 3372 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
17:55:18.0765 3372 asc - ok
17:55:18.0812 3372 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
17:55:18.0812 3372 asc3350p - ok
17:55:18.0859 3372 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
17:55:18.0875 3372 asc3550 - ok
17:55:18.0968 3372 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
17:55:18.0968 3372 AsyncMac - ok
17:55:19.0015 3372 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
17:55:19.0015 3372 atapi - ok
17:55:19.0046 3372 Atdisk - ok
17:55:19.0109 3372 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
17:55:19.0109 3372 Atmarpc - ok
17:55:19.0171 3372 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
17:55:19.0171 3372 audstub - ok
17:55:19.0218 3372 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
17:55:19.0218 3372 Beep - ok
17:55:19.0281 3372 bvurqape - ok
17:55:19.0406 3372 catchme - ok
17:55:19.0468 3372 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
17:55:19.0468 3372 cbidf - ok
17:55:19.0531 3372 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
17:55:19.0531 3372 cbidf2k - ok
17:55:19.0578 3372 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
17:55:19.0578 3372 cd20xrnt - ok
17:55:19.0640 3372 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
17:55:19.0640 3372 Cdaudio - ok
17:55:19.0718 3372 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
17:55:19.0718 3372 Cdfs - ok
17:55:19.0765 3372 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
17:55:19.0765 3372 Cdrom - ok
17:55:19.0796 3372 Changer - ok
17:55:19.0875 3372 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
17:55:19.0875 3372 CmdIde - ok
17:55:19.0921 3372 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
17:55:19.0921 3372 Compbatt - ok
17:55:20.0000 3372 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
17:55:20.0000 3372 Cpqarray - ok
17:55:20.0078 3372 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
17:55:20.0078 3372 dac2w2k - ok
17:55:20.0125 3372 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
17:55:20.0125 3372 dac960nt - ok
17:55:20.0218 3372 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
17:55:20.0234 3372 Disk - ok
17:55:20.0328 3372 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
17:55:20.0343 3372 dmboot - ok
17:55:20.0406 3372 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
17:55:20.0406 3372 dmio - ok
17:55:20.0453 3372 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
17:55:20.0453 3372 dmload - ok
17:55:20.0500 3372 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
17:55:20.0500 3372 DMusic - ok
17:55:20.0562 3372 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
17:55:20.0562 3372 dpti2o - ok
17:55:20.0609 3372 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
17:55:20.0609 3372 drmkaud - ok
17:55:20.0687 3372 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
17:55:20.0687 3372 E100B - ok
17:55:20.0828 3372 EraserUtilDrvI2 - ok
17:55:20.0953 3372 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
17:55:20.0953 3372 Fastfat - ok
17:55:21.0046 3372 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
17:55:21.0046 3372 Fdc - ok
17:55:21.0125 3372 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
17:55:21.0125 3372 Fips - ok
17:55:21.0218 3372 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
17:55:21.0218 3372 Flpydisk - ok
17:55:21.0296 3372 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
17:55:21.0296 3372 FltMgr - ok
17:55:21.0390 3372 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
17:55:21.0406 3372 Fs_Rec - ok
17:55:21.0468 3372 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
17:55:21.0484 3372 Ftdisk - ok
17:55:21.0562 3372 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
17:55:21.0562 3372 GEARAspiWDM - ok
17:55:21.0656 3372 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
17:55:21.0656 3372 Gpc - ok
17:55:21.0718 3372 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
17:55:21.0718 3372 HidBatt - ok
17:55:21.0781 3372 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
17:55:21.0781 3372 HidUsb - ok
17:55:21.0843 3372 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
17:55:21.0843 3372 hpn - ok
17:55:21.0984 3372 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
17:55:22.0000 3372 HTTP - ok
17:55:22.0046 3372 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
17:55:22.0046 3372 i2omgmt - ok
17:55:22.0093 3372 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
17:55:22.0109 3372 i2omp - ok
17:55:22.0156 3372 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
17:55:22.0156 3372 i8042prt - ok
17:55:22.0281 3372 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
17:55:22.0343 3372 ialm - ok
17:55:22.0421 3372 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\drivers\Imapi.sys
17:55:22.0421 3372 Imapi - ok
17:55:22.0500 3372 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
17:55:22.0500 3372 ini910u - ok
17:55:22.0546 3372 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
17:55:22.0546 3372 IntelIde - ok
17:55:22.0593 3372 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
17:55:22.0593 3372 intelppm - ok
17:55:22.0640 3372 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
17:55:22.0640 3372 Ip6Fw - ok
17:55:22.0718 3372 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
17:55:22.0718 3372 IpFilterDriver - ok
17:55:22.0781 3372 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
17:55:22.0781 3372 IpInIp - ok
17:55:22.0843 3372 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
17:55:22.0843 3372 IpNat - ok
17:55:22.0953 3372 IPSec (c773971c089973d2ef124120cfa360a7) C:\WINDOWS\system32\DRIVERS\ipsec.sys
17:55:22.0953 3372 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: c773971c089973d2ef124120cfa360a7, Fake md5: 23c74d75e36e7158768dd63d92789a91
17:55:22.0953 3372 IPSec ( ForgedFile.Multi.Generic ) - warning
17:55:22.0953 3372 IPSec - detected ForgedFile.Multi.Generic (1)
17:55:23.0046 3372 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
17:55:23.0046 3372 IRENUM - ok
17:55:23.0109 3372 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
17:55:23.0109 3372 isapnp - ok
17:55:23.0187 3372 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:55:23.0187 3372 Kbdclass - ok
17:55:23.0250 3372 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
17:55:23.0250 3372 kbdhid - ok
17:55:23.0328 3372 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
17:55:23.0328 3372 kmixer - ok
17:55:23.0406 3372 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
17:55:23.0421 3372 KSecDD - ok
17:55:23.0468 3372 Lavasoft Kernexplorer - ok
17:55:23.0546 3372 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
17:55:23.0546 3372 Lbd - ok
17:55:23.0593 3372 lbrtfdc - ok
17:55:23.0656 3372 LMIInfo - ok
17:55:23.0750 3372 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
17:55:23.0750 3372 lmimirr - ok
17:55:23.0781 3372 LMIRfsClientNP - ok
17:55:23.0843 3372 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
17:55:23.0843 3372 LMIRfsDriver - ok
17:55:23.0937 3372 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
17:55:23.0953 3372 mnmdd - ok
17:55:24.0046 3372 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
17:55:24.0046 3372 Modem - ok
17:55:24.0125 3372 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
17:55:24.0125 3372 Mouclass - ok
17:55:24.0203 3372 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
17:55:24.0203 3372 mouhid - ok
17:55:24.0234 3372 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
17:55:24.0234 3372 MountMgr - ok
17:55:24.0343 3372 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
17:55:24.0343 3372 MpFilter - ok
17:55:24.0421 3372 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
17:55:24.0421 3372 mraid35x - ok
17:55:24.0468 3372 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
17:55:24.0468 3372 MRxDAV - ok
17:55:24.0562 3372 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
17:55:24.0625 3372 MRxSmb - ok
17:55:24.0671 3372 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
17:55:24.0671 3372 Msfs - ok
17:55:24.0734 3372 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
17:55:24.0734 3372 MSKSSRV - ok
17:55:24.0781 3372 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
17:55:24.0781 3372 MSPCLOCK - ok
17:55:24.0812 3372 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
17:55:24.0812 3372 MSPQM - ok
17:55:24.0890 3372 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
17:55:24.0890 3372 mssmbios - ok
17:55:24.0953 3372 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
17:55:24.0953 3372 Mup - ok
17:55:25.0046 3372 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
17:55:25.0046 3372 NDIS - ok
17:55:25.0140 3372 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
17:55:25.0140 3372 NdisTapi - ok
17:55:25.0218 3372 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
17:55:25.0218 3372 Ndisuio - ok
17:55:25.0250 3372 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
17:55:25.0250 3372 NdisWan - ok
17:55:25.0328 3372 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
17:55:25.0328 3372 NDProxy - ok
17:55:25.0390 3372 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
17:55:25.0390 3372 NetBIOS - ok
17:55:25.0453 3372 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
17:55:25.0453 3372 NetBT - ok
17:55:25.0546 3372 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
17:55:25.0546 3372 Npfs - ok
17:55:25.0609 3372 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
17:55:25.0640 3372 Ntfs - ok
17:55:25.0687 3372 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
17:55:25.0687 3372 Null - ok
17:55:25.0812 3372 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
17:55:25.0890 3372 nv - ok
17:55:25.0968 3372 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
17:55:25.0968 3372 NwlnkFlt - ok
17:55:26.0062 3372 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
17:55:26.0062 3372 NwlnkFwd - ok
17:55:26.0156 3372 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
17:55:26.0171 3372 OMCI - ok
17:55:26.0250 3372 Orex02 (8e22965dd1c0f7dd72ee4903b9435d60) C:\WINDOWS\system32\Drivers\Orex02.sys
17:55:26.0265 3372 Orex02 - ok
17:55:26.0343 3372 PalmUSBD (dc450992eba6f914080c1f7fbeeed72c) C:\WINDOWS\system32\drivers\PalmUSBD.sys
17:55:26.0343 3372 PalmUSBD - ok
17:55:26.0437 3372 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
17:55:26.0437 3372 Parport - ok
17:55:26.0515 3372 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
17:55:26.0531 3372 PartMgr - ok
17:55:26.0593 3372 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
17:55:26.0593 3372 ParVdm - ok
17:55:26.0671 3372 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
17:55:26.0671 3372 PCI - ok
17:55:26.0734 3372 PCIDump - ok
17:55:26.0796 3372 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
17:55:26.0796 3372 PCIIde - ok
17:55:26.0875 3372 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
17:55:26.0875 3372 Pcmcia - ok
17:55:26.0921 3372 PDCOMP - ok
17:55:26.0984 3372 PDFRAME - ok
17:55:27.0046 3372 PDRELI - ok
17:55:27.0093 3372 PDRFRAME - ok
17:55:27.0171 3372 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
17:55:27.0171 3372 perc2 - ok
17:55:27.0234 3372 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
17:55:27.0234 3372 perc2hib - ok
17:55:27.0359 3372 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
17:55:27.0359 3372 PptpMiniport - ok
17:55:27.0453 3372 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
17:55:27.0453 3372 Processor - ok
17:55:27.0515 3372 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
17:55:27.0515 3372 PSched - ok
17:55:27.0578 3372 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
17:55:27.0593 3372 Ptilink - ok
17:55:27.0656 3372 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
17:55:27.0656 3372 PxHelp20 - ok
17:55:27.0718 3372 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
17:55:27.0718 3372 ql1080 - ok
17:55:27.0765 3372 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
17:55:27.0765 3372 Ql10wnt - ok
17:55:27.0828 3372 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
17:55:27.0843 3372 ql12160 - ok
17:55:27.0890 3372 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
17:55:27.0890 3372 ql1240 - ok
17:55:28.0062 3372 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
17:55:28.0062 3372 ql1280 - ok
17:55:28.0156 3372 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
17:55:28.0156 3372 RasAcd - ok
17:55:28.0187 3372 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
17:55:28.0187 3372 Rasl2tp - ok
17:55:28.0250 3372 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
17:55:28.0250 3372 RasPppoe - ok
17:55:28.0312 3372 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
17:55:28.0312 3372 Raspti - ok
17:55:28.0406 3372 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
17:55:28.0406 3372 Rdbss - ok
17:55:28.0500 3372 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
17:55:28.0500 3372 RDPCDD - ok
17:55:28.0593 3372 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
17:55:28.0609 3372 rdpdr - ok
17:55:28.0687 3372 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
17:55:28.0703 3372 RDPWD - ok
17:55:28.0765 3372 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
17:55:28.0765 3372 redbook - ok
17:55:28.0859 3372 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
17:55:28.0859 3372 rtl8139 - ok
17:55:28.0968 3372 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
17:55:28.0968 3372 Secdrv - ok
17:55:29.0062 3372 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
17:55:29.0062 3372 serenum - ok
17:55:29.0093 3372 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
17:55:29.0093 3372 Serial - ok
17:55:29.0203 3372 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
17:55:29.0203 3372 Sfloppy - ok
17:55:29.0265 3372 Simbad - ok
17:55:29.0328 3372 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
17:55:29.0343 3372 sisagp - ok
17:55:29.0437 3372 smwdm (5018a9db5eb62e3edb3110f82f556285) C:\WINDOWS\system32\drivers\smwdm.sys
17:55:29.0468 3372 smwdm - ok
17:55:29.0531 3372 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
17:55:29.0531 3372 SONYPVU1 - ok
17:55:29.0609 3372 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
17:55:29.0609 3372 Sparrow - ok
17:55:29.0656 3372 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
17:55:29.0656 3372 splitter - ok
17:55:29.0703 3372 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
17:55:29.0703 3372 sr - ok
17:55:29.0781 3372 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
17:55:29.0796 3372 Srv - ok
17:55:29.0859 3372 StarOpen (f92254b0bcfcd10caac7bccc7cb7f467) C:\WINDOWS\system32\drivers\StarOpen.sys
17:55:29.0875 3372 StarOpen - ok
17:55:29.0968 3372 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
17:55:29.0984 3372 swenum - ok
17:55:30.0062 3372 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
17:55:30.0078 3372 swmidi - ok
17:55:30.0156 3372 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
17:55:30.0156 3372 symc810 - ok
17:55:30.0218 3372 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
17:55:30.0218 3372 symc8xx - ok
17:55:30.0265 3372 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
17:55:30.0265 3372 sym_hi - ok
17:55:30.0312 3372 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
17:55:30.0312 3372 sym_u3 - ok
17:55:30.0375 3372 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
17:55:30.0375 3372 sysaudio - ok
17:55:30.0468 3372 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
17:55:30.0484 3372 Tcpip - ok
17:55:30.0578 3372 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
17:55:30.0578 3372 TDPIPE - ok
17:55:30.0640 3372 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
17:55:30.0640 3372 TDTCP - ok
17:55:30.0687 3372 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
17:55:30.0687 3372 TermDD - ok
17:55:30.0734 3372 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
17:55:30.0750 3372 TosIde - ok
17:55:30.0812 3372 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
17:55:30.0812 3372 Udfs - ok
17:55:30.0937 3372 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
17:55:30.0953 3372 ultra - ok
17:55:31.0046 3372 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
17:55:31.0062 3372 Update - ok
17:55:31.0171 3372 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
17:55:31.0171 3372 USBAAPL - ok
17:55:31.0265 3372 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
17:55:31.0265 3372 usbaudio - ok
17:55:31.0359 3372 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:55:31.0359 3372 usbccgp - ok
17:55:31.0421 3372 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
17:55:31.0421 3372 usbehci - ok
17:55:31.0484 3372 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:55:31.0484 3372 usbhub - ok
17:55:31.0546 3372 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
17:55:31.0546 3372 usbprint - ok
17:55:31.0640 3372 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
17:55:31.0640 3372 usbscan - ok
17:55:31.0687 3372 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:55:31.0687 3372 USBSTOR - ok
17:55:31.0750 3372 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
17:55:31.0750 3372 usbuhci - ok
17:55:31.0781 3372 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
17:55:31.0781 3372 VgaSave - ok
17:55:31.0828 3372 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
17:55:31.0828 3372 viaagp - ok
17:55:31.0890 3372 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
17:55:31.0890 3372 ViaIde - ok
17:55:31.0953 3372 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
17:55:31.0953 3372 VolSnap - ok
17:55:32.0062 3372 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:55:32.0062 3372 Wanarp - ok
17:55:32.0093 3372 WDICA - ok
17:55:32.0203 3372 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
17:55:32.0218 3372 wdmaud - ok
17:55:32.0437 3372 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
17:55:32.0437 3372 WudfPf - ok
17:55:32.0546 3372 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
17:55:32.0546 3372 WudfRd - ok
17:55:32.0656 3372 {6080A529-897E-4629-A488-ABA0C29B635E} (fd1f4e9cf06c71c8d73a24acf18d8296) C:\WINDOWS\system32\drivers\ialmsbw.sys
17:55:32.0671 3372 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
17:55:32.0812 3372 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d4d7331d33d1fa73e588e5ce0d90a4c1) C:\WINDOWS\system32\drivers\ialmkchw.sys
17:55:32.0828 3372 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
17:55:32.0859 3372 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
17:55:32.0875 3372 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - infected
17:55:32.0875 3372 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
17:55:32.0906 3372 Boot (0x1200) (3f49f2eda399515df61f70af3d8a926d) \Device\Harddisk0\DR0\Partition0
17:55:32.0921 3372 \Device\Harddisk0\DR0\Partition0 - ok
17:55:32.0921 3372 ============================================================
17:55:32.0921 3372 Scan finished
17:55:32.0921 3372 ============================================================
17:55:32.0968 2184 Detected object count: 3
17:55:32.0968 2184 Actual detected object count: 3
17:57:14.0187 2184 6cbae931 ( HiddenFile.Multi.Generic ) - skipped by user
17:57:14.0187 2184 6cbae931 ( HiddenFile.Multi.Generic ) - User select action: Skip
17:57:14.0187 2184 IPSec ( ForgedFile.Multi.Generic ) - skipped by user
17:57:14.0187 2184 IPSec ( ForgedFile.Multi.Generic ) - User select action: Skip
17:57:14.0218 2184 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - will be cured on reboot
17:57:14.0218 2184 \Device\Harddisk0\DR0 - ok
17:57:14.0218 2184 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure
17:58:21.0546 1832 Deinitialize success
drjbg
Regular Member
 
Posts: 48
Joined: September 16th, 2011, 7:57 pm

Re: Redirection and excessive svchost.exe memory usage

Unread postby maxi » September 25th, 2011, 2:26 pm

Hi drjbg,

17:57:14.0218 2184 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure


When running TDSSKiller i asked you to select the "Skip" option, but it appears you selected the "Cure" option which was unwise at that point.
Please read all my instructions carefully, it is important for the safety of your computer that you do so.


How is your computer performing now ? Are you still getting redirected ?

I need you to answer my questions and run another scan with DDS and post the log in your next reply

Regards maxi :)
User avatar
maxi
Retired Graduate
 
Posts: 1262
Joined: September 25th, 2009, 10:17 am
Location: Cork, Ireland.

Re: Redirection and excessive svchost.exe memory usage

Unread postby drjbg » September 25th, 2011, 11:36 pm

Maxi,

I noticed this also at the end of the TDSSKiller log and don't know why this happened. I did have the selection on "skip" and was well aware not to choose "cure". After the scan was finished, I saw that the computer was going to "cure" after the next reboot, so I kept the computer running and was going to see what you were going to suggest, but the computer still uses up memory and eventually slows down to the point that there was no choice but to reboot. Anyway, I wish I could tell you that this was an oversight, but I ran the scan as you instructed. The last thing I want to do is waste your time and delay the hopefully, eventual full use of my computer.

Yes, I'm still getting redirected.

This is the new DDS log.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Run by Jake at 22:11:42 on 2011-09-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1246 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\837401196:2470778574.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://cffc.peak.aecium.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SpeechExec Startup] c:\program files\common files\philips speech shared\components\PSP.SpeechExec.StartupApp.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
mPolicies-system: DisableCAD = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: aecium.com\cffc.peak
DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} - hxxp://www.trendsecure.com/framework/co ... mHcmsX.CAB
DPF: {2A59CE46-2E9E-4B00-BC9B-A183638E8D4E} - hxxps://cffc.peak.aecium.com/Green/live ... werApp.CAB
DPF: {300FE705-8D95-41F4-93C0-621F927379D0} - hxxps://cffc.peak.aecium.com/Green/live ... dPrint.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v ... 2434139265
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 2655706359
DPF: {88DD90B6-C770-4CFF-B7A4-3AFD16BB8824} - hxxps://cffc.peak.aecium.com/aspnet_cli ... ontrol.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {C8FE369D-3517-490E-8EB5-256CA6C73236} - hxxps://cffc.peak.aecium.com/Green/live ... corder.CAB
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E6C4B65B-FD06-46F8-A031-34237B31B299} - hxxps://cffc.peak.aecium.com/Green/live ... aching.CAB
DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/rel/41/ins ... downde.cab
TCP: DhcpNameServer = 76.85.229.110 76.85.229.111
TCP: Interfaces\{6A47E9CA-BAB3-4A84-B05E-B13B5B1F3A8A} : DhcpNameServer = 76.85.229.110 76.85.229.111
Notify: dimsntfy32 - dimsntfy32.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
Notify: mdhcp32 - mdhcp32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\rdiadmin\application data\mozilla\firefox\profiles\ihzdbp9d.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-09-22 01:47:45 49152 ----a-w- c:\windows\system32\sname
2011-09-22 01:46:52 13248 ----a-w- c:\windows\system32\0.045629815589275036.exe
2011-09-22 01:36:16 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33692a74-046a-4f42-a6c0-ab3015e27863}\mpengine.dll
2011-09-22 01:32:11 296291 ----a-w- c:\windows\system32\shimg.dll
2011-09-22 01:32:08 49152 ----a-w- c:\windows\system32\mdhcp32.dll
2011-09-22 01:31:55 135680 ----a-w- c:\windows\system32\dimsntfy32.dll
2011-09-22 01:31:29 13248 ----a-w- c:\windows\system32\0.8686894774185765.exe
2011-09-22 01:20:31 -------- d-----w- c:\documents and settings\rdiadmin\local settings\application data\ApplicationHistory
2011-09-21 16:30:58 -------- d-sha-r- C:\cmdcons
2011-09-21 15:40:35 -------- d-----w- C:\3ac22b318350a892bf5c77
2011-09-17 15:35:55 479232 ----a-w- c:\windows\system32\ihzp.exe
2011-09-17 02:00:33 -------- d-----w- c:\program files\Trend Micro
2011-09-15 01:38:27 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!
2011-09-11 16:29:44 0 ----a-w- c:\windows\Plitevul.bin
2011-09-11 16:29:43 -------- d-----w- c:\documents and settings\rdiadmin\local settings\application data\{D69C9FCF-9CA3-487D-86A3-37CCBCC8CC78}
2011-09-11 14:09:11 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-11 14:09:04 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-11 14:09:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2011-09-07 12:37:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-29 18:57:01 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
.
============= FINISH: 22:15:25.35 ===============
drjbg
Regular Member
 
Posts: 48
Joined: September 16th, 2011, 7:57 pm

Re: Redirection and excessive svchost.exe memory usage

Unread postby drjbg » September 25th, 2011, 11:47 pm

Maxi,

I was just reviewing the end of the TDSSKiller log and it seems like "skip" was selected, but the next line reads, "will be cured on reboot". I'm not suggesting I know how to interpret the log, but this is exactly what happened after I ran the scan. I remember being attentive to this, so I truly don't have an explanation.
JG

17:57:14.0187 2184 6cbae931 ( HiddenFile.Multi.Generic ) - skipped by user
17:57:14.0187 2184 6cbae931 ( HiddenFile.Multi.Generic ) - User select action: Skip
17:57:14.0187 2184 IPSec ( ForgedFile.Multi.Generic ) - skipped by user
17:57:14.0187 2184 IPSec ( ForgedFile.Multi.Generic ) - User select action: Skip
17:57:14.0218 2184 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - will be cured on reboot
drjbg
Regular Member
 
Posts: 48
Joined: September 16th, 2011, 7:57 pm

Re: Redirection and excessive svchost.exe memory usage

Unread postby maxi » September 26th, 2011, 10:29 am

Hi drjbg,
It appears you have an infection called "ZeroAccess" and it can be difficult to remove, here is what i would like you to do.
First please delete your copy of ComboFix and down load a fresh copy from Here
Remember you must save ComboFix to your Desktop, Now please disable Microsoft Security Essentials and run ComboFix again.
If successful post the resulting ComboFix.txt in your next reply

Regards maxi
User avatar
maxi
Retired Graduate
 
Posts: 1262
Joined: September 25th, 2009, 10:17 am
Location: Cork, Ireland.

Re: Redirection and excessive svchost.exe memory usage

Unread postby drjbg » September 26th, 2011, 8:26 pm

Maxi,

I can't seem to be able to delete Combofix.exe from my desk top. The error message says I don't have access rights or that it is write protected or it is in use. I'm not sure how to get rid of it.
JG
drjbg
Regular Member
 
Posts: 48
Joined: September 16th, 2011, 7:57 pm

Re: Redirection and excessive svchost.exe memory usage

Unread postby maxi » September 27th, 2011, 2:18 pm

Hi drjbg,

Please reboot your computer and try again to delete ComboFix from your desktop. If that does'nt work you can try the way below.


You can then download a fresh copy of ComboFix from the link in the previous link above.

Regards maxi
User avatar
maxi
Retired Graduate
 
Posts: 1262
Joined: September 25th, 2009, 10:17 am
Location: Cork, Ireland.

Re: Redirection and excessive svchost.exe memory usage

Unread postby drjbg » September 27th, 2011, 11:03 pm

Maxi,

I think I'm ready to re-install the OS. After a reboot I still couldn't delete the original Combofix. The Combofix remover ran and said it was done, but I still saw it on my desktop. I tried re-installing Combofix and it ran, but I don't see the log.

I'll keep trying things if you have any more suggestions, but if I'm at a dead end, let me know and I'll plan to format the disc and re-install.
Thanks.
JG
drjbg
Regular Member
 
Posts: 48
Joined: September 16th, 2011, 7:57 pm

Re: Redirection and excessive svchost.exe memory usage

Unread postby maxi » September 28th, 2011, 1:51 pm

Hi drjbg,
I think I'm ready to re-install the OS.

I'll keep trying things if you have any more suggestions, but if I'm at a dead end, let me know and I'll plan to format the disc and re-install.

Personally as mentioned at the start of this topic, i would of preformed a reformat straight away due the the nature of this infection.
That would still be my advice to you but the decision is yours,
The trouble with this infection is that it can protect itself by blocking the tools we use, so it can prove a real pain to remove.
But if you wish to continue there is still a few things we can try, please let me know what you decide to do.

Regards maxi
User avatar
maxi
Retired Graduate
 
Posts: 1262
Joined: September 25th, 2009, 10:17 am
Location: Cork, Ireland.

Re: Redirection and excessive svchost.exe memory usage

Unread postby drjbg » September 29th, 2011, 5:29 pm

Hi Maxi,

I understand your position. I'll give it another round of trying to fix it, but I'll set a deadline and I won't hesitate to re-install if the next attempt doesn't work. Thanks for your continued help.
JG
drjbg
Regular Member
 
Posts: 48
Joined: September 16th, 2011, 7:57 pm

Re: Redirection and excessive svchost.exe memory usage

Unread postby Cypher » September 30th, 2011, 5:33 am

Hi drjbg,
maxi is unavailable so if it's ok with you i will take over for him.
Lets continue with the instructions below.

Please download GMER Rootkit Scanner from Here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All << (don't miss this one)
    See image below, Click the image to enlarge it
    Image

  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.


Next.

Please download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.


Logs/Information to Post in your Next Reply

  • Gmer.txt.
  • OTL.txt and Extra.txt contents.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Redirection and excessive svchost.exe memory usage

Unread postby drjbg » September 30th, 2011, 6:18 pm

Hi,

The 1st scan ran, but it never gave me an opportunity to save a file. It just disappeared. Is there a log file that is stored somewhere that may be useful?
JG
drjbg
Regular Member
 
Posts: 48
Joined: September 16th, 2011, 7:57 pm

Re: Redirection and excessive svchost.exe memory usage

Unread postby Cypher » October 1st, 2011, 5:46 am

Hi drjbg,
The 1st scan ran, but it never gave me an opportunity to save a file. It just disappeared. Is there a log file that is stored somewhere that may be useful?

No unless you save the file it won't be stored anywhere, run the scan again and see if you can save the log this time.
If not forget about that scan for now, go ahead and run OTL and post both resulting logs please.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Redirection and excessive svchost.exe memory usage

Unread postby drjbg » October 1st, 2011, 5:30 pm

Hi,

These are the 2 logs from OTL. The other scan log could not be saved or found.
Thanks.
JG

OTL logfile created on: 10/1/2011 4:08:40 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\rdiadmin\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.33 Gb Available Physical Memory | 67.03% Memory free
3.84 Gb Paging File | 3.33 Gb Available in Paging File | 86.73% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.02 Gb Total Space | 93.20 Gb Free Space | 62.54% Space Free | Partition Type: NTFS

Computer Name: JAKE | User Name: Jake | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\837401196:2470778574.exe File not found
PRC - C:\Documents and Settings\rdiadmin\My Documents\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe ()
PRC - C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe (American Power Conversion Corporation)
PRC - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe (American Power Conversion Corporation)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\SYSTEM32\mdhcp32.dll ()
MOD - C:\WINDOWS\SYSTEM32\dimsntfy32.dll ()
MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
MOD - \\?\globalroot\systemroot\system32\mswsock.dll ()
MOD - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe ()


========== Win32 Services (SafeList) ==========

SRV - (Onyx-RAD Space-Management Server) -- File not found
SRV - (Onyx-RAD Image Server) -- File not found
SRV - (LMIGuardianSvc) -- File not found
SRV - (SENS) -- C:\Documents and Settings\All Users\Application Data\asotocomfo.dat (Qjam evfg hlmfa p)
SRV - (CarboniteService) -- C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe (Carbonite, Inc. (www.carbonite.com))
SRV - (NMSAccessU) -- C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
SRV - (AdobeActiveFileMonitor4.0) -- C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe ()
SRV - (APC UPS Service) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe (American Power Conversion Corporation)
SRV - (NetSvc) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe (Intel(R) Corporation)


========== Driver Services (SafeList) ==========

DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (StarOpen) -- C:\WINDOWS\System32\drivers\StarOpen.sys ()
DRV - (LMIRfsDriver) -- C:\WINDOWS\SYSTEM32\DRIVERS\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (PalmUSBD) -- C:\WINDOWS\SYSTEM32\DRIVERS\PalmUSBD.sys (PalmSource, Inc.)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\SYSTEM32\DRIVERS\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (Orex02) Orex Ver(2000)(M) -- C:\WINDOWS\SYSTEM32\DRIVERS\Orex02.sys (Compuware Corporation)
DRV - (OMCI) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS (Dell Computer Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4274134260-3623583512-2864591513-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://cffc.peak.aecium.com/
IE - HKU\S-1-5-21-4274134260-3623583512-2864591513-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4274134260-3623583512-2864591513-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://news.google.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {46868735-c3fa-47ce-8ce7-cce51a66aceb}:1.2
FF - prefs.js..extensions.enabledItems: LogMeInClient@logmein.com:1.0.0.608


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.69: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D69C9FCF-9CA3-487D-86A3-37CCBCC8CC78}: C:\Documents and Settings\rdiadmin\Local Settings\Application Data\{D69C9FCF-9CA3-487D-86A3-37CCBCC8CC78}\ [2011/09/11 11:29:43 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/14 20:29:40 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/15 19:29:06 | 000,000,000 | ---D | M]

[2008/09/09 00:01:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\rdiadmin\Application Data\Mozilla\Extensions
[2011/05/08 00:00:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\rdiadmin\Application Data\Mozilla\Firefox\Profiles\ihzdbp9d.default\extensions
[2010/12/18 12:51:06 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\rdiadmin\Application Data\Mozilla\Firefox\Profiles\ihzdbp9d.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/09/09 00:36:21 | 000,000,000 | ---D | M] (oldbar) -- C:\Documents and Settings\rdiadmin\Application Data\Mozilla\Firefox\Profiles\ihzdbp9d.default\extensions\{46868735-c3fa-47ce-8ce7-cce51a66aceb}
[2011/02/27 21:19:17 | 000,000,000 | ---D | M] (LogMeIn, Inc. Remote Access Plugin) -- C:\Documents and Settings\rdiadmin\Application Data\Mozilla\Firefox\Profiles\ihzdbp9d.default\extensions\LogMeInClient@logmein.com
[2009/11/11 22:40:25 | 000,002,164 | ---- | M] () -- C:\Documents and Settings\rdiadmin\Application Data\Mozilla\Firefox\Profiles\ihzdbp9d.default\searchplugins\bing.xml
[2011/05/08 00:00:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/11 11:29:43 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\RDIADMIN\LOCAL SETTINGS\APPLICATION DATA\{D69C9FCF-9CA3-487D-86A3-37CCBCC8CC78}
[2009/11/20 21:52:43 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/09/14 20:29:40 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/08 00:40:12 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/09/21 11:51:29 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [SpeechExec Startup] C:\Program Files\Common Files\Philips Speech Shared\Components\PSP.SpeechExec.StartupApp.exe (Philips Austria GmbH - Speech Processing)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\SYSTEM32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\SYSTEM32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-4274134260-3623583512-2864591513-1005..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10w_Plugin.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\c072916da.dat ()
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\dxdiag.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4274134260-3623583512-2864591513-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4274134260-3623583512-2864591513-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-4274134260-3623583512-2864591513-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-4274134260-3623583512-2864591513-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O15 - HKU\S-1-5-21-4274134260-3623583512-2864591513-1005\..Trusted Domains: aecium.com ([cffc.peak] https in Trusted sites)
O15 - HKU\S-1-5-21-4274134260-3623583512-2864591513-1005\..Trusted Domains: localhost ([]* in Local intranet)
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} http://www.trendsecure.com/framework/co ... mHcmsX.CAB (TmHcmsX Control)
O16 - DPF: {2A59CE46-2E9E-4B00-BC9B-A183638E8D4E} https://cffc.peak.aecium.com/Green/live ... werApp.CAB (CimDocImageViewerApp.CimDocImageViewer)
O16 - DPF: {300FE705-8D95-41F4-93C0-621F927379D0} https://cffc.peak.aecium.com/Green/live ... dPrint.CAB (FTPSecureAndPrint.clsFileSystemObject)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://v5.windowsupdate.microsoft.com/v ... 2434139265 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftup ... 2655706359 (MUWebControl Class)
O16 - DPF: {88DD90B6-C770-4CFF-B7A4-3AFD16BB8824} https://cffc.peak.aecium.com/aspnet_cli ... ontrol.cab (Crystal Reports Print Control 12.0)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {C8FE369D-3517-490E-8EB5-256CA6C73236} https://cffc.peak.aecium.com/Green/live ... corder.CAB (VoiceRecorder.Recorder)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/aut ... s-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E6C4B65B-FD06-46F8-A031-34237B31B299} https://cffc.peak.aecium.com/Green/live ... aching.CAB (ClinicianCaching.CIMCaching)
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} http://pccheckup.dellfix.com/rel/41/ins ... downde.cab (Dell PC Checkup Installer Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6A47E9CA-BAB3-4A84-B05E-B13B5B1F3A8A}: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy32: DllName - (dimsntfy32.dll) - C:\WINDOWS\System32\dimsntfy32.dll ()
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O20 - Winlogon\Notify\mdhcp32: DllName - (mdhcp32.dll) - C:\WINDOWS\System32\mdhcp32.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\rdiadmin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\rdiadmin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-4274134260-3623583512-2864591513-1005\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

File not found -- C:\WINDOWS\System32\
[2011/09/29 21:59:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/09/29 20:50:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\rdiadmin\My Documents\Fax
[2011/09/27 21:40:56 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/09/26 19:03:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\rdiadmin\Desktop\Logs
[2011/09/24 17:53:31 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2011/09/21 20:57:27 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/09/21 20:20:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\rdiadmin\Local Settings\Application Data\ApplicationHistory
[2011/09/21 11:30:58 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/09/21 10:40:35 | 000,000,000 | ---D | C] -- C:\3ac22b318350a892bf5c77
[2011/09/18 08:18:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2011/09/17 10:35:55 | 000,479,232 | ---- | C] (WatanabeBudweiser Talmud Castro MalaysiaBurchDanbury Wilhelmina EdnaSocrates) -- C:\WINDOWS\System32\ihzp.exe
[2011/09/16 21:00:33 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/09/14 20:38:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2011/09/14 19:26:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/09/11 11:29:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\rdiadmin\Local Settings\Application Data\{D69C9FCF-9CA3-487D-86A3-37CCBCC8CC78}
[2011/09/11 09:09:11 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/09/11 09:09:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/11 09:09:04 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/09/11 09:09:04 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/09/10 01:25:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/09/10 01:20:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/09/10 01:20:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/09/10 00:48:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/09/10 00:47:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/09/10 00:47:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/09/03 05:17:37 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
[2011/06/23 13:36:30 | 001,136,337 | -H-- | C] (Qjam evfg hlmfa p) -- C:\Documents and Settings\All Users\Application Data\asotocomfo.dat
[2009/12/02 14:10:00 | 000,495,616 | ---- | C] ( ) -- C:\WINDOWS\System32\TOCRRService.exe
[2009/12/02 14:10:00 | 000,086,016 | ---- | C] ( ) -- C:\WINDOWS\System32\TOCRRdll.dll
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

File not found -- C:\WINDOWS\System32\
[2011/10/01 16:11:33 | 076,004,920 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\ofmocotosa.dat
[2011/10/01 16:11:09 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/01 16:06:10 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/10/01 16:03:00 | 000,013,668 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2011/10/01 16:02:58 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/10/01 16:01:50 | 000,000,016 | ---- | M] () -- C:\WINDOWS\System32\crt.dat
[2011/10/01 16:01:50 | 000,000,000 | ---- | M] () -- C:\WINDOWS\837401196
[2011/10/01 16:01:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2011/10/01 16:01:47 | 2138,099,712 | -HS- | M] () -- C:\hiberfil.sys
[2011/09/30 21:48:54 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\rdiadmin\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003 (2).lnk
[2011/09/30 16:58:45 | 018,166,784 | ---- | M] () -- C:\Documents and Settings\rdiadmin\My Documents\Business Cards.cdb
[2011/09/29 22:15:04 | 000,002,557 | ---- | M] () -- C:\Documents and Settings\rdiadmin\Application Data\Microsoft\Internet Explorer\Quick Launch\Dragon Medical 10.1.lnk
[2011/09/29 21:59:51 | 2138,128,384 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2011/09/29 08:45:39 | 000,002,234 | ---- | M] () -- C:\Documents and Settings\rdiadmin\Application Data\SAS7_000.DAT
[2011/09/27 21:41:21 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/09/26 19:12:07 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\rdiadmin\Desktop\Microsoft Office Word 2003.lnk
[2011/09/26 19:03:25 | 000,296,374 | ---- | M] () -- C:\WINDOWS\System32\shimg.dll
[2011/09/25 14:47:48 | 000,002,539 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Dragon Medical 10.1.lnk
[2011/09/24 17:16:47 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\rdiadmin\Desktop\Microsoft Office Publisher 2003.lnk
[2011/09/23 21:51:31 | 004,238,357 | R--- | M] () -- C:\Documents and Settings\rdiadmin\Desktop\ComboFix.exe
[2011/09/21 20:51:09 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\{2521BB91-29B1-4d7e-9137-AC9875D77735}
[2011/09/21 20:47:45 | 000,049,152 | ---- | M] () -- C:\WINDOWS\System32\sname
[2011/09/21 20:46:53 | 000,013,248 | ---- | M] () -- C:\WINDOWS\System32\0.045629815589275036.exe
[2011/09/21 20:34:45 | 000,000,077 | ---- | M] () -- C:\WINDOWS\System32\dimsntfy.ocx
[2011/09/21 20:32:08 | 000,049,152 | ---- | M] () -- C:\WINDOWS\System32\mdhcp32.dll
[2011/09/21 20:31:55 | 000,135,680 | ---- | M] () -- C:\WINDOWS\System32\dimsntfy32.dll
[2011/09/21 20:31:29 | 000,013,248 | ---- | M] () -- C:\WINDOWS\System32\0.8686894774185765.exe
[2011/09/21 11:51:29 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts
[2011/09/21 11:31:10 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/09/17 10:37:43 | 000,000,992 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2011/09/17 10:36:00 | 000,479,232 | ---- | M] (WatanabeBudweiser Talmud Castro MalaysiaBurchDanbury Wilhelmina EdnaSocrates) -- C:\WINDOWS\System32\ihzp.exe
[2011/09/14 20:26:16 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/09/14 18:26:34 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/09/14 18:26:34 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/09/14 18:18:30 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Pvakucow.dat
[2011/09/14 18:18:30 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Plitevul.bin
[2011/09/11 09:09:12 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/07 08:01:35 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/09/07 07:37:35 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/09/03 05:17:37 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/23 21:51:28 | 004,238,357 | R--- | C] () -- C:\Documents and Settings\rdiadmin\Desktop\ComboFix.exe
[2011/09/21 20:51:09 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\{2521BB91-29B1-4d7e-9137-AC9875D77735}
[2011/09/21 20:49:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\837401196
[2011/09/21 20:47:45 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\sname
[2011/09/21 20:46:52 | 000,013,248 | ---- | C] () -- C:\WINDOWS\System32\0.045629815589275036.exe
[2011/09/21 20:34:45 | 000,000,077 | ---- | C] () -- C:\WINDOWS\System32\dimsntfy.ocx
[2011/09/21 20:32:12 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\crt.dat
[2011/09/21 20:32:11 | 000,296,374 | ---- | C] () -- C:\WINDOWS\System32\shimg.dll
[2011/09/21 20:32:08 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\mdhcp32.dll
[2011/09/21 20:31:55 | 000,135,680 | ---- | C] () -- C:\WINDOWS\System32\dimsntfy32.dll
[2011/09/21 20:31:29 | 000,013,248 | ---- | C] () -- C:\WINDOWS\System32\0.8686894774185765.exe
[2011/09/21 12:17:03 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/17 10:26:13 | 000,000,992 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2011/09/16 19:01:58 | 2138,099,712 | -HS- | C] () -- C:\hiberfil.sys
[2011/09/11 11:29:44 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Pvakucow.dat
[2011/09/11 11:29:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Plitevul.bin
[2011/09/11 09:09:12 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/23 13:36:30 | 076,004,920 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\ofmocotosa.dat
[2011/05/29 10:32:38 | 000,000,254 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2011/03/20 22:32:35 | 000,391,462 | ---- | C] () -- C:\Documents and Settings\rdiadmin\Application Data\fontlst2.opf
[2011/03/03 06:59:19 | 000,000,094 | ---- | C] () -- C:\WINDOWS\family.ini
[2010/08/01 09:49:54 | 000,041,684 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/05/16 21:08:53 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2010/04/07 21:16:34 | 000,000,067 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2009/12/02 14:10:00 | 003,253,758 | ---- | C] () -- C:\WINDOWS\System32\UsaIDs.bin
[2009/12/02 14:10:00 | 000,000,128 | ---- | C] () -- C:\WINDOWS\System32\TOCRR.ini
[2009/12/02 14:09:50 | 000,708,608 | ---- | C] () -- C:\WINDOWS\System32\OCR_PreProc.dll
[2009/12/02 14:09:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\STBXPCOM.exe
[2009/12/02 14:09:50 | 000,036,352 | ---- | C] () -- C:\WINDOWS\System32\SX32W.DLL
[2009/12/02 14:09:50 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\Parser.dll
[2009/12/02 14:09:08 | 001,798,144 | ---- | C] () -- C:\WINDOWS\System32\ltmm_n.dll
[2009/12/02 14:08:46 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\LMOggSpl.dll
[2009/12/02 14:08:44 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\LMOggMux.dll
[2009/12/02 14:08:44 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\LMJ2K.dll
[2009/12/02 14:08:38 | 001,273,856 | ---- | C] () -- C:\WINDOWS\System32\LEncVorbis.dll
[2009/12/02 14:08:38 | 000,299,008 | ---- | C] () -- C:\WINDOWS\System32\LDecVorbis.dll
[2009/12/02 14:08:38 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\LCODCJ2K.dll
[2009/12/02 14:08:28 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrtRTECG.dll
[2009/12/02 14:08:26 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\BarCode.dll
[2009/11/12 23:43:10 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2009/11/12 01:09:16 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2009/11/12 01:09:16 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2009/11/12 00:32:34 | 000,001,152 | ---- | C] () -- C:\WINDOWS\System32\windrv.sys
[2009/02/21 15:23:09 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\Inst2892.dll
[2009/01/15 22:15:39 | 000,000,600 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/10/16 07:47:22 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\rdiadmin\Local Settings\Application Data\fusioncache.dat
[2008/10/11 21:27:55 | 000,197,120 | ---- | C] () -- C:\Documents and Settings\rdiadmin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/10 20:34:22 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\rdiadmin\Local Settings\Application Data\FASTWiz.html
[2008/09/10 11:03:16 | 000,001,299 | ---- | C] () -- C:\WINDOWS\checkip.dat
[2008/09/10 08:44:16 | 000,002,234 | ---- | C] () -- C:\Documents and Settings\rdiadmin\Application Data\SAS7_000.DAT
[2008/09/10 08:07:48 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/09/09 00:01:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/09/08 23:44:20 | 000,001,100 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2007/11/16 11:37:14 | 000,002,560 | ---- | C] () -- C:\WINDOWS\_MSRSTRT.EXE
[2007/02/05 12:16:18 | 000,000,033 | ---- | C] () -- C:\WINDOWS\System32\speechexeclic.dat
[2007/02/05 12:14:38 | 000,000,226 | ---- | C] () -- C:\WINDOWS\System32\speechexeclic.ini
[2007/02/05 11:14:38 | 000,000,231 | ---- | C] () -- C:\WINDOWS\System32\SpeechExecSpcapi.ini
[2005/01/19 15:03:54 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\Pspwma.ini
[2004/12/16 16:26:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2004/12/15 14:43:15 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\CNMVS5c.DLL
[2004/12/06 15:43:35 | 000,000,012 | ---- | C] () -- C:\WINDOWS\cd_dent.ini
[2004/12/06 15:35:07 | 002,777,088 | ---- | C] () -- C:\WINDOWS\System32\qt222.dll
[2004/10/27 23:13:03 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/10/27 23:03:02 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2004/10/27 23:02:18 | 000,447,852 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2004/10/27 23:02:18 | 000,074,464 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2004/10/27 22:52:54 | 000,000,516 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/09/23 14:31:10 | 000,000,219 | ---- | C] () -- C:\WINDOWS\System32\Pspmp3.ini
[2004/08/11 17:25:56 | 000,000,791 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/08/11 17:20:10 | 000,244,720 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/11 17:14:38 | 000,004,318 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/11 17:12:16 | 000,023,428 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/04 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 05:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[2004/08/04 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[2004/07/19 16:01:02 | 000,045,056 | ---- | C] () -- C:\WINDOWS\SETPWRCG.EXE
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/05/03 09:03:58 | 000,000,219 | R--- | C] () -- C:\WINDOWS\System32\pspgru.ini
[2001/05/03 08:04:00 | 000,000,220 | ---- | C] () -- C:\WINDOWS\System32\smlpcbb.ini
[2001/05/03 08:03:58 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\smcelp32.ini
[2001/05/03 08:03:58 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\psptrusp.ini
[2000/11/10 14:57:04 | 000,005,025 | ---- | C] () -- C:\WINDOWS\System32\patterns.dat
[1999/11/05 09:42:36 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspusbct.ini
[1999/10/08 13:58:24 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspusblb.ini
[1998/12/11 11:55:00 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspsbext.ini
[1998/08/10 14:04:00 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspfidrv.ini
[1998/08/10 14:04:00 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspaudrv.ini
[1998/08/10 14:03:00 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspapdrv.ini
[1998/08/10 14:03:00 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\mcipspwa.ini
[1998/08/10 14:03:00 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\mcipspct.ini
[1998/08/10 14:02:00 | 000,000,221 | ---- | C] () -- C:\WINDOWS\System32\pspfbase.ini
[1998/08/10 14:02:00 | 000,000,220 | ---- | C] () -- C:\WINDOWS\System32\pspwave.ini
[1998/08/10 14:02:00 | 000,000,219 | ---- | C] () -- C:\WINDOWS\System32\PSPDSS.INI
[1998/08/10 14:02:00 | 000,000,219 | ---- | C] () -- C:\WINDOWS\System32\pspddi.ini
[1980/01/01 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 816 bytes -> C:\WINDOWS\837401196:2470778574.exe
@Alternate Data Stream - 224 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A24211BA
@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:63238B95
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

< End of report >


OTL Extras logfile created on: 10/1/2011 4:08:40 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\rdiadmin\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.33 Gb Available Physical Memory | 67.03% Memory free
3.84 Gb Paging File | 3.33 Gb Available in Paging File | 86.73% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.02 Gb Total Space | 93.20 Gb Free Space | 62.54% Space Free | Partition Type: NTFS

Computer Name: JAKE | User Name: Jake | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-4274134260-3623583512-2864591513-1005\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Disabled:Google Earth -- (Google)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)
"C:\Program Files\Corex\CardScan\cs.exe" = C:\Program Files\Corex\CardScan\cs.exe:*:Disabled:CardScan Program -- (CardScan, Inc.)
"C:\Documents and Settings\rdiadmin\My Documents\Downloads\tdsskiller.exe" = C:\Documents and Settings\rdiadmin\My Documents\Downloads\tdsskiller.exe:*:Enabled:TDSS rootkit removing tool -- (Kaspersky Lab ZAO)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1B260954-B5F8-435A-A628-0B0CA6BF1C2A}" = SpeechExec Pro Dictate
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = BACS
"{4A5A427F-BA39-4BF0-9A47-9999FBE60C9F}" = Visual C++ Runtime for Dragon NaturallySpeaking
"{5A0C892E-FD1C-4203-941E-0956AED20A6A}" = APC PowerChute Personal Edition
"{629B8602-DCDC-40F7-A5CE-E3A13E25691F}" = Melloware PlacesBar Editor
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{891280E0-7794-4FCA-8525-09BE96D264F1}" = Eclipsys PeakPractice Client Tools for 1095
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{8FFC924C-ED06-44CB-8867-3CA778ECE903}" = Adobe Help Center 2.0
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel(R) PROSet
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9F6CFB0-806D-11E0-8EA1-B8AC6F97B88E}" = Google Earth Plug-in
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.6
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1BD700E-92C1-4F3E-B934-0140440B336A}" = CardScan 7.0.5
"{E4C1DBF1-67D9-4973-9DEC-677E695E7CE0}" = AxCrypt 1.7.2126.0
"{E7712E53-7A7F-46EB-AA13-70D5987D30F2}" = Dragon NaturallySpeaking 10
"{EBB7C1C1-D439-4D9B-9FDC-954C10F266B0}" = Adobe Photoshop Elements 4.0
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F445476A-42DE-11D4-80D0-00C04F2750A6}" = Epocrates Essentials
"{F5372C96-5224-40E5-90A5-D1F6D88F21E6}" = DiMAGE Scan Elite5400 2 ver.1.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 4" = Adobe Photoshop Elements 4.0
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.7 (Unicode)
"B991B020-2968-11D8-AF23-444553540000_is1" = FreeMind
"Carbonite Backup" = Carbonite
"ie8" = Windows Internet Explorer 8
"InstallShield_{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = Broadcom Advanced Control Suite
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 6.0.2 (x86 en-US)" = Mozilla Firefox 6.0.2 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"ODIR_is1" = ODIR
"PROSet" = Intel(R) PRO Network Adapters and Drivers
"RealPlayer 6.0" = RealPlayer
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/21/2011 9:49:49 PM | Computer Name = JAKE | Source = Microsoft Security Client | ID = 5000
Description =

Error - 9/21/2011 9:51:24 PM | Computer Name = JAKE | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module mshtml.dll, version 8.0.6001.19120, fault address 0x00067b98.

Error - 9/24/2011 6:44:27 PM | Computer Name = JAKE | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application outlook.exe, version 11.0.8217.0, stamp 480f95d9,
faulting module outllib.dll, version 11.0.8217.0, stamp 480f94f8, debug? 0, fault
address 0x0025ec6e.

Error - 9/24/2011 6:44:37 PM | Computer Name = JAKE | Source = Microsoft Office 11 | ID = 2001
Description = Rejected Safe Mode action : Microsoft Office Outlook.

Error - 9/25/2011 11:21:08 AM | Computer Name = JAKE | Source = Application Hang | ID = 1002
Description = Hanging application natspeak.exe, version 10.10.0.272, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/25/2011 3:48:30 PM | Computer Name = JAKE | Source = Application Hang | ID = 1002
Description = Hanging application explorer.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/25/2011 6:58:17 PM | Computer Name = JAKE | Source = Application Hang | ID = 1002
Description = Hanging application natspeak.exe, version 10.10.0.272, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/25/2011 11:15:45 PM | Computer Name = JAKE | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module mshtml.dll, version 8.0.6001.19120, fault address 0x00067b98.

Error - 9/27/2011 10:33:47 PM | Computer Name = JAKE | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 9/27/2011 10:33:57 PM | Computer Name = JAKE | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.


< End of report >
drjbg
Regular Member
 
Posts: 48
Joined: September 16th, 2011, 7:57 pm
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 61 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware