Free Malware Removal Forum

[zoyano]

Anytime I use the search engines in Firefox next to the address bar, if I click on one of the results it will sometimes redirect me to a page other than what the link is. I have tried running malwarebytes and Spybot which removed some things and and avira a/v which found nothing but I still have the redirect problem in FF. This also occurs in IE for the search add-ins next to the address bar. I also tried removing the search plugins and reinstalling them, same issue exists. I also do not have the problem if I go straight to google.com to do the search. This is driving me nuts and I don't know what else to do. Thanks for any help you can provide!

Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:49:11 PM, on 6/12/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\WinSnap\WinSnap.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ProcessExplorer\procexp.exe
C:\Users\Zory\Desktop\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:53857
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [WinSnap] C:\Program Files\WinSnap\WinSnap.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: ProcessExplorer.lnk = C:\Program Files\ProcessExplorer\procexp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4921 bytes


Uninstall list:
3ivx MPEG-4 5.0.3 (remove only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Adobe Shockwave Player 11.5
Avira AntiVir Personal - Free Antivirus
BlackBerry Desktop Software 5.0.1
BlackBerry Desktop Software 5.0.1
BlackBerry Device Software v5.0.0 for the BlackBerry 9530 smartphone
Cisco Systems VPN Client 5.0.03.0530
Digsby
FlipShare
Google SketchUp 7
IrfanView (remove only)
Java(TM) 6 Update 18
K-Lite Codec Pack 5.7.0 (Full)
Logitech High Quality Video
Logitech Webcam Software Driver Package
Malwarebytes' Anti-Malware
Microsoft Choice Guard
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.3)
MSVCRT
Notebook Hardware Control 2.0 Pre-Release-06 Bugfix
OpenOffice.org 3.2
PDFCreator
Picasa 3
Realtek USB 2.0 Card Reader
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Simple Webcam Capture v1.2 (remove only)
Skype™ 4.1
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Uplink
WinAce Archiver
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
WinSnap

[MWR 3 day Mod]

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

[Odd dude]

Hello and welcome to the forums!

I'm Odd dude, pleased to meet you; if it helps, you can call me OD . I will be helping you to get rid of whatever you have on your computer (don't worry, just the malware stuff ). However, it is important to take note of the following:

• Logs from malware removal programs (Hijackthis is one of them) can take some time to analyze. I need you to be patient whilst I analyze any logs you post.
  
• Please carefully read any instruction that I give you.
  Reading too lightly will cause you to miss important steps, which could have destructive effects.
  
• If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  
• Please try to reply within three days - failure to do so might result in this thread being archived before we have finished cleaning you up.
  If you need more time than that, all you need to do is tell me.
  
• Do not do things I do not ask for, such as running a spyware scan. The one thing you should always do, though, is making sure that your antivirus definitions are up-to-date!
  
• If I tell you to download a tool which you already have, please re-download it and do not use the copy you already have. This is because the tools are updated regularly.
  
• All tools need to be started by right clicking and selecting Run as administrator!
  
• Lastly, I am no magican. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system. Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

GMER
Do not touch the computer while GMER is running! If you do, it'll go completely unresponsive and you'll have to shut it down using the power switch. Just don't touch the PC while GMER is working.
Please download gmer.zip by GMER and save it to your desktop.

• Right click the file you just downloaded and choose Extract all
• Click Next
• Click Browse
• Click the + next to My Computer
• Click Local Disk (C:)
• Click Make new folder
• Enter GMER
• Click OK, then Next
• Check Show extracted files and click Finish
• Right-click GMER.exe and choose run as administrator to run it.
• Select the Rootkit tab.
• On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
• Select all drives that are connected to your system to be scanned.
• Click on the Scan button.
• When the scan is finished, click Copy to save the scan log to the Windows clipboard.
• Open Notepad or a similar text editor.
• Paste the clipboard contents into the text editor.
• Save the GMER scan log and post it in your next reply.
• Close GMER.

RSIT
Please download random/random's system information tool (RSIT) and run it via right-click->run as administrator. At the disclaimer screen, choose a period of one month. Then click Continue. It will produce two logs:

• log.txt (will be maximized)
• info.txt (will be minimized)

Please post both in your next reply. If they won't fit into one post, divide them over multiple posts

[Odd dude]

Do you still need help?

[zoyano]

Yes, sorry, I am in the process of getting the info you requested now. Thanks!

[zoyano]

Below is my gmer log. When I try to run RSIT it gives me the error "Line 2563 Error: Variable used without being declared."

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-23 18:27:50
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\Zory\AppData\Local\Temp\uglyypow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A22AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A22104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A223F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A0B2D8
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A221DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A22958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A226F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A22F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A231A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A82599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AA6F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text peauth.sys 92E18C9D 28 Bytes [9E, 0C, 5E, A2, 04, 0A, FA, ...]
.text peauth.sys 92E18CC1 28 Bytes [9E, 0C, 5E, A2, 04, 0A, FA, ...]
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
.text autochk.exe 002E1204 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text autochk.exe 002E120C 1 Byte [00]
.text autochk.exe 002E1210 1 Byte [00]
.text autochk.exe 002E1214 2 Bytes [00, 00] {ADD [EAX], AL}
.text autochk.exe 002E1218 2 Bytes [00, 00] {ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[944] ntdll.dll!NtProtectVirtualMemory 77415360 5 Bytes JMP 002E000A
.text C:\Windows\system32\svchost.exe[944] ntdll.dll!NtWriteVirtualMemory 77415EE0 5 Bytes JMP 002F000A
.text C:\Windows\system32\svchost.exe[944] ntdll.dll!KiUserExceptionDispatcher 77416448 5 Bytes JMP 001C000A
.text C:\Windows\system32\svchost.exe[944] ole32.dll!CoCreateInstance 763E57FC 5 Bytes JMP 003B000A
.text C:\Windows\system32\svchost.exe[944] USER32.dll!GetCursorPos 75B7C198 5 Bytes JMP 00E7000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1648] ntdll.dll!NtProtectVirtualMemory 77415360 5 Bytes JMP 004B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1648] ntdll.dll!NtWriteVirtualMemory 77415EE0 5 Bytes JMP 004C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1648] ntdll.dll!KiUserExceptionDispatcher 77416448 5 Bytes JMP 0038000A
.text C:\Windows\Explorer.EXE[2332] ntdll.dll!NtProtectVirtualMemory 77415360 5 Bytes JMP 0061000A
.text C:\Windows\Explorer.EXE[2332] ntdll.dll!NtWriteVirtualMemory 77415EE0 5 Bytes JMP 0062000A
.text C:\Windows\Explorer.EXE[2332] ntdll.dll!KiUserExceptionDispatcher 77416448 5 Bytes JMP 002A000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\ACPI_HAL \Device\00000053 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 85215EC5

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

[Odd dude]

Hi

I have to double-check something with my colleagues - there is definitely an infection showing but it may need special handling in your case. Rest assured I will have instructions for you within 24 hours.

[Odd dude]

OK, this is what you should do:

TDSSKiller

• Please Download TDSSKiller.exe and save it on your desktop.
• Important!: Run this fix once and once only.
• Right click TDSSKiller.exe and choose run as administrator to run it.
• a log file should be created on your C: drive named something like TDSSKiller.2.3.2.0 19.06.2010
• To find the log click Start > Computer > C:.
• Please post the contents of that log in your next reply.

ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without expert guidance.

ComboFix uses brute tactics to rip malware off your system. Do not panic if your antivirus software warns you about the file.

Please disable all your antivirus software, firewalls, and antispyware software BEFORE running ComboFix!!
(If I should give more detailed instructions regarding how to do this, please inform me and do not proceed)

• Download ComboFix from here and save it to your desktop.
• Disable ALL antivirus/antimalware programs before proceeding!
• Now start ComboFix (right click->run as administrator!).
• The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it.
• If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
• Do not touch the computer AT ALL while ComboFix is running! (Unless ComboFix needs you to do something )
• When finished, the report will open. Reenable your protection software and post the log in your next reply.

If you cannot connect to the internet after running ComboFix, plug the cable/reciever/whatever you use to connect to the internet out and back in.


Post:
- TDSSkiller log
- Combofix log

[Odd dude]

It has been a day and a half since my last post to you. Is everything all right?

If you haven't posted a reply within 36 hours, I'm afraid this topic will be closed due to inactivity on your part.

[zoyano]

Sorry, the emails for an update to the site didn't come through to my phone, I will look at this now, thanks.

[zoyano]

12:22:37:907 3992 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
12:22:37:907 3992 ================================================================================
12:22:37:907 3992 SystemInfo:

12:22:37:907 3992 OS Version: 6.1.7600 ServicePack: 0.0
12:22:37:907 3992 Product type: Workstation
12:22:37:907 3992 ComputerName: ZKLAPTOP
12:22:37:922 3992 UserName: Zory
12:22:37:922 3992 Windows directory: C:\Windows
12:22:37:922 3992 Processor architecture: Intel x86
12:22:37:922 3992 Number of processors: 2
12:22:37:922 3992 Page size: 0x1000
12:22:37:922 3992 Boot type: Normal boot
12:22:37:922 3992 ================================================================================
12:22:40:391 3992 Initialize success
12:22:40:391 3992
12:22:40:391 3992 Scanning Services ...
12:22:42:235 3992 Raw services enum returned 456 services
12:22:42:250 3992
12:22:42:250 3992 Scanning Drivers ...
12:22:45:313 3992 1394ohci (6d2aca41739bfe8cb86ee8e85f29697d) C:\Windows\system32\DRIVERS\1394ohci.sys
12:22:45:485 3992 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
12:22:45:625 3992 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\Windows\system32\DRIVERS\acpipmi.sys
12:22:45:672 3992 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
12:22:45:719 3992 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
12:22:45:782 3992 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
12:22:45:829 3992 AFD (ddc040fdb01ef1712a6b13e52afb104c) C:\Windows\system32\drivers\afd.sys
12:22:46:063 3992 AgereSoftModem (7e10e3bb9b258ad8a9300f91214d67b9) C:\Windows\system32\DRIVERS\AGRSM.sys
12:22:46:141 3992 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\DRIVERS\agp440.sys
12:22:46:250 3992 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
12:22:46:282 3992 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\DRIVERS\aliide.sys
12:22:46:313 3992 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\DRIVERS\amdagp.sys
12:22:46:329 3992 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\DRIVERS\amdide.sys
12:22:46:360 3992 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
12:22:46:407 3992 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
12:22:46:469 3992 amdsata (2101a86c25c154f8314b24ef49d7fbc2) C:\Windows\system32\DRIVERS\amdsata.sys
12:22:46:516 3992 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
12:22:46:625 3992 amdxata (b81c2b5616f6420a9941ea093a92b150) C:\Windows\system32\DRIVERS\amdxata.sys
12:22:46:657 3992 AppID (feb834c02ce1e84b6a38f953ca067706) C:\Windows\system32\drivers\appid.sys
12:22:46:735 3992 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
12:22:46:797 3992 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
12:22:46:844 3992 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
12:22:46:938 3992 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys
12:22:47:032 3992 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
12:22:47:141 3992 avgntflt (a88d29d928ad2b830e87b53e3f9bc182) C:\Windows\system32\DRIVERS\avgntflt.sys
12:22:47:172 3992 avipbb (1289e9a5d9118a25a13c0009519088e3) C:\Windows\system32\DRIVERS\avipbb.sys
12:22:47:297 3992 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
12:22:47:375 3992 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
12:22:47:422 3992 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
12:22:47:594 3992 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
12:22:47:641 3992 bowser (fcafaef6798d7b51ff029f99a9898961) C:\Windows\system32\DRIVERS\bowser.sys
12:22:47:704 3992 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
12:22:47:735 3992 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
12:22:47:797 3992 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
12:22:47:844 3992 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
12:22:47:860 3992 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
12:22:47:875 3992 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
12:22:47:922 3992 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
12:22:48:110 3992 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
12:22:48:172 3992 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\Windows\system32\DRIVERS\cdrom.sys
12:22:48:235 3992 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
12:22:48:282 3992 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
12:22:48:422 3992 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
12:22:48:485 3992 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\DRIVERS\cmdide.sys
12:22:48:532 3992 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
12:22:48:579 3992 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
12:22:48:610 3992 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys
12:22:48:782 3992 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
12:22:48:860 3992 CSC (27c9490bdd0ae48911ab8cf1932591ed) C:\Windows\system32\drivers\csc.sys
12:22:48:985 3992 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\Windows\system32\DRIVERS\CVirtA.sys
12:22:49:032 3992 CVPNDRVA (57310c245810b26e378de9e6b22db598) C:\Windows\system32\Drivers\CVPNDRVA.sys
12:22:49:172 3992 DfsC (8e09e52ee2e3ceb199ef3dd99cf9e3fb) C:\Windows\system32\Drivers\dfsc.sys
12:22:49:204 3992 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
12:22:49:266 3992 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
12:22:49:329 3992 DNE (86d52c32a308f84bbc626bff7c1fb710) C:\Windows\system32\DRIVERS\dne2000.sys
12:22:49:360 3992 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
12:22:49:547 3992 DXGKrnl (8b6c3464d7fac176500061dbfff42ad4) C:\Windows\System32\drivers\dxgkrnl.sys
12:22:49:813 3992 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
12:22:50:047 3992 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
12:22:50:079 3992 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\DRIVERS\errdev.sys
12:22:50:125 3992 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
12:22:50:188 3992 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
12:22:50:219 3992 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
12:22:50:360 3992 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
12:22:50:391 3992 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
12:22:50:454 3992 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
12:22:50:547 3992 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
12:22:50:579 3992 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
12:22:50:719 3992 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
12:22:50:797 3992 fvevol (dafbd9fe39197495aed6d51f3b85b5d2) C:\Windows\system32\DRIVERS\fvevol.sys
12:22:50:875 3992 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
12:22:50:907 3992 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
12:22:50:954 3992 HdAudAddService (3530cad25deba7dc7de8bb51632cbc5f) C:\Windows\system32\drivers\HdAudio.sys
12:22:51:125 3992 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\DRIVERS\HDAudBus.sys
12:22:51:172 3992 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
12:22:51:204 3992 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
12:22:51:235 3992 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
12:22:51:250 3992 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\DRIVERS\hidusb.sys
12:22:51:313 3992 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\DRIVERS\HpSAMD.sys
12:22:51:454 3992 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys
12:22:51:563 3992 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys
12:22:51:594 3992 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
12:22:51:750 3992 iaStorV (934af4d7c5f457b9f0743f4299b77b67) C:\Windows\system32\DRIVERS\iaStorV.sys
12:22:51:782 3992 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
12:22:51:813 3992 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\DRIVERS\intelide.sys
12:22:51:860 3992 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
12:22:51:907 3992 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
12:22:51:985 3992 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\DRIVERS\IPMIDrv.sys
12:22:52:063 3992 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
12:22:52:204 3992 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
12:22:52:266 3992 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\DRIVERS\isapnp.sys
12:22:52:329 3992 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\DRIVERS\msiscsi.sys
12:22:52:407 3992 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
12:22:52:547 3992 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
12:22:52:625 3992 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\Windows\system32\drivers\klmd.sys
12:22:52:657 3992 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys
12:22:52:735 3992 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\Windows\system32\Drivers\ksecpkg.sys
12:22:52:813 3992 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
12:22:52:922 3992 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
12:22:52:985 3992 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
12:22:53:016 3992 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
12:22:53:063 3992 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
12:22:53:110 3992 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
12:22:53:188 3992 LVRS (37072ec9299e825f4335cc554b6fac6a) C:\Windows\system32\DRIVERS\lvrs.sys
12:22:53:594 3992 LVUVC (a240e42a7402e927a71b6e8aa4629b13) C:\Windows\system32\DRIVERS\lvuvc.sys
12:22:54:047 3992 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
12:22:54:094 3992 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
12:22:54:125 3992 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
12:22:54:157 3992 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
12:22:54:188 3992 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
12:22:54:250 3992 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
12:22:54:407 3992 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys
12:22:54:454 3992 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\DRIVERS\mpio.sys
12:22:54:500 3992 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
12:22:54:579 3992 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys
12:22:54:672 3992 mrxsmb (f1b6aa08497ea86ca6ef6f7a08b0bfb8) C:\Windows\system32\DRIVERS\mrxsmb.sys
12:22:54:797 3992 mrxsmb10 (5613358b4050f46f5a9832da8050d6e4) C:\Windows\system32\DRIVERS\mrxsmb10.sys
12:22:54:860 3992 mrxsmb20 (25c9792778d80feb4c8201e62281bfdf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
12:22:54:907 3992 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\Windows\system32\DRIVERS\msahci.sys
12:22:54:954 3992 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\DRIVERS\msdsm.sys
12:22:54:985 3992 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
12:22:55:000 3992 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
12:22:55:172 3992 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\DRIVERS\msisadrv.sys
12:22:55:204 3992 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
12:22:55:266 3992 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
12:22:55:329 3992 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
12:22:55:407 3992 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
12:22:55:516 3992 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys
12:22:55:547 3992 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
12:22:55:610 3992 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
12:22:55:641 3992 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
12:22:55:704 3992 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
12:22:55:782 3992 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\Windows\system32\drivers\ndis.sys
12:22:55:907 3992 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
12:22:55:985 3992 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
12:22:56:016 3992 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\Windows\system32\DRIVERS\ndisuio.sys
12:22:56:079 3992 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\Windows\system32\DRIVERS\ndiswan.sys
12:22:56:172 3992 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\Windows\system32\drivers\NDProxy.sys
12:22:56:313 3992 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
12:22:56:344 3992 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\Windows\system32\DRIVERS\netbt.sys
12:22:56:422 3992 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
12:22:56:469 3992 nhcDriverDevice (37260a293b6a89373ae76791e6cc5a12) C:\Windows\system32\drivers\nhcDriver.sys
12:22:56:516 3992 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
12:22:56:625 3992 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
12:22:56:750 3992 Ntfs (3795dcd21f740ee799fb7223234215af) C:\Windows\system32\drivers\Ntfs.sys
12:22:56:922 3992 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
12:22:57:000 3992 nvraid (3f3d04b1d08d43c16ea7963954ec768d) C:\Windows\system32\DRIVERS\nvraid.sys
12:22:57:047 3992 nvstor (c99f251a5de63c6f129cf71933aced0f) C:\Windows\system32\DRIVERS\nvstor.sys
12:22:57:094 3992 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\DRIVERS\nv_agp.sys
12:22:57:141 3992 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\DRIVERS\ohci1394.sys
12:22:57:188 3992 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
12:22:57:329 3992 partmgr (ff4218952b51de44fe910953a3e686b9) C:\Windows\system32\drivers\partmgr.sys
12:22:57:360 3992 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
12:22:57:407 3992 pci (c858cb77c577780ecc456a892e7e7d0f) C:\Windows\system32\DRIVERS\pci.sys
12:22:57:500 3992 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\DRIVERS\pciide.sys
12:22:57:563 3992 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
12:22:57:704 3992 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
12:22:57:766 3992 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
12:22:57:907 3992 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
12:22:58:047 3992 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
12:22:58:141 3992 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
12:22:58:235 3992 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
12:22:58:266 3992 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
12:22:58:532 3992 R300 (15b131177ec8a6dd6cbec2c124712ee4) C:\Windows\system32\DRIVERS\atikmdag.sys
12:22:58:704 3992 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
12:22:58:782 3992 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
12:22:58:860 3992 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
12:22:58:938 3992 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
12:22:59:110 3992 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
12:22:59:219 3992 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\Windows\system32\DRIVERS\rdbss.sys
12:22:59:266 3992 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
12:22:59:344 3992 RDPCDD (1e016846895b15a99f9a176a05029075) C:\Windows\system32\DRIVERS\RDPCDD.sys
12:22:59:500 3992 RDPDR (c5ff95883ffef704d50c40d21cfb3ab5) C:\Windows\system32\drivers\rdpdr.sys
12:22:59:547 3992 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
12:22:59:610 3992 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
12:22:59:672 3992 RDPWD (801371ba9782282892d00aadb08ee367) C:\Windows\system32\drivers\RDPWD.sys
12:22:59:766 3992 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\Windows\system32\drivers\rdyboost.sys
12:22:59:813 3992 RimUsb (f17713d108aca124a139fde877eef68a) C:\Windows\system32\Drivers\RimUsb.sys
12:22:59:938 3992 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys
12:22:59:985 3992 ROOTMODEM (564297827d213f52c7a3a2ff749568ca) C:\Windows\system32\Drivers\RootMdm.sys
12:23:00:047 3992 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
12:23:00:204 3992 rtl8185 (2479368dae88512c69664413102f8426) C:\Windows\system32\DRIVERS\rtl8185.sys
12:23:00:422 3992 RTL85n86 (17bb009e31a660b4ccfc061b02de2ef6) C:\Windows\system32\DRIVERS\RTL85n86.sys
12:23:00:625 3992 s3cap (5423d8437051e89dd34749f242c98648) C:\Windows\system32\DRIVERS\vms3cap.sys
12:23:00:672 3992 sbp2port (34ee0c44b724e3e4ce2eff29126de5b5) C:\Windows\system32\DRIVERS\sbp2port.sys
12:23:00:735 3992 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\Windows\system32\DRIVERS\scfilter.sys
12:23:00:797 3992 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
12:23:00:860 3992 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
12:23:00:907 3992 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
12:23:00:954 3992 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
12:23:01:125 3992 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\DRIVERS\sffdisk.sys
12:23:01:172 3992 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\DRIVERS\sffp_mmc.sys
12:23:01:204 3992 sffp_sd (a0708bbd07d245c06ff9de549ca47185) C:\Windows\system32\DRIVERS\sffp_sd.sys
12:23:01:266 3992 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
12:23:01:313 3992 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\DRIVERS\sisagp.sys
12:23:01:360 3992 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
12:23:01:407 3992 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
12:23:01:438 3992 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
12:23:01:563 3992 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
12:23:01:625 3992 srv (50a83ca406c808bd35ac9141a0c7618f) C:\Windows\system32\DRIVERS\srv.sys
12:23:01:672 3992 srv2 (dce7e10feaabd4cae95948b3de5340bb) C:\Windows\system32\DRIVERS\srv2.sys
12:23:01:719 3992 srvnet (bd1433a32792fd0dc450479094fc435a) C:\Windows\system32\DRIVERS\srvnet.sys
12:23:01:782 3992 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\Windows\system32\DRIVERS\ssmdrv.sys
12:23:01:891 3992 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
12:23:01:938 3992 storflt (957e346ca948668f2496a6ccf6ff82cc) C:\Windows\system32\DRIVERS\vmstorfl.sys
12:23:01:969 3992 storvsc (d5751969dc3e4b88bf482ac8ec9fe019) C:\Windows\system32\DRIVERS\storvsc.sys
12:23:02:000 3992 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\DRIVERS\swenum.sys
12:23:02:063 3992 SynTP (c265da984863e6806b060a433ef576a0) C:\Windows\system32\DRIVERS\SynTP.sys
12:23:02:157 3992 Tcpip (2cc3d75488abd3ec628bbb9a4fc84efc) C:\Windows\system32\drivers\tcpip.sys
12:23:02:360 3992 TCPIP6 (2cc3d75488abd3ec628bbb9a4fc84efc) C:\Windows\system32\DRIVERS\tcpip.sys
12:23:02:422 3992 tcpipreg (e64444523add154f86567c469bc0b17f) C:\Windows\system32\drivers\tcpipreg.sys
12:23:02:579 3992 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\Windows\system32\drivers\tdpipe.sys
12:23:02:766 3992 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\Windows\system32\drivers\tdtcp.sys
12:23:03:110 3992 tdx (cb39e896a2a83702d1737bfd402b3542) C:\Windows\system32\DRIVERS\tdx.sys
12:23:03:172 3992 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\Windows\system32\DRIVERS\termdd.sys
12:23:03:329 3992 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\Windows\system32\DRIVERS\tssecsrv.sys
12:23:03:391 3992 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\Windows\system32\DRIVERS\tunnel.sys
12:23:03:438 3992 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
12:23:03:469 3992 udfs (09cc3e16f8e5ee7168e01cf8fcbe061a) C:\Windows\system32\DRIVERS\udfs.sys
12:23:03:532 3992 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\DRIVERS\uliagpkx.sys
12:23:03:563 3992 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\Windows\system32\DRIVERS\umbus.sys
12:23:03:719 3992 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
12:23:03:782 3992 usbaudio (2436a42aab4ad48a9b714e5b0f344627) C:\Windows\system32\drivers\usbaudio.sys
12:23:03:860 3992 usbccgp (8455c4ed038efd09e99327f9d2d48ffa) C:\Windows\system32\DRIVERS\usbccgp.sys
12:23:03:891 3992 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\DRIVERS\usbcir.sys
12:23:03:938 3992 usbehci (1c333bfd60f2fed2c7ad5daf533cb742) C:\Windows\system32\DRIVERS\usbehci.sys
12:23:04:063 3992 usbhub (ee6ef93ccfa94fae8c6ab298273d8ae2) C:\Windows\system32\DRIVERS\usbhub.sys
12:23:04:157 3992 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\DRIVERS\usbohci.sys
12:23:04:204 3992 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
12:23:04:297 3992 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys
12:23:04:344 3992 USBSTOR (d8889d56e0d27e57ed4591837fe71d27) C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:23:04:438 3992 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\DRIVERS\usbuhci.sys
12:23:04:485 3992 usbvideo (f642a7e4bf78cfa359cca0a3557c28d7) C:\Windows\system32\Drivers\usbvideo.sys
12:23:04:532 3992 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\DRIVERS\vdrvroot.sys
12:23:04:563 3992 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
12:23:04:657 3992 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
12:23:04:766 3992 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\Windows\system32\DRIVERS\vhdmp.sys
12:23:04:860 3992 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\DRIVERS\viaagp.sys
12:23:04:875 3992 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
12:23:04:907 3992 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\DRIVERS\viaide.sys
12:23:04:969 3992 vmbus (379b349f65f453d2a6e75ea6b7448e49) C:\Windows\system32\DRIVERS\vmbus.sys
12:23:05:000 3992 VMBusHID (ec2bbab4b84d0738c6c83d2234dc36fe) C:\Windows\system32\DRIVERS\VMBusHID.sys
12:23:05:079 3992 volmgr (436e18ad20ad1cf1f9a52bc9c9dfa028) C:\Windows\system32\DRIVERS\volmgr.sys
12:23:05:079 3992 Suspicious file (Forged): C:\Windows\system32\DRIVERS\volmgr.sys. Real md5: 436e18ad20ad1cf1f9a52bc9c9dfa028, Fake md5: 384e5a2aa49934295171e499f86ba6f3
12:23:05:094 3992 File "C:\Windows\system32\DRIVERS\volmgr.sys" infected by TDSS rootkit ... 12:23:05:469 3992 Backup copy found, using it..
12:23:05:547 3992 will be cured on next reboot
12:23:05:704 3992 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
12:23:05:813 3992 volsnap (58df9d2481a56edde167e51b334d44fd) C:\Windows\system32\DRIVERS\volsnap.sys
12:23:05:860 3992 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
12:23:05:891 3992 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys
12:23:05:954 3992 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
12:23:06:000 3992 WANARP (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
12:23:06:047 3992 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
12:23:06:157 3992 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
12:23:06:219 3992 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
12:23:06:297 3992 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
12:23:06:329 3992 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
12:23:06:407 3992 WinUsb (30fc6e5448d0cbaaa95280eeef7fedae) C:\Windows\system32\DRIVERS\WinUsb.sys
12:23:06:579 3992 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\DRIVERS\wmiacpi.sys
12:23:06:610 3992 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
12:23:06:672 3992 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys
12:23:06:766 3992 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys
12:23:07:125 3992 yukonw7 (b07c5b7efdf936ff93d4f540938725be) C:\Windows\system32\DRIVERS\yk62x86.sys
12:23:07:141 3992 Reboot required for cure complete..
12:23:07:875 3992 Cure on reboot scheduled successfully
12:23:07:875 3992
12:23:07:875 3992 Completed
12:23:07:875 3992
12:23:07:875 3992 Results:
12:23:07:875 3992 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:23:07:875 3992 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:23:07:875 3992
12:23:07:891 3992 KLMD(ARK) unloaded successfully

[zoyano]

ComboFix 10-06-25.04 - Zory 06/26/2010 12:36:23.1.2 - x86
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.958.272 [GMT -4:00]
Running from: c:\users\Zory\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))
.

2010-06-26 16:42 . 2010-06-26 16:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-23 22:30 . 2010-06-23 22:32 -------- d-----w- c:\program files\trend micro
2010-06-23 22:30 . 2010-06-23 22:30 -------- d-----w- C:\rsit
2010-06-19 04:07 . 2010-06-03 14:05 343552 ----a-w- c:\users\Zory\AppData\Roaming\Mozilla\Firefox\Profiles\yfv92dud.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
2010-06-18 03:31 . 2010-06-18 03:31 120284 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-14 03:44 . 2010-06-14 03:44 26694 ----a-r- c:\users\Zory\AppData\Roaming\Microsoft\Installer\{ACB5E1FD-169B-42CA-9B63-F705BA60A622}\BlackBerry.exe
2010-06-12 14:04 . 2010-06-12 17:37 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-12 14:04 . 2010-06-12 14:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-12 02:41 . 2010-06-12 02:41 -------- d-----w- c:\users\Zory\AppData\Roaming\U3
2010-06-11 23:11 . 2010-06-18 04:50 -------- d-----w- c:\program files\Uplink
2010-06-11 23:11 . 1997-11-19 19:49 303616 ----a-w- c:\windows\IsUninst.exe
2010-06-11 04:17 . 2010-06-11 04:17 -------- d-----w- c:\users\Zory\AppData\Roaming\Malwarebytes
2010-06-11 04:17 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-11 04:17 . 2010-06-11 04:17 -------- d-----w- c:\programdata\Malwarebytes
2010-06-11 04:17 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-11 04:17 . 2010-06-11 04:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-10 02:04 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-10 02:04 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-10 02:04 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-10 02:04 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-10 02:04 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-07 05:16 . 2010-06-07 05:16 -------- d-----w- c:\program files\Flip Video
2010-05-30 06:05 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-26 16:25 . 2009-07-13 23:11 53312 ----a-w- c:\windows\system32\drivers\volmgr.sys
2010-06-26 14:55 . 2010-04-03 15:37 1 ----a-w- c:\users\Zory\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-26 14:53 . 2009-12-23 04:24 256 ----a-w- c:\windows\system32\pool.bin
2010-06-26 02:07 . 2009-12-17 01:22 -------- d-----w- c:\users\Zory\AppData\Roaming\Skype
2010-06-26 00:56 . 2010-02-01 00:47 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-06-18 01:12 . 2009-12-18 01:54 -------- d-----w- c:\program files\Digsby
2010-05-27 00:03 . 2010-05-27 00:03 -------- d-----w- c:\users\Zory\AppData\Roaming\Avira
2010-05-20 17:00 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-14 16:38 . 2010-05-14 16:38 4732800 ----a-w- c:\programdata\Flip Video\FlipShare\Updates\FirmwareExec_Windows_en-US_83.06_83.07\FlipVideoFWUpdate.exe
2010-05-12 15:21 . 2009-12-17 00:07 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-05 04:16 . 2010-05-05 04:16 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-04-30 12:36 . 2010-04-30 12:36 -------- d--h--w- c:\programdata\CanonBJ
2010-04-30 02:06 . 2010-04-30 02:06 -------- d-----w- c:\program files\Microsoft
2010-04-30 02:05 . 2010-04-30 02:04 -------- d-----w- c:\program files\Windows Live
2010-04-30 02:05 . 2010-04-30 02:05 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-04-30 02:02 . 2010-04-30 02:02 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-04-29 22:26 . 2010-04-29 22:26 -------- d-----w- c:\program files\Common Files\Windows Live
2010-04-29 22:26 . 2009-12-17 00:47 62952 ----a-w- c:\users\Zory\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-27 16:33 . 2010-04-27 16:33 50354 ----a-w- c:\users\Zory\AppData\Roaming\Facebook\uninstall.exe
2010-04-23 07:13 . 2010-05-25 18:06 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-03 15:27 . 2009-12-17 00:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSnap"="c:\program files\WinSnap\WinSnap.exe" [2007-01-30 143872]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-30 794713]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\users\Zory\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ProcessExplorer.lnk - c:\program files\ProcessExplorer\procexp.exe [2009-2-3 3550592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

R3 RTL85n86;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;c:\windows\system32\DRIVERS\RTL85n86.sys [2010-03-23 1812512]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:53857
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\users\Zory\AppData\Roaming\Mozilla\Firefox\Profiles\yfv92dud.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Zory\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\Zory\AppData\Roaming\Mozilla\Firefox\Profiles\yfv92dud.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
AddRemove-Simple Webcam Capture - c:\program files\Simple Webcam Capture\uninst.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-06-26 12:46:33
ComboFix-quarantined-files.txt 2010-06-26 16:46

Pre-Run: 73,338,425,344 bytes free
Post-Run: 73,649,684,480 bytes free

- - End Of File - - 04E36FE8690B494FB2CFC245B08E0E3B

[Odd dude]

Run CFScript
Open notepad and copy/paste the following to it:

Code: Select all

Killall::

Driver::
KLMDB

File::
C:\windows\system32\KLMDB.sys

Save this to your desktop as "CFScript.txt" - that means that in Notepad you give it the name CFScript (no quotation marks) - not CFScript.txt because that will create a file named CFScript.txt.txt.

Disconnect from the internet, disable your antimalware software like you did before, and then click Start>Run.
Enter this:

Code: Select all

cmd

and press Ctrl+Shift+Enter to run it as administrator. Then copy and paste this into the CMD prompt (you can paste through clicking the icon in the title-bar):

Code: Select all

CD %userprofile%\Desktop
ComboFix CFScript.txt

ComboFix will run again, please be patient and post the log like usual.
Also tell me how the computer is running.

[zoyano]

Here is the logfile text. It seems like I can search for stuff without it redirecting now. Thanks! How is this log looking?

ComboFix 10-06-25.04 - Zory 06/27/2010 23:07:01.2.2 - x86
Running from: c:\users\Zory\Desktop\ComboFix.exe
Command switches used :: cfscript.txt
.

((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.

2010-06-28 03:14 . 2010-06-28 03:14 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-28 03:14 . 2010-06-28 03:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-23 22:30 . 2010-06-23 22:32 -------- d-----w- c:\program files\trend micro
2010-06-23 22:30 . 2010-06-23 22:30 -------- d-----w- C:\rsit
2010-06-19 04:07 . 2010-06-03 14:05 343552 ----a-w- c:\users\Zory\AppData\Roaming\Mozilla\Firefox\Profiles\yfv92dud.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
2010-06-18 03:31 . 2010-06-18 03:31 120284 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-14 03:44 . 2010-06-14 03:44 26694 ----a-r- c:\users\Zory\AppData\Roaming\Microsoft\Installer\{ACB5E1FD-169B-42CA-9B63-F705BA60A622}\BlackBerry.exe
2010-06-12 14:04 . 2010-06-12 17:37 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-12 14:04 . 2010-06-12 14:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-12 02:41 . 2010-06-12 02:41 -------- d-----w- c:\users\Zory\AppData\Roaming\U3
2010-06-11 23:11 . 2010-06-18 04:50 -------- d-----w- c:\program files\Uplink
2010-06-11 23:11 . 1997-11-19 19:49 303616 ----a-w- c:\windows\IsUninst.exe
2010-06-11 04:17 . 2010-06-11 04:17 -------- d-----w- c:\users\Zory\AppData\Roaming\Malwarebytes
2010-06-11 04:17 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-11 04:17 . 2010-06-11 04:17 -------- d-----w- c:\programdata\Malwarebytes
2010-06-11 04:17 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-11 04:17 . 2010-06-11 04:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-10 02:04 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-10 02:04 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-10 02:04 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-10 02:04 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-10 02:04 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-07 05:16 . 2010-06-07 05:16 -------- d-----w- c:\program files\Flip Video
2010-05-30 06:05 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-26 16:25 . 2009-07-13 23:11 53312 ----a-w- c:\windows\system32\drivers\volmgr.sys
2010-06-26 14:55 . 2010-04-03 15:37 1 ----a-w- c:\users\Zory\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-26 14:53 . 2009-12-23 04:24 256 ----a-w- c:\windows\system32\pool.bin
2010-06-26 02:07 . 2009-12-17 01:22 -------- d-----w- c:\users\Zory\AppData\Roaming\Skype
2010-06-26 00:56 . 2010-02-01 00:47 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-06-18 01:12 . 2009-12-18 01:54 -------- d-----w- c:\program files\Digsby
2010-05-27 00:03 . 2010-05-27 00:03 -------- d-----w- c:\users\Zory\AppData\Roaming\Avira
2010-05-20 17:00 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-14 16:38 . 2010-05-14 16:38 4732800 ----a-w- c:\programdata\Flip Video\FlipShare\Updates\FirmwareExec_Windows_en-US_83.06_83.07\FlipVideoFWUpdate.exe
2010-05-12 15:21 . 2009-12-17 00:07 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-05 04:16 . 2010-05-05 04:16 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-04-30 12:36 . 2010-04-30 12:36 -------- d--h--w- c:\programdata\CanonBJ
2010-04-30 02:06 . 2010-04-30 02:06 -------- d-----w- c:\program files\Microsoft
2010-04-30 02:05 . 2010-04-30 02:04 -------- d-----w- c:\program files\Windows Live
2010-04-30 02:05 . 2010-04-30 02:05 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-04-30 02:02 . 2010-04-30 02:02 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-04-29 22:26 . 2010-04-29 22:26 -------- d-----w- c:\program files\Common Files\Windows Live
2010-04-29 22:26 . 2009-12-17 00:47 62952 ----a-w- c:\users\Zory\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-27 16:33 . 2010-04-27 16:33 50354 ----a-w- c:\users\Zory\AppData\Roaming\Facebook\uninstall.exe
2010-04-23 07:13 . 2010-05-25 18:06 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-03 15:27 . 2009-12-17 00:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-06-26_16.43.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-17 02:52 . 2010-06-28 03:01 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-17 02:52 . 2010-06-26 02:00 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:41 . 2010-06-26 02:00 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2010-06-28 03:01 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-18 23:49 . 2010-06-28 03:04 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-18 23:49 . 2010-06-26 16:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-18 23:49 . 2010-06-28 03:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2009-12-18 23:49 . 2010-06-26 16:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-12-18 23:49 . 2010-06-28 03:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-12-18 23:49 . 2010-06-26 16:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2009-12-17 00:11 . 2010-06-28 03:04 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-17 00:11 . 2010-06-26 16:28 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-13 23:26 . 2009-07-14 01:03 2560 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.1.7600.20694_none_0c765eae6cc69df0\AcRes.dll
+ 2009-07-13 23:26 . 2009-07-14 01:03 2560 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.1.7600.16576_none_0c04624f5396f8f2\AcRes.dll
+ 2010-02-24 03:40 . 2009-12-13 09:30 465408 c:\windows\winsxs\x86_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.1.7600.16590_none_dbc3c0bbb86fd17a\psisdecd.dll
+ 2009-07-13 23:26 . 2009-07-14 01:14 211968 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.1.7600.20694_none_0c7a5fd66cc3034c\AcXtrnal.dll
+ 2009-07-13 23:27 . 2009-07-14 01:14 559616 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.1.7600.20694_none_0c7a5fd66cc3034c\AcLayers.dll
+ 2009-07-13 23:26 . 2009-07-14 01:14 211968 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.1.7600.16576_none_0c08637753935e4e\AcXtrnal.dll
+ 2009-07-13 23:27 . 2009-07-14 01:14 559616 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.1.7600.16576_none_0c08637753935e4e\AcLayers.dll
- 2009-12-17 01:59 . 2010-06-26 14:02 201932 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-12-17 01:59 . 2010-06-28 03:01 201932 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
- 2009-07-14 02:05 . 2010-06-26 16:30 615360 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2010-06-28 03:04 615360 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2010-06-26 16:30 103702 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2010-06-28 03:04 103702 c:\windows\System32\perfc009.dat
- 2009-12-16 23:55 . 2010-06-26 15:31 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-12-16 23:55 . 2010-06-28 03:01 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 00:35 . 2009-06-10 21:14 1736536 c:\windows\winsxs\x86_presentationcore_31bf3856ad364e35_6.1.7600.20658_none_acb4799c0a4a7137\wpfgfx_v0300.dll
+ 2009-07-14 00:35 . 2009-06-10 21:14 1736536 c:\windows\winsxs\x86_presentationcore_31bf3856ad364e35_6.1.7600.16542_none_ac2fab00f12a1d72\wpfgfx_v0300.dll
+ 2009-07-14 02:03 . 2010-06-26 19:18 7077888 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:03 . 2010-06-26 16:39 7077888 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2009-12-17 02:52 . 2010-06-26 15:05 1818624 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-17 02:52 . 2010-06-28 03:01 1818624 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 07:14 . 2010-06-26 19:19 22284631 c:\windows\winsxs\ManifestCache\e4e8be02b8fae2a7_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSnap"="c:\program files\WinSnap\WinSnap.exe" [2007-01-30 143872]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-30 794713]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\users\Zory\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ProcessExplorer.lnk - c:\program files\ProcessExplorer\procexp.exe [2009-2-3 3550592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

R3 RTL85n86;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;c:\windows\system32\DRIVERS\RTL85n86.sys [2010-03-23 1812512]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:53857
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\users\Zory\AppData\Roaming\Mozilla\Firefox\Profiles\yfv92dud.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Zory\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\Zory\AppData\Roaming\Mozilla\Firefox\Profiles\yfv92dud.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-06-27 23:17:39
ComboFix-quarantined-files.txt 2010-06-28 03:17

Pre-Run: 73,645,264,896 bytes free
Post-Run: 73,601,712,128 bytes free

- - End Of File - - DBACF82C6292BB1BC7CBCDA541340F7C

[Odd dude]

OK, that did not work as expected. The infection that was causing your redirects is dead, but there is still one more thing that needs to be cleaned up.

Please copy and paste this to notepad:

Code: Select all

@echo off
mkdir\ODBox
for %%i in (stop delete) do sc %%i KLMDB >>\ODBox\log.txt 2>&1
attrib C:\windows\system32\KLMDB.sys >>\ODBox\log.txt 2>&1
attrib -a -h -s -r C:\windows\system32\KLMDB.sys >>\ODBox\log.txt 2>&1
move C:\windows\system32\KLMDB.sys \ODBox\ >>\ODBox\log.txt 2>&1

Save it to your desktop as "fix.cmd" (include the quotation marks when saving)

Reboot your computer to Safe Mode (reboot your computer, press F8 before the Windows-logo shows up, then choose safe mode). Log in as usual. Right-click fix.cmd and choose run as administrator. A CMD prompt will flash up briefly, after that you can reboot your computer (this time not into safe mode).

Then post the contents of C:\ODBox\log.txt
Also see if you can now run RSIT as I instructed you to a few posts above