Windows, Operating System, Security, Networking, Malware, Support, Forum, Help Site Check Our Facebook Page!
Notices
Malware and Virus Removal Problems removing malware/viruses? Get help from our Malware removal experts.


Register your FREE account to unlock additional features at WindowsBBS.com
   
 
 
LinkBack Thread Tools
Old 20th February 2011   #1
Senior Member
THREAD STARTER
Lifetime Subscription
 
wisserd's Avatar
 
Profile:
Join Date: Feb 2011
Location: South West Wisconsin USA
Posts: 52
Computer Experience:
intermediate
wisserd Reputation Level

My System

[Resolved] Desktop Hijacked, blue background stating system infected


HI all
It started when I reinstalled Java. I deleated old version of Java, turned off webroot and reinstalled java, turned webroot back on, a few minutes latter a window in the toolbar popped up and said to run your antivirus the file WRConsumerservice.exe is infected. Then the desktop background turned blue and at the top of the desktop it said your system is infected, then it went to a blue screen, I can't remember what it said on the blue screen, it filled the whole window. I hit the reset button and rebooted in safe mode. Ran webroot, it found fakealert.gen, rebooted and same desktop. Back to safe mode, ran IObit Security 360 it's log file :

IObit Security 360

OS:Windows XP
Version:1.6.0.2
Define Version:2413
Time Elapsed:01:11:52
Objects Scanned:85848
Threats Found:8

|Name|Type|Description|ID|
180 Solutions.nCase - Quarantined, File, C:\WINDOWS\SoftwareDistribution\Download\c268348752498f57ff1128ae6a23c4f1\w gatray.exe, 9-59256
Trojan.Agent - Quarantined, File, C:\Program Files\Common Files\Roxio Shared\Photo\PS4SendEmail.dll, 11-21084
Spyware.Password - Quarantined, File, D:\Program Files\Graphics\I_VIEW\Plugins\Formats.dll, 11-30358
Spyware.Password - Quarantined, File, D:\Program Files\Graphics\I_VIEW\Plugins\JPEG2000.dll, 11-32985
Spyware.Password - Quarantined, File, D:\Program Files\Graphics\I_VIEW\Plugins\Mng.dll, 11-30792
Trojan.Optix - Quarantined, File, D:\Program Files\Graphics\I_VIEW\Plugins\Ncc.dll, 11-22207
Spyware.Password - Quarantined, File, D:\Program Files\Graphics\I_VIEW\Plugins\Nero.dll, 11-29150
180 Solutions.nCase - Quarantined, File, I:\WINDOWS\SoftwareDistribution\Download\c268348752498f57ff1128ae6a23c4f1\w gatray.exe, 9-59256

Rebooted, same desktop blue background, I rebooted back to safe mode. Then I found your site. Ran Malwarebytes then it rebooted and desktop was back to normal, blue screen was gone. Followed the rest of your steps. Is it all gone and safe, or do I call the bank and credit cards and change password? Here are the 5 logs.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5815

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18702

2/19/2011 8:21:09 PM
mbam-log-2011-02-19 (20-21-09).txt

Scan type: Quick scan
Objects scanned: 150374
Time elapsed: 2 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jKiBgGn 01848 (Spyware.Zbot) -> Value: jKiBgGn01848 -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\jkibggn01848\jkibggn01848.exe (Spyware.Zbot) -> Quarantined and deleted successfully.



GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-19 20:46:23
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD800JB-00ETA0 rev.77.07W77
Running: 5grr9dnl.exe; Driver: C:\DOCUME~1\Wizard\LOCALS~1\Temp\fgtdypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwAdjustPrivilegesToken [0xF69806B0]
SSDT 82FAE2E8 ZwAllocateVirtualMemory
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwConnectPort [0xF6980BB0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateFile [0xF697F510]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateKey [0xF6980370]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreatePort [0xF6980F10]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xF6A546DC]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateProcessEx [0xF6981870]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateSection [0xF6981170]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateThread [0xF6981470]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDebugActiveProcess [0xF697FE80]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDeleteKey [0xF697E080]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDeleteValueKey [0xF697E1E0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDeviceIoControlFile [0xF697FF80]
SSDT spvp.sys ZwEnumerateKey [0xF84B3CA4]
SSDT spvp.sys ZwEnumerateValueKey [0xF84B4032]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenFile [0xF697F7A0]
SSDT spvp.sys ZwOpenKey [0xF84950C0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenProcess [0xF697E3A0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenSection [0xF697FA10]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenThread [0xF6980570]
SSDT spvp.sys ZwQueryKey [0xF84B410A]
SSDT spvp.sys ZwQueryValueKey [0xF84B3F8A]
SSDT 82FED250 ZwQueueApcThread
SSDT 82FE6020 ZwReadVirtualMemory
SSDT 82FD7190 ZwRenameKey
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwResumeThread [0xF697E610]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwSecureConnectPort [0xF6980D60]
SSDT 82FCB1A8 ZwSetContextThread
SSDT 82FE0E38 ZwSetInformationKey
SSDT 82FAC308 ZwSetInformationProcess
SSDT 82F43178 ZwSetInformationThread
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwSetValueKey [0xF697DEE0]
SSDT 82FC2940 ZwSuspendProcess
SSDT 82F44780 ZwSuspendThread
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwTerminateProcess [0xF697DDD0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwTerminateThread [0xF697E4F0]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xF6A53374]

INT 0x62 ? 82F6FBF8
INT 0x82 ? 82F6FBF8
INT 0x83 ? 82FDFBF8
INT 0xB4 ? 82A2CF00
INT 0xB4 ? 82A2CF00
INT 0xB4 ? 82A2CF00
INT 0xB4 ? 82A2CF00
INT 0xB4 ? 82A2CF00
INT 0xB4 ? 82A2CF00

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 90 804E26FC 4 Bytes CALL 69D121E3
.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [10, 0F, 98, F6, DC, 46, A5, ...]
.text ntoskrnl.exe!_abnormal_termination + 445 804E2AB1 3 Bytes [47, F4, 82]
? cskwcaum.sys The system cannot find the file specified. !
? spvp.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF7E0B360, 0x24BB1D, 0xE8000020]
.text USBPORT.SYS!DllUnload F7DC962C 5 Bytes JMP 82A2C4E0
.text ajntbvl8.SYS F6863386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ajntbvl8.SYS F68633AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ajntbvl8.SYS F68633C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ajntbvl8.SYS F68633C9 1 Byte [30]
.text ajntbvl8.SYS F68633C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text I:\downloads\5grr9dnl.exe[240] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text I:\downloads\5grr9dnl.exe[240] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text I:\downloads\5grr9dnl.exe[240] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text I:\downloads\5grr9dnl.exe[240] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text I:\downloads\5grr9dnl.exe[240] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C30001
.text I:\downloads\5grr9dnl.exe[240] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0D0F5A
.text I:\downloads\5grr9dnl.exe[240] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F0A0F5A
.text I:\downloads\5grr9dnl.exe[240] ADVAPI32.dll!CreateProcessAsUserW 77DF6285 6 Bytes JMP 5F100F5A
.text I:\downloads\5grr9dnl.exe[240] ADVAPI32.dll!CreateProcessWithLogonW 77E15CFD 3 Bytes [FF, 25, 1E]
.text I:\downloads\5grr9dnl.exe[240] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E15D01 2 Bytes [05, 5F]
.text I:\downloads\5grr9dnl.exe[240] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F190F5A
.text I:\downloads\5grr9dnl.exe[240] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 02450001
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1260] ADVAPI32.dll!CreateProcessAsUserW 77DF6285 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[1260] ADVAPI32.dll!CreateProcessWithLogonW 77E15CFD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1260] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E15D01 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1732] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1732] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\RUNDLL32.EXE[1732] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1732] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\RUNDLL32.EXE[1732] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00F60001
.text C:\WINDOWS\system32\RUNDLL32.EXE[1732] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[1732] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[1732] ADVAPI32.dll!CreateProcessAsUserW 77DF6285 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[1732] ADVAPI32.dll!CreateProcessWithLogonW 77E15CFD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1732] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E15D01 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1732] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[1732] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\rundll32.exe[1764] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1764] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\rundll32.exe[1764] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1764] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\rundll32.exe[1764] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00F00001
.text C:\WINDOWS\system32\rundll32.exe[1764] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\rundll32.exe[1764] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\rundll32.exe[1764] ADVAPI32.dll!CreateProcessAsUserW 77DF6285 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\rundll32.exe[1764] ADVAPI32.dll!CreateProcessWithLogonW 77E15CFD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1764] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E15D01 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\rundll32.exe[1764] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\rundll32.exe[1764] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[1768] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[1768] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[1768] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[1768] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[1768] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00E30001
.text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[1768] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[1768] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[1768] ADVAPI32.dll!CreateProcessAsUserW 77DF6285 6 Bytes JMP 5F100F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[1768] ADVAPI32.dll!CreateProcessWithLogonW 77E15CFD 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[1768] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E15D01 2 Bytes [05, 5F]
.text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[1768] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F190F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[1768] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe[1804] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe[1804] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe[1804] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe[1804] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe[1804] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00E20001
.text C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe[1804] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe[1804] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe[1804] ADVAPI32.dll!CreateProcessAsUserW 77DF6285 6 Bytes JMP 5F100F5A
.text C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe[1804] ADVAPI32.dll!CreateProcessWithLogonW 77E15CFD 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe[1804] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E15D01 2 Bytes [05, 5F]
.text C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe[1804] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F190F5A
.text C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe[1804] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Lexmark X74-X75\lxbbbmon.exe[1824] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lexmark X74-X75\lxbbbmon.exe[1824] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Lexmark X74-X75\lxbbbmon.exe[1824] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lexmark X74-X75\lxbbbmon.exe[1824] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Lexmark X74-X75\lxbbbmon.exe[1824] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00D00001
.text C:\Program Files\Lexmark X74-X75\lxbbbmon.exe[1824] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Lexmark X74-X75\lxbbbmon.exe[1824] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Lexmark X74-X75\lxbbbmon.exe[1824] ADVAPI32.dll!CreateProcessAsUserW 77DF6285 6 Bytes JMP 5F100F5A
.text C:\Program Files\Lexmark X74-X75\lxbbbmon.exe[1824] ADVAPI32.dll!CreateProcessWithLogonW 77E15CFD 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lexmark X74-X75\lxbbbmon.exe[1824] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E15D01 2 Bytes [05, 5F]
.text C:\Program Files\Lexmark X74-X75\lxbbbmon.exe[1824] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F190F5A
.text C:\Program Files\Lexmark X74-X75\lxbbbmon.exe[1824] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 010D0001
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] ADVAPI32.dll!CreateProcessAsUserW 77DF6285 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] ADVAPI32.dll!CreateProcessWithLogonW 77E15CFD 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E15D01 2 Bytes [05, 5F]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F190F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1912] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1912] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\ctfmon.exe[1912] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1912] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\ctfmon.exe[1912] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00D80001
.text C:\WINDOWS\system32\ctfmon.exe[1912] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1912] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1912] ADVAPI32.dll!CreateProcessAsUserW 77DF6285 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\ctfmon.exe[1912] ADVAPI32.dll!CreateProcessWithLogonW 77E15CFD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1912] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E15D01 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1912] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\ctfmon.exe[1912] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F1C0F5A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82FDF2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F84C6C4C] spvp.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F84C6CA0] spvp.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8496042] spvp.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F849613E] spvp.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F84960C0] spvp.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F8496800] spvp.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F84966D6] spvp.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82A2C5E0
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F84A5E9C] spvp.sys
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 82FDDF30
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 82FDDFA8
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 82FDDFA8
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 82FDDF30
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 82FDDF30
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 82FDDFA8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 82FDDFA8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 82FDDF30
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 82FDDFA8
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 82FDDF30
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 82FDDFA8
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!RtlInitUnicodeString] 00021083
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!swprintf] 01B05E00
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeSetEvent] 5DE58B5B
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 7E8366C3
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 0F740028
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 89320C8D
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!MmFreeMappingAddress] 0002288B
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 46B70F00
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 66D00328
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!MmUnmapIoSpace] 002A7E83
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 0C8D1574
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IofCompleteRequest] 248B8932
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 0F000002
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IofCallDriver] 832A46B7
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!MmAllocateMappingAddress] E08303C0
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 66D003FC
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoConnectInterrupt] 002C7E83
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoDetachDevice] 0C8D1E74
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeWaitForSingleObject] 208B8932
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeInitializeEvent] 8A000002
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 83880846
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!RtlInitAnsiString] 000001C0
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 2C4EB70F
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoQueueWorkItem] 8303C183
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!MmMapIoSpace] D103FCE1
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 2E7E8366
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoReportDetectedDevice] 8D1C7400
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoReportResourceForDetection] 83893204
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 00000218
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!NlsMbCodePageTag] 2E4EB70F
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!PoRequestPowerIrp] 021C8B89
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] B70F0000
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] E0C12E46
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!sprintf] 03D00304
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 0CB389F2
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!ObfDereferenceObject] 80000002
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 0975013E
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 1B42E853
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!ZwClose] C4830000
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] B05E5F04
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] E58B5B01
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] CCCCC35D
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!PoStartNextPowerIrp] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!PoCallDriver] 53EC8B55
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoCreateDevice] 08758B56
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 0214BE83
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 57000000
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!ZwOpenKey] 45C60674
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 1EEB010B
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoStartTimer] 020C868B
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeInitializeTimer] C0850000
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoInitializeTimer] 808A1074
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeInitializeDpc] 00000804
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeInitializeSpinLock] A03CF024
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoInitializeIrp] 0B45950F
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!ZwCreateKey] 45C604EB
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 458A000B
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 88C0840B
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!ZwSetValueKey] 840F0946
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeInsertQueueDpc] 000000C1
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 14B30E8B
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoStartPacket] 1C8286C6
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 88010000
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 001C859E
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoFreeMdl] A19E8800
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!MmUnlockPages] C600001C
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 001C8686
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 86C60100
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 00001CA2
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 70518B01
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeSynchronizeExecution] 8D52006A
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoStartNextPacket] 001C8886
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeBugCheckEx] 55E85000
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 8B000023
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeSetTimer] 70518B0E
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeCancelTimer] 8D52016A
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!_allmul] 001CA486
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!MmProbeAndLockPages] 41E85000
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!_except_handler3] 8B000023
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!PoSetPowerState] 18C4830E
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 1C8D9E88
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 9E880000
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!_aulldiv] 00001CA9
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!strstr] 0E798366
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!_strupr] 74AAB000
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeQuerySystemTime] 8186C636
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 1A00001C
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!KeTickCount] 1C8386C6
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] C6020000
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoDeleteDevice] 001C8E86
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 86C60200
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00001CAA
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoAllocateIrp] 959E8802
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoAllocateMdl] 8800001C
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 001CB19E
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!MmLockPagableDataSection] 96868800
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 8800001C
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 001CB286
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!ExFreePoolWithTag] C61AEB00
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoFreeIrp] 001C8186
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!IoFreeWorkItem] 86C61200
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!InitSafeBootMode] 00001C83
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!RtlCompareMemory] 8E868801
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 8800001C
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!memmove] 001CAA86
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[ntoskrnl.exe!MmHighestUserAddress] 80968B00
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[HAL.dll!KfAcquireSpinLock] 0C8D1C46
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[HAL.dll!READ_PORT_UCHAR] B08B8932
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[HAL.dll!KeGetCurrentIrql] 89000001
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[HAL.dll!KfRaiseIrql] 0001BC83
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[HAL.dll!KfLowerIrql] 24468B00
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[HAL.dll!HalGetInterruptVector] 89820C8D
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[HAL.dll!HalTranslateBusAddress] D18BF84D
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[HAL.dll!KeStallExecutionProcessor] 860F1639
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[HAL.dll!KfReleaseSpinLock] 000000BD
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0208B389
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 7400067E
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[HAL.dll!WRITE_PORT_UCHAR] 89D60320
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[WMILIB.SYS!WmiSystemControl] 8D168B00
IAT \SystemRoot\System32\Drivers\ajntbvl8.SYS[WMILIB.SYS!WmiCompleteRequest] F0003284

wisserd is offline  
Old 20th February 2011   #2
Senior Member
THREAD STARTER
Lifetime Subscription
 
wisserd's Avatar
 
Profile:
Join Date: Feb 2011
Location: South West Wisconsin USA
Posts: 52
Computer Experience:
intermediate
wisserd Reputation Level

My System

Desktop Hijacked, blue background stating system infected


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82B78500

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \FileSystem\Fastfat \FatCdrom 82FDB1F8
Device \FileSystem\Udfs \UdfsCdRom 82950500
Device \FileSystem\Udfs \UdfsCdRom BsUDF.SYS (UDF File System Driver (WindowsXP)/ahead software)
Device \FileSystem\Udfs \UdfsDisk 82950500
Device \FileSystem\Udfs \UdfsDisk BsUDF.SYS (UDF File System Driver (WindowsXP)/ahead software)
Device \Driver\Tcpip \Device\Ip 82AB5100
Device \Driver\Tcpip \Device\Ip 82D6DE90
Device \Driver\Tcpip \Device\Ip 82B97BB8
Device \Driver\Tcpip \Device\Ip 82C9C738

AttachedDevice \Driver\Tcpip \Device\Ip pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

Device \Driver\sptd \Device\3397252648 spvp.sys
Device \Driver\usbuhci \Device\USBPDO-0 82A2B500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 82FDD1F8
Device \Driver\dmio \Device\DmControl\DmConfig 82FDD1F8
Device \Driver\dmio \Device\DmControl\DmPnP 82FDD1F8
Device \Driver\dmio \Device\DmControl\DmInfo 82FDD1F8
Device \Driver\usbuhci \Device\USBPDO-1 82A2B500
Device \Driver\usbuhci \Device\USBPDO-2 82A2B500
Device \Driver\usbuhci \Device\USBPDO-3 82A2B500
Device \Driver\usbehci \Device\USBPDO-4 829561F8
Device \Driver\Tcpip \Device\Tcp 82AB5100
Device \Driver\Tcpip \Device\Tcp 82D6DE90
Device \Driver\Tcpip \Device\Tcp 82B97BB8
Device \Driver\Tcpip \Device\Tcp 82C9C738

AttachedDevice \Driver\Tcpip \Device\Tcp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 82F701F8
Device \Driver\PCI_PNP7648 \Device\00000058 spvp.sys
Device \Driver\Ftdisk \Device\HarddiskVolume2 82F701F8
Device \Driver\Cdrom \Device\CdRom0 82A31500
Device \Driver\atapi \Device\Ide\IdePort0 82F6F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 82F6F1F8
Device \Driver\atapi \Device\Ide\IdePort1 82F6F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 82F6F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 82F6F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 82F6F1F8
Device \Driver\Cdrom \Device\CdRom1 82A31500
Device \Driver\Ftdisk \Device\HarddiskVolume3 82F701F8
Device \Driver\Cdrom \Device\CdRom2 82A31500
Device \Driver\Ftdisk \Device\HarddiskVolume4 82F701F8
Device \Driver\Ftdisk \Device\HarddiskVolume5 82F701F8
Device \Driver\Ftdisk \Device\HarddiskVolume6 82F701F8
Device \Driver\Ftdisk \Device\HarddiskVolume7 82F701F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 82B95500
Device \Driver\NetBT \Device\NetbiosSmb 82B95500
Device \Driver\Tcpip \Device\Udp 82AB5100
Device \Driver\Tcpip \Device\Udp 82D6DE90
Device \Driver\Tcpip \Device\Udp 82B97BB8
Device \Driver\Tcpip \Device\Udp 82C9C738

AttachedDevice \Driver\Tcpip \Device\Udp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

Device \Driver\Tcpip \Device\RawIp 82AB5100
Device \Driver\Tcpip \Device\RawIp 82D6DE90
Device \Driver\Tcpip \Device\RawIp 82B97BB8
Device \Driver\Tcpip \Device\RawIp 82C9C738

AttachedDevice \Driver\Tcpip \Device\RawIp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 82A2B500
Device \Driver\usbuhci \Device\USBFDO-1 82A2B500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82A73500
Device \Driver\Tcpip \Device\IPMULTICAST 82AB5100
Device \Driver\Tcpip \Device\IPMULTICAST 82D6DE90
Device \Driver\Tcpip \Device\IPMULTICAST 82B97BB8
Device \Driver\Tcpip \Device\IPMULTICAST 82C9C738
Device \Driver\usbuhci \Device\USBFDO-2 82A2B500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82A73500
Device \Driver\usbuhci \Device\USBFDO-3 82A2B500
Device \Driver\usbehci \Device\USBFDO-4 829561F8
Device \Driver\Ftdisk \Device\FtControl 82F701F8
Device \Driver\viasraid \Device\Scsi\viasraid1 82FDC1F8
Device \Driver\ajntbvl8 \Device\Scsi\ajntbvl81Port3Path0Target0Lun0 82C621F8
Device \Driver\ajntbvl8 \Device\Scsi\ajntbvl81 82C621F8
Device \FileSystem\Fastfat \Fat 82FDB1F8

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \FileSystem\Cdfs \Cdfs 82A6B1F8
Device \FileSystem\Cdfs \Cdfs BsUDF.SYS (UDF File System Driver (WindowsXP)/ahead software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A 64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A 64CEC@p0 F:\DTL\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A 64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A 64CEC@hdf12 0x3D 0x9B 0xD5 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A 64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A 64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A 64CEC\00000001@hdf12 0x55 0x9E 0xA9 0xFD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A 64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A 64CEC\00000001\gdq0@hdf12 0xD2 0xDC 0x1A 0xBB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CE C (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CE C@p0 F:\DTL\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CE C@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CE C@hdf12 0x3D 0x9B 0xD5 0xA3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CE C\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CE C\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CE C\00000001@hdf12 0x55 0x9E 0xA9 0xFD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CE C\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CE C\00000001\gdq0@hdf12 0xD2 0xDC 0x1A 0xBB ...

---- EOF - GMER 1.0.15 ----


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x00000ffd

Kernel Drivers (total 138):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EC000 \WINDOWS\system32\hal.dll
0xF8AB6000 \WINDOWS\system32\KDCOM.DLL
0xF89C6000 \WINDOWS\system32\BOOTVID.dll
0xF85B6000 cskwcaum.sys
0xF8494000 spvp.sys
0xF8AB8000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xF847C000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF844E000 ACPI.sys
0xF843D000 pci.sys
0xF85C6000 isapnp.sys
0xF85D6000 sshrmd.sys
0xF85E6000 ssfs0bbc.sys
0xF840F000 ssidrv.sys
0xF83E2000 \WINDOWS\system32\DRIVERS\NDIS.SYS
0xF8836000 \WINDOWS\system32\DRIVERS\TDI.SYS
0xF8ABA000 viaide.sys
0xF883E000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF85F6000 MountMgr.sys
0xF83C3000 ftdisk.sys
0xF8ABC000 dmload.sys
0xF839D000 dmio.sys
0xF8846000 PartMgr.sys
0xF8606000 VolSnap.sys
0xF8385000 atapi.sys
0xF8372000 viasraid.sys
0xF8616000 disk.sys
0xF8626000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF8352000 fltmgr.sys
0xF8340000 sr.sys
0xF89CA000 bsstor.sys
0xF8636000 PxHelp20.sys
0xF831D000 Fastfat.sys
0xF8306000 KSecDD.sys
0xF884E000 viaagp1.sys
0xF82EB000 Mup.sys
0xF8A6A000 \SystemRoot\system32\DRIVERS\tunmp.sys
0xF8676000 \SystemRoot\System32\DRIVERS\amdk7.sys
0xF7E0B000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF7DF7000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF8686000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF8696000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF86A6000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF7DD4000 \SystemRoot\System32\DRIVERS\ks.sys
0xF8ABE000 \SystemRoot\System32\Drivers\incdrm.SYS
0xF886E000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF7DB1000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF8876000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF887E000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF7D93000 \SystemRoot\System32\DRIVERS\parport.sys
0xF86B6000 \SystemRoot\System32\DRIVERS\serial.sys
0xF8A76000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF86C6000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF8886000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF8A7A000 \SystemRoot\System32\DRIVERS\gameenum.sys
0xF7D05000 \SystemRoot\system32\drivers\smwdm.sys
0xF7CE1000 \SystemRoot\system32\drivers\portcls.sys
0xF86D6000 \SystemRoot\system32\drivers\drmk.sys
0xF8AC0000 \SystemRoot\system32\drivers\aeaudio.sys
0xF8A7E000 \SystemRoot\System32\DRIVERS\usbscan.sys
0xF8AC2000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF8BCB000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF86E6000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF8A82000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF7CCA000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF86F6000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF8706000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7C19000 \SystemRoot\System32\DRIVERS\psched.sys
0xF8716000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF888E000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF8896000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF8726000 \SystemRoot\system32\DRIVERS\bthmodem.sys
0xF7BE8000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xF8736000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF889E000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF8AC4000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF7B8C000 \SystemRoot\System32\DRIVERS\update.sys
0xF8A92000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF8746000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF8756000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF88A6000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xF6A50000 \SystemRoot\system32\drivers\iksysflt.sys
0xF8776000 \SystemRoot\system32\drivers\KCOM.SYS
0xF6A39000 \SystemRoot\system32\drivers\iksyssec.sys
0xF8786000 \SystemRoot\system32\drivers\ikfilesec.SYS
0xF8AC6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8C0B000 \SystemRoot\System32\Drivers\Null.SYS
0xF8AC8000 \SystemRoot\System32\Drivers\Beep.SYS
0xF8BC7000 \SystemRoot\System32\DRIVERS\AvgAsCln.sys
0xF88BE000 \SystemRoot\System32\drivers\vga.sys
0xF8ACA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8ACC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF88C6000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF88CE000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF82B7000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF6A06000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xF69AE000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF6971000 \SystemRoot\system32\drivers\pwipf6.sys
0xF6950000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF8796000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF6928000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF689B000 \SystemRoot\System32\Drivers\Ntfs.SYS
0xF6863000 \SystemRoot\System32\Drivers\ajntbvl8.SYS
0xF6841000 \SystemRoot\System32\drivers\afd.sys
0xF87A6000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF893E000 \??\D:\Program Files\scanners cleaners\suuperantispyware\SASDIFSV.SYS
0xF6776000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xF6707000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF87C6000 \SystemRoot\System32\Drivers\Fips.SYS
0xF87E6000 \SystemRoot\System32\Drivers\LHidUsb.Sys
0xF87F6000 \SystemRoot\System32\Drivers\HIDCLASS.SYS
0xF8946000 \SystemRoot\System32\Drivers\HIDPARSE.SYS
0xF894E000 \SystemRoot\system32\DRIVERS\LHidFlt2.Sys
0xF7BE0000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF8806000 \SystemRoot\system32\DRIVERS\LMouFlt2.Sys
0xF8816000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7BCC000 \SystemRoot\System32\drivers\Dxapi.sys
0xF8956000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF821F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xB9D32000 \SystemRoot\System32\Drivers\BsUDF.SYS
0xB9D21000 \SystemRoot\System32\Drivers\Udfs.SYS
0xF8AE2000 \SystemRoot\SYSTEM32\Drivers\wg3n.sys
0xB98BD000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF8AFE000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB9880000 \SystemRoot\system32\drivers\wdmaud.sys
0xB9A81000 \SystemRoot\system32\drivers\sysaudio.sys
0xB9430000 \??\C:\WINDOWS\system32\drivers\PfModNT.sys
0xB947A000 \SystemRoot\System32\DRIVERS\secdrv.sys
0xF898E000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
0xB90CF000 \SystemRoot\System32\Drivers\HTTP.sys
0xF8B22000 \SystemRoot\System32\Drivers\SmartDefragDriver.sys
0xB8E84000 \??\C:\DOCUME~1\Wizard\LOCALS~1\Temp\fgtdypow.sys
0xB8C9E000 \SystemRoot\system32\drivers\kmixer.sys
0xB974A000 \SystemRoot\system32\DRIVERS\fetnd5bv.sys
0x7C900000 \WINDOWS\System32\ntdll.dll

Processes (total 45):
0 System Idle Process
4 System
416 C:\WINDOWS\System32\SMSS.EXE
488 C:\WINDOWS\System32\CSRSS.EXE
516 C:\WINDOWS\System32\WINLOGON.EXE
560 C:\WINDOWS\System32\SERVICES.EXE
572 C:\WINDOWS\System32\LSASS.EXE
716 C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
828 C:\WINDOWS\System32\SVCHOST.EXE
896 C:\WINDOWS\System32\SVCHOST.EXE
928 C:\WINDOWS\System32\SVCHOST.EXE
984 C:\WINDOWS\System32\SVCHOST.EXE
1132 C:\WINDOWS\System32\SVCHOST.EXE
1212 C:\WINDOWS\System32\SVCHOST.EXE
1260 C:\WINDOWS\EXPLORER.EXE
1300 C:\WINDOWS\System32\LEXBCES.EXE
1348 C:\WINDOWS\System32\SPOOLSV.EXE
1376 C:\WINDOWS\System32\LEXPPS.EXE
1556 C:\WINDOWS\System32\SVCHOST.EXE
1732 C:\WINDOWS\System32\RUNDLL32.EXE
1764 C:\WINDOWS\System32\RUNDLL32.EXE
1768 C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
1804 C:\Program Files\Lexmark X74-X75\LXBBBMGR.EXE
1816 D:\Program Files\IObit\IObit Security 360\is360tray.exe
1824 C:\Program Files\Lexmark X74-X75\LXBBBMON.EXE
1844 C:\WINDOWS\System32\CTSVCCDA.EXE
1848 C:\Program Files\Common Files\Java\Java Update\JUSCHED.EXE
1908 D:\Program Files\IObit\IObit Security 360\is360srv.exe
1912 C:\WINDOWS\System32\CTFMON.EXE
1932 D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
180 D:\Program Files\Java\bin\jqs.exe
276 C:\WINDOWS\System32\NVSVC32.EXE
360 C:\WINDOWS\System32\TCPSVCS.EXE
352 C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
448 C:\WINDOWS\System32\SVCHOST.EXE
476 D:\PROGRA~1\VCOM\MXTASK.exe
952 C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
2572 C:\WINDOWS\System32\ALG.EXE
2596 D:\PROGRA~1\VCOM\MXTASK.exe
3500 C:\WINDOWS\System32\SVCHOST.EXE
1580 C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
2252 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
2712 D:\Program Files\Mozilla Firefox\firefox.exe
3176 D:\Program Files\IObit\IObit Security 360\is360.exe
3720 I:\downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000003`4bbf7000 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000007`b0e7de00 (NTFS)
\\.\F: --> \\.\PhysicalDrive0 at offset 0x0000000c`d1584800 (NTFS)
\\.\I: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)
\\.\J: --> \\.\PhysicalDrive1 at offset 0x00000002`ee1b7200 (FAT32)
\\.\K: --> \\.\PhysicalDrive1 at offset 0x00000006`ad8e3c00 (FAT32)

PhysicalDrive0 Model Number: WDCWD800JB-00ETA0, Rev: 77.07W77
PhysicalDrive1 Model Number: Maxtor4D040H2, Rev: DAH017K0

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
38 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
DDS (Ver_10-12-12.02) - FAT32x86
Run by Wizard at 20:57:37.40 on Sat 02/19/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512.68 [GMT -6:00]

AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Webroot Internet Security Essentials *Enabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *Enabled*
FW: Norton Internet Security *Enabled*

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
D:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
d:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
D:\Program Files\Java\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
D:\PROGRA~1\VCOM\MXTask.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
D:\PROGRA~1\VCOM\mxtask.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\IObit\IObit Security 360\is360.exe
C:\WINDOWS\explorer.exe
I:\downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL =
uDefault_Search_URL =
mWindow Title =
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\scanne~1\spybot~1\SDHelper.dll
BHO: Webroot Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Webroot Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [Advanced SystemCare 3] "d:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [smapp] "c:\program files\analog devices\soundmax\SMTray.exe"
mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe"
mRun: [IObit Security 360] "d:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
mRunServices: [LoadPowerProfile] "Rundll32.exe" powrprof.dll,LoadCurrentPwrScheme
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: EditLevel = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
IE:
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Search - ?p=ZUfox000
IE: Backward &Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Copy to &Lightning Note - d:\program files\corel\wordperfect lightning\programs\WPLightningCopyToNote.hta
IE: Si&milar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\scanne~1\spybot~1\SDHelper.dll
DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} - hxxp://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: HookRC Class: {a5780613-492e-4a2a-a7fd-549610edf6cc} - d:\program files\vcom\recovery commander\RCHOOK.DLL
SEH: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\scanners cleaners\suuperantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wizard\applic~1\mozilla\firefox\profiles\b31ksli6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Swagbucks.com
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&apn_uid=88113D2C-9C4D-413C-B749-49F7900488AA&apn_ptnrs=W5&apn_sauid=5A847347-1B88-4438-B050-4EF2671D8261&apn_dtid=YYYYYYYYUS&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrows errecordext.dll
FF - component: c:\documents and settings\wizard\application data\mozilla\firefox\profiles\b31ksli6.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\wizard\application data\mozilla\firefox\profiles\b31ksli6.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim. dll
FF - plugin: c:\documents and settings\wizard\application data\mozilla\firefox\profiles\b31ksli6.default\extensions\moveplayer@movene tworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: d:\program files\adobe\reader 10.0\reader\browser\nppdf32.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\java\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\program files\java\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: d:\program files\mozilla firefox\plugins\nppl3260.dll
FF - plugin: d:\program files\mozilla firefox\plugins\nprjplug.dll
FF - plugin: d:\program files\mozilla firefox\plugins\nprpjplug.dll
FF - plugin: d:\program files\netscape6\nppl3260.dll
FF - plugin: d:\program files\netscape6\nprjplug.dll
FF - plugin: d:\program files\netscape6\nprpjplug.dll
FF - plugin: d:\program files\opera\program\plugins\np32dsw.dll
FF - plugin: d:\program files\opera\program\plugins\npdrmv2.dll
FF - plugin: d:\program files\opera\program\plugins\npdsplay.dll
FF - plugin: d:\program files\opera\program\plugins\NPJPI141_07.dll
FF - plugin: d:\program files\opera\program\plugins\NPMetaStream3.dll
FF - plugin: d:\program files\opera\program\plugins\npqtplugin.dll
FF - plugin: d:\program files\opera\program\plugins\npqtplugin2.dll
FF - plugin: d:\program files\opera\program\plugins\npqtplugin3.dll
FF - plugin: d:\program files\opera\program\plugins\npqtplugin4.dll
FF - plugin: d:\program files\opera\program\plugins\npqtplugin5.dll
FF - plugin: d:\program files\opera\program\plugins\npqtplugin6.dll
FF - plugin: d:\program files\opera\program\plugins\npqtplugin7.dll
FF - plugin: d:\program files\opera\program\plugins\npwmsdrm.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\mozilla firefox 4.0 beta 4\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - Ext: FoxLingo: {ef62e1ce-d2a4-4cdd-b7ec-92b120366b66} - %profile%\extensions\{ef62e1ce-d2a4-4cdd-b7ec-92b120366b66}
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Halloween: {BB359C50-BFC9-4f40-8302-3FE5A499A859} - %profile%\extensions\{BB359C50-BFC9-4f40-8302-3FE5A499A859}
FF - Ext: Harley Davidson: {2c088200-b973-11db-8314-0800200c9a66} - %profile%\extensions\{2c088200-b973-11db-8314-0800200c9a66}
FF - Ext: PitchDark: {c1dffba0-628e-11d9-9669-0800200c9a66} - %profile%\extensions\{c1dffba0-628e-11d9-9669-0800200c9a66}
FF - Ext: Resurrect Pages: {0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3} - %profile%\extensions\{0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3}
FF - Ext: How-To Video Sidebar: howtovideosidebar@wonderhowto.com - %profile%\extensions\howtovideosidebar@wonderhowto.com
FF - Ext: Microsoft Choice Guard: ChoiceGuard@Microsoft - %profile%\extensions\ChoiceGuard@Microsoft
FF - Ext: Swag Bucks Community Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - %profile%\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}
FF - Ext: Red Cats (blue flavor): {ff356687-aa08-463d-a46c-11c451824939} - %profile%\extensions\{ff356687-aa08-463d-a46c-11c451824939}
FF - Ext: Scribblies Brite: {F587B2D4-7C09-4a23-AC4A-8D6E3CE8C7DA} - %profile%\extensions\{F587B2D4-7C09-4a23-AC4A-8D6E3CE8C7DA}
FF - Ext: Full Flat: {6E1A2A2E-AE2A-4A26-A812-46F54288379E} - %profile%\extensions\{6E1A2A2E-AE2A-4A26-A812-46F54288379E}
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: Webroot Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Java Quick Starter: jqs@sun.com - d:\program files\java\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

============= SERVICES / DRIVERS ===============

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2004-9-23 9344]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefrag Driver.sys [2011-2-18 14776]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-9-8 77312]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-12-22 10872]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-12-7 62280]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-12-7 79688]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2011-2-16 108880]
R1 SASDIFSV;SASDIFSV;d:\program files\scanners cleaners\suuperantispyware\SASDIFSV.SYS [2006-10-10 8944]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2004-9-23 449280]
R2 IS360service;IS360service;d:\program files\iobit\iobit security 360\is360srv.exe [2011-2-18 312152]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2011-2-16 1201640]
S0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-12-7 41288]
S1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver; [x]
S1 SASKUTIL;SASKUTIL;d:\progra~1\scanne~1\suuper~1\SASKUTIL.SYS [2007-2-27 55024]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 aawservice;Ad-Aware 2007 Service; [x]
S3 ASEService;Aluria Spyware Eliminator Service; [x]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2011-1-21 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2011-1-21 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys --> c:\windows\system32\drivers\motodrv.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys --> c:\windows\system32\drivers\motport.sys [?]
S3 SASENUM;SASENUM;d:\progra~1\scanne~1\suuper~1\SASENUM.SYS [2006-2-16 4096]
S3 SNDP202;Bushnell ImageView;c:\windows\system32\drivers\sndp202.sys [2010-12-11 243968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v040 0.exe [2010-3-18 753504]
S4 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard; [x]
S4 FileDeleter;ZeroSpyware FileDeleter; [x]
S4 sdAuxService;PC Tools Auxiliary Service; [x]
S4 sdCoreService;PC Tools Security Service; [x]

=============== Created Last 30 ================

2011-02-20 02:14:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-20 02:14:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-20 01:13:20 -------- d-sh--w- C:\FOUND.002
2011-02-19 06:24:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\jKiBgGn01848
2011-02-19 05:18:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-18 14:42:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\FreeApp
2011-02-18 14:40:42 28496 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-02-18 14:40:42 14776 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-02-18 06:34:49 -------- d-----w- c:\docume~1\wizard\applic~1\IObit
2011-02-18 05:58:36 -------- d-sh--w- C:\FOUND.001
2011-02-18 03:49:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit
2011-02-17 01:46:16 -------- d-----w- c:\docume~1\wizard\locals~1\applic~1\AskToolbar
2011-02-17 01:14:15 -------- d-----w- c:\program files\Ask.com
2011-02-17 01:13:52 108880 ----a-w- c:\windows\system32\drivers\pwipf6.sys
2011-02-17 01:13:39 1563008 ----a-w- c:\windows\WRSetup.dll
2011-02-17 01:13:39 -------- d-----w- c:\docume~1\wizard\applic~1\Webroot
2011-02-17 01:13:38 -------- d-----w- c:\program files\Webroot
2011-02-16 19:20:20 -------- d-----w- C:\Webroot
2011-02-15 22:12:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\33f20000-d8f8-4acd-3d22-5f9c81cea6b2
2011-02-15 21:53:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2011-02-15 21:37:52 1284836 ----a-w- c:\docume~1\alluse~1\applic~1\bdinstall.bin
2011-02-14 23:40:22 -------- d-sh--w- C:\FOUND.000
2011-02-09 03:22:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\FileCure
2011-02-03 22:34:09 -------- d-----w- c:\docume~1\wizard\applic~1\GetRightToGo
2011-01-30 15:45:12 135568 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-01-28 01:59:35 -------- d-----w- c:\docume~1\wizard\locals~1\applic~1\Temp
2011-01-26 05:09:10 17712 ----a-w- c:\windows\system32\nitrolocalui.dll
2011-01-26 05:09:09 26416 ----a-w- c:\windows\system32\nitrolocalmon.dll
2011-01-26 05:06:46 -------- d-----w- c:\docume~1\wizard\applic~1\Downloaded Installations
2011-01-26 03:58:56 98304 ----a-w- c:\windows\system32\redmonnt.dll
2011-01-22 04:37:01 7680 ----a-w- c:\windows\system32\drivers\motccgpfl.sys
2011-01-22 04:36:53 18176 ----a-w- c:\windows\system32\drivers\motccgp.sys

==================== Find3M ====================

2011-02-19 05:17:36 472808 ----a-w- c:\windows\system32\deployJava1.dll

============= FINISH: 21:00:47.93 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/8/2004 4:38:13 PM
System Uptime: 2/19/2011 8:27:56 PM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | A7V600-X
Processor: AMD Athlon(TM) MP 1600+ | SOCKET A | 1749/166mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 13 GiB total, 2.732 GiB free.
D: is FIXED (NTFS) - 18 GiB total, 7.292 GiB free.
E: is FIXED (NTFS) - 21 GiB total, 6.501 GiB free.
F: is FIXED (NTFS) - 23 GiB total, 2.906 GiB free.
G: is CDROM (CDFS)
H: is CDROM (CDFS)
I: is FIXED (FAT32) - 12 GiB total, 3.13 GiB free.
J: is FIXED (FAT32) - 15 GiB total, 14.659 GiB free.
K: is FIXED (FAT32) - 11 GiB total, 11.376 GiB free.
L: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP532: 2/18/2011 10:53:16 PM - Revo Uninstaller's restore point - J2SE Runtime Environment 5.0 Update 6
RP533: 2/18/2011 11:17:21 PM - Installed Java(TM) 6 Update 24

==== Installed Programs ======================


7-Zip 2.30 Beta 25
Abacast Client
AbsolutePoker NET
Adobe AIR
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader X (10.0.1)
Adobe SVG Viewer 3.0
Advanced SystemCare 3
AirBlast
Aluria LiteScanner
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Arcanum
ArcSoft Camera Studio
Ask Toolbar
ASUSUpdate
Baldur's Gate II - Shadows of Amn Collectors CD
Baldur's Gate(TM) II - Throne of Bhaal (TM)
BitLord 1.1
Bonjour
Bushnell ImageView
CCleaner
Clean Disk Security 7.81
Corel WordPerfect Suite 8
Creative MediaSource
Creative MuVo NX-TX
Creative System Information
CT Attrib Lite
Data Lifeguard Tools
Disk Space Fan 1.4.3.1
DivX
DivX Player
DriverAgent Plugin for Netscape by TouchStone Software
Evidence-Blaster 2009
Fallout 3
FaxTools
File Properties Changer
Free Natural Text to Speech Reader 2007
FreeApps
Game Booster
GameSpy Arcade
GemBox.Spreadsheet Free 2.7
GetDiz 3.0
Gimp 2.6.2 Debug
Hide IP Platinum 2.5
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
IIS 6.0 Resource Kit Tools
IIS6 Manager
InCD (Ahead Software)
InCD EasyWrite Reader (Ahead Software)
Intel RSX 3D
IObit Security 360
IrfanView (remove only)
iTunes
Java Auto Updater
Java(TM) 6 Update 24
Kaspersky Online Scanner
Lexmark X74-X75
Logitech Desktop Messenger
Logitech MouseWare 9.79
Logitech Resource Center
Malwarebytes' Anti-Malware
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Bootvis
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Access database engine 2007 (English)
Microsoft PowerPoint Viewer 97
Microsoft Silverlight
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.13)
Mozilla Firefox 4.0b6 (x86 en-US)
MSN Gaming Zone
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
MuVo Driver
Nero
Netscape Navigator (9.0.0.5)
NVIDIA Drivers
Opera 9.63
PhotoSuite 4 (Remove Only)
PowerDesk 5.0
QuickTime
RealPlayer
RealUpgrade 1.0
Recovery Commander
RegCure 1.2.0.4
Renamer (remove only)
Reverse Phone Search Tool
Revo Uninstaller 1.91
Rhapsody Player Engine
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Sky Fight
Smart Defrag 2
Spy Sweeper Core
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster 4.1
Star Wars«: Knights of the Old Republic (TM)
Super Magnify v1.3
SUPERAntiSpyware Free Edition
Swat It v2.1
System Requirements Lab
The Off By One Web Browser
Tom Clancy's Rainbow Six 3: Raven Shield
Total Commander (Remove or Repair)
Tracks Eraser Pro v5.7
TwistedBrush Free Edition
Unlocker 1.8.5
UOGateway
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Useful File Utilities (remove only)
VCOM SystemSuite 5
VIA Integrated Setup Wizard
WebFldrs XP
Webroot Internet Security Essentials
Winamp
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Media Format 11 runtime
WinRAR archiver
WordPerfect Lightning
WordPerfect Lightning - MSOM
ZeroSpyware Limited Edition

==== Event Viewer Messages From Past Week ========

2/19/2011 9:31:10 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
2/19/2011 9:31:10 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/19/2011 8:57:29 AM, error: Service Control Manager [7034] - The IMAPI CD-Burning COM Service service terminated unexpectedly. It has done this 1 time(s).
2/19/2011 8:57:28 AM, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).
2/19/2011 8:57:27 AM, error: Service Control Manager [7022] - The Webroot Spy Sweeper Engine service hung on starting.
2/19/2011 8:29:05 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AVG Anti-Spyware Driver IKFileSec SASKUTIL uagp35
2/19/2011 7:13:58 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 AVG Anti-Spyware Driver Fips IKFileSec SASDIFSV SASKUTIL
2/19/2011 12:41:48 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 AVG Anti-Spyware Driver Fips IKFileSec IPSec MRxSmb NetBIOS NetBT pwipf6 RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
2/19/2011 12:35:04 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
2/19/2011 12:34:56 AM, error: Service Control Manager [7034] - The SoundMAX Agent Service service terminated unexpectedly. It has done this 1 time(s).
2/19/2011 12:34:34 AM, error: Service Control Manager [7034] - The SystemSuite Task Manager service terminated unexpectedly. It has done this 1 time(s).
2/19/2011 12:34:34 AM, error: Service Control Manager [7034] - The Simple TCP/IP Services service terminated unexpectedly. It has done this 1 time(s).
2/19/2011 12:34:34 AM, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
2/19/2011 12:34:34 AM, error: Service Control Manager [7034] - The IS360service service terminated unexpectedly. It has done this 1 time(s).
2/19/2011 12:34:34 AM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
2/17/2011 11:59:59 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
2/16/2011 11:43:35 PM, error: ssidrv [26] - Failed to set monitor event rule.
2/15/2011 7:24:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 AVG Anti-Spyware Driver Fips IKFileSec IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
2/15/2011 7:24:48 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
2/15/2011 7:24:48 PM, error: Service Control Manager [7001] - The Simple TCP/IP Services service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
2/15/2011 7:24:48 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/15/2011 7:24:48 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/15/2011 7:24:48 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
2/15/2011 7:24:28 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2/15/2011 7:24:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/15/2011 7:24:08 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2/15/2011 5:57:42 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Type with the following error: Access is denied.
2/15/2011 5:57:42 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.
2/15/2011 5:24:42 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
2/15/2011 5:24:42 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AVG Anti-Spyware Driver IKFileSec SASKUTIL
2/15/2011 5:24:41 PM, error: Service Control Manager [7001] - The Network DDE service depends on the Network DDE DSDM service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
2/15/2011 5:24:41 PM, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
2/15/2011 4:03:55 PM, error: Print [23] - Printer Corel Barista failed to initialize because a suitable Corel Barista driver could not be found.

==== End Of File ===========================

wisserd is offline  
Old 20th February 2011   #3
Malware Analyst
 
broni's Avatar
 
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 20,099
Computer Experience:
intermediate
broni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Level

My System
Welcome aboard

Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===============================================================

You're running two AV programs and two firewalls, Norton and Webroot.
One of them has to go.
If Norton, make sure to use this tool to uninstall it: http://us.norton.com/support/kb/web_...080710133834EN

When done....

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

broni is offline  
Old 20th February 2011   #4
Senior Member
THREAD STARTER
Lifetime Subscription
 
wisserd's Avatar
 
Profile:
Join Date: Feb 2011
Location: South West Wisconsin USA
Posts: 52
Computer Experience:
intermediate
wisserd Reputation Level

My System
I don't remember putting norton on my system. How do I know what product to download? I found nortoninstall log and it says install version:5.5.0.61

wisserd is offline  
Old 20th February 2011   #5
Malware Analyst
 
broni's Avatar
 
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 20,099
Computer Experience:
intermediate
broni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Level

My System
All links lead to a very same Norton Removal Tool.
Whichever link you click, you'll be fine.

broni is offline  
Old 20th February 2011   #6
Senior Member
THREAD STARTER
Lifetime Subscription
 
wisserd's Avatar
 
Profile:
Join Date: Feb 2011
Location: South West Wisconsin USA
Posts: 52
Computer Experience:
intermediate
wisserd Reputation Level

My System
ComboFix 11-02-20.01 - Wizard 02/20/2011 13:30:17.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512.237 [GMT -6:00]
Running from: C:\Documents and Settings\Wizard\Desktop\ComboFix.exe
AV: Webroot Internet Security Essentials *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *Disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
.

wisserd is offline  
Old 20th February 2011   #7
Malware Analyst
 
broni's Avatar
 
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 20,099
Computer Experience:
intermediate
broni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Level

My System
This is only a header of Combofix log.
If this is what was produced, re-run it.

broni is offline  
Old 20th February 2011   #8
Senior Member
THREAD STARTER
Lifetime Subscription
 
wisserd's Avatar
 
Profile:
Join Date: Feb 2011
Location: South West Wisconsin USA
Posts: 52
Computer Experience:
intermediate
wisserd Reputation Level

My System
ComboFix 11-02-20.01 - Wizard 02/20/2011 14:21:09.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512.221 [GMT -6:00]
Running from: C:\Documents and Settings\Wizard\Desktop\ComboFix.exe
AV: Webroot Internet Security Essentials *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *Enabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\_005425_.tmp.dll
C:\WINDOWS\system32\_005426_.tmp.dll
C:\WINDOWS\system32\_005427_.tmp.dll
C:\WINDOWS\system32\_005428_.tmp.dll
C:\WINDOWS\system32\_005435_.tmp.dll
C:\WINDOWS\system32\_005436_.tmp.dll
C:\WINDOWS\system32\_005437_.tmp.dll
C:\WINDOWS\system32\_005439_.tmp.dll
C:\WINDOWS\system32\_005440_.tmp.dll
C:\WINDOWS\system32\_005441_.tmp.dll
C:\WINDOWS\system32\_005443_.tmp.dll
C:\WINDOWS\system32\_005444_.tmp.dll
C:\WINDOWS\system32\_005446_.tmp.dll
C:\WINDOWS\system32\_005447_.tmp.dll
C:\WINDOWS\system32\_005448_.tmp.dll
C:\WINDOWS\system32\_005450_.tmp.dll
C:\WINDOWS\system32\_005453_.tmp.dll
C:\WINDOWS\system32\_005454_.tmp.dll
C:\WINDOWS\system32\_005458_.tmp.dll
C:\WINDOWS\system32\_005459_.tmp.dll
C:\WINDOWS\system32\_005461_.tmp.dll
C:\WINDOWS\system32\_005464_.tmp.dll
C:\WINDOWS\system32\_005466_.tmp.dll
C:\WINDOWS\system32\_005467_.tmp.dll
C:\WINDOWS\system32\_005468_.tmp.dll
C:\WINDOWS\system32\_005469_.tmp.dll
C:\WINDOWS\system32\_005472_.tmp.dll
C:\WINDOWS\system32\_005473_.tmp.dll
C:\WINDOWS\system32\_005474_.tmp.dll
C:\WINDOWS\system32\_005475_.tmp.dll
C:\WINDOWS\system32\_005476_.tmp.dll
C:\WINDOWS\system32\_005481_.tmp.dll
C:\WINDOWS\system32\_005483_.tmp.dll
C:\WINDOWS\system32\_005484_.tmp.dll
C:\WINDOWS\system32\_007780_.tmp.dll
C:\WINDOWS\system32\_007781_.tmp.dll
C:\WINDOWS\system32\_007782_.tmp.dll
C:\WINDOWS\system32\_007783_.tmp.dll
C:\WINDOWS\system32\_007790_.tmp.dll
C:\WINDOWS\system32\_007791_.tmp.dll
C:\WINDOWS\system32\_007792_.tmp.dll
C:\WINDOWS\system32\_007793_.tmp.dll
C:\WINDOWS\system32\_007795_.tmp.dll
C:\WINDOWS\system32\_007796_.tmp.dll
C:\WINDOWS\system32\_007797_.tmp.dll
C:\WINDOWS\system32\_007799_.tmp.dll
C:\WINDOWS\system32\_007800_.tmp.dll
C:\WINDOWS\system32\_007802_.tmp.dll
C:\WINDOWS\system32\_007803_.tmp.dll
C:\WINDOWS\system32\_007804_.tmp.dll
C:\WINDOWS\system32\_007806_.tmp.dll
C:\WINDOWS\system32\_007809_.tmp.dll
C:\WINDOWS\system32\_007810_.tmp.dll
C:\WINDOWS\system32\_007814_.tmp.dll
C:\WINDOWS\system32\_007815_.tmp.dll
C:\WINDOWS\system32\_007817_.tmp.dll
C:\WINDOWS\system32\_007820_.tmp.dll
C:\WINDOWS\system32\_007822_.tmp.dll
C:\WINDOWS\system32\_007823_.tmp.dll
C:\WINDOWS\system32\_007824_.tmp.dll
C:\WINDOWS\system32\_007825_.tmp.dll
C:\WINDOWS\system32\_007826_.tmp.dll
C:\WINDOWS\system32\_007829_.tmp.dll
C:\WINDOWS\system32\_007830_.tmp.dll
C:\WINDOWS\system32\_007831_.tmp.dll
C:\WINDOWS\system32\_007832_.tmp.dll
C:\WINDOWS\system32\_007833_.tmp.dll
C:\WINDOWS\system32\_007838_.tmp.dll
C:\WINDOWS\system32\_007840_.tmp.dll
C:\WINDOWS\system32\_007841_.tmp.dll
C:\WINDOWS\system32\UNWISE.EXE

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2011-01-20 to 2011-02-20 )))))))))))))))))))))))))))))))
.

2011-02-20 02:14:58 . 2010-12-21 00:09:00 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011-02-20 02:14:54 . 2010-12-21 00:08:40 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2011-02-20 01:13:20 . 2011-02-20 01:13:20 -------- d-----w- C:\FOUND.002
2011-02-19 17:40:55 . 2011-02-19 17:40:56 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\IObit
2011-02-19 06:43:20 . 2011-02-19 06:43:22 -------- d-sh--w- C:\Documents and Settings\Administrator\PrivacIE
2011-02-19 06:41:13 . 2011-02-19 06:41:14 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\Webroot
2011-02-19 06:24:11 . 2011-02-19 06:24:12 -------- d-----w- C:\Documents and Settings\All Users\Application Data\jKiBgGn01848
2011-02-19 05:18:18 . 2011-02-19 05:17:42 73728 ----a-w- C:\WINDOWS\system32\javacpl.cpl
2011-02-18 14:42:44 . 2011-02-18 14:42:46 -------- d-----w- C:\Documents and Settings\All Users\Application Data\FreeApp
2011-02-18 14:40:42 . 2010-12-13 23:03:50 28496 ----a-w- C:\WINDOWS\system32\SmartDefragBootTime.exe
2011-02-18 14:40:42 . 2010-11-27 00:02:54 14776 ----a-w- C:\WINDOWS\system32\drivers\SmartDefragDriver.sys
2011-02-18 06:34:49 . 2011-02-18 06:34:50 -------- d-----w- C:\Documents and Settings\Wizard\Application Data\IObit
2011-02-18 05:58:36 . 2011-02-18 05:58:36 -------- d-----w- C:\FOUND.001
2011-02-18 03:49:09 . 2011-02-18 03:49:10 -------- d-----w- C:\Documents and Settings\All Users\Application Data\IObit
2011-02-17 01:46:16 . 2011-02-17 01:46:18 -------- d-----w- C:\Documents and Settings\Wizard\Local Settings\Application Data\AskToolbar
2011-02-17 01:14:15 . 2011-02-17 01:14:16 -------- d-----w- C:\Program Files\Ask.com
2011-02-17 01:13:52 . 2011-02-17 01:12:28 108880 ----a-w- C:\WINDOWS\system32\drivers\pwipf6.sys
2011-02-17 01:13:39 . 2011-02-17 01:13:40 -------- d-----w- C:\Documents and Settings\Wizard\Application Data\Webroot
2011-02-17 01:13:39 . 2009-11-06 21:19:42 1563008 ----a-w- C:\WINDOWS\WRSetup.dll
2011-02-17 01:13:38 . 2011-02-17 01:13:40 -------- d-----w- C:\Program Files\Webroot
2011-02-16 22:54:19 . 2011-02-16 22:54:20 -------- d-----w- C:\Program Files\Microsoft Silverlight
2011-02-16 19:20:20 . 2011-02-16 19:20:22 -------- d-----w- C:\Webroot
2011-02-16 01:24:12 . 2011-02-16 01:24:12 -------- d-sh--w- C:\Documents and Settings\Administrator\IETldCache
2011-02-15 22:12:32 . 2011-02-15 22:12:34 -------- d-----w- C:\Documents and Settings\All Users\Application Data\33f20000-d8f8-4acd-3d22-5f9c81cea6b2
2011-02-15 21:53:45 . 2011-02-15 21:53:46 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Webroot
2011-02-15 21:49:55 . 2011-02-17 00:52:06 5555080 ----a-w- C:\Documents and Settings\Administrator\Application Data\wruninstall.exe
2011-02-15 21:37:52 . 2011-02-16 04:08:46 1284836 ----a-w- C:\Documents and Settings\All Users\Application Data\bdinstall.bin
2011-02-14 23:40:22 . 2011-02-14 23:40:22 -------- d-----w- C:\FOUND.000
2011-02-09 03:22:43 . 2011-02-09 03:22:44 -------- d-----w- C:\Documents and Settings\All Users\Application Data\FileCure
2011-02-03 22:34:09 . 2011-02-03 22:34:10 -------- d-----w- C:\Documents and Settings\Wizard\Application Data\GetRightToGo
2011-01-30 15:45:12 . 2011-01-30 15:45:12 135568 ----a-w- C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
2011-01-28 01:59:35 . 2011-01-28 01:59:36 -------- d-----w- C:\Documents and Settings\Wizard\Local Settings\Application Data\Temp
2011-01-26 05:09:31 . 2011-01-26 05:09:32 -------- d-----w- C:\Documents and Settings\Wizard\Application Data\Nitro PDF
2011-01-26 05:09:10 . 2011-01-14 19:35:18 17712 ----a-w- C:\WINDOWS\system32\nitrolocalui.dll
2011-01-26 05:09:09 . 2011-01-14 19:35:16 26416 ----a-w- C:\WINDOWS\system32\nitrolocalmon.dll
2011-01-26 05:08:45 . 2011-01-26 05:08:46 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Nitro PDF
2011-01-26 05:06:46 . 2011-01-26 05:06:48 -------- d-----w- C:\Documents and Settings\Wizard\Application Data\Downloaded Installations
2011-01-26 03:58:56 . 2007-08-21 19:32:44 98304 ----a-w- C:\WINDOWS\system32\redmonnt.dll
2011-01-22 16:41:00 . 2011-01-22 16:41:02 -------- d-----w- C:\Program Files\Common Files\Adobe AIR
2011-01-22 04:37:01 . 2007-01-24 01:03:44 7680 ----a-w- C:\WINDOWS\system32\drivers\motccgpfl.sys
2011-01-22 04:36:53 . 2007-11-02 20:36:10 18176 ----a-w- C:\WINDOWS\system32\drivers\motccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-19 05:17:36 . 2010-07-11 05:43:29 472808 ----a-w- C:\WINDOWS\system32\deployJava1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "C:\Program Files\Ask.com\GenericAskToolbar.dll" [2010-09-29 04:44:28 1400712]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-29 04:44:28 1400712 ----a-w- C:\Program Files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "C:\Program Files\Ask.com\GenericAskToolbar.dll" [2010-09-29 04:44:28 1400712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "C:\Program Files\Ask.com\GenericAskToolbar.dll" [2010-09-29 04:44:28 1400712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-11-06 21:14:10 238968 ----a-w- C:\Program Files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 18:22:00 7700480]
"nwiz"="nwiz.exe" [2006-10-22 18:22:00 1622016]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 18:22:00 86016]
"smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 14:57:30 143360]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 21:09:12 57344]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 20:49:28 249064]
"SpySweeper"="C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 21:19:58 6515784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 09:48:36 53760]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - C:\Documents and Settings\Administrator\Application Data\wruninstall.exe [2011-2-15 5555080]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explor er]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= "d:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL" [2003-06-12 19:42:34 102400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\scanners cleaners\suuperantispyware\SASSEH.DLL" [2008-05-28 00:51:32 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-308236825-725345543-1003\Scripts\Logoff\0\0]
"Script"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawser vice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxs ervice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcore service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Webroo tSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRCons umerService]
@="Service"
path=
backup=

[HKLM\~\startupfolder\^.plugin141_02.trace]
path=\.plugin141_02.trace

[HKLM\~\startupfolder\^.plugin141_07.trace]
path=\.plugin141_07.trace

[HKLM\~\startupfolder\^.recently-used.xbel]
path=\.recently-used.xbel

[HKLM\~\startupfolder\^NTUSER.BAK]
path=\NTUSER.BAK

[HKLM\~\startupfolder\^NTUSER.BK1]
path=\NTUSER.BK1

[HKLM\~\startupfolder\^NTUSER.DAT]
path=\NTUSER.DAT

[HKLM\~\startupfolder\^ntuser.dat.LOG]
path=\ntuser.dat.LOG

[HKLM\~\startupfolder\^ntuser.dat.rmbak]
path=\ntuser.dat.rmbak

[HKLM\~\startupfolder\^NTUSER.DFG.LOG]
path=\NTUSER.DFG.LOG

[HKLM\~\startupfolder\^ntuser.ini]
path=\ntuser.ini

[HKLM\~\startupfolder\^PDF9B.PDF]
path=\PDF9B.PDF

[HKLM\~\startupfolder\^S-1-5-21-515967899-308236825-725345543-1003.rrr.LOG]
path=\S-1-5-21-515967899-308236825-725345543-1003.rrr.LOG

[HKLM\~\startupfolder\^the workgear outlet]
path=\the workgear outlet

[HKLM\~\startupfolder\^WINDOWS]
path=\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 18:49:34 932288 ----a-w- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45:14 35736 ----a-w- D:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08:18 417792 ----a-w- D:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-05-22 05:02:06 202256 ----a-w- C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"iPodService"=3 (0x3)
"SDhelper"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"helpsvc"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"D:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"D:\\open zip\\Phoenix_Dynasty_Online_Client_7403.exe"=
"C:\\WINDOWS\\System32\\LEXPPS.EXE"=

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\drivers\bsstor.sys [9/23/2004 7:55:58 PM 9344]
R0 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [9/4/2009 9:35:10 PM 721904]
R0 ssfs0bbc;ssfs0bbc;C:\WINDOWS\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00:34 PM 29808]
R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys [9/8/2004 4:43:40 PM 77312]
R1 pwipf6;pwipf6;C:\WINDOWS\system32\drivers\pwipf6.sys [2/16/2011 7:13:52 PM 108880]
R1 SASDIFSV;SASDIFSV;D:\Program Files\scanners cleaners\suuperantispyware\SASDIFSV.SYS [10/10/2006 1:53:48 PM 8944]
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\bsudf.sys [9/23/2004 7:55:57 PM 449280]
R2 IS360service;IS360service;D:\Program Files\IObit\IObit Security 360\is360srv.exe [2/18/2011 8:43:53 AM 312152]
R2 WRConsumerService;Webroot Client Service;C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe [2/16/2011 7:14:23 PM 1201640]
S0 SmartDefragDriver;SmartDefragDriver;C:\WINDOWS\system32\drivers\SmartDefrag Driver.sys [2/18/2011 8:40:42 AM 14776]
S1 SASKUTIL;SASKUTIL;D:\PROGRA~1\SCANNE~1\SUUPER~1\SASKUTIL.SYS [2/27/2007 12:39:26 PM 55024]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16:28 PM 130384]
S3 ASEService;Aluria Spyware Eliminator Service; [x]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\drivers\motccgp.sys [1/21/2011 10:36:53 PM 18176]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\drivers\motccgpfl.sys [1/21/2011 10:37:01 PM 7680]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys --> C:\WINDOWS\system32\DRIVERS\motodrv.sys [?]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys --> C:\WINDOWS\system32\DRIVERS\motport.sys [?]
S3 SASENUM;SASENUM;D:\PROGRA~1\SCANNE~1\SUUPER~1\SASENUM.SYS [2/16/2006 5:51:08 PM 4096]
S3 SNDP202;Bushnell ImageView;C:\WINDOWS\system32\drivers\sndp202.sys [12/11/2010 3:52:09 PM 243968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v040 0.exe [3/18/2010 1:16:28 PM 753504]
S4 FileDeleter;ZeroSpyware FileDeleter; [x]
S4 sdAuxService;PC Tools Auxiliary Service; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2011-02-20 C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-515967899-308236825-725345543-1003.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09:42 . 2010-02-25 04:09:42]

2011-02-20 C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-515967899-308236825-725345543-1003.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09:42 . 2010-02-25 04:09:42]

2011-02-16 C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-515967899-308236825-725345543-1006.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09:42 . 2010-02-25 04:09:42]

2011-02-20 C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-515967899-308236825-725345543-1006.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09:42 . 2010-02-25 04:09:42]

2011-02-20 C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
- C:\Program Files\Ask.com\UpdateTask.exe [2010-09-29 04:44:30 . 2010-09-29 04:44:30]

2011-02-15 C:\WINDOWS\Tasks\Scheduled Checkpoint.job
- d:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE [2005-03-27 16:57:34 . 2003-06-09 22:45:34]

2008-02-09 C:\WINDOWS\Tasks\RegCure.job
- d:\Program Files\RegCure\RegCure.exe [2006-06-06 21:11:32 . 2006-09-10 23:23:09]

2011-02-17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34:12 . 2008-07-30 18:34:12]
.

wisserd is offline  
Old 20th February 2011   #9
Malware Analyst
 
broni's Avatar
 
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 20,099
Computer Experience:
intermediate
broni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Level

My System
Lower part of the log is missing.
Make sure, you post entire log.
You can locate it in c:\combofix.txt.

broni is offline  
Old 20th February 2011   #10
Senior Member
THREAD STARTER
Lifetime Subscription
 
wisserd's Avatar
 
Profile:
Join Date: Feb 2011
Location: South West Wisconsin USA
Posts: 52
Computer Experience:
intermediate
wisserd Reputation Level

My System
Copy and pasted from C: that is all there is. I let it run for 1 and half hours. Was it not done?

wisserd is offline  
Old 20th February 2011   #11
Malware Analyst
 
broni's Avatar
 
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 20,099
Computer Experience:
intermediate
broni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Level

My System
We'll see what we can do....

Uninstall Ask Toolbar, known foistware.

==============================================================

Uninstall RegCure 1.2.0.4.
Registry cleaners/optimizers are not recommended for several reasons:
  • Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

    The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.
  • Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.
  • Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.
  • Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.
  • The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".
Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.

================================================================


1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\WINDOWS\Tasks\RegCure.job
C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job


Folder::
C:\Documents and Settings\All Users\Application Data\jKiBgGn01848


Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

broni is offline  
Old 21st February 2011   #12
Senior Member
THREAD STARTER
Lifetime Subscription
 
wisserd's Avatar
 
Profile:
Join Date: Feb 2011
Location: South West Wisconsin USA
Posts: 52
Computer Experience:
intermediate
wisserd Reputation Level

My System
Its been 1 and a half hours. After about 20 minutes scan was done, screen flashed, ComboxFix-Find3M box came back on with Preparing Log Report Do not run any programs untill comboxfix has finshed. Cursor still in the box and all the icons on the desktop have disappeared and the toolbar too. Should I reboot ? Hard drive light is still flashing every quarter second and bright flash every second or two.

wisserd is offline  
Old 21st February 2011   #13
Malware Analyst
 
broni's Avatar
 
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 20,099
Computer Experience:
intermediate
broni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Level

My System
Reboot manually and re-run Combofix with a very same script.

broni is offline  
Old 21st February 2011   #14
Senior Member
THREAD STARTER
Lifetime Subscription
 
wisserd's Avatar
 
Profile:
Join Date: Feb 2011
Location: South West Wisconsin USA
Posts: 52
Computer Experience:
intermediate
wisserd Reputation Level

My System
It took 8 min. to get to Preparing log report. AT ten min. screen flashed /jumped, Windows security center popped up in toolbar with a balloon that said Your computer might be at risk. Webroot internet secutity essentials is turned off. Click this balloon to fix this problem. At ninteen min. hard drive light done. Been half hour comboxfix box on desktop no cursor flashing . First posted text 19k second text not posted 15k..

wisserd is offline  
Old 21st February 2011   #15
Malware Analyst
 
broni's Avatar
 
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 20,099
Computer Experience:
intermediate
broni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Level

My System
That's fine.
Those items are not crucial.
We can remove them using another tool.

Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

broni is offline  


 

THIS THREAD HAS EXPIRED.

Are you having the same problem? Please post a new thread, but first you'll have to join us by Registering (FREE).



Discussion Forums
Operating Systems
Windows 10 Windows 10
Windows 8 Windows 8
Windows 7 Windows 7
Windows Vista Windows Vista
Windows XP Windows XP
Windows Server System Windows Server System
Legacy Windows OS Legacy Windows OS
Internet & Networking
Networking (Hardware & Software) Networking
Internet Explorer Internet Explorer
Microsoft Mail Microsoft Mail
Firefox, Thunderbird & SeaMonkey Firefox, Thunderbird
      & SeaMonkey

Web Applications & Cloud Web Applications & Cloud
General Internet
Security
Malware and Virus Removal Malware and Virus
     Removal

Security and Privacy Security and Privacy

Other
Other PC Software Other PC Software
Test Posts Test Posts
Hardware
PC Hardware PC Hardware
Mobile Devices Mobile Devices
Community
Introductions Introductions
General Discussions General Discussions
Site Comments & Suggestions Site Comments
      & Suggestions

News News @ WindowsBBS

Thread Tools


Find us on Facebook   Web Of Trust Rating

All times are GMT. The time now is 16:18.


Recent Discussions
Pin to taskbar question (2)
[DUMP DATA] New computer randomly b.. (1)
Can' Print from IE11 (11)
[Activation issues] (18)
What event will be logged when the .. (17)
Long Running Scripts (6)
Strange character in emails (6)
Need help configuring an Audigy Fx .. (4)
Strike the F1 key to continue (14)
Lock screen (10)
CD formatting question (11)
Need TV Buying Advice (16)
IE9 crashing (11)
Windows Update doesn't work (11)
Replacement for TFC (7)
Loosing connection with giganews? (7)
MS Fax and Scan Replacement (6)
Audio Freezing Sounding Like A Robo.. (14)
Slow running Machine (33)


Donate!
Support Windows BBS!



Powered by vBulletin® Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO
Copyright ę 2002 - 2014 WindowsBBS.com. All rights reserved.
FDMA Media LLC
Terms of Use, Legal Information & Privacy Policy
Page generated in 0.97234 seconds with 7 queries