BWarriner

Everything posted by BWarriner

  1. Did you mean for me to redownload and run Combofix?
  2. I sincerely thank you again for your time and diligence resolving my issue.
  3. I already have ERUNT and MVPS Hosts installed as well as my IE8 setup as noted above. Is TFC the same application as ATF cleaner and if so, which do you recommend (pros and cons)? I will be adding Mozilla and the additional plug-ins. In reading your commentary on Geekstogo, I am very interested in the last 2 options under 'Sandbox Programs'. Do you recommend one over the other of the 2 mentioned (Returnil or Sandboxie) and would this have prevented the rootkit infection that I experienced?
  4. OTL logfile created on: 12/16/2009 8:56:39 AM - Run 2 OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\xxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
00,000,151 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Local Settings\Application Data\fusioncache.dat [2003/12/14 11:45:01 | 00,217,088 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2003/11/26 17:44:17 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2003/11/26 17:35:54 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2003/11/26 17:30:08 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI [2003/11/26 17:29:46 | 00,066,807 | ---- | C] () -- C:\WINDOWS\System32\Aud2_Del.ini [2003/11/26 17:29:21 | 00,000,136 | ---- | C] () -- C:\WINDOWS\SBWIN.INI [2003/11/26 17:25:34 | 00,000,956 | ---- | C] () -- C:\WINDOWS\wininit.ini [2003/11/26 17:22:20 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini [2003/11/26 17:08:43 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll [2003/11/26 16:47:18 | 00,000,552 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI [2003/08/07 15:01:50 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll [2003/07/03 00:00:00 | 00,274,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\iastor.sys [2003/06/04 00:08:30 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\hpnvr82.dll [2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI [color="#E56717"]========== LOP Check ==========[/color] [2009/12/09 23:47:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software [2007/06/29 21:48:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft [2007/02/04 17:09:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo [2003/12/13 18:30:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT [2008/01/26 01:40:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc [2009/11/24 
10:49:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP [2009/01/01 17:22:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall [2005/07/19 18:39:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint [2009/11/17 23:42:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} [2009/03/31 21:06:52 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} [2009/09/03 16:56:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} [2008/01/02 18:08:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\ICAClient [2007/02/03 19:33:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\iolo [2003/12/14 12:49:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Leadertech [2006/12/15 18:45:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Simple Star [2009/03/31 21:33:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Windows Desktop Search [2009/08/18 20:48:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Windows Search [2009/12/14 22:48:11 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job [color="#E56717"]========== Purity Check ==========[/color] [color="#E56717"]========== Alternate Data Streams ==========[/color] @Alternate Data Stream - 191 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EFA09BFC < End of report >
  5. Malwarebytes' Anti-Malware 1.42
Database version: 3374
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
12/16/2009 8:54:59 AM
mbam-log-2009-12-16 (08-54-59).txt
Scan type: Quick Scan
Objects scanned: 134782
Time elapsed: 8 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
  6. I didn't try that last night (frankly, I was a little scared to, considering how long it took to clean the computer up). I will do that when I get home. In retrospect, could you offer some advice on how I could have more aggressively protected my computer? I was infected with 2 brand new rogue antivirus apps within 2 days of each other, both of which appeared not to have been previously reported. The rootkit was installed (I presume) at the same time, which is what caused Google to redirect me and reinfect me with the second rogue antivirus repeatedly. I currently run Windows XP SP3, IE8 and MVPS Hosts (per Lavasoft's recommendation in the past). While I am considering using Mozilla in the future, I had read that some other folks had been infected on Mozilla as well, so I am wondering if Mozilla will provide any better protection. I have also been advised that I may want to create a 'guest' account profile that does not have administrator rights to surf the internet. The theory is that rootkit infections that can make changes to your computer would occur if your administrator-rights account is infected (such as with the rootkit infection I got), but the 'guest' account wouldn't be harmed in the same way. What are your thoughts on this?
  7. Ok, upon reboot, I reran TDSSKiller and it did not find anything. I also reran the express scan within Dr.Web.Cureit and it did not find anything either. I know that at least one previous Restore Point is still infected, please let me know what the next steps are. Thanks.
  8. A point to note in regards to running TDSSKiller: it cannot be run in Safemode (you get a kernel error). So, I rebooted and this is the log:
Host Name: D4G6V31
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner:
Registered Organization:
Product ID: 55274-OEM-0011903-00102
Original Install Date: 12/3/2003, 9:56:04 PM
System Up Time: 0 Days, 0 Hours, 2 Minutes, 44 Seconds
System Manufacturer: Dell Computer Corporation
System Model: Dimension XPS Gen 2
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 15 Model 2 Stepping 9 GenuineIntel ~2992 Mhz
BIOS Version: DELL - 8
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-06:00) Central Time (US & Canada)
Total Physical Memory: 3,327 MB
Available Physical Memory: 2,644 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,000 MB
Virtual Memory: In Use: 48 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\D4G6V31
Hotfix(s): 244 Hotfix(s) Installed.
[01]: File 1 [02]: File 1 [03]: File 1 [04]: File 1 [05]: File 1 [06]: File 1 [07]: File 1 [08]: File 1 [09]: File 1 [10]: File 1 [11]: File 1 [12]: File 1 [13]: File 1 [14]: File 1 [15]: File 1 [16]: File 1 [17]: File 1 [18]: File 1 [19]: File 1 [20]: File 1 [21]: File 1 [22]: File 1 [23]: File 1 [24]: File 1 [25]: File 1 [26]: File 1 [27]: File 1 [28]: File 1 [29]: File 1 [30]: File 1 [31]: File 1 [32]: File 1 [33]: File 1 [34]: File 1 [35]: File 1 [36]: File 1 [37]: File 1 [38]: File 1 [39]: File 1 [40]: File 1 [41]: File 1 [42]: File 1 [43]: File 1 [44]: File 1 [45]: File 1 [46]: File 1 [47]: File 1 [48]: File 1 [49]: File 1 [50]: File 1 [51]: File 1 [52]: File 1 [53]: File 1 [54]: File 1 [55]: File 1 [56]: File 1 [57]: File 1 [58]: File 1 [59]: File 1 [60]: File 1 [61]: File 1 [62]: File 1 [63]: File 1 [64]: File 1 [65]: File 1 [66]: File 1 [67]: File 1 [68]: File 1 [69]: File 1 [70]: File 1 [71]: File 1 [72]: File 1 [73]: File 1 [74]: File 1 [75]: File 1 [76]: File 1 [77]: File 1 [78]: File 1 [79]: File 1 [80]: File 1 [81]: File 1 [82]: File 1 [83]: File 1 [84]: File 1 [85]: File 1 [86]: File 1 [87]: File 1 [88]: File 1 [89]: File 1 [90]: File 1 [91]: File 1 [92]: File 1 [93]: File 1 [94]: File 1 [95]: File 1 [96]: File 1 [97]: File 1 [98]: File 1 [99]: File 1 [100]: File 1 [101]: File 1 [102]: File 1 [103]: File 1 [104]: Q147222 [105]: M953297 - Update [106]: S867460 - Update [107]: KB870669 [108]: Q328797 [109]: Q823718 [110]: Q832483 [111]: Q936181 [112]: Q954430 [113]: Q973688 [114]: KB898458 - Update [115]: KB923723 - Update [116]: IDNMitigationAPIs - Update [117]: NLSDownlevelMapping - Update [118]: KB929399 [119]: KB837272 [120]: KB952069_WM9 [121]: KB954155_WM9 [122]: KB968816_WM9 [123]: KB973540_WM9 [124]: Q828026 - Update [125]: wm817787 [126]: wm828026 [127]: KB911565 [128]: KB917734_WMP10 [129]: KB936782_WMP10 [130]: KB936782_WMP11 [131]: KB939683 [132]: KB954154_WM11 [133]: KB959772_WM11 [134]: KB925398_WMP64 [135]: KB932471 - Update [136]: 
KB923689 [137]: KB941569 [138]: KB928090-IE7 - Update [139]: KB929969 - Update [140]: KB931768-IE7 - Update [141]: KB933566-IE7 - Update [142]: KB937143-IE7 - Update [143]: KB938127-IE7 - Update [144]: KB939653-IE7 - Update [145]: KB942615-IE7 - Update [146]: KB944533-IE7 - Update [147]: KB947864-IE7 - Update [148]: KB950759-IE7 - Update [149]: KB953838-IE7 - Update [150]: KB956390-IE7 - Update [151]: KB958215-IE7 - Update [152]: KB960714-IE7 - Update [153]: KB961260-IE7 - Update [154]: KB963027-IE7 - Update [155]: KB969897-IE7 - Update [156]: KB971961-IE8 - Update [157]: KB972260-IE7 - Update [158]: KB973874-IE8 - Update [159]: KB974455-IE7 - Update [160]: KB974455-IE8 - Update [161]: KB976325-IE8 - Update [162]: KB976749-IE8 - Update [163]: MSCompPackV1 - Update [164]: KB811113 - Service Pack [165]: KB936929 - Service Pack [166]: KB915800-v4 - Update [167]: KB923561 - Update [168]: KB938464 - Update [169]: KB938464-v2 - Update [170]: KB946648 - Update [171]: KB950760 - Update [172]: KB950762 - Update [173]: KB950974 - Update [174]: KB951066 - Update [175]: KB951072-v2 - Update [176]: KB951376 - Update [177]: KB951376-v2 - Update [178]: KB951698 - Update [179]: KB951748 - Update [180]: KB951978 - Update [181]: KB952004 - Update [182]: KB952287 - Update [183]: KB952954 - Update [184]: KB953839 - Update [185]: KB954211 - Update [186]: KB954459 - Update [187]: KB954550-v5 - Update [188]: KB954600 - Update [189]: KB955069 - Update [190]: KB955759 - Update [191]: KB955839 - Update [192]: KB956391 - Update [193]: KB956572 - Update [194]: KB956744 - Update [195]: KB956802 - Update [196]: KB956803 - Update [197]: KB956841 - Update [198]: KB956844 - Update [199]: KB957095 - Update [200]: KB957097 - Update [201]: KB958644 - Update [202]: KB958687 - Update [203]: KB958690 - Update [204]: KB958869 - Update [205]: KB959426 - Update [206]: KB960225 - Update [207]: KB960715 - Update [208]: KB960803 - Update [209]: KB960859 - Update [210]: KB961118 - Update [211]: KB961371 - 
Update [212]: KB961373 - Update [213]: KB961501 - Update [214]: KB967715 - Update NetWork Card(s): 3 NIC(s) Installed. [01]: Intel® PRO/1000 MT Network Connection Connection Name: Local Area Connection DHCP Enabled: Yes DHCP Server: 192.168.2.1 IP address(es) [01]: 192.168.2.3 [02]: 1394 Net Adapter Connection Name: 1394 Connection DHCP Enabled: Yes DHCP Server: N/A IP address(es) [03]: 1394 Net Adapter Connection Name: 1394 Connection 2 DHCP Enabled: Yes DHCP Server: N/A IP address(es) 22:7:28:0 1496 ForceUnloadDriver: NtUnloadDriver error 2 22:7:28:15 1496 ForceUnloadDriver: NtUnloadDriver error 2 22:7:28:15 1496 ForceUnloadDriver: NtUnloadDriver error 2 22:7:28:78 1496 main: Driver KLMD successfully dropped 22:7:28:296 1496 main: Driver KLMD successfully loaded 22:7:28:296 1496 Scanning Registry ... 22:7:28:328 1496 ScanServices: Searching service UACd.sys 22:7:28:328 1496 ScanServices: Open/Create key error 2 22:7:28:328 1496 ScanServices: Searching service TDSSserv.sys 22:7:28:328 1496 ScanServices: Open/Create key error 2 22:7:28:328 1496 ScanServices: Searching service gaopdxserv.sys 22:7:28:328 1496 ScanServices: Open/Create key error 2 22:7:28:328 1496 ScanServices: Searching service gxvxcserv.sys 22:7:28:328 1496 ScanServices: Open/Create key error 2 22:7:28:328 1496 ScanServices: Searching service MSIVXserv.sys 22:7:28:328 1496 ScanServices: Open/Create key error 2 22:7:28:375 1496 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000 22:7:28:718 1496 UnhookRegistry: Kernel local addr: E40000 22:7:28:734 1496 UnhookRegistry: KeServiceDescriptorTable addr: ECB520 22:7:28:875 1496 UnhookRegistry: KiServiceTable addr: E4D8B0 22:7:28:875 1496 UnhookRegistry: NtEnumerateKey service number (local): 47 22:7:28:875 1496 UnhookRegistry: NtEnumerateKey local addr: EE1E14 22:7:28:906 1496 KLMD_OpenDevice: Trying to open KLMD device 22:7:28:906 1496 KLMD_GetSystemRoutineAddressA: Trying to get system routine address 
ZwEnumerateKey 22:7:28:906 1496 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey 22:7:28:906 1496 KLMD_ReadMem: Trying to ReadMemory 0x804E380F[0x4] 22:7:28:906 1496 UnhookRegistry: NtEnumerateKey service number (kernel): 47 22:7:28:906 1496 KLMD_ReadMem: Trying to ReadMemory 0x804E49CC[0x4] 22:7:28:906 1496 UnhookRegistry: NtEnumerateKey real addr: 80578E14 22:7:28:906 1496 UnhookRegistry: NtEnumerateKey calc addr: 80578E14 22:7:28:906 1496 UnhookRegistry: No SDT hooks found on NtEnumerateKey 22:7:28:906 1496 KLMD_ReadMem: Trying to ReadMemory 0x80578E14[0xA] 22:7:28:906 1496 UnhookRegistry: No splicing found on NtEnumerateKey 22:7:28:906 1496 Scanning Kernel memory ... 22:7:28:906 1496 KLMD_OpenDevice: Trying to open KLMD device 22:7:28:906 1496 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk 22:7:28:906 1496 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk 22:7:28:906 1496 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8B1FC910 22:7:28:906 1496 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects 22:7:28:906 1496 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8B220C68 22:7:28:906 1496 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B220C68 22:7:28:906 1496 KLMD_ReadMem: Trying to ReadMemory 0x8B220C68[0x38] 22:7:28:906 1496 DetectCureTDL3: DRIVER_OBJECT addr: 8B1FC910 22:7:28:906 1496 KLMD_ReadMem: Trying to ReadMemory 0x8B1FC910[0xA8] 22:7:28:906 1496 KLMD_ReadMem: Trying to ReadMemory 0xE1B5B240[0x208] 22:7:28:906 1496 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk 22:7:28:906 1496 DetectCureTDL3: IrpHandler (0) addr: F763DBB0 22:7:28:906 1496 DetectCureTDL3: IrpHandler (1) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (2) addr: F763DBB0 22:7:28:906 1496 DetectCureTDL3: IrpHandler (3) addr: F7637D1F 22:7:28:906 1496 DetectCureTDL3: IrpHandler (4) addr: F7637D1F 22:7:28:906 1496 
DetectCureTDL3: IrpHandler (5) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (6) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (7) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (8) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (9) addr: F76382E2 22:7:28:906 1496 DetectCureTDL3: IrpHandler (10) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (11) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (12) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (13) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (14) addr: F76383BB 22:7:28:906 1496 DetectCureTDL3: IrpHandler (15) addr: F763BF28 22:7:28:906 1496 DetectCureTDL3: IrpHandler (16) addr: F76382E2 22:7:28:906 1496 DetectCureTDL3: IrpHandler (17) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (18) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (19) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (20) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (21) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (22) addr: F7639C82 22:7:28:906 1496 DetectCureTDL3: IrpHandler (23) addr: F763E99E 22:7:28:906 1496 DetectCureTDL3: IrpHandler (24) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (25) addr: 804F9739 22:7:28:906 1496 DetectCureTDL3: IrpHandler (26) addr: 804F9739 22:7:28:906 1496 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400] 22:7:28:906 1496 KLMD_ReadMem: DeviceIoControl error 1 22:7:28:906 1496 TDL3_StartIoHookDetect: Unable to get StartIo handler code 22:7:28:906 1496 TDL3_FileDetect: Processing driver: Disk 22:7:28:906 1496 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys 22:7:28:921 1496 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys 22:7:28:921 1496 KLMD_CreateFileW: Trying to open file 
C:\WINDOWS\system32\drivers\disk.sys 22:7:29:0 1496 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8B221C68 22:7:29:0 1496 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B221C68 22:7:29:0 1496 KLMD_ReadMem: Trying to ReadMemory 0x8B221C68[0x38] 22:7:29:0 1496 DetectCureTDL3: DRIVER_OBJECT addr: 8B1FC910 22:7:29:0 1496 KLMD_ReadMem: Trying to ReadMemory 0x8B1FC910[0xA8] 22:7:29:0 1496 KLMD_ReadMem: Trying to ReadMemory 0xE1B5B240[0x208] 22:7:29:0 1496 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk 22:7:29:0 1496 DetectCureTDL3: IrpHandler (0) addr: F763DBB0 22:7:29:0 1496 DetectCureTDL3: IrpHandler (1) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (2) addr: F763DBB0 22:7:29:0 1496 DetectCureTDL3: IrpHandler (3) addr: F7637D1F 22:7:29:0 1496 DetectCureTDL3: IrpHandler (4) addr: F7637D1F 22:7:29:0 1496 DetectCureTDL3: IrpHandler (5) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (6) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (7) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (8) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (9) addr: F76382E2 22:7:29:0 1496 DetectCureTDL3: IrpHandler (10) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (11) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (12) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (13) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (14) addr: F76383BB 22:7:29:0 1496 DetectCureTDL3: IrpHandler (15) addr: F763BF28 22:7:29:0 1496 DetectCureTDL3: IrpHandler (16) addr: F76382E2 22:7:29:0 1496 DetectCureTDL3: IrpHandler (17) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (18) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (19) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (20) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (21) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (22) addr: F7639C82 22:7:29:0 1496 DetectCureTDL3: IrpHandler 
(23) addr: F763E99E 22:7:29:0 1496 DetectCureTDL3: IrpHandler (24) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (25) addr: 804F9739 22:7:29:0 1496 DetectCureTDL3: IrpHandler (26) addr: 804F9739 22:7:29:0 1496 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400] 22:7:29:0 1496 KLMD_ReadMem: DeviceIoControl error 1 22:7:29:0 1496 TDL3_StartIoHookDetect: Unable to get StartIo handler code 22:7:29:0 1496 TDL3_FileDetect: Processing driver: Disk 22:7:29:0 1496 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys 22:7:29:0 1496 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys 22:7:29:0 1496 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys 22:7:29:15 1496 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8B223AB8 22:7:29:15 1496 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B223AB8 22:7:29:31 1496 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8B217030 22:7:29:31 1496 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B217030 22:7:29:31 1496 KLMD_ReadMem: Trying to ReadMemory 0x8B217030[0x38] 22:7:29:31 1496 DetectCureTDL3: DRIVER_OBJECT addr: 8B21BA28 22:7:29:31 1496 KLMD_ReadMem: Trying to ReadMemory 0x8B21BA28[0xA8] 22:7:29:31 1496 KLMD_ReadMem: Trying to ReadMemory 0x8B2749A8[0x38] 22:7:29:31 1496 KLMD_ReadMem: Trying to ReadMemory 0x8B1FCA08[0xA8] 22:7:29:31 1496 KLMD_ReadMem: Trying to ReadMemory 0xE1B35D70[0x208] 22:7:29:31 1496 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor 22:7:29:31 1496 DetectCureTDL3: IrpHandler (0) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (1) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (2) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (3) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (4) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (5) addr: 
8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (6) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (7) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (8) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (9) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (10) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (11) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (12) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (13) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (14) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (15) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (16) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (17) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (18) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (19) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (20) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (21) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (22) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (23) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (24) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (25) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: IrpHandler (26) addr: 8B1D7618 22:7:29:31 1496 DetectCureTDL3: All IRP handlers pointed to one addr: 8B1D7618 22:7:29:31 1496 KLMD_ReadMem: Trying to ReadMemory 0x8B1D7618[0x400] 22:7:29:31 1496 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89 22:7:29:31 1496 Driver "iaStor" Irp handler infected by TDSS rootkit ... 22:7:29:31 1496 KLMD_WriteMem: Trying to WriteMemory 0x8B1D767D[0xD] 22:7:29:31 1496 cured 22:7:29:31 1496 KLMD_ReadMem: Trying to ReadMemory 0x8B1D74BF[0x400] 22:7:29:31 1496 TDL3_StartIoHookDetect: CheckParameters: 7, FFDF0308, 334, 1 22:7:29:31 1496 Driver "iaStor" StartIo handler infected by TDSS rootkit ... 
22:7:29:31 1496 TDL3_StartIoHookCure: Number of patches 1 22:7:29:31 1496 KLMD_WriteMem: Trying to WriteMemory 0x8B1D75B6[0x6] 22:7:29:31 1496 cured 22:7:29:31 1496 TDL3_FileDetect: Processing driver: iaStor 22:7:29:31 1496 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\iastor.sys, C:\WINDOWS\system32\Drivers\tsk_iastor.sys, SYSTEM\CurrentControlSet\Services\iaStor, system32\Drivers\tsk_iastor.sys 22:7:29:31 1496 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\iastor.sys 22:7:29:31 1496 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\iastor.sys 22:7:29:46 1496 File C:\WINDOWS\system32\drivers\iastor.sys infected by TDSS rootkit ... 22:7:29:46 1496 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\iastor.sys 22:7:29:46 1496 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\iastor.sys 22:7:29:62 1496 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\Drivers\tsk_iastor.sys 22:7:29:125 1496 TDL3_FileCure: Image path (system32\Drivers\tsk_iastor.sys) was set for service (SYSTEM\CurrentControlSet\Services\iaStor) 22:7:29:125 1496 TDL3_FileCure: KLMD_PendCopyFileW (C:\WINDOWS\system32\Drivers\tsk_iastor.sys, C:\WINDOWS\system32\drivers\iastor.sys) success 22:7:29:125 1496 will be cured on next reboot 22:7:29:171 1496 Completed Results: 22:7:29:171 1496 Infected objects in memory: 2 22:7:29:171 1496 Cured objects in memory: 2 22:7:29:171 1496 Infected objects on disk: 1 22:7:29:171 1496 Objects on disk cured on reboot: 1 22:7:29:171 1496 Objects on disk deleted on reboot: 0 22:7:29:171 1496 Registry nodes deleted on reboot: 0 22:7:29:171 1496
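The TDSSKiller output in the post above is easier to read once the per-driver IRP tables and the infected/cured verdicts are pulled out of the timestamped lines. The script below is an added example, not part of this thread and not Kaspersky's code: it parses a handful of constructed lines written in the same format as the log above (IRP tables abridged to three slots, addresses taken from the post) and flags any driver whose IRP handlers all resolve to one address, which is the condition the log itself reports ("All IRP handlers pointed to one addr") just before it declares iaStor infected. The regular expressions are tuned only to the line shapes visible in this thread, and the final cross-check of the "Completed Results" counters against the per-object findings is my own addition.

```python
"""Summarise a TDSSKiller-style log: per-driver IRP handler tables, objects
reported infected/cured, and the closing 'Completed Results' counters."""
import re
from collections import OrderedDict

# Constructed sample, abridged to three IRP slots per driver but written in the
# format (and with the addresses) seen in the thread's log. Not a real run.
SAMPLE_LOG = r"""
22:7:29:0 1496 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
22:7:29:0 1496 DetectCureTDL3: IrpHandler (0) addr: F763DBB0
22:7:29:0 1496 DetectCureTDL3: IrpHandler (1) addr: 804F9739
22:7:29:0 1496 DetectCureTDL3: IrpHandler (2) addr: F763DBB0
22:7:29:31 1496 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
22:7:29:31 1496 DetectCureTDL3: IrpHandler (0) addr: 8B1D7618
22:7:29:31 1496 DetectCureTDL3: IrpHandler (1) addr: 8B1D7618
22:7:29:31 1496 DetectCureTDL3: IrpHandler (2) addr: 8B1D7618
22:7:29:31 1496 DetectCureTDL3: All IRP handlers pointed to one addr: 8B1D7618
22:7:29:31 1496 Driver "iaStor" Irp handler infected by TDSS rootkit ...
22:7:29:31 1496 cured
22:7:29:31 1496 Driver "iaStor" StartIo handler infected by TDSS rootkit ...
22:7:29:31 1496 cured
22:7:29:46 1496 File C:\WINDOWS\system32\drivers\iastor.sys infected by TDSS rootkit ...
22:7:29:125 1496 will be cured on next reboot
22:7:29:171 1496 Completed Results:
22:7:29:171 1496 Infected objects in memory: 2
22:7:29:171 1496 Cured objects in memory: 2
22:7:29:171 1496 Infected objects on disk: 1
22:7:29:171 1496 Objects on disk cured on reboot: 1
"""

PREFIX_RE = re.compile(r"^\d+:\d+:\d+:\d+\s+\d+\s+")          # "h:m:s:ms pid "
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: .*?, Driver Name: (\S+)$")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)$")
HOOK_RE = re.compile(r'^Driver "([^"]+)" (Irp|StartIo) handler infected')
FILE_RE = re.compile(r"^File (\S+) infected")
RESULT_RE = re.compile(r"^((?:Infected|Cured|Objects|Registry)[^:]*): (\d+)$")


def parse_log(text):
    """Return drivers -> IRP addresses, the list of findings, and result counters."""
    drivers = OrderedDict()   # driver name -> list of IRP handler addresses
    findings = []             # {"object", "kind", "status"} in log order
    results = {}              # "Infected objects in memory" -> 2, etc.
    current = None            # driver whose IRP table is being listed
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw.strip())
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            drivers[current] = []
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            drivers[current].append(m.group(2).upper())
            continue
        m = HOOK_RE.match(line)
        if m:
            findings.append({"object": m.group(1), "kind": m.group(2) + " handler", "status": "infected"})
            continue
        m = FILE_RE.match(line)
        if m:
            findings.append({"object": m.group(1), "kind": "file", "status": "infected"})
            continue
        # A bare "cured" / "will be cured on next reboot" line refers to the
        # finding reported immediately before it.
        if line == "cured" and findings:
            findings[-1]["status"] = "cured"
            continue
        if line == "will be cured on next reboot" and findings:
            findings[-1]["status"] = "cured on reboot"
            continue
        m = RESULT_RE.match(line)
        if m:
            results[m.group(1)] = int(m.group(2))
    return {"drivers": drivers, "findings": findings, "results": results}


def uniform_irp_tables(drivers):
    """Drivers whose every IRP major-function handler resolves to one address:
    the pattern the log reports right before declaring iaStor infected."""
    return [name for name, addrs in drivers.items() if addrs and len(set(addrs)) == 1]


def consistency_check(parsed):
    """Added cross-check: the closing counters should equal the per-object findings."""
    mem_infected = sum(1 for f in parsed["findings"] if f["kind"] != "file")
    disk_infected = sum(1 for f in parsed["findings"] if f["kind"] == "file")
    r = parsed["results"]
    return (r.get("Infected objects in memory") == mem_infected
            and r.get("Infected objects on disk") == disk_infected)


def summarize(text):
    """Human-readable summary: one line per driver, one per finding, plus the check."""
    parsed = parse_log(text)
    lines = []
    for name, addrs in parsed["drivers"].items():
        distinct = len(set(addrs))
        flag = "ALL HANDLERS IDENTICAL" if distinct == 1 else "ok"
        lines.append(f"{name}: {len(addrs)} IRP handlers, {distinct} distinct -> {flag}")
    for f in parsed["findings"]:
        lines.append(f"{f['kind']} {f['object']}: {f['status']}")
    lines.append(f"counters consistent with findings: {consistency_check(parsed)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against a full TDSSKiller log, the Disk driver in this thread shows a mix of addresses (its own image plus the kernel's default handler) and is reported clean, while iaStor shows one address for all 27 slots and is the driver both TDSSKiller and Dr.Web subsequently cure; the script reproduces that distinction from the text alone, so it can be used to triage logs pasted into a thread like this one.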
  9. Alright, I think we may have made some progress here with TDSSKiller. Here is the Dr.Web.Cureit log (as you can see, it is reporting the same 5 issues and stating that it "cured" them):
Process in memory: C:\WINDOWS\system32\svchost.exe:476;;BackDoor.Tdss.565;Eradicated.;
iaStor.sys;C:\WINDOWS\system32\DRIVERS;BackDoor.Tdss.1365;Cured.;
iaStor.sys;C:\WINDOWS\system32\DRIVERS;BackDoor.Tdss.1365;Cured.;
iastor.sys;c:\windows\system32\drivers;BackDoor.Tdss.1365;Cured.;
A0002034.sys;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP8;BackDoor.Tdss.1365;Cured.;
iaStor.sys;C:\WINDOWS\SYSTEM32\DRIVERS;BackDoor.Tdss.1365;Cured.;
  10. Dr.Web.Cureit is still running in Safemode and should be completed within the hour. Meanwhile, I was searching around for manual removal techniques for BackDoor.Tdss.1365 and *.565 and came across these forum threads:
[url="http://www.bleepingcomputer.com/forums/topic276389.html"]http://www.bleepingcomputer.com/forums/topic276389.html[/url] - this first link describes exactly what happened upon initial infection, where I was unable to boot in Safemode without receiving a blue screen multiple times.
[url="http://forum.drweb.com/index.php?showtopic=285842"]http://forum.drweb.com/index.php?showtopic=285842[/url]
[url="http://forum.avast.com/index.php?topic=51244.0"]http://forum.avast.com/index.php?topic=51244.0[/url] - this one appears to include the manual removal instructions; however, it appears to be a lot of data that needs to be input.
[url="http://www.bleepingcomputer.com/forums/topic278503.html"]http://www.bleepingcomputer.com/forums/topic278503.html[/url] - this link describes a slightly different way the settings (uncheck 'Heuristic analysis' under the scanning tab) need to be set up in the Dr.Web.Cureit application.
Not sure if this will help or if there is an easier way to upload a script for manual removal in one of the applications you guys use? Considering the other forums' concern over the severity of this rootkit infection, I have already changed all of my passwords on another computer; however, I have been infected with this since last Friday, and I just changed them.
  11. As I begin to run Dr.Web.Cureit for the second time, I am already seeing the same 3 infections as before in my last Dr.Web.Cureit log post, and Norton is catching the same iaStor infection as well. Would it be better if I attempted these scans in Safemode instead?
  12. I would also like to add that the Internet Security 2010 rogue has been successfully cleaned since the last reinfection; however, I am still experiencing the Google redirect issues (I presume with the iaStor file). I am not going to try to do any Google search unless notified that all is well, as the redirect reinfects my computer with the Internet Security 2010 rogue. If it helps, I am also able to reboot in Safemode as well. This issue was resolved some time ago.
  13. All processes killed ========== PROCESSES ========== ========== SERVICES/DRIVERS ========== ========== REGISTRY ========== ========== FILES ========== File C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys successfully replaced with C:\Program Files\Intel\Intel Application Accelerator\Driver\iastor.sys ========== COMMANDS ========== [EMPTYTEMP] User: Administrator ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: All Users User: ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: .D4G6V31 ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: .D4G6V31.000 ->Temp folder emptied: 92923414 bytes ->Temporary Internet Files folder emptied: 1577902 bytes ->Java cache emptied: 128020 bytes User: xxxxxx~1~000 User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: LocalService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 32902 bytes User: xxxxxxxxxxxxxxxxxxxx(2) User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes Windows Temp folder emptied: 2531 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 156932 bytes RecycleBin emptied: 724952 bytes Total Files Cleaned = 91.12 mb OTM by OldTimer - Version 3.1.2.2 log created on 12142009_133012 Files moved on Reboot... Registry entries deleted on Reboot... I would also like to add that upon reboot, Norton found this threat: Scan type: Auto-Protect Scan Event: Threat Found! 
Threat: Backdoor.Tidserv.I!inf
File: C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys
Location: C:\WINDOWS\SYSTEM32\DRIVERS
Computer: D4G6V31
User:
Action taken: Clean succeeded : Access allowed
Date found: Monday, December 14, 2009 1:34:27 PM
This appears to be where I keep running into issues. Hope this helps.
  14. Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\atapi.sys|C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys" completed successfully.

Error: could not move file "C:\Program Files\Intel\Intel Application Accelerator\Driver\iastor.sys"
File move operation "C:\Program Files\Intel\Intel Application Accelerator\Driver\iastor.sys|C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

File "C:\WINDOWS\System32\jiwokavi" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
  15. OTL Extras logfile created on: 12/13/2009 7:26:41 PM - Run 1
OTL by OldTimer - Version 3.1.17.0     Folder = C:\Documents and Settings\xxxxxxxxxxxxxxxx.D4G6V31.000\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.78 Gb Total Space | 62.15 Gb Free Space | 26.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D4G6V31
Current User Name:
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\StubInstaller.exe" = C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer -- (LimeWire)
"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe" = C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe:*:Disabled:Sentinel Protection Server -- (SafeNet, Inc)
"C:\Program Files\LightWave [8]\Programs\hub.exe" = C:\Program Files\LightWave [8]\Programs\hub.exe:*:Enabled:hub -- ()
"C:\Program Files\LightWave [8]\Programs\lightwav.exe" = C:\Program Files\LightWave [8]\Programs\lightwav.exe:*:Enabled:lightwav -- ()
"C:\Program Files\LightWave [8]\Programs\modeler.exe" = C:\Program Files\LightWave [8]\Programs\modeler.exe:*:Enabled:modeler -- ()
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06B8DAD8-2809-475E-BA9D-C34479A0D58A}" = Dell TrueMobile 2300 Control Utility
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data
"{098122AB-C605-4853-B441-C0A4EB359B75}" = DirectXInstallService
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0C114B7C-9696-4392-9062-C4C0F7249DCB}" = hp deskjet 9600 series
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic UDF Reader
"{151C555A-A9E7-4A2E-B6D7-165D04A3C956}" = Dell Picture Studio - Dell Image Expert
"{1B683082-8791-4D00-8ADE-6C8986FCCC68}" = Roxio CinePlayer
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{1F211E59-C268-4A86-ACC2-5B0CD153C26C}" = Symantec System Center
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(tm) 6 Update 17
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E67A8DA-FE7B-4160-8465-F5571EA18753}" = Roxio Disc Gallery
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{43FCA273-9534-40DB-B7C5-D7758875616A}" = Dell Support
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{537BF16E-7412-448C-95D8-846E85A1D817}" = Roxio Easy Media Creator
"{590D4F8F-98FE-47FA-AC2B-3F22FDCF7C09}" = ShareIns
"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup
"{64116298-93C5-401D-B06C-39D8E3338508}" = DAO
"{65438A88-7717-47F9-8078-EA745EF83580}" = Presto! BizCard 4.0 Eng
"{66563AD8-637B-407F-BCA7-0233A16891AB}" = Business Contact Manager for Outlook 2003
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{83CDDBA5-0306-4173-9851-71F0F0E8412A}" = HP Photo and Imaging 2.2 - Scanjet 8200 Series
"{848AC794-8B81-440A-81AE-6474337DB527}" = Symantec AntiVirus
"{86A46236-C44B-4217-81E9-6B691C82E1DD}" = Symantec AntiVirus Quarantine Console Snap-in
"{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}" = URGE
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Roxio CinePlayer Decoder Pack
"{8F7A4D82-B168-4F89-99C2-B9873EC877AF}" = HP Image Zone Express
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Application Accelerator RAID Edition
"{9074AFC0-CFDA-11DE-B484-005056806466}" = Google Earth
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{98DF85D9-96C0-4F57-A92E-C3539477EF5E}" = DVDSentry
"{9A9A1828-31D1-4590-A99F-022B7237AFAE}" = Roxio MediaShare
"{9B93C2B3-D9E8-11D6-AB3E-000102B0F79A}" = Readiris Pro 8
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel® PROSet
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{AC76BA86-7AD7-5464-3428-7050000000A7}" = Adobe Reader 7.0.5 Language Support
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{BF83EFE2-C9F0-40D4-841C-2066668C1D7A}" = Roxio Easy Media Creator 10 Suite
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3F89170-8177-490C-9AE0-687FB20F1C1C}" = NewTek LightWave 3D [8]
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D2E7A6EA-5853-426A-920D-12F4F250927E}" = Sentinel Protection Installer 7.1.1
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{D5F881C2-B134-474E-AA60-B25DD218AE0D}" = Crash Analysis Tool
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{DC1D7AD2-583A-4024-9041-387E8FFA5D8C}" = MediaFACE II
"{DCB91C79-B78B-44B1-A7FE-28DECA6E9245}" = Dell TrueMobile 2300 Wireless Broadband Router Control Utility
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E3436EE2-D5CB-4249-840B-3A0140CC34C3}" = Classic PhoneTools
"{E82BF103-904F-49C0-B77F-6EC110B71E87}" = Sound Blaster Audigy 2
"{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}" = Citrix XenApp Web Plugin
"{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FA237125-51FF-408C-8BB8-30C2B3DFFF9C}" = Windows Resource Kit Tools
"{FC4ED75D-916C-4A8C-BB67-3C6F6E06D62B}" = Banctec Service Agreement
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"{FDB46DE7-9045-47BB-970A-3E4ED5369E03}" = EMC 10 Content
"Ad-Aware" = Ad-Aware
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop Elements 2.0" = Adobe Photoshop Elements 2.0
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"Audio Editor Pro_is1" = Audio Editor Pro 2.97
"AudioConSole" = Creative Audio Console
"AVG8Uninstall" = AVG Free 8.5
"AVGantiRootkit" = AVG Anti-Rootkit Free
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"Creative MediaSource DVD-Audio Player" = Creative MediaSource DVD-Audio Player
"DVD Cover Searcher1.4" = DVD Cover Searcher
"ERUNT_is1" = ERUNT 1.1j
"Google Updater" = Google Updater
"HijackThis" = HijackThis 1.99.1
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"InstallShield_{831B265C-C203-4B72-A8F6-ECA1530957D3}" = LimeWire
"LimeWire" = LimeWire 5.3.6
"LiveUpdate" = LiveUpdate 2.0 (Symantec Corporation)
"LUAdmin" = LiveUpdate Administration Utility
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROSet" = Intel® PRO Network Connections Drivers
"RealPlayer 6.0" = RealPlayer
"Search and Recover 4_is1" = iolo technologies' Search and Recover 4
"SFBM" = SoundFont Bank Manager
"Symantec System Center" = Symantec System Center
"Tweak UI 2.10" = Tweak UI
"WIC" = Windows Imaging Component
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/11/2009 3:33:02 PM | Computer Name = D4G6V31 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Hacktool.Rootkit in File: C:\DOCUME~1\xxxxxx~1.000\LOCALS~1\Temp\rdlA.tmp by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Delete succeeded : Access denied. Action Description: The file was deleted successfully.

Error - 12/12/2009 2:13:08 AM | Computer Name = D4G6V31 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan Horse in File: C:\Documents and Settings\All Users\Documents\My Videos\Demos\fr-010\fr010scx.exe by: Manual scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Error - 12/12/2009 1:55:57 PM | Computer Name = D4G6V31 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Backdoor.Tidserv.I!inf in File: C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys by: Auto-Protect scan. Action: Clean succeeded : Access allowed. Action Description: The file was repaired successfully.

Error - 12/12/2009 3:42:17 PM | Computer Name = D4G6V31 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Backdoor.Tidserv.I!inf in File: C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys.vir by: Auto-Protect scan. Action: Clean succeeded : Access allowed. Action Description: The file was repaired successfully.

Error - 12/12/2009 6:12:32 PM | Computer Name = D4G6V31 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Backdoor.Tidserv.I!inf in File: C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied. Action Description: The file was left unchanged.

Error - 12/12/2009 6:12:39 PM | Computer Name = D4G6V31 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Backdoor.Tidserv.I!inf in File: C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys by: Auto-Protect scan. Action: Clean succeeded : Access allowed. Action Description: The file was repaired successfully.

Error - 12/12/2009 6:12:43 PM | Computer Name = D4G6V31 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Backdoor.Tidserv.I!inf in File: C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys by: Auto-Protect scan. Action: Clean succeeded : Access allowed. Action Description: The file was repaired successfully.

Error - 12/13/2009 12:16:25 PM | Computer Name = D4G6V31 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Backdoor.Tidserv.I!inf in File: C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied. Action Description: The file was left unchanged.

Error - 12/13/2009 12:16:33 PM | Computer Name = D4G6V31 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Backdoor.Tidserv.I!inf in File: C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys by: Auto-Protect scan. Action: Clean succeeded : Access allowed. Action Description: The file was repaired successfully.

Error - 12/13/2009 12:16:35 PM | Computer Name = D4G6V31 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Backdoor.Tidserv.I!inf in File: C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys by: Auto-Protect scan. Action: Clean succeeded : Access allowed. Action Description: The file was repaired successfully.

[ System Events ]
Error - 12/12/2009 5:38:31 PM | Computer Name = D4G6V31 | Source = Service Control Manager | ID = 7000
Description = The SessionLauncher service failed to start due to the following error: %%3

Error - 12/12/2009 5:50:24 PM | Computer Name = D4G6V31 | Source = Service Control Manager | ID = 7000
Description = The SessionLauncher service failed to start due to the following error: %%3

Error - 12/13/2009 6:08:43 PM | Computer Name = D4G6V31 | Source = Service Control Manager | ID = 7000
Description = The SessionLauncher service failed to start due to the following error: %%3

Error - 12/13/2009 7:03:40 PM | Computer Name = D4G6V31 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/13/2009 7:04:50 PM | Computer Name = D4G6V31 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 FileDisk Fips intelppm SAVRT SYMTDI

Error - 12/13/2009 7:05:02 PM | Computer Name = D4G6V31 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/13/2009 7:06:25 PM | Computer Name = D4G6V31 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/13/2009 7:12:45 PM | Computer Name = D4G6V31 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/13/2009 7:13:02 PM | Computer Name = D4G6V31 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/13/2009 7:16:28 PM | Computer Name = D4G6V31 | Source = Service Control Manager | ID = 7000
Description = The SessionLauncher service failed to start due to the following error: %%3

< End of report >
  16. OTL logfile created on: 12/13/2009 7:26:41 PM - Run 1
OTL by OldTimer - Version 3.1.17.0     Folder = C:\Documents and Settings\xxxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.78 Gb Total Space | 62.15 Gb Free Space | 26.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D4G6V31
Current User Name: xxxxxx
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/13 19:24:52 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop\OTL.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/08/18 13:30:04 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/18 13:29:39 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/03/21 10:07:24 | 00,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/29 01:56:34 | 00,483,328 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\SYSTEM32\ati2evxx.exe
PRC - [2007/02/01 18:45:44 | 00,455,784 | ---- | M] () -- C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
PRC - [2006/06/13 05:20:00 | 00,127,036 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\DLA\DLACTRLW.EXE
PRC - [2005/01/10 07:10:00 | 00,193,592 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
PRC - [2004/08/02 19:36:40 | 00,124,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2004/08/02 19:36:32 | 01,267,024 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2004/08/02 19:36:26 | 00,030,024 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2004/08/02 19:28:46 | 00,757,853 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec System Center\NscTop.exe
PRC - [2004/06/09 20:31:14 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2004/06/09 20:31:08 | 00,255,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2004/06/09 20:31:06 | 00,066,680 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2004/03/24 23:00:00 | 00,073,838 | ---- | M] (Intel) -- C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
PRC - [2003/12/17 08:48:32 | 00,053,305 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\SYSTEM32\AMS_II\IAO.EXE
PRC - [2003/12/17 08:47:28 | 00,028,743 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\SYSTEM32\AMS_II\HNDLRSVC.EXE
PRC - [2003/12/17 08:43:12 | 00,036,915 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\SYSTEM32\CBA\XFR.EXE
PRC - [2003/12/17 08:42:58 | 00,032,819 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\SYSTEM32\CBA\PDS.EXE
PRC - [2003/12/17 08:42:30 | 00,028,729 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\SYSTEM32\MSGSYS.EXE
PRC - [2003/08/13 10:27:40 | 00,028,672 | ---- | M] (Dell - Advanced Desktop Engineering) -- C:\WINDOWS\SYSTEM32\DSentry.exe
PRC - [2003/06/18 00:00:00 | 00,045,056 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe
PRC - [2003/05/31 18:02:32 | 07,544,916 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
PRC - [2002/10/29 08:18:24 | 00,049,152 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
PRC - [2000/06/26 07:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
PRC - [1999/12/13 01:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE

========== Modules (SafeList) ==========

MOD - [2009/12/13 19:24:52 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop\OTL.exe
MOD - [2002/08/29 05:00:00 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\SERWVDRV.DLL
MOD - [2002/08/29 05:00:00 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\UMDMXFRM.DLL

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SessionLauncher)
SRV - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/09/25 16:50:52 | 01,028,432 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/08/18 13:29:39 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/03/24 17:35:44 | 00,183,280 | ---- | M] (Google) [Auto | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/03/16 20:41:33 | 00,133,104 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9a6a9f2595210) Google Update Service (gupdate1c9a6a9f2595210)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/06/23 09:08:34 | 00,362,992 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe -- (Roxio Upnp Server 10)
SRV - [2008/06/23 09:08:28 | 00,313,840 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe -- (Roxio UPnP Renderer 10)
SRV - [2008/06/23 09:06:18 | 00,309,744 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
SRV - [2008/06/23 09:06:10 | 00,166,384 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe -- (RoxWatch10)
SRV - [2008/06/23 09:05:38 | 01,120,752 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2007/09/29 01:56:34 | 00,483,328 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\SYSTEM32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2007/08/21 20:05:00 | 00,593,920 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\SYSTEM32\ati2sgag.exe -- (ATI Smart)
SRV - [2007/02/01 18:45:44 | 00,455,784 | ---- | M] () [Auto | Running] -- C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe -- (ioloDMV)
SRV - [2005/01/10 07:10:00 | 00,193,592 | ---- | M] (SafeNet, Inc) [Auto | Running] -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe -- (SentinelProtectionServer)
SRV - [2004/08/02 19:36:36 | 00,173,392 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2004/08/02 19:36:32 | 01,267,024 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2004/08/02 19:36:26 | 00,030,024 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2004/08/02 19:28:46 | 00,757,853 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec System Center\NscTop.exe -- (NSCTOP)
SRV - [2004/06/11 18:28:30 | 00,201,944 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2004/06/09 20:31:14 | 00,242,808 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2004/06/09 20:31:12 | 00,087,160 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2004/06/09 20:31:08 | 00,255,096 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2004/03/24 23:00:00 | 00,073,838 | ---- | M] (Intel) [Auto | Running] -- C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe -- (IAANTMon)
SRV - [2003/12/17 08:48:32 | 00,053,305 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\WINDOWS\SYSTEM32\AMS_II\IAO.EXE -- (Intel Alert Originator)
SRV - [2003/12/17 08:47:28 | 00,028,743 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\WINDOWS\SYSTEM32\AMS_II\HNDLRSVC.EXE -- (Intel Alert Handler)
SRV - [2003/12/17 08:43:12 | 00,036,915 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\WINDOWS\SYSTEM32\CBA\XFR.EXE -- (Intel File Transfer)
SRV - [2003/12/17 08:42:58 | 00,032,819 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\WINDOWS\SYSTEM32\CBA\PDS.EXE -- (Intel PDS)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/05/31 18:02:32 | 07,544,916 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe -- (MSSQL$MICROSOFTBCM)
SRV - [2003/03/03 13:33:40 | 00,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)
SRV - [2002/12/17 19:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -- (SQLAgent$MICROSOFTBCM)
SRV - [2000/06/26 07:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\SYSTEM32\MsPMSPSv.exe -- (WMDM PMSP Service)
SRV - [1999/12/13 01:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE -- (Creative Service for CDROM Access)

========== Driver Services (SafeList) ==========

DRV - [2009/12/13 19:04:28 | 00,274,816 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2009/12/13 03:00:00 | 01,323,568 | ---- | M] (Symantec Corporation)
[Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091213.008\navex15.sys -- (NAVEX15) DRV - [2009/12/13 03:00:00 | 00,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091213.008\naveng.sys -- (NAVENG) DRV - [2009/08/28 19:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\usbaapl.sys -- (USBAAPL) DRV - [2009/08/18 13:30:03 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86) DRV - [2009/08/18 13:30:03 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86) DRV - [2009/05/18 14:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM) DRV - [2009/03/09 13:06:56 | 00,064,160 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd) DRV - [2008/06/23 10:11:24 | 00,057,328 | ---- | M] (Sonic Solutions) [File_System | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\RxFilter.sys -- (RxFilter) DRV - [2008/04/13 12:56:06 | 00,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nwlnkipx.sys -- (NwlnkIpx) DRV - [2008/04/13 12:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) 
[Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp) DRV - [2008/04/13 12:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp) DRV - [2008/04/08 03:00:00 | 00,044,944 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys -- (PxHelp20) DRV - [2008/03/12 03:00:00 | 00,009,200 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys -- (Cdralw2k) DRV - [2008/03/12 03:00:00 | 00,009,072 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys -- (Cdr4_xp) DRV - [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\secdrv.sys -- (Secdrv) DRV - [2007/09/29 02:06:00 | 02,456,064 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag) DRV - [2007/06/18 22:55:42 | 00,022,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\usbsermpt.sys -- (usbsermpt) DRV - [2007/01/31 07:33:46 | 00,005,632 | ---- | M] (GRISOFT, s.r.o.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\avgarkt.sys -- (AVG Anti-Rootkit) DRV - [2007/01/18 06:00:28 | 00,003,968 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys -- (AvgArCln) DRV - [2006/08/11 13:48:52 | 00,061,952 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\CTHWIUT.DLL -- (CTHWIUT.DLL) DRV - [2006/08/11 13:48:50 | 00,158,720 | ---- | M] (Creative Technology Ltd.) 
[Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\CT20XUT.DLL -- (CT20XUT.DLL) DRV - [2006/08/11 13:48:42 | 01,170,432 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\CTEXFIFX.dll -- (CTEXFIFX.DLL) DRV - [2006/08/11 13:48:32 | 00,548,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\ctsblfx.dll -- (CTSBLFX.DLL) DRV - [2006/08/11 13:48:28 | 00,160,768 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\cteapsfx.dll -- (CTEAPSFX.DLL) DRV - [2006/08/11 13:48:12 | 00,536,576 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\ctaudfx.dll -- (CTAUDFX.DLL) DRV - [2006/08/11 13:48:08 | 00,087,552 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\commonfx.dll -- (COMMONFX.DLL) DRV - [2006/08/11 13:48:06 | 00,317,952 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\CTEDSPSY.DLL -- (CTEDSPSY.DLL) DRV - [2006/08/11 13:45:50 | 00,115,200 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\CTEDSPIO.DLL -- (CTEDSPIO.DLL) DRV - [2006/08/11 13:45:40 | 00,269,824 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\CTEDSPFX.DLL -- (CTEDSPFX.DLL) DRV - [2006/08/11 13:45:40 | 00,007,168 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctprxy2k.sys -- (ctprxy2k) DRV - [2006/08/11 13:45:38 | 00,499,584 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM) DRV - [2006/08/11 13:45:28 | 00,180,224 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\haP17v2k.sys -- (hap17v2k) DRV - [2006/08/11 13:45:26 | 00,766,976 | ---- | M] (Creative Technology Ltd) [Kernel | 
On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ha10kx2k.sys -- (ha10kx2k) DRV - [2006/08/11 13:45:26 | 00,154,112 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\haP16v2k.sys -- (hap16v2k) DRV - [2006/08/11 13:45:24 | 00,116,224 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctoss2k.sys -- (ossrv) DRV - [2006/08/11 13:45:18 | 00,143,872 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctsfm2k.sys -- (ctsfm2k) DRV - [2006/08/11 13:45:18 | 00,078,336 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\emupia2k.sys -- (emupia) DRV - [2006/08/11 13:45:14 | 00,502,272 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctac32k.sys -- (ctac32k) DRV - [2006/07/24 17:51:34 | 00,009,341 | ---- | M] (iolo technologies, LLC (based on original work by Bo Brantén)) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\filedisk.sys -- (FileDisk) DRV - [2006/06/13 05:20:00 | 00,094,460 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLAUDFAM.SYS -- (DLAUDFAM) DRV - [2006/06/13 05:20:00 | 00,088,476 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLAUDF_M.SYS -- (DLAUDF_M) DRV - [2006/06/13 05:20:00 | 00,086,844 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLAIFS_M.SYS -- (DLAIFS_M) DRV - [2006/06/13 05:20:00 | 00,025,724 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLABOIOM.SYS -- (DLABOIOM) DRV - [2006/06/13 05:20:00 | 00,014,716 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLAOPIOM.SYS -- (DLAOPIOM) DRV - [2006/06/13 05:20:00 | 00,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- 
C:\WINDOWS\SYSTEM32\DLA\DLAPoolM.SYS -- (DLAPoolM) DRV - [2006/06/13 05:20:00 | 00,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DLA\DLADResN.SYS -- (DLADResN) DRV - [2006/06/12 03:30:00 | 00,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB) DRV - [2006/03/17 08:35:24 | 00,005,660 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DLACDBHM.SYS -- (DLACDBHM) DRV - [2006/03/17 08:34:46 | 00,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DLARTL_N.SYS -- (DLARTL_N) DRV - [2006/03/17 05:20:00 | 00,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DRVNDDM.SYS -- (DRVNDDM) DRV - [2005/11/10 16:06:04 | 00,340,704 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctdvda2k.sys -- (ctdvda2k) DRV - [2005/06/29 09:49:04 | 00,163,840 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\e1000325.sys -- (E1000) Intel® DRV - [2005/01/10 07:10:00 | 00,090,168 | ---- | M] (SafeNet, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel) DRV - [2005/01/10 07:10:00 | 00,028,216 | ---- | M] (SafeNet, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\SNTNLUSB.SYS -- (SNTNLUSB) DRV - [2004/10/07 19:16:04 | 00,035,840 | ---- | M] (Oak Technology Inc.) 
[Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\AFS2K.SYS -- (AFS2K) DRV - [2004/08/03 23:29:54 | 01,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys -- (nv) DRV - [2004/08/03 23:29:49 | 00,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4) DRV - [2004/08/03 23:29:47 | 00,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3) DRV - [2004/08/03 23:29:45 | 00,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4) DRV - [2004/08/03 23:29:43 | 00,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3) DRV - [2004/08/03 23:29:42 | 00,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1) DRV - [2004/08/03 23:29:41 | 00,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0) DRV - [2004/08/03 23:29:37 | 00,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0) DRV - [2004/08/03 23:29:37 | 00,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1) DRV - [2004/08/03 23:29:37 | 00,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2) DRV - [2004/08/03 23:29:36 | 00,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x) DRV - [2004/06/11 18:28:10 | 00,263,736 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI) 
DRV - [2004/06/11 18:28:08 | 00,016,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV) DRV - [2004/03/04 23:46:46 | 00,082,832 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent) DRV - [2004/02/09 15:43:56 | 00,301,200 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT) DRV - [2004/02/09 15:43:56 | 00,037,008 | R--- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL) DRV - [2003/08/29 03:59:24 | 01,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\BCMSM.sys -- (BCMModem) DRV - [2002/12/04 18:08:00 | 00,134,304 | ---- | M] (Dell Computer Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\AtlsVid.sys -- (EMATCORE) DRV - [2002/12/03 11:48:00 | 00,021,504 | ---- | M] (Dell Computer Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\AtlsAud.sys -- (AtlsAud) DRV - [2002/11/08 13:45:06 | 00,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci) DRV - [2002/08/29 05:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\NWLNKNB.SYS -- (NwlnkNb) DRV - [2002/08/29 05:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\NWLNKSPX.SYS -- (NwlnkSpx) DRV - [2002/08/29 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\PTILINK.SYS -- (Ptilink) DRV - [2001/08/17 14:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) 
[Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow) DRV - [2001/08/17 14:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3) DRV - [2001/08/17 14:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi) DRV - [2001/08/17 14:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx) DRV - [2001/08/17 14:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810) DRV - [2001/08/17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA) DRV - [2001/08/17 13:56:16 | 00,007,552 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1) DRV - [2001/08/17 13:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra) DRV - [2001/08/17 13:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160) DRV - [2001/08/17 13:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080) DRV - [2001/08/17 13:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280) DRV - [2001/08/17 13:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k) DRV - [2001/08/17 13:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) 
[Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x) DRV - [2001/08/17 13:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc) DRV - [2001/08/17 13:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550) DRV - [2001/08/17 13:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde) DRV - [2001/08/17 13:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde) DRV - [2001/08/17 12:11:06 | 00,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC) [color="#E56717"]========== Standard Registry (SafeList) ==========[/color] [color="#E56717"]========== Internet Explorer ==========[/color] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [url="http://www.rr.com/flash/index.cfm"]http://www.rr.com/flash/index.cfm[/url] IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555 FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/03/21 10:07:58 | 00,000,000 | ---D | M] [2009/03/21 14:26:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Mozilla\Extensions [2009/03/21 14:26:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Mozilla\Extensions\[email protected] O1 HOSTS File: (614790 bytes) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: 127.0.0.1 
fr.a2dfp.net O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net O1 - Hosts: 127.0.0.1 ad.a8.net O1 - Hosts: 127.0.0.1 asy.a8ww.net O1 - Hosts: 127.0.0.1 adv.abv.bg O1 - Hosts: 127.0.0.1 bimg.abv.bg O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com O1 - Hosts: 127.0.0.1 accuserveadsystem.com O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com O1 - Hosts: 127.0.0.1 achmedia.com O1 - Hosts: 127.0.0.1 aconti.net O1 - Hosts: 127.0.0.1 secure.aconti.net O1 - Hosts: 127.0.0.1 www.aconti.net #[Dialer.Aconti] O1 - Hosts: 127.0.0.1 ads.active.com O1 - Hosts: 127.0.0.1 am1.activemeter.com O1 - Hosts: 127.0.0.1 www.activemeter.com #[eTrust.Tracking.Cookie] O1 - Hosts: 127.0.0.1 ads.activepower.net O1 - Hosts: 127.0.0.1 data2.activshopper.com #[Trackware.ActivShopper] O1 - Hosts: 127.0.0.1 stat.active24stats.nl #[eTrust.Tracking.Cookie] O1 - Hosts: 127.0.0.1 ad2games.com O1 - Hosts: 127.0.0.1 cms.ad2click.nl O1 - Hosts: 127.0.0.1 ads.ad2games.com O1 - Hosts: 127.0.0.1 content.ad20.net O1 - Hosts: 16153 more lines... O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer) O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.) O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) 
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft) O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.) O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation) O4 - HKLM..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE (Creative Technology Ltd) O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe (Creative Technology Ltd) O4 - HKLM..\Run: [DLA] C:\WINDOWS\SYSTEM32\DLA\DLACTRLW.EXE (Sonic Solutions) O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\SYSTEM32\DSentry.exe (Dell - Advanced Desktop Engineering) O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe (Intel) O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe (Intel® Corporation) O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.) O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.) 
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation) O4 - Startup: C:\Documents and Settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O10 - NameSpace_Catalog5\Catalog_Entries0000000004 [] - C:\WINDOWS\SYSTEM32\nwprovau.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries0000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone. 
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [url="http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab"]http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab[/url] (QuickTime Object) O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} [url="http://www.creative.com/su/ocx/15030/CTSUEng.cab"]http://www.creative.com/su/ocx/15030/CTSUEng.cab[/url] (Creative Software AutoUpdate) O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} [url="http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab"]http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab[/url] (HPSDDX Class) O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} [url="http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab"]http://download.macromedia.com/pub/shockwa...director/sw.cab[/url] (Shockwave ActiveX Control) O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} [url="http://lads.myspace.com/upload/MySpaceUploader1006.cab"]http://lads.myspace.com/upload/MySpaceUploader1006.cab[/url] (MySpace Uploader Control) O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} [url="http://www.evite.com/html/imageUpload/ImageUploader5.cab"]http://www.evite.com/html/imageUpload/ImageUploader5.cab[/url] (Image Uploader Control) O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} [url="https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab"]https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab[/url] (DLC Class) O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} [url="http://www.evite.com/html/imageUpload/ImageUploader4.cab"]http://www.evite.com/html/imageUpload/ImageUploader4.cab[/url] (Image Uploader Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [url="http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab"]http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab[/url] (Java Plug-in 1.6.0_17) O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} 
[url="http://cs7b.instantservice.com/jars/customerxsigned40.cab"]http://cs7b.instantservice.com/jars/customerxsigned40.cab[/url] (CustomerCtrl Class) O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} [url="http://web1.shutterfly.com/downloads/Uploader.cab"]http://web1.shutterfly.com/downloads/Uploader.cab[/url] (Shutterfly Picture Upload Plugin) O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} [url="http://www.snapfish.com/SnapfishUpload.cab"]http://www.snapfish.com/SnapfishUpload.cab[/url] (Snapfish File Upload ActiveX Control) O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [url="http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab"]http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab[/url] (Java Plug-in 1.6.0_17) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [url="http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab"]http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab[/url] (Java Plug-in 1.6.0_17) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [url="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab"]http://download.macromedia.com/pub/shockwa...ash/swflash.cab[/url] (Shockwave Flash Object) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [url="http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab"]http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab[/url] (Reg Error: Key error.) 
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} [url="http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab"]http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab[/url] (MASHControl Class) O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} [url="http://www.creative.com/su/ocx/15030/CTPID.cab"]http://www.creative.com/su/ocx/15030/CTPID.cab[/url] (Creative Software AutoUpdate Support Package) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 24.93.41.128 O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.) O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\SYSTEM32\NavLogon.dll (Symantec Corporation) O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2002/09/03 13:36:02 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe () O35 - comfile [open] -- "%1" %* O35 - exefile [open] -- "%1" %* NetSvcs: 6to4 - File not found NetSvcs: Ias - C:\WINDOWS\SYSTEM32\IAS [2003/11/26 16:42:08 | 00,000,000 | ---D | M] NetSvcs: Iprip - File not found NetSvcs: Irmon - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: WmdmPmSp - File not found NetSvcs: Ip6FwHlp - File not found MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk - 
C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe - (Adobe Systems, Inc.) MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe - (Adobe Systems Incorporated) MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe - (Microsoft Corporation) MsConfig - StartUpReg: [b]AVG8_TRAY[/b] - hkey= - key= - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.) MsConfig - StartUpReg: [b]BCMSMMSG[/b] - hkey= - key= - C:\WINDOWS\BCMSMMSG.exe (Broadcom Corporation) MsConfig - StartUpReg: [b]BuildBU[/b] - hkey= - key= - c:\DELL\BLDBUBG.EXE () MsConfig - StartUpReg: [b]CTHelper[/b] - hkey= - key= - C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd) MsConfig - StartUpReg: [b]CTxfiHlp[/b] - hkey= - key= - File not found MsConfig - StartUpReg: [b]CtxfiReg[/b] - hkey= - key= - File not found MsConfig - StartUpReg: [b]DMXLauncher[/b] - hkey= - key= - C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe () MsConfig - StartUpReg: [b]DwlClient[/b] - hkey= - key= - C:\Program Files\Common Files\Dell\EUSW\Support.exe (Dell) MsConfig - StartUpReg: [b]HPWITOOLBOX[/b] - hkey= - key= - C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe (Hewlett-Packard Company) MsConfig - StartUpReg: [b]ISUSScheduler[/b] - hkey= - key= - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation) MsConfig - StartUpReg: [b]iTunesHelper[/b] - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.) 
MsConfig - StartUpReg: Malwarebytes Anti-Malware (reboot) - hkey= - key= - C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
MsConfig - StartUpReg: MoneyAgent - hkey= - key= - C:\Program Files\Microsoft Money\System\mnyexpr.exe (Microsoft Corp.)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: RoxWatchTray - hkey= - key= - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe (Sonic Solutions)
MsConfig - StartUpReg: Share-to-Web Namespace Daemon - hkey= - key= - C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)
MsConfig - StartUpReg: TkBellExe - hkey= - key= - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
MsConfig - StartUpReg: updateMgr - hkey= - key= - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: WMPNSCFG - hkey= - key= - C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 2
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {1a3e09be-1e45-494b-9174-d7385b45bbf5} - Reg Error: Value error.
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {057997dd-71e4-43cc-b161-3f8180691a9e} - Q824145
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608555} - Internet Explorer Classes for Java
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 10.1
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {2298d453-bcae-4519-bf33-1cbf3faf1524} - Q867801
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 10.1
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2cc9d512-6db6-4f1c-8979-9a41fae88de0} - Q837009
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015C} - Microsoft DirectX
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5f3c70b3-ac2f-432c-8f9c-1624df61f54f} - Microsoft Data Access Components KB870669
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {795d0712-722c-43ec-906a-fc5e678eada9} - Q831167
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {abcdf74f-9a64-4e6e-b8eb-6e5a41de6550} -
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {ECD292A0-0347-4244-8C24-5DBCE990FB40} - Hotfix for Microsoft .NET Framework 3.0 (KB932471)
ActiveX: {eddbec60-89cb-44ef-8291-0850fd28ff6a} - Q832894
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: {f5173cf0-1dfb-4978-8e50-a90169ee7ca9} - Q823353
ActiveX: {F5776D81-AE53-4935-8E84-B0B283D8BCEF} - Q330994
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -
Drivers32: msacm.iac2 - C:\WINDOWS\System32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\SYSTEM32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\TSSOFT32.ACM (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\IR32_32.DLL ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\IR32_32.DLL ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.MP42 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: VIDC.MP43 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: VIDC.MPG4 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\SERWVDRV.DLL (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2009/12/13 19:24:52 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop\OTL.exe
[2009/12/12 15:58:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxxxxxx.D4G6V31.000\DoctorWeb
[2009/12/12 15:56:34 | 24,953,776 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\xxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop\drweb-cureit.exe
[2009/12/12 08:37:25 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/12/11 16:12:45 | 00,343,040 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\xxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop\TFC.exe
[2009/12/10 03:25:50 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/11/18 00:02:58 | 00,000,000 | ---D | C] -- C:\Program Files\Safari
[2009/11/17 23:41:25 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/11/17 23:41:19 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/11/17 23:41:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/11/17 23:38:30 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/11/16 17:41:00 | 00,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusb.dll
[2009/11/16 17:40:53 | 00,159,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusd.dll
[2009/03/31 22:00:27 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/03/18 20:31:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/03/16 20:42:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/01/02 18:38:19 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/01/02 18:38:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/01/02 18:38:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/01/26 01:44:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2007/09/14 16:29:03 | 00,033,792 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2007/02/03 19:35:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\iolo
[2005/12/16 20:55:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2005/12/16 20:08:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2004/08/25 11:22:08 | 00,151,552 | ---- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll
[2004/02/11 18:37:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[26 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/13 19:24:52 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\xxxxxxxxxxxxx.D4G6V31.000\Desktop\OTL.exe
[2009/12/13 19:20:57 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2009/12/13 19:20:08 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/12/13 19:19:14 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/12/13 19:19:03 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/13 19:18:53 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2009/12/13 19:18:48 | 34,886,77888 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/13 19:17:54 | 10,485,760 | ---- | M] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxxx.D4G6V31.000\ntuser.dat
[2009/12/13 19:17:54 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxxx.D4G6V31.000\NTUSER.INI
[2009/12/13 19:04:28 | 00,274,816 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\drivers\iaStor.sys
[2009/12/13 18:40:40 | 00,000,347 | ---- | M] () -- C:\WINDOWS\WIN.INI
[2009/12/13 18:40:40 | 00,000,281 | RHS- | M] () -- C:\BOOT.INI
[2009/12/13 18:40:40 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/13 17:38:35 | 00,030,912 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2009/12/13 17:38:35 | 00,030,912 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2009/12/13 17:38:35 | 00,030,120 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2009/12/13 17:38:35 | 00,030,120 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2009/12/13 17:38:35 | 00,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
[2009/12/13 17:38:35 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/12/13 17:38:35 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/12/13 17:24:06 | 00,002,521 | ---- | M] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop\Outlook 2003.lnk
[2009/12/13 17:02:00 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/12/13 08:07:28 | 46,570,310 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/12/13 02:18:29 | 00,123,708 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/12/12 15:56:31 | 24,953,776 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop\drweb-cureit.exe
[2009/12/12 15:36:49 | 00,612,952 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/12 00:28:43 | 02,703,136 | -H-- | M] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxx.D4G6V31.000\Local Settings\Application Data\IconCache.db
[2009/12/11 16:12:27 | 00,343,040 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop\TFC.exe
[2009/12/09 22:54:07 | 00,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/12/09 20:31:42 | 00,589,814 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/09 20:31:42 | 00,488,932 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2009/12/09 20:31:42 | 00,088,954 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2009/12/09 00:46:24 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/07 20:40:27 | 00,293,888 | ---- | M] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxxxx.D4G6V31.000\My Documents\Song Listing.xls
[2009/12/07 19:30:38 | 00,002,495 | ---- | M] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop\Excel 2003.lnk
[2009/12/03 18:30:10 | 00,002,497 | ---- | M] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop\Word 2003.lnk
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/22 22:06:15 | 00,000,364 | ---- | M] () -- C:\WINDOWS\ARFolder.INI
[2009/11/21 09:51:42 | 01,206,508 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/11/21 09:51:04 | 00,471,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[26 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 00,011,168 | -H-- | C] () -- C:\WINDOWS\System32\jiwokavi
[2009/12/13 19:18:48 | 34,886,77888 | -HS- | C] () -- C:\hiberfil.sys
[2009/12/12 02:07:27 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/12/12 02:07:27 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/07/02 12:33:22 | 04,148,400 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxxxx.D4G6V31.000\Local Settings\Application Data\rx_image32.Cache
[2009/03/31 22:31:45 | 00,086,446 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2009/03/31 22:31:45 | 00,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2009/03/31 22:31:45 | 00,000,191 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/06/16 13:47:46 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2008/02/15 17:32:37 | 00,569,160 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxxxx.D4G6V31.000\Local Settings\Application Data\rx_audio.Cache
[2008/01/26 02:22:44 | 00,218,544 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxxxx.D4G6V31.000\Local Settings\Application Data\rx_image.Cache
[2007/09/27 09:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 09:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 09:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/09/14 16:29:13 | 00,005,515 | ---- | C] () -- C:\WINDOWS\System32\ENSDEF.INI
[2007/03/03 10:07:42 | 00,000,026 | ---- | C] () -- C:\WINDOWS\UpdaterDVW58E.INI
[2007/02/03 19:35:26 | 00,696,320 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2007/02/03 19:35:26 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2007/01/20 02:53:01 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2007/01/15 15:07:36 | 00,000,036 | ---- | C] () -- C:\WINDOWS\webica.ini
[2006/08/11 13:57:18 | 00,037,888 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL
[2006/05/23 11:40:34 | 00,000,269 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2005/06/16 17:17:16 | 00,071,680 | ---- | C] () -- C:\WINDOWS\System32\CTMMACTL.DLL
[2005/01/01 11:16:44 | 00,000,364 | ---- | C] () -- C:\WINDOWS\ARFolder.INI
[2004/10/23 10:05:45 | 00,000,294 | ---- | C] () -- C:\WINDOWS\hpqcopy.INI
[2004/05/30 11:34:18 | 00,000,000 | ---- | C] () -- C:\WINDOWS\hpqemlsz.INI
[2004/05/29 13:47:04 | 00,000,142 | ---- | C] () -- C:\WINDOWS\Readiris.ini
[2004/05/29 13:47:02 | 00,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2004/05/29 13:44:06 | 00,049,152 | ---- | C] () -- C:\WINDOWS\StiRegstEng.dll
[2004/03/26 11:39:47 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\exeshl.dll
[2004/03/23 18:42:53 | 00,000,126 | R--- | C] () -- C:\WINDOWS\hpw9600k.ini
[2004/03/23 18:40:16 | 00,014,454 | ---- | C] () -- C:\WINDOWS\hpdj9600.ini
[2004/03/20 17:11:47 | 00,000,021 | ---- | C] () -- C:\WINDOWS\DVDSentry.ini
[2004/01/06 03:57:40 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\edtExt.dll
[2003/12/18 18:58:38 | 00,038,355 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Microsoft Excel.ADR
[2003/12/17 19:18:18 | 00,027,233 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Personal Address Book.ADR
[2003/12/16 01:02:20 | 00,000,337 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2003/12/14 19:38:19 | 00,338,944 | ---- | C] () -- C:\WINDOWS\System32\LFFPX7.DLL
[2003/12/14 19:38:19 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2003/12/14 18:04:12 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxxxx.D4G6V31.000\Local Settings\Application Data\FASTWiz.html
[2003/12/14 15:06:44 | 00,035,649 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxxxx.D4G6V31.000\Local Settings\Application Data\FASTWiz.log
[2003/12/14 12:23:14 | 00,001,125 | ---- | C] () -- C:\WINDOWS\Winamp.ini
[2003/12/14 12:22:53 | 00,000,041 | ---- | C] () -- C:\WINDOWS\winampa.ini
[2003/12/14 12:01:45 | 00,000,151 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxxxx.D4G6V31.000\Local Settings\Application Data\fusioncache.dat
[2003/12/14 11:45:01 | 00,217,088 | ---- | C] () -- C:\Documents and Settings\xxxxxxxxxxxxxxxxxxxxx.D4G6V31.000\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/11/26 17:44:17 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/11/26 17:35:54 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/11/26 17:30:08 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2003/11/26 17:29:46 | 00,066,807 | ---- | C] () -- C:\WINDOWS\System32\Aud2_Del.ini
[2003/11/26 17:29:21 | 00,000,136 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2003/11/26 17:25:34 | 00,000,956 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2003/11/26 17:22:20 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/11/26 17:08:43 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/11/26 16:47:18 | 00,000,552 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/08/07 15:01:50 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2003/06/04 00:08:30 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\hpnvr82.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >
[2005/10/31 09:56:00 | 00,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe

< MD5 for: AGP440.SYS >
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SYSTEM32\DRIVERS\agp440.sys
[2004/08/04 00:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2004/08/04 00:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\agp440.sys
[2004/08/03 23:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\SYSTEM32\ReinstallBackups10\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SYSTEM32\DLLCACHE\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys
[2004/08/03 23:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 23:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SYSTEM32\eventlog.dll
[2004/08/04 01:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2004/08/04 01:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\eventlog.dll

< MD5 for: IASTOR.SYS >
[2003/07/03 00:00:00 | 00,274,816 | ---- | M] (Intel Corporation) MD5=50B56E7DE809BE4B8F4D24B3F0381520 -- C:\DRIVERS\STORAGE\ONBOARD\IASTOR.SYS
[2003/07/03 00:00:00 | 00,274,816 | ---- | M] (Intel Corporation) MD5=50B56E7DE809BE4B8F4D24B3F0381520 -- C:\WINDOWS\SYSTEM32\ReinstallBackups16\DriverFiles\iaStor.sys
[2004/03/24 23:00:00 | 00,274,816 | ---- | M] (Intel Corporation) MD5=9B5D077B6033BB41AB5AF0E28E566164 -- C:\Program Files\Intel\Intel Application Accelerator\Driver\iastor.sys
[2009/12/13 19:04:28 | 00,274,816 | ---- | M] (Intel Corporation) MD5=9B5D077B6033BB41AB5AF0E28E566164 -- C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SYSTEM32\netlogon.dll
[2004/08/04 01:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2004/08/04 01:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 01:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2004/08/04 01:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SYSTEM32\scecli.dll

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2009-12-09 06:46:24

========== Alternate Data Streams ==========

@Alternate Data Stream - 191 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EFA09BFC

< End of report >
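Reading a log like the one above by eye is slow and easy to get wrong, so the script below mechanises a few of the checks a helper applies by hand. It is an added example, not code from OTL, HijackThis or the poster, and it runs over lines copied from the logs in this thread: the hidden, extensionless file in System32 stamped 2099/01/01, the two BootExecute entries, the comfile/exefile open commands, and the MD5 custom-scan lines for atapi.sys and iaStor.sys, plus, from the HijackThis log the poster also shares, the ProxyServer value pointing at 127.0.0.1:5555, the UserInit replacement, and a process whose name is a Windows component with a number bolted on. The rule names, the 14 December cut-off date and the two example.sys lines are this example's own assumptions; the example.sys pair is constructed so the driver-hash rule has a positive case.

```python
"""Triage of OTL / HijackThis log lines.

Added example for this thread, not code from OTL, HijackThis or the poster.
Each rule is this example's own heuristic; a hit is a review item, not a
verdict.
"""
import ntpath
import re
from datetime import datetime

# Assumed cut-off: the day after the newest genuine timestamp in the posted
# logs. A file stamped later than this cannot carry a real creation time.
SCAN_DATE = datetime(2009, 12, 14)

# Lines copied from the OTL and HijackThis logs posted in this thread. The two
# example.sys lines are CONSTRUCTED (not from the logs) so the hash check has
# a positive case to fire on.
SAMPLE_LOG = r"""
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*
[2099/01/01 12:00:00 | 00,011,168 | -H-- | C] () -- C:\WINDOWS\System32\jiwokavi
[2009/12/12 02:07:27 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SYSTEM32\DLLCACHE\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys
[2004/03/24 23:00:00 | 00,274,816 | ---- | M] (Intel Corporation) MD5=9B5D077B6033BB41AB5AF0E28E566164 -- C:\Program Files\Intel\Intel Application Accelerator\Driver\iastor.sys
[2009/12/13 19:04:28 | 00,274,816 | ---- | M] (Intel Corporation) MD5=9B5D077B6033BB41AB5AF0E28E566164 -- C:\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys
[2008/04/13 12:00:00 | 00,010,000 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\WINDOWS\ServicePackFiles\i386\example.sys
[2009/12/13 12:00:00 | 00,010,000 | ---- | M] (Microsoft Corporation) MD5=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -- C:\WINDOWS\SYSTEM32\DRIVERS\example.sys
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winupdate86.exe
"""

# OTL file entry: [timestamp | size | attrs | C/M] (company) [MD5=...] -- path
FILE_RE = re.compile(
    r'^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| '
    r'(?P<attrs>\S{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\)'
    r'(?: MD5=(?P<md5>[0-9A-Fa-f]{32}))? -- (?P<path>.+)$')
# A Windows component name with a numeric suffix, e.g. winlogon86.exe
FAKE_NAME_RE = re.compile(
    r'^(winlogon|userinit|svchost|lsass|csrss|smss|explorer|winupdate)\d+\.exe$', re.I)


def triage(text):
    """Return [(rule, line_or_path)] for every line that trips a rule."""
    findings = []
    copies = {}  # driver basename -> [(path, md5)] from the MD5 custom scan
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%Y/%m/%d %H:%M:%S')
            path, company, attrs = m['path'], m['company'].strip(), m['attrs']
            if ts > SCAN_DATE:
                findings.append(('future_timestamp', line))
            # Hidden or extensionless file in System32 with no company name
            if ('\\system32\\' in path.lower() and not company
                    and ('H' in attrs or '.' not in ntpath.basename(path))):
                findings.append(('system32_no_company', line))
            if m['md5']:
                copies.setdefault(ntpath.basename(path).lower(), []).append(
                    (path, m['md5'].upper()))
        elif line.startswith('R1 -') and 'ProxyServer' in line and \
                re.search(r'(127\.0\.0\.1|localhost):\d+', line):
            # All browser traffic is being routed through a local process
            findings.append(('loopback_proxy', line))
        elif line.startswith('F2 -') and 'UserInit=' in line:
            exe = ntpath.basename(line.split('UserInit=', 1)[1].strip().rstrip(','))
            if exe.lower() != 'userinit.exe':
                findings.append(('userinit_replaced', line))
        elif line.startswith('O34 -') and 'BootExecute' in line:
            # Anything beyond the default autochk entry runs before the kernel's
            # driver stack is up; list it for review, whatever its origin
            if re.search(r'\((.*?)\)', line).group(1) != 'autocheck autochk *':
                findings.append(('bootexecute_extra', line))
        elif line.startswith('O35 -'):
            if line.split(' -- ', 1)[1] != '"%1" %*':
                findings.append(('shell_open_hijack', line))
        elif re.match(r'^[A-Za-z]:\\', line) and FAKE_NAME_RE.match(ntpath.basename(line)):
            findings.append(('impersonating_name', line))
    # The copy actually loaded from SYSTEM32\DRIVERS should hash like at least
    # one backup copy (dllcache, ServicePackFiles, vendor package, ...).
    for entries in copies.values():
        for path, md5 in entries:
            if '\\system32\\drivers\\' in path.lower() and not any(
                    other != path and h == md5 for other, h in entries):
                findings.append(('driver_hash_unmatched', path))
    return findings


if __name__ == '__main__':
    for rule, what in triage(SAMPLE_LOG):
        print(f'{rule:22} {what}')
```

Two points of the output are worth reading with care. lsdelete.exe is listed only because it is not the default BootExecute value; it is a known Lavasoft Ad-Aware component, which is why a rule hit is a review item and not a verdict. And iaStor.sys is not flagged even though the log shows it modified on 12/13 19:04, because its MD5 matches the copy in the Intel Application Accelerator folder; a fresh modification time on a boot-start storage driver is what makes a helper look twice, and the hash agreement across copies is what clears it.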
  17. New Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:00:29 PM, on 12/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\winupdate86.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\InternetSecurity2010\IS2010.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.evite.com/html/imageUpload/ImageUploader5.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} (Image Uploader Control) - http://www.evite.com/html/imageUpload/ImageUploader4.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate1c9a6a9f2595210) (gupdate1c9a6a9f2595210) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\xxxxxx~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  18. Well, my computer is reinfected. Evidently, any search after the first link within Google redirects me and causes my computer to be infected with the rogue Internet Security 2010. I was trying to retrace my steps from the very beginning of this thread and redownload Combofix, but it appears that the site is down?
  19. I was able to download and run it successfully; here is the report:

Process in memory: C:\WINDOWS\system32\svchost.exe:1096;;BackDoor.Tdss.565;Eradicated.;
iaStor.sys;C:\WINDOWS\system32\DRIVERS;BackDoor.Tdss.1365;Cured.;
iastor.sys;c:\windows\system32\drivers;BackDoor.Tdss.1365;Cured.;
A0001842.exe\32788R22FWJFW\List-C.bat;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP7\A0001842.exe;Probably BATCH.Virus;;
A0001842.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP7;Archive contains infected objects;Moved.;
A0001872.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP7;Tool.Prockill;;
A0001874.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP7;Tool.ShutDown.14;;
iaStor.sys;C:\WINDOWS\SYSTEM32\DRIVERS;BackDoor.Tdss.1365;Cured.;

Additionally, it asked if I wanted to change my HOSTS file (I currently use MVPS HOSTS), but I declined that change. I suspect that the iaStor is still infected though. Should this have been run while in Safe Mode?
  20. I was in the process of downloading Dr.Web CureIt.exe, but it said it was going to take approximately 6 hours, and then it timed out. Should I try again?
  21. From the Combofix log, as you can see, the same iaStor is infected as it was in the previous Combofix logs:

ComboFix 09-12-11.04 - xxxxxxxxxxxxxxxxxx 12/12/2009 2:16.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2640 [GMT -6:00]
Running from: c:\documents and settings\xxxxxxxxxxxxxxxxx.D4G6V31.000\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - c:\windows\SYSTEM32\ReinstallBackups16\DriverFiles\iaStor.sys
.
((((((((((((((((((((((((( Files Created from 2009-11-12 to 2009-12-12 )))))))))))))))))))))))))))))))
.
2009-12-11 19:34 . 2009-12-11 19:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-10 09:25 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-11-18 06:02 . 2009-11-18 06:03 -------- d-----w- c:\program files\Safari
2009-11-18 05:41 . 2009-11-18 06:00 -------- d-----w- c:\program files\iPod
2009-11-18 05:41 . 2009-11-18 06:00 -------- d-----w- c:\program files\iTunes
2009-11-18 05:41 . 2009-11-18 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-18 05:38 . 2009-11-18 05:39 -------- d-----w- c:\program files\QuickTime
2009-11-16 23:41 . 2001-08-18 04:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-16 23:40 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-12 08:37 . 2007-01-20 08:27 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-12 08:11 . 2003-07-03 06:00 274816 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-12 05:35 . 2009-03-17 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-11 22:10 . 2006-06-09 23:04 -------- d-----w- c:\program files\HiJack This
2009-12-10 08:33 . 2009-03-20 23:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-10 08:32 . 2009-12-10 08:32 4844295 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-10 05:47 . 2003-11-26 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-12-10 05:46 . 2003-11-26 23:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-04 23:07 . 2009-03-17 02:39 -------- d-----w- c:\program files\Google
2009-12-03 22:14 . 2009-03-20 23:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-03-20 23:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 02:00 . 2009-09-25 22:50 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-25 16:17 . 2009-12-11 16:53 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-25 16:17 . 2009-12-11 16:53 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-11-25 16:17 . 2009-12-11 16:53 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-11-24 16:49 . 2008-01-16 00:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-21 15:51 . 2002-08-29 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-18 06:57 . 2009-09-03 22:56 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Apple Computer
2009-11-18 06:01 . 2009-11-18 06:01 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-18 06:00 . 2009-09-03 22:53 -------- d-----w- c:\program files\Common Files\Apple
2009-11-18 05:33 . 2009-11-18 05:33 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-15 21:39 . 2009-09-03 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-12 01:32 . 2009-11-12 01:32 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Sony Corporation
2009-11-12 01:28 . 2009-11-12 01:28 -------- d-----w- c:\program files\Sonic
2009-11-12 01:25 . 2009-11-12 01:25 -------- d-----w- c:\program files\Sony
2009-11-12 01:23 . 2009-11-12 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2009-11-08 20:11 . 2004-06-08 23:38 -------- d-----w- c:\program files\LimeWire
2009-11-04 00:05 . 2009-03-21 19:42 -------- d-----w- c:\program files\Java
2009-11-04 00:04 . 2009-11-04 00:04 152576 ----a-w- c:\documents and settings\xxxxxxxxxxxxxxxxxxx.D4G6V31.000\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-29 07:45 . 2004-02-06 23:05 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-17 02:15 . 2009-06-19 23:24 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-13 10:30 . 2002-08-29 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2002-08-29 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2002-08-29 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 10:17 . 2009-03-19 03:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 22:51 . 2009-06-19 23:24 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-09-25 22:51 . 2009-06-19 23:24 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-09-25 22:51 . 2009-06-19 23:24 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-09-25 22:51 . 2009-05-29 22:27 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-09-25 22:51 . 2009-09-25 22:51 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-09-25 22:51 . 2009-06-19 23:24 349008 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-09-25 22:51 . 2009-06-19 23:24 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-09-25 22:51 . 2009-06-19 23:24 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-09-25 22:51 . 2009-05-29 22:27 84320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-09-25 22:51 . 2009-05-29 22:27 246640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-09-25 22:50 . 2009-09-25 22:50 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2009-09-25 22:50 . 2009-05-29 22:27 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-09-25 22:50 . 2009-09-25 22:50 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2009-09-25 22:50 . 2009-06-19 23:24 664936 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-09-25 22:50 . 2009-06-19 23:24 562552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-09-25 22:50 . 2009-06-19 23:24 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-09-25 22:50 . 2009-06-19 23:24 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-09-25 22:50 . 2009-06-19 23:24 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-09-25 22:50 . 2009-06-19 23:24 1028432 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-25 126976]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDET"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-08-03 124232]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-21 198160]

c:\documents and settings\XXXXXXXXXXXXXXXXXX.D4G6V31.000\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 19:30 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2009-09-25 22:50 520024 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2009-12-11 16:52 2043160 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 09:59 122880 ----a-w- c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
2003-09-10 20:47 61440 ----a-w- c:\dell\BLDBUBG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2006-08-11 19:56 17920 ----a-w- c:\windows\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-08-11 19:56 18944 ----a-w- c:\windows\SYSTEM32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg]
2006-08-11 19:53 42496 ----a-w- c:\windows\SYSTEM32\CTXFIREG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2008-06-12 15:00 113136 ----a-w- c:\program files\Roxio\CinePlayer\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient]
2004-05-28 01:05 323584 ----a-w- c:\program files\Common Files\Dell\EUSW\Support.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWITOOLBOX]
2003-07-24 06:28 290816 ----a-w- c:\program files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 14:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 02:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2003-06-18 18:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 07:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-06-23 15:05 244208 ----a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 15:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-21 16:07 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 21:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\LightWave [8]\\Programs\\hub.exe"=
"c:\\Program Files\\LightWave [8]\\Programs\\lightwav.exe"=
"c:\\Program Files\\LightWave [8]\\Programs\\modeler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/31/2009 9:07 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [1/2/2009 6:41 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/2/2009 6:05 PM 297752]
S2 gupdate1c9a6a9f2595210;Google Update Service (gupdate1c9a6a9f2595210);c:\program files\Google\Update\GoogleUpdate.exe [3/16/2009 8:41 PM 133104]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [6/23/2008 9:08 AM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [6/23/2008 9:06 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [6/23/2008 9:06 AM 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\XXXXXX~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\XXXXXX~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 1028432]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [6/23/2008 9:08 AM 313840]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [6/23/2008 9:05 AM 1120752]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/2/2004 7:36 PM 173392]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/flash/index.cfm
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: LimeShop Preferences - file://c:\program files\LimeShop\System\Temp\limeshop_script0.htm
DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} - hxxp://www.evite.com/html/imageUpload/ImageUploader4.cab
DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} - hxxp://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-12 02:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B1F4618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a0852
\Driver\iaStor -> iaStor.sys @ 0xf74662f0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Intel® PRO/1000 MT Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7868bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7875a21
SendHandler -> NDIS.sys @ 0xf785387b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\COMRes.dll

- - - - - - - > 'lsass.exe'(884)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3552)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\windows\system32\cba\pds.exe
c:\program files\iolo\Common\Lib\ioloDMVSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\progra~1\Symantec\SYMANT~1\NSCTOP.EXE
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\ams_ii\hndlrsvc.exe
c:\windows\system32\MsgSys.EXE
c:\windows\system32\ams_ii\iao.exe
c:\windows\system32\cba\xfr.exe
c:\program files\Windows Media Player\WMPNetwk.exe
.
**************************************************************************
.
Completion time: 2009-12-12 02:50:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-12 08:50

Pre-Run: 66,708,488,192 bytes free
Post-Run: 66,630,778,880 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - D038E651F80709189DBE485B5FE36366
  22. The computer itself appears to be running fine; however, last night I noticed that whatever search I try to perform in Google, I get redirected. As an example, I get redirected by chameleonsearch.com or another questionable source, and it usually tries to redirect me to websites that appear to be selling the same rogue antivirus that I was infected with originally. I reran Combofix, and it is still stating that it is detecting rootkit activity. I am also attaching the Combofix log.

Logfile of HijackThis v1.99.1
Scan saved at 8:31:03 AM, on 12/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.evite.com/html/imageUpload/ImageUploader5.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} (Image Uploader Control) - http://www.evite.com/html/imageUpload/ImageUploader4.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - http://www.amiuptodate.com/vsc/mvt/bin/1,0,0,7/mash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate1c9a6a9f2595210) (gupdate1c9a6a9f2595210) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\xxxxxx~1.000\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  23. --------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, December 11, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, December 11, 2009 22:02:37
Records in database: 3360436
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 119368
Threats found: 8
Infected objects found: 10
Suspicious objects found: 0
Scan duration: 04:25:57

File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine2780000.VBN   Infected: Exploit.JS.Pdfka.al   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineDA00000.VBN   Infected: Rootkit.Win32.Bezopi.g   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineDBC0000.VBN   Infected: Rootkit.Win32.Bezopi.g   1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineE800000.VBN   Infected: Trojan-Downloader.WMA.GetCodec.r   1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\iaStor.sys.vir   Infected: Rootkit.Win32.TDSS.y   1
C:\Qoobox\Quarantine\[4]-Submit_2009-12-11_11.04.56.zip   Infected: Trojan.Win32.Koblu.bkv   1
C:\Qoobox\Quarantine\[4]-Submit_2009-12-11_11.04.56.zip   Infected: Trojan.Win32.Cosmu.emd   1
C:\Qoobox\Quarantine\[4]-Submit_2009-12-11_11.04.56.zip   Infected: Packed.Win32.TDSS.aa   2
C:\Qoobox\Quarantine\[4]-Submit_2009-12-11_11.04.56.zip   Infected: Trojan-GameThief.Win32.WOW.vls   1

Selected area has been scanned.
  24. Malwarebytes' Anti-Malware 1.42
Database version: 3347
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/11/2009 4:29:48 PM
mbam-log-2009-12-11 (16-29-48).txt

Scan type: Quick Scan
Objects scanned: 142667
Time elapsed: 8 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)