
Browser Hijack and Windows Update inaccessible [Solved]


#1 str_mtb
Member, 21 posts
It's been an interesting week. Had some Vundo variant which seemed to be cleared up by a combination of SuperAntiSpyware and MBAM. Then Sunday started seeing the "XP Security" windows popping up. Thought I cleaned that up until the point I'm at now.

Symptoms are:
- Internet Explorer: try to access Safety | Windows Update and get a "cannot display the webpage" error. The Bing home page displays OK but I don't use IE for anything else.
- Firefox: Google for "windows update" and click on the first Microsoft link and get a "connection reset" error page.
- Firefox: Clicking on any other link returned for a Google search redirects to random crap/ad sites.
- Occasionally hear the standard Windows Error and Windows Critical Stop wav files played when I'm not actively using the computer.

My situation seems similar to http://www.geekstogo...ed-t273239.html
but I've not tried anything suggested there.

Currently MBAM is running clean. Tried TDSS last night which showed rootkit in atapi.sys but was unable to clean it.

Here are the logs (MBAM, GMER, OTL, OTL Extras). Thanks in advance for any help - this site has been very informative!

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3958

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

4/6/2010 6:12:06 PM
mbam-log-2010-04-06 (18-12-06).txt

Scan type: Quick scan
Objects scanned: 109653
Time elapsed: 8 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

=====================================================

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-06 20:49:43
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Paul\LOCALS~1\Temp\fxdoapoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB2DB7320]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xF7B1963C]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat AA047D20
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 872D5AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{411c2a73-d249-45b6-8367-2e50e8c3b658}\InprocServer32@ c:\windows\system32\hilemebu.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{411c2a73-d249-45b6-8367-2e50e8c3b658}\InprocServer32@ThreadingModel Both

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

OTL logfile created on: 4/6/2010 8:59:05 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Paul\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 591.00 Mb Available Physical Memory | 58.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 4.39 Gb Free Space | 7.86% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DBFKH851
Current User Name: Paul
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/06 20:57:57 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul\Desktop\OTL.exe
PRC - [2010/04/02 12:48:16 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/20 09:08:30 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/02/18 16:40:26 | 002,012,912 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 23:16:38 | 000,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
PRC - [2007/12/20 08:16:24 | 000,037,376 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2007/07/14 14:07:04 | 000,339,968 | ---- | M] (Western Digital Technologies, Inc.) -- C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
PRC - [2006/06/12 15:32:26 | 000,700,416 | ---- | M] () -- C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
PRC - [2005/10/13 08:47:22 | 000,081,920 | ---- | M] (High Criteria inc.) -- C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
PRC - [2005/07/25 09:05:44 | 001,896,448 | ---- | M] (GARMIN Corp.) -- C:\Garmin\gStart.exe
PRC - [2005/02/17 09:50:20 | 001,040,384 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\SYSTEM32\bcmntray.EXE
PRC - [2004/05/27 21:05:42 | 000,323,584 | ---- | M] (Dell) -- C:\Program Files\Common Files\Dell\EUSW\Support.exe
PRC - [2004/04/19 12:45:52 | 000,131,072 | ---- | M] (Musicmatch, Inc.) -- C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
PRC - [2004/03/05 00:45:34 | 000,192,573 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe
PRC - [2004/03/04 18:59:30 | 000,487,424 | ---- | M] () -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2004/02/02 13:32:16 | 000,155,648 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2003/10/07 17:20:18 | 000,352,256 | ---- | M] ( ) -- c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
PRC - [2003/08/18 23:01:00 | 000,110,592 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
PRC - [2003/02/26 09:08:42 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe


========== Modules (SafeList) ==========

MOD - [2010/04/06 20:57:57 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul\Desktop\OTL.exe
MOD - [2003/06/17 08:50:08 | 000,073,728 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll


========== Win32 Services (SafeList) ==========

SRV - [2004/03/05 00:45:34 | 000,192,573 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3}:0.9.10.2
FF - prefs.js..extensions.enabledItems: [email protected]:1.8.2


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 12:48:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 12:48:33 | 000,000,000 | ---D | M]

[2008/08/25 20:57:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Mozilla\Extensions
[2010/04/05 20:12:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\1u3isiqu.default\extensions
[2010/02/04 21:25:42 | 000,000,000 | ---D | M] (Forecastfox) -- C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\1u3isiqu.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
[2010/03/27 00:16:32 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\1u3isiqu.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/03/31 18:34:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\1u3isiqu.default\extensions\[email protected]
[2010/04/05 20:10:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2005/05/11 13:28:00 | 000,044,153 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\inspector.dll
[2005/06/07 19:49:58 | 000,028,672 | ---- | M] (WebEx) -- C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll
[2005/06/07 19:49:58 | 000,098,304 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll
[2005/06/07 19:49:57 | 000,057,344 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
[2004/01/13 19:09:25 | 000,176,176 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2004/03/19 15:37:50 | 000,000,734 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\bcmntray.exe (Broadcom Corporation)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe ()
O4 - HKLM..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe (Dell)
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TotalRecorderScheduler] C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe (High Criteria inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [WD Button Manager] C:\WINDOWS\System32\WDBtnMgr.exe (Western Digital Technologies, Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKCU..\Run: [CTSyncU.exe] C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe ()
O4 - HKCU..\Run: [gStart] C:\Garmin\gStart.exe (GARMIN Corp.)
O4 - HKCU..\Run: [MoneyAgent] C:\Program Files\Microsoft Money\System\mnyexpr.exe (Microsoft Corp.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - File not found
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....467&clcid=0x409 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1180818894515 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\windows\system32\gehuseda.dll c:\windows\system32\hilemebu.dll) - C:\WINDOWS\System32\gehuseda.dll File not found
O20 - AppInit_DLLs: (poveyawi.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll ()
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Qualcomm\Eudora\EuShlExt.dll (Qualcomm Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/03/20 10:58:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0489f896-757a-11dd-82a1-000f1f1d0cc9}\Shell\AutoRun\command - "" = E:\contents\StartGoA.bat -- File not found
O33 - MountPoints2\{0489f896-757a-11dd-82a1-000f1f1d0cc9}\Shell\open\command - "" = E:\contents\StartGoA.bat -- File not found
O33 - MountPoints2\{3b1a8afc-0e3b-11dd-818f-000f1f1d0cc9}\Shell\AutoRun\command - "" = E:\wd_windows_tools\setup.exe -- File not found
O33 - MountPoints2\{71298bd7-f438-11de-8661-000f1f1d0cc9}\Shell\AutoRun\command - "" = E:\contents\StartGoA.bat -- File not found
O33 - MountPoints2\{71298bd7-f438-11de-8661-000f1f1d0cc9}\Shell\open\command - "" = E:\contents\StartGoA.bat -- File not found
O33 - MountPoints2\{a03097ba-8939-11da-bbb2-000f1f1d0cc9}\Shell\AutoRun\command - "" = E:\JDSecure\Windows\JDSecure20.exe -- File not found
O33 - MountPoints2\{c2f91894-1a79-11db-bce0-000f1f1d0cc9}\Shell - "" = AutoRun
O33 - MountPoints2\{c2f91894-1a79-11db-bce0-000f1f1d0cc9}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\SYSTEM32\IAS [2004/07/12 08:12:00 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17746534284132352)

========== Files/Folders - Created Within 14 Days ==========

[2010/04/06 20:57:54 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Paul\Desktop\OTL.exe
[2010/04/06 17:08:28 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Paul\Desktop\TFC.exe
[2010/04/05 17:54:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Desktop\GooredFix Backups
[2010/04/05 17:49:03 | 000,070,858 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Paul\Desktop\GooredFix.exe
[2010/04/05 06:28:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2010/04/04 23:38:43 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/04/04 20:08:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/04 17:33:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/04 17:32:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/03/30 22:00:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/03/30 21:58:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/03/30 21:36:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2010/03/30 21:36:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2010/03/30 21:36:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/03/30 19:39:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2010/03/30 19:13:31 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Paul\PrivacIE
[2010/03/30 19:09:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Paul\IETldCache
[2010/03/30 19:01:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/03/30 18:55:57 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/03/29 18:15:51 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/29 18:15:47 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/29 18:15:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/29 18:15:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/28 22:23:52 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/28 21:51:38 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/03/28 21:40:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Malwarebytes
[2010/03/28 19:28:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/03/28 19:28:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\SUPERAntiSpyware.com
[2010/03/28 19:28:09 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/03/28 19:26:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2008/08/03 18:46:35 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/08/03 18:46:35 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/08/03 18:46:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/11/13 18:07:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Talkback
[2007/11/13 18:03:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2007/11/13 18:03:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Mozilla

========== Files - Modified Within 14 Days ==========

[2010/04/06 21:00:00 | 000,000,292 | ---- | M] () -- C:\WINDOWS\tasks\htmfjrui.job
[2010/04/06 20:57:57 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul\Desktop\OTL.exe
[2010/04/06 20:55:28 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/04/06 20:55:27 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2906237116-3094984405-4234484057-1006.job
[2010/04/06 20:55:14 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/06 20:55:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/04/06 20:55:09 | 1072,984,064 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/06 20:51:16 | 013,631,488 | ---- | M] () -- C:\Documents and Settings\Paul\ntuser.dat
[2010/04/06 20:51:16 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Paul\NTUSER.INI
[2010/04/06 17:08:31 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul\Desktop\TFC.exe
[2010/04/05 21:34:01 | 000,000,000 | ---- | M] () -- C:\WINDOWS\vpd.properties
[2010/04/05 21:33:35 | 000,000,095 | ---- | M] () -- C:\WINDOWS\System32\productregistry
[2010/04/05 20:30:14 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\gmer.exe
[2010/04/05 20:29:37 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\gmer.zip
[2010/04/05 19:31:38 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2906237116-3094984405-4234484057-1006.job
[2010/04/05 17:44:20 | 000,070,858 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Paul\Desktop\GooredFix.exe
[2010/04/04 23:07:55 | 000,001,543 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Command Prompt.lnk
[2010/04/04 22:55:48 | 000,196,608 | -HS- | M] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\2186891745.dll
[2010/04/04 22:50:09 | 000,014,762 | -HS- | M] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\VHx0W
[2010/04/04 22:50:09 | 000,014,762 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\VHx0W
[2010/04/04 17:33:28 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/31 18:07:07 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/30 22:02:13 | 000,381,930 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2010/03/30 22:02:13 | 000,053,634 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2010/03/30 22:02:09 | 000,441,626 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/30 21:59:50 | 000,000,537 | ---- | M] () -- C:\WINDOWS\WIN.INI
[2010/03/30 21:59:32 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/03/30 21:58:00 | 000,372,080 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/30 21:55:52 | 002,228,014 | ---- | M] () -- C:\WINDOWS\iis6.BAK
[2010/03/30 21:26:23 | 000,250,048 | RHS- | M] () -- C:\NTLDR
[2010/03/30 21:01:48 | 000,000,063 | ---- | M] () -- C:\WINDOWS\VBADDIN.INI
[2010/03/29 18:15:53 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/29 18:02:40 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\setusibi
[2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/28 22:23:52 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\HijackThis.lnk
[2010/03/28 19:28:23 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\setusibi
[2010/04/06 18:26:35 | 1072,984,064 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/05 20:29:29 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\gmer.zip
[2010/04/04 22:50:50 | 000,196,608 | -HS- | C] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\2186891745.dll
[2010/04/04 22:48:00 | 000,014,762 | -HS- | C] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\VHx0W
[2010/04/04 22:48:00 | 000,014,762 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\VHx0W
[2010/04/04 17:33:28 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/29 18:15:53 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/29 18:00:57 | 000,000,292 | ---- | C] () -- C:\WINDOWS\tasks\htmfjrui.job
[2010/03/28 22:23:52 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\HijackThis.lnk
[2010/03/28 19:28:23 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/02/25 11:02:52 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2008/02/25 11:02:52 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2007/07/15 21:02:08 | 000,000,500 | ---- | C] () -- C:\Documents and Settings\Paul\to.txt
[2006/06/01 15:10:25 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006/06/01 15:06:32 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006/02/01 21:55:31 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\Paul\.asadmintruststore
[2005/11/14 19:34:13 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2005/11/14 19:34:12 | 001,204,224 | ---- | C] () -- C:\WINDOWS\System32\bcmwcfg.dll
[2005/11/14 19:34:11 | 000,946,176 | ---- | C] () -- C:\WINDOWS\System32\bcmacfg.dll
[2005/11/14 19:34:11 | 000,909,312 | ---- | C] () -- C:\WINDOWS\System32\bcmctrls.dll
[2005/06/07 19:50:10 | 000,051,392 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2005/05/13 13:40:29 | 013,631,488 | ---- | C] () -- C:\Documents and Settings\Paul\ntuser.dat
[2005/04/26 08:34:21 | 000,108,032 | ---- | C] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/12/20 12:08:28 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/12/20 12:03:26 | 000,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2004/07/18 17:32:24 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\fusioncache.dat
[2004/07/18 17:32:15 | 000,000,306 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/07/16 22:55:42 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/07/16 22:41:02 | 000,010,796 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2004/07/16 21:11:04 | 000,000,310 | ---- | C] () -- C:\Documents and Settings\Paul\convert.log
[2004/07/16 21:11:01 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Paul\ntuser.dat.LOG
[2004/07/16 21:11:01 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Paul\NTUSER.INI
[2004/07/16 21:09:04 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2004/07/16 21:09:04 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2004/07/12 09:03:01 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/07/12 08:49:08 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/07/12 08:33:33 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/07/12 08:16:54 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/03/26 14:59:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/03/20 11:21:34 | 000,000,791 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/03/19 15:37:28 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[1979/12/31 22:00:00 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll

========== LOP Check ==========

[2009/12/10 19:11:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2007/04/19 21:26:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
[2004/07/12 08:52:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/07/15 09:15:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\.BitTornado
[2010/03/18 22:27:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Azureus
[2008/10/12 10:43:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\GARMIN
[2005/11/02 00:33:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\GEAR DVD Standard Edition 7.0
[2005/08/10 20:05:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\iShell
[2004/07/30 20:09:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\JetBrains
[2009/01/28 07:07:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Juniper Networks
[2005/02/12 15:25:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Leadertech
[2007/02/03 18:55:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Musicmatch
[2005/05/17 21:53:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\RhinoSoft.com
[2005/03/13 21:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\SharpReader
[2010/04/06 21:00:00 | 000,000,292 | ---- | M] () -- C:\WINDOWS\Tasks\htmfjrui.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/11/24 17:42:18 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp2.cab:AGP440.sys
[2010/03/30 21:18:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp3.cab:AGP440.sys
[2004/11/24 17:42:18 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2010/03/30 21:18:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2010/03/30 21:18:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\sp3.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SYSTEM32\DRIVERS\agp440.sys
[2004/08/03 23:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2001/08/17 11:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\I386\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/03/19 15:43:04 | 010,158,890 | ---- | M] () .cab file -- C:\I386\sp1.cab:atapi.sys
[2004/03/19 15:43:04 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp1.cab:atapi.sys
[2004/11/24 17:42:18 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp2.cab:atapi.sys
[2010/03/30 21:18:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp3.cab:atapi.sys
[2004/11/24 17:42:18 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2010/03/30 21:18:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2010/03/30 21:18:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\sp3.cab:atapi.sys
[2004/03/19 15:43:04 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtUninstallQ331060$\ATAPI.SYS
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys
[2010/04/05 19:25:20 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys
[2004/08/03 22:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2003/04/23 07:29:54 | 000,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\I386\atapi.sys
[2003/04/23 07:29:54 | 000,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SYSTEM32\eventlog.dll
[2004/08/04 00:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2004/03/19 15:37:08 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\I386\EVENTLOG.DLL

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SYSTEM32\netlogon.dll
[2004/03/19 15:40:30 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\I386\NETLOGON.DLL
[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e\sp2qfe\netlogon.dll
[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\sp2qfe\netlogon.dll
[2004/08/04 00:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2004/03/19 15:42:24 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\I386\SCECLI.DLL
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SYSTEM32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/03/20 10:49:04 | 000,094,208 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.SAV
[2004/03/20 10:49:04 | 000,626,688 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.SAV
[2004/03/20 10:49:02 | 000,421,888 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.SAV
< End of report >

OTL Extras logfile created on: 4/6/2010 8:59:05 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Paul\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 591.00 Mb Available Physical Memory | 58.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 4.39 Gb Free Space | 7.86% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DBFKH851
Current User Name: Paul
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~4\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"27623:TCP" = 27623:TCP:*:Enabled:Azureus-TCP
"57105:UDP" = 57105:UDP:*:Enabled:Azureus-UDP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\SharpReader\SharpReader.exe" = C:\Program Files\SharpReader\SharpReader.exe:*:Enabled:SharpReader -- File not found
"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" = C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe:*:Enabled:Ad-Aware SE Personal -- (Lavasoft Sweden)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\mozilla.org\Mozilla\mozilla.exe" = C:\Program Files\mozilla.org\Mozilla\mozilla.exe:*:Enabled:Mozilla -- File not found
"C:\WINDOWS\SYSTEM32\javaw.exe" = C:\WINDOWS\SYSTEM32\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary -- (Sun Microsystems, Inc.)
"C:\Program Files\BitTornado\btdownloadgui.exe" = C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui -- ()
"C:\Program Files\Sun\Creator2\java\bin\java.exe" = C:\Program Files\Sun\Creator2\java\bin\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary -- File not found
"C:\Program Files\Sun\Creator2\java\jre\bin\java.exe" = C:\Program Files\Sun\Creator2\java\jre\bin\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary -- File not found
"C:\tools\Azureus\Azureus.exe" = C:\tools\Azureus\Azureus.exe:*:Enabled:Azureus -- (Vuze Inc.)
"C:\Program Files\Java\jre1.5.0_06\bin\java.exe" = C:\Program Files\Java\jre1.5.0_06\bin\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary -- (Sun Microsystems, Inc.)
"C:\Program Files\JetBrains\IntelliJ IDEA 5.0\bin\idea.exe" = C:\Program Files\JetBrains\IntelliJ IDEA 5.0\bin\idea.exe:*:Enabled:idea -- (JetBrains s.r.o)
"C:\Program Files\Grisoft\AVG7\avginet.exe" = C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe -- File not found
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe" = C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe -- File not found
"C:\Program Files\Grisoft\AVG7\avgcc.exe" = C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe -- File not found
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Soulseek\slsk.exe" = C:\Program Files\Soulseek\slsk.exe:*:Disabled:SoulSeek -- File not found
"C:\Documents and Settings\Paul\Desktop\slsk.exe" = C:\Documents and Settings\Paul\Desktop\slsk.exe:*:Disabled:SoulSeek -- ()
"C:\tools\eclipse-3.3\eclipse\eclipse.exe" = C:\tools\eclipse-3.3\eclipse\eclipse.exe:*:Enabled:eclipse -- ()
"C:\WINDOWS\SYSTEM32\fxsclnt.exe" = C:\WINDOWS\SYSTEM32\fxsclnt.exe:*:Disabled:Microsoft Fax Console -- (Microsoft Corporation)
"C:\tools\PFPortChecker\PFPortChecker.exe" = C:\tools\PFPortChecker\PFPortChecker.exe:*:Enabled:PFPortchecker by portforward.com helps check if your ports are properly forwarded. -- (portforward.com)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)
"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe:*:Enabled:SUPERAntiSpyware -- (SUPERAntiSpyware.com)
"C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" = C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe:*:Enabled:CTSyncU -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04410044-9149-45C6-A806-F2BF9CFCE762}" = Microsoft Encarta Encyclopedia Standard 2004
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{17B66E83-1BC9-11D5-A54A-0090278A1BB8}" = Microsoft FrontPage Client - English
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{1AA69CCD-1078-473A-BD6E-11CE30A81C57}" = NUnit 2.2
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{20227921-DB38-4810-9162-DDC6FCA936E7}" = Dell Home Systems Services Agreement
"{20610409-CA18-41A6-9E21-A93AE82EE7C5}" = Visual Studio .NET Professional 2003 - English
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 17
"{2A6282FF-B75B-463F-90F5-0A43732F690D}" = Broadcom Management Programs
"{31C44235-A613-4E95-B297-207BF6C6A8C1}" = Creative ZEN Vision M Series
"{3248F0A8-6813-11D6-A77B-00B0D0150000}" = J2SE Runtime Environment 5.0
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35A3A4F4-B792-11D6-A78A-00B0D0142050}" = Java 2 SDK, SE v1.4.2_05
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{366FFC89-C800-4366-B903-B9C4314109A5}" = Garmin WebUpdater
"{43FCA273-9534-40DB-B7C5-D7758875616A}" = Dell Support
"{5757AE1A-1DB4-4898-9806-09F77FBD5E57}" = MSDN Library for Visual Studio .NET 2003
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.1
"{68D60342-7686-45C9-B8EB-40EF843D0460}" = Dell Networking Guide
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8 Dell Edition
"{84CB1B46-FA2E-41BE-B222-5EFC83BC7668}" = JetBrains ReSharper
"{85D3CC30-8859-481A-9654-FD9B74310BEF}" = Musicmatch® Jukebox
"{89E3B7E9-243C-48DC-B849-6B17009F7434}" = Eudora
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_VISPROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_VISPROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_VISPROR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2007
"{90120000-0054-0409-0000-0000000FF1CE}_VISPROR_{519D9F45-CBF4-4E57-B419-11F196CCA8AE}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_VISPROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_VISPROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90840409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Excel Viewer 2003
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007
"{91120000-0051-0000-0000-0000000FF1CE}_VISPROR_{0FD405D3-CAF8-4CA6-8BFD-911D2F8A6585}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{91120000-0051-0000-0000-0000000FF1CE}_VISPROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9862E0CB-4727-4FFC-963A-E22A9E9EC10C}" = Creative ZEN V Series (R2)
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A77FEBEF-B7CB-4B62-8635-01E586630D41}" = NUnit V2.1
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{BF755CD9-E185-498A-AAFB-E9F8470AB1CC}" = User Profile Hive Cleanup Service
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}" = Jasc Paint Shop Photo Album
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{D4D24FE5-FAB3-4FE2-AFFC-623955F4DF3A}" = Visual Studio.NET Baseline - English
"{DE659AC8-EEF0-4115-AA0C-6500D194FB10}" = Garmin Training Center v4
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"{F6970FBD-809A-4C51-BAB3-D94A04C6C8E7}" = Garmin Communicator Plugin
"{FC4ED75D-916C-4A8C-BB67-3C6F6E06D62B}" = Banctec Service Agreement
"7-Zip" = 7-Zip 4.42
"8461-7759-5462-8226" = Vuze
"ActiveTouchMeetingClient" = WebEx
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"ATI Display Driver" = ATI Display Driver
"AudibleManager" = AudibleManager
"Azureus" = Azureus
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"BitTornado" = BitTornado 0.3.7
"Broadcom 802.11 Application" = Broadcom Wireless Utility
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Utility
"Creative Removable Disk Manager" = Creative Removable Disk Manager
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"eMusic Download Manager" = eMusic Download Manager 3.0
"ENTERPRISER" = Microsoft Office Enterprise 2007
"Exact Audio Copy" = Exact Audio Copy 0.95b4
"FTP Voyager_is1" = FTP Voyager 12.0
"geoAGENT_is1" = geoAGENT Ver. 1.1.4
"GSpot" = GSpot Codec Information Appliance
"HijackThis" = HijackThis 2.0.2
"Iconoid_is1" = Iconoid Version 3.2.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{2A6282FF-B75B-463F-90F5-0A43732F690D}" = Broadcom Management Programs
"IntelliJ IDEA 5.0" = IntelliJ IDEA 5.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PFPortChecker" = PFPortChecker 1.0.28
"QuickTime" = QuickTime
"RealPlayer 12.0" = RealPlayer
"Shockwave" = Shockwave
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Soulseek" = SoulSeek Client 156c
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SysInfo" = Creative System Information
"TotalRecorder" = Total Recorder 5.3
"VISPROR" = Microsoft Office Visio Professional 2007
"Visual Studio .NET Professional 2003 - English" = Microsoft Visual Studio .NET Professional 2003 - English
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"XviD_is1" = XviD MPEG-4 Video Codec
"ZENcast Organizer" = ZENcast Organizer

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/4/2010 10:30:33 PM | Computer Name = DBFKH851 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module Flash9d.ocx, version 9.0.47.0, fault address 0x0008dc4b.

Error - 4/4/2010 10:51:31 PM | Computer Name = DBFKH851 | Source = Application Error | ID = 1001
Description = Fault bucket 1716608813.

Error - 4/5/2010 12:15:37 AM | Computer Name = DBFKH851 | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 4/5/2010 9:28:08 AM | Computer Name = DBFKH851 | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 4/5/2010 8:57:33 PM | Computer Name = DBFKH851 | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 4/5/2010 9:18:23 PM | Computer Name = DBFKH851 | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 4/5/2010 10:26:35 PM | Computer Name = DBFKH851 | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 4/5/2010 11:58:24 PM | Computer Name = DBFKH851 | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x30123790.

Error - 4/6/2010 8:12:00 PM | Computer Name = DBFKH851 | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 4/6/2010 9:26:51 PM | Computer Name = DBFKH851 | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

[ System Events ]
Error - 4/6/2010 9:01:14 PM | Computer Name = DBFKH851 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/6/2010 9:01:14 PM | Computer Name = DBFKH851 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 4/6/2010 9:01:59 PM | Computer Name = DBFKH851 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/6/2010 9:02:03 PM | Computer Name = DBFKH851 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 4/6/2010 9:22:28 PM | Computer Name = DBFKH851 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 4/6/2010 9:22:36 PM | Computer Name = DBFKH851 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/6/2010 9:27:02 PM | Computer Name = DBFKH851 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/6/2010 9:27:02 PM | Computer Name = DBFKH851 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 4/6/2010 11:55:36 PM | Computer Name = DBFKH851 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/6/2010 11:55:36 PM | Computer Name = DBFKH851 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >


#2 Rorschach112 (Retired Staff)
hi


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O33 - MountPoints2\{0489f896-757a-11dd-82a1-000f1f1d0cc9}\Shell\AutoRun\command - "" = E:\contents\StartGoA.bat -- File not found
    O33 - MountPoints2\{0489f896-757a-11dd-82a1-000f1f1d0cc9}\Shell\open\command - "" = E:\contents\StartGoA.bat -- File not found
    O33 - MountPoints2\{3b1a8afc-0e3b-11dd-818f-000f1f1d0cc9}\Shell\AutoRun\command - "" = E:\wd_windows_tools\setup.exe -- File not found
    O33 - MountPoints2\{71298bd7-f438-11de-8661-000f1f1d0cc9}\Shell\AutoRun\command - "" = E:\contents\StartGoA.bat -- File not found
    O33 - MountPoints2\{71298bd7-f438-11de-8661-000f1f1d0cc9}\Shell\open\command - "" = E:\contents\StartGoA.bat -- File not found
    O33 - MountPoints2\{a03097ba-8939-11da-bbb2-000f1f1d0cc9}\Shell\AutoRun\command - "" = E:\JDSecure\Windows\JDSecure20.exe -- File not found
    O33 - MountPoints2\{c2f91894-1a79-11db-bce0-000f1f1d0cc9}\Shell - "" = AutoRun
    O33 - MountPoints2\{c2f91894-1a79-11db-bce0-000f1f1d0cc9}\Shell\AutoRun - "" = Auto&Play
    O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found
    [2010/04/06 21:00:00 | 000,000,292 | ---- | M] () -- C:\WINDOWS\tasks\htmfjrui.job
    [2010/03/29 18:02:40 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\setusibi
    
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\WINDOWS\explorer.exe"=-
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done



Download TDSSKiller and save it to your Desktop.

  • Extract the file and run it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log



Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
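Added example (mine, not part of the thread and not TDSSKiller's own code): what the TDSSKiller step above is actually inspecting. Every kernel DRIVER_OBJECT starts life with all of its IRP_MJ_* dispatch entries pointing at one stub inside the kernel that just fails the request; a driver then overwrites the majors it implements with its own routines. So a healthy disk-class or miniport driver shows a mix of addresses: its own code for CREATE/READ/WRITE/DEVICE_CONTROL, and the shared kernel stub for things a disk driver never handles, such as IRP_MJ_CREATE_NAMED_PIPE. A TDSS-hooked atapi shows the same single address in all 27 slots, which is the rootkit's trampoline. The script below parses TDSSKiller-format log lines and flags tables that look like that. The log text is constructed to mirror the pattern in this thread; the list of "never implemented" majors and the voting rule used to recognise the kernel stub are this example's heuristics, not TDSSKiller's detection logic.

```python
import re
from collections import Counter

# Constructed excerpt in TDSSKiller 2.2.x log format (not the thread's log itself).
# The addresses mirror the pattern in the thread: disk.sys has a mixed table,
# atapi has every major routed to one address.
SAMPLE_LOG = """\
17:33:10:234 2736 Driver Name: Disk
17:33:10:234 2736 IRP_MJ_CREATE : F75F5BB0
17:33:10:234 2736 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
17:33:10:234 2736 IRP_MJ_CLOSE : F75F5BB0
17:33:10:234 2736 IRP_MJ_READ : F75EFD1F
17:33:10:234 2736 IRP_MJ_WRITE : F75EFD1F
17:33:10:234 2736 IRP_MJ_QUERY_EA : 804F9759
17:33:10:234 2736 IRP_MJ_DEVICE_CONTROL : F75F03BB
17:33:10:234 2736 IRP_MJ_CREATE_MAILSLOT : 804F9759
17:33:10:265 2736 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
17:33:10:265 2736 Driver Name: atapi
17:33:10:265 2736 IRP_MJ_CREATE : 87313AC8
17:33:10:265 2736 IRP_MJ_CREATE_NAMED_PIPE : 87313AC8
17:33:10:265 2736 IRP_MJ_CLOSE : 87313AC8
17:33:10:265 2736 IRP_MJ_READ : 87313AC8
17:33:10:265 2736 IRP_MJ_WRITE : 87313AC8
17:33:10:265 2736 IRP_MJ_QUERY_EA : 87313AC8
17:33:10:265 2736 IRP_MJ_DEVICE_CONTROL : 87313AC8
17:33:10:265 2736 IRP_MJ_CREATE_MAILSLOT : 87313AC8
"""

LINE_RE = re.compile(
    r"^\S+ \d+ (?:Driver Name: (?P<drv>\S+)"
    r"|(?P<irp>IRP_MJ_\w+) : (?P<addr>[0-9A-Fa-f]{8}))$"
)

# Majors that only file systems implement; a disk/miniport driver leaves them
# at the stub the kernel installs in every new DRIVER_OBJECT. (Heuristic list
# chosen for this example, not TDSSKiller's.)
UNIMPLEMENTED_MAJORS = (
    "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CREATE_MAILSLOT",
    "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA",
    "IRP_MJ_QUERY_QUOTA", "IRP_MJ_SET_QUOTA",
)


def parse_dispatch_tables(text):
    """Return [(driver_name, {IRP_MJ_x: handler_address}), ...] in log order."""
    tables = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # Verdict lines, banners, blank lines
        if m.group("drv"):
            tables.append((m.group("drv"), {}))
        elif tables:
            tables[-1][1][m.group("irp")] = int(m.group("addr"), 16)
    return tables


def default_handler(tables):
    """Address most drivers share for majors they never implement, i.e. the
    kernel's invalid-request stub. Tables collapsed to a single address are
    not allowed to vote, since those are exactly what we are hunting."""
    votes = Counter()
    for _, table in tables:
        if len(set(table.values())) == 1:
            continue
        for irp in UNIMPLEMENTED_MAJORS:
            if irp in table:
                votes[table[irp]] += 1
    return votes.most_common(1)[0][0] if votes else None


def find_hooked_drivers(tables):
    """Flag a driver when its whole table is one trampoline, or when majors it
    cannot implement no longer point at the kernel stub."""
    stub = default_handler(tables)
    findings = []
    for name, table in tables:
        distinct = set(table.values())
        if len(table) >= 4 and len(distinct) == 1:
            findings.append((name, "all %d IRP_MJ entries go to %08X"
                             % (len(table), distinct.pop())))
            continue
        if stub is None:
            continue
        rerouted = [irp for irp in UNIMPLEMENTED_MAJORS
                    if irp in table and table[irp] != stub]
        if rerouted:
            findings.append((name, "%s not routed to kernel stub %08X"
                             % (", ".join(rerouted), stub)))
    return findings


if __name__ == "__main__":
    for driver, why in find_hooked_drivers(parse_dispatch_tables(SAMPLE_LOG)):
        print("SUSPECT %-8s %s" % (driver, why))
```

Run it against a saved TDSSKiller log by reading the file into parse_dispatch_tables instead of SAMPLE_LOG. The single-address rule is the strong signal; the kernel-stub vote is there so that a subtler hook, one that only redirects a few majors, still stands out as long as at least one clean driver is in the same log to vote with.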
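Added example (mine, not from the thread or from OTL/ComboFix): why the :Reg part of the OTL fix above deletes the C:\WINDOWS\explorer.exe entry from the firewall's AuthorizedApplications list. Firewall exceptions exist for programs that genuinely accept inbound connections; the shell itself has no such need, so an exception for explorer.exe mostly benefits code that has been injected into it, and an exception pointing at an executable in a user-writable folder lets whatever dropped that file through as well. The script parses a .reg-style export (the same syntax OTL's :Reg section uses) and lists those entries, together with the Security Center override values and the EnableFirewall=0 / DisableNotifications=1 settings that silence warnings. The .reg text is constructed; the lists of OS binaries and user-writable path fragments are this example's own choices. Caveat: AntiVirusOverride and FirewallOverride are also set to 1 when a user tells Security Center they will monitor those components themselves, so treat them as something to confirm with the user rather than as proof of tampering.

```python
import re

# Constructed .reg-style export (same syntax OTL's :Reg section uses), built to
# mirror the values the OTL fix and ComboFix output in this thread show; it is
# not a real export from the machine.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:explorer"
"C:\\Documents and Settings\\Paul\\Desktop\\slsk.exe"="C:\\Documents and Settings\\Paul\\Desktop\\slsk.exe:*:Enabled:SoulSeek"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

SC_KEY = r"hkey_local_machine\software\microsoft\security center"
FW_PROFILE = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
              r"\parameters\firewallpolicy\standardprofile")
FW_APPS = FW_PROFILE + r"\authorizedapplications\list"

# This example's own lists: OS processes that never need an inbound exception,
# and path fragments meaning "anything running as the user can write here".
OS_BINARIES = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe",
               "csrss.exe", "services.exe", "rundll32.exe"}
USER_WRITABLE = ("\\documents and settings\\", "\\desktop\\",
                 "\\local settings\\temp\\", "%temp%", "%userprofile%")


def _unescape(s):
    # .reg files double every backslash inside quoted names and strings
    return s.replace("\\\\", "\\")


def _decode(value):
    """dword:XXXXXXXX -> int, "text" -> str; '-' (delete) and hex(...) stay raw."""
    if value.startswith("dword:"):
        return int(value[6:], 16)
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return _unescape(value[1:-1])
    return value


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: decoded_value}}."""
    data, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REGEDIT") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1).lower()
            data.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            data[key][_unescape(m.group(1))] = _decode(m.group(2))
    return data


def audit_firewall_policy(data):
    """Return human-readable findings for the Security Center and XP firewall keys."""
    findings = []
    sc = data.get(SC_KEY, {})
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if sc.get(name) == 1:
            findings.append("Security Center: %s=1 (alerting for that component is off)" % name)
    prof = data.get(FW_PROFILE, {})
    if prof.get("EnableFirewall") == 0:
        findings.append("StandardProfile: EnableFirewall=0")
    if prof.get("DisableNotifications") == 1:
        findings.append("StandardProfile: DisableNotifications=1")
    for path in data.get(FW_APPS, {}):
        p = path.lower()
        if p.rsplit("\\", 1)[-1] in OS_BINARIES:
            findings.append("exception for OS binary: " + path)
        elif any(marker in p for marker in USER_WRITABLE):
            findings.append("exception in user-writable location: " + path)
    return findings


if __name__ == "__main__":
    for finding in audit_firewall_policy(parse_reg(SAMPLE_REG)):
        print("CHECK:", finding)
```

On a live XP box the same keys can be exported with `reg export` and fed to parse_reg. The user-writable rule will also catch legitimate programs a user runs straight from the Desktop, as slsk.exe is here, so it is a list to review, not a list to delete blindly.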

#3 str_mtb (Topic Starter, Member)
Hi Rorschach112 - thanks for the quick response! Followed all the instructions with no snags, here are the logs:
(Just noticed IE is now by default browser...will switch back to firefox after the all clear is given.)


17:33:09:546 2736 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
17:33:09:546 2736 ================================================================================
17:33:09:546 2736 SystemInfo:

17:33:09:546 2736 OS Version: 5.1.2600 ServicePack: 3.0
17:33:09:546 2736 Product type: Workstation
17:33:09:546 2736 ComputerName: DBFKH851
17:33:09:546 2736 UserName: Paul
17:33:09:546 2736 Windows directory: C:\WINDOWS
17:33:09:546 2736 Processor architecture: Intel x86
17:33:09:546 2736 Number of processors: 2
17:33:09:546 2736 Page size: 0x1000
17:33:09:546 2736 Boot type: Normal boot
17:33:09:546 2736 ================================================================================
17:33:09:578 2736 UnloadDriverW: NtUnloadDriver error 2
17:33:09:578 2736 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:33:09:687 2736 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:33:09:687 2736 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:33:09:687 2736 wfopen_ex: Trying to KLMD file open
17:33:09:687 2736 wfopen_ex: File opened ok (Flags 2)
17:33:09:687 2736 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:33:09:687 2736 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:33:09:687 2736 wfopen_ex: Trying to KLMD file open
17:33:09:687 2736 wfopen_ex: File opened ok (Flags 2)
17:33:09:687 2736 Initialize success
17:33:09:687 2736
17:33:09:687 2736 Scanning Services ...
17:33:10:234 2736 Raw services enum returned 336 services
17:33:10:234 2736
17:33:10:234 2736 Scanning Kernel memory ...
17:33:10:234 2736 Devices to scan: 3
17:33:10:234 2736
17:33:10:234 2736 Driver Name: Disk
17:33:10:234 2736 IRP_MJ_CREATE : F75F5BB0
17:33:10:234 2736 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
17:33:10:234 2736 IRP_MJ_CLOSE : F75F5BB0
17:33:10:234 2736 IRP_MJ_READ : F75EFD1F
17:33:10:234 2736 IRP_MJ_WRITE : F75EFD1F
17:33:10:234 2736 IRP_MJ_QUERY_INFORMATION : 804F9759
17:33:10:234 2736 IRP_MJ_SET_INFORMATION : 804F9759
17:33:10:234 2736 IRP_MJ_QUERY_EA : 804F9759
17:33:10:234 2736 IRP_MJ_SET_EA : 804F9759
17:33:10:234 2736 IRP_MJ_FLUSH_BUFFERS : F75F02E2
17:33:10:234 2736 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
17:33:10:234 2736 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
17:33:10:234 2736 IRP_MJ_DIRECTORY_CONTROL : 804F9759
17:33:10:234 2736 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
17:33:10:234 2736 IRP_MJ_DEVICE_CONTROL : F75F03BB
17:33:10:234 2736 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75F3F28
17:33:10:234 2736 IRP_MJ_SHUTDOWN : F75F02E2
17:33:10:234 2736 IRP_MJ_LOCK_CONTROL : 804F9759
17:33:10:234 2736 IRP_MJ_CLEANUP : 804F9759
17:33:10:234 2736 IRP_MJ_CREATE_MAILSLOT : 804F9759
17:33:10:234 2736 IRP_MJ_QUERY_SECURITY : 804F9759
17:33:10:234 2736 IRP_MJ_SET_SECURITY : 804F9759
17:33:10:234 2736 IRP_MJ_POWER : F75F1C82
17:33:10:234 2736 IRP_MJ_SYSTEM_CONTROL : F75F699E
17:33:10:234 2736 IRP_MJ_DEVICE_CHANGE : 804F9759
17:33:10:234 2736 IRP_MJ_QUERY_QUOTA : 804F9759
17:33:10:234 2736 IRP_MJ_SET_QUOTA : 804F9759
17:33:10:265 2736 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:33:10:265 2736
17:33:10:265 2736 Driver Name: Disk
17:33:10:265 2736 IRP_MJ_CREATE : F75F5BB0
17:33:10:265 2736 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
17:33:10:265 2736 IRP_MJ_CLOSE : F75F5BB0
17:33:10:265 2736 IRP_MJ_READ : F75EFD1F
17:33:10:265 2736 IRP_MJ_WRITE : F75EFD1F
17:33:10:265 2736 IRP_MJ_QUERY_INFORMATION : 804F9759
17:33:10:265 2736 IRP_MJ_SET_INFORMATION : 804F9759
17:33:10:265 2736 IRP_MJ_QUERY_EA : 804F9759
17:33:10:265 2736 IRP_MJ_SET_EA : 804F9759
17:33:10:265 2736 IRP_MJ_FLUSH_BUFFERS : F75F02E2
17:33:10:265 2736 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
17:33:10:265 2736 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
17:33:10:265 2736 IRP_MJ_DIRECTORY_CONTROL : 804F9759
17:33:10:265 2736 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
17:33:10:265 2736 IRP_MJ_DEVICE_CONTROL : F75F03BB
17:33:10:265 2736 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75F3F28
17:33:10:265 2736 IRP_MJ_SHUTDOWN : F75F02E2
17:33:10:265 2736 IRP_MJ_LOCK_CONTROL : 804F9759
17:33:10:265 2736 IRP_MJ_CLEANUP : 804F9759
17:33:10:265 2736 IRP_MJ_CREATE_MAILSLOT : 804F9759
17:33:10:265 2736 IRP_MJ_QUERY_SECURITY : 804F9759
17:33:10:265 2736 IRP_MJ_SET_SECURITY : 804F9759
17:33:10:265 2736 IRP_MJ_POWER : F75F1C82
17:33:10:265 2736 IRP_MJ_SYSTEM_CONTROL : F75F699E
17:33:10:265 2736 IRP_MJ_DEVICE_CHANGE : 804F9759
17:33:10:265 2736 IRP_MJ_QUERY_QUOTA : 804F9759
17:33:10:265 2736 IRP_MJ_SET_QUOTA : 804F9759
17:33:10:265 2736 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:33:10:265 2736
17:33:10:265 2736 Driver Name: atapi
17:33:10:265 2736 IRP_MJ_CREATE : 87313AC8
17:33:10:265 2736 IRP_MJ_CREATE_NAMED_PIPE : 87313AC8
17:33:10:265 2736 IRP_MJ_CLOSE : 87313AC8
17:33:10:265 2736 IRP_MJ_READ : 87313AC8
17:33:10:265 2736 IRP_MJ_WRITE : 87313AC8
17:33:10:265 2736 IRP_MJ_QUERY_INFORMATION : 87313AC8
17:33:10:265 2736 IRP_MJ_SET_INFORMATION : 87313AC8
17:33:10:265 2736 IRP_MJ_QUERY_EA : 87313AC8
17:33:10:265 2736 IRP_MJ_SET_EA : 87313AC8
17:33:10:265 2736 IRP_MJ_FLUSH_BUFFERS : 87313AC8
17:33:10:265 2736 IRP_MJ_QUERY_VOLUME_INFORMATION : 87313AC8
17:33:10:265 2736 IRP_MJ_SET_VOLUME_INFORMATION : 87313AC8
17:33:10:265 2736 IRP_MJ_DIRECTORY_CONTROL : 87313AC8
17:33:10:265 2736 IRP_MJ_FILE_SYSTEM_CONTROL : 87313AC8
17:33:10:265 2736 IRP_MJ_DEVICE_CONTROL : 87313AC8
17:33:10:265 2736 IRP_MJ_INTERNAL_DEVICE_CONTROL : 87313AC8
17:33:10:265 2736 IRP_MJ_SHUTDOWN : 87313AC8
17:33:10:265 2736 IRP_MJ_LOCK_CONTROL : 87313AC8
17:33:10:265 2736 IRP_MJ_CLEANUP : 87313AC8
17:33:10:265 2736 IRP_MJ_CREATE_MAILSLOT : 87313AC8
17:33:10:265 2736 IRP_MJ_QUERY_SECURITY : 87313AC8
17:33:10:265 2736 IRP_MJ_SET_SECURITY : 87313AC8
17:33:10:265 2736 IRP_MJ_POWER : 87313AC8
17:33:10:265 2736 IRP_MJ_SYSTEM_CONTROL : 87313AC8
17:33:10:265 2736 IRP_MJ_DEVICE_CHANGE : 87313AC8
17:33:10:265 2736 IRP_MJ_QUERY_QUOTA : 87313AC8
17:33:10:265 2736 IRP_MJ_SET_QUOTA : 87313AC8
17:33:10:265 2736 Driver "atapi" infected by TDSS rootkit!
17:33:10:281 2736 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
17:33:10:281 2736 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...
17:33:10:281 2736 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
17:33:10:281 2736 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
17:33:10:859 2736 vfvi6
17:33:10:921 2736 !dsvbh1
17:33:11:296 2736 dsvbh2
17:33:11:296 2736 fdfb2
17:33:11:296 2736 Backup copy found, using it..
17:33:11:312 2736 will be cured on next reboot
17:33:11:312 2736 Reboot required for cure complete..
17:33:11:328 2736 Cure on reboot scheduled successfully
17:33:11:328 2736
17:33:11:328 2736 Completed
17:33:11:328 2736
17:33:11:328 2736 Results:
17:33:11:328 2736 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
17:33:11:328 2736 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:33:11:328 2736 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:33:11:328 2736
17:33:11:343 2736 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:33:11:343 2736 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:33:11:343 2736 UnloadDriverW: NtUnloadDriver error 1
17:33:11:343 2736 KLMD(ARK) unloaded successfully



ComboFix 10-04-06.05 - Paul 04/07/2010 17:47:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.495 [GMT -7:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))
.

2010-04-08 00:23 . 2010-04-08 00:23 -------- d-----w- C:\_OTL
2010-04-05 13:28 . 2010-04-05 13:28 -------- d-----w- c:\windows\system32\LogFiles
2010-04-05 06:38 . 2010-04-05 06:38 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-04-05 05:50 . 2010-04-05 05:55 196608 --sha-w- c:\documents and settings\Paul\Local Settings\Application Data\2186891745.dll
2010-04-05 00:33 . 2010-04-05 00:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-05 00:32 . 2010-04-05 00:32 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-01 01:50 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2010-03-31 05:00 . 2010-03-31 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-03-31 04:36 . 2010-03-31 04:36 -------- d-----w- c:\windows\system32\scripting
2010-03-31 04:36 . 2010-03-31 04:36 -------- d-----w- c:\windows\l2schemas
2010-03-31 04:36 . 2010-03-31 04:36 -------- d-----w- c:\windows\system32\en
2010-03-31 02:13 . 2010-03-31 02:13 -------- d-sh--w- c:\documents and settings\Paul\PrivacIE
2010-03-31 02:09 . 2010-03-31 02:09 -------- d-sh--w- c:\documents and settings\Paul\IETldCache
2010-03-31 02:02 . 2010-02-25 06:24 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-03-31 02:02 . 2010-02-25 06:24 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-31 02:01 . 2010-03-31 02:01 -------- d-----w- c:\windows\ie8updates
2010-03-31 02:00 . 2010-02-16 04:50 64000 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-03-31 01:55 . 2010-03-31 01:57 -------- dc-h--w- c:\windows\ie8
2010-03-30 04:03 . 2009-12-04 18:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-03-30 04:03 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-03-30 01:15 . 2010-03-29 22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 01:15 . 2010-03-30 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 01:15 . 2010-03-30 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-30 01:15 . 2010-03-29 22:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 05:23 . 2010-03-29 05:23 -------- d-----w- c:\program files\Trend Micro
2010-03-29 04:51 . 2010-03-29 04:51 -------- d-----w- C:\VundoFix Backups
2010-03-29 04:40 . 2010-03-29 04:40 -------- d-----w- c:\documents and settings\Paul\Application Data\Malwarebytes
2010-03-29 03:38 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-03-29 03:38 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-03-29 02:28 . 2010-03-29 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-29 02:28 . 2010-04-05 06:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-29 02:28 . 2010-03-29 02:28 -------- d-----w- c:\documents and settings\Paul\Application Data\SUPERAntiSpyware.com
2010-03-29 02:26 . 2010-03-29 02:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-20 16:15 . 2010-03-20 16:15 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Real
2010-03-20 16:10 . 2010-03-20 16:10 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-20 16:08 . 2010-03-20 16:10 -------- d-----w- c:\program files\real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 00:34 . 2003-04-23 14:29 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-05 03:50 . 2004-07-12 15:46 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-01 01:31 . 2004-07-18 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-01 00:54 . 2007-01-14 06:51 -------- d-----w- c:\documents and settings\Paul\Application Data\U3
2010-03-31 04:41 . 2004-03-20 17:57 88855 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-03-31 04:05 . 2004-07-12 16:02 100104 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-31 03:55 . 2007-06-02 21:07 -------- d-----w- c:\program files\Microsoft Works
2010-03-29 02:45 . 2008-07-25 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-03-29 02:29 . 2010-03-29 02:29 52224 ----a-w- c:\documents and settings\Paul\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-29 02:29 . 2010-03-29 02:29 117760 ----a-w- c:\documents and settings\Paul\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-20 16:12 . 2010-03-20 16:12 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-20 16:12 . 2010-03-20 16:12 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-20 16:12 . 2010-03-20 16:12 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-20 16:12 . 2010-03-20 16:12 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-20 16:12 . 2010-03-20 16:12 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-20 16:12 . 2010-03-20 16:12 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-20 16:12 . 2010-03-20 16:12 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-20 16:12 . 2010-03-20 16:12 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-20 16:12 . 2010-03-20 16:12 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-20 16:12 . 2004-07-12 15:52 -------- d-----w- c:\program files\Common Files\Real
2010-03-20 16:08 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-19 05:27 . 2006-04-19 02:29 -------- d-----w- c:\documents and settings\Paul\Application Data\Azureus
2010-02-25 06:24 . 2004-02-06 23:05 916480 ----a-w- c:\windows\system32\wininet.dll
2005-05-11 20:28 . 2005-05-13 05:46 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2005-06-08 02:49 . 2005-06-08 02:49 28672 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2005-06-08 02:49 . 2005-06-08 02:49 98304 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"gStart"="c:\garmin\gStart.exe" [2005-07-25 1896448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\bcmntray" [X]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-22 335872]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-12-12 217088]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-03-05 487424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-07-12 77824]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 131072]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe" [2005-10-13 81920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"WD Button Manager"="WDBtnMgr.exe" [2007-07-14 339968]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-12-20 37376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-20 202256]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-11-15 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\javaw.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\tools\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\JetBrains\\IntelliJ IDEA 5.0\\bin\\idea.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Paul\\Desktop\\slsk.exe"=
"c:\\tools\\eclipse-3.3\\eclipse\\eclipse.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"c:\\tools\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Creative\\Sync Manager Unicode\\CTSyncU.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27623:TCP"= 27623:TCP:Azureus-TCP
"57105:UDP"= 57105:UDP:Azureus-UDP

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-04-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2906237116-3094984405-4234484057-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-04-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2906237116-3094984405-4234484057-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
.
------- Supplementary Scan -------
.
TCP: {1CF4BE3A-EA13-491C-B468-B643D478B42D} = 207.69.188.186,207.69.188.185
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\1u3isiqu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.01.06);user_pref(general.useragent.extra.zencast, Creative ZENcast v1.01.06
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 18:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x???????????@????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87326AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75faf28
\Driver\ACPI -> ACPI.sys @ 0xf756dcb8
\Driver\atapi -> atapi.sys @ 0xf7507852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf73febb0
PacketIndicateHandler -> NDIS.sys @ 0xf73eda0d
SendHandler -> NDIS.sys @ 0xf7401b40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{411c2a73-d249-45b6-8367-2e50e8c3b658}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\hilemebu.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3528)
c:\windows\system32\WININET.dll
c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\wdfmgr.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\windows\BCMSMMSG.exe
c:\windows\system32\bcmntray.exe
c:\windows\system32\WDBtnMgr.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\program files\Apoint\Apntex.exe
c:\windows\System32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-04-07 18:10:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-08 01:10

Pre-Run: 4,421,521,408 bytes free
Post-Run: 4,269,826,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 2C7EBB4D9C6725D1158D25C51108D9FE
#4
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hi

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.
#5
str_mtb
    Member
  • Topic Starter
  • 21 posts
Hi again, thanks for the help. Log file follows below. Last night I used IE, did a Bing search and clicked on the link without thinking. Immediately was redirected to some random page and soon after had the bogus XP Security app screaming at me. I used SuperAntiSpyware to remove the in-memory stuff, rebooted and found the .exe file associations were gone, so I used MBAM to clean that up. I ran GMER with the settings suggested above and here are the results:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-08 19:39:51
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Paul\LOCALS~1\Temp\fxdoapoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB1894320]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xF7B6F63C]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\isapnp.sys entry point in ".rsrc" section [0xF75B7014]
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\Explorer.EXE[1396] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1396] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1396] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\system32\wuauclt.exe[1996] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\wuauclt.exe[1996] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[1996] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat A7111D20
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 872D5AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{411c2a73-d249-45b6-8367-2e50e8c3b658}\InprocServer32@ c:\windows\system32\hilemebu.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{411c2a73-d249-45b6-8367-2e50e8c3b658}\InprocServer32@ThreadingModel Both

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\isapnp.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
#6
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Open OTL, click the None button, and paste this in the custom scan box:

/md5start
isapnp.sys
/md5stop

Click Run Scan and post that log.
#7
str_mtb
    Member
  • Topic Starter
  • 21 posts
I'll be around the house a bit today, so maybe we can make some good progress. Here's the OTL log:

OTL logfile created on: 4/9/2010 6:34:22 AM - Run 2
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Paul\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 676.00 Mb Available Physical Memory | 66.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 6.35 Gb Free Space | 11.37% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DBFKH851
Current User Name: Paul
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Custom Scans ==========



< MD5 for: ISAPNP.SYS >
[2010/03/30 21:18:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp3.cab:isapnp.sys
[2010/03/30 21:18:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:isapnp.sys
[2010/03/30 21:18:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\sp3.cab:isapnp.sys
[2008/04/13 11:36:41 | 000,037,248 | ---- | M] (Microsoft Corporation) MD5=05A299EC56E52649B1CF2FC52D20F2D7 -- C:\WINDOWS\ServicePackFiles\i386\isapnp.sys
[2008/04/13 11:36:41 | 000,037,248 | ---- | M] (Microsoft Corporation) MD5=05A299EC56E52649B1CF2FC52D20F2D7 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys
[2010/04/07 19:23:10 | 000,037,248 | ---- | M] (Microsoft Corporation) MD5=05A299EC56E52649B1CF2FC52D20F2D7 -- C:\WINDOWS\SYSTEM32\DLLCACHE\isapnp.sys
[2010/04/07 19:23:10 | 000,037,248 | ---- | M] (Microsoft Corporation) MD5=05A299EC56E52649B1CF2FC52D20F2D7 -- C:\WINDOWS\SYSTEM32\DRIVERS\isapnp.sys
[2001/08/17 11:58:02 | 000,035,840 | ---- | M] (Microsoft Corporation) MD5=E504F706CCB699C2596E9A3DA1596E87 -- C:\I386\isapnp.sys
[2001/08/17 11:58:02 | 000,035,840 | ---- | M] (Microsoft Corporation) MD5=E504F706CCB699C2596E9A3DA1596E87 -- C:\WINDOWS\$NtServicePackUninstall$\isapnp.sys
[2001/08/17 11:58:02 | 000,035,840 | ---- | M] (Microsoft Corporation) MD5=E504F706CCB699C2596E9A3DA1596E87 -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\i386\isapnp.sys
< End of report >
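
A way to do by script what the helper does by eye in the OTL MD5 report above, added here as an example; it is the editor's code, not OTL's and not something posted in the thread. It parses OTL's "< MD5 for: ... >" lines, groups the copies of the driver by hash, and reports whether the live SYSTEM32\DRIVERS copy matches the ServicePackFiles\i386 copy, the source the thread later uses to replace the file, so the same check can be rerun after that replacement. The directory markers are assumed from the XP layout visible in the log, the isapnp.sys sample is a subset of the log lines above, and the example.sys lines with their hashes are constructed to show what a mismatch looks like. One caveat a practitioner should keep in mind: the hash is computed through the running kernel's I/O stack, so agreement with the reference copy is evidence, not proof, that the file on disk is clean.

```python
import re
from collections import defaultdict

# Added example (the editor's code, not OTL's and not from the thread).
# It parses the "< MD5 for: FILE >" block OTL writes for a
# /md5start ... /md5stop custom scan, groups every copy of the driver by
# hash, and checks whether the copy Windows loads (SYSTEM32\DRIVERS)
# matches the copy in ServicePackFiles\i386, the source the thread uses
# as the replacement. One OTL line looks like:
#   [date time | size | attrs | M] (Company) MD5=HEX -- C:\path\file.sys
# .cab members are listed without an MD5 and are ignored.

MD5_LINE = re.compile(
    r"^\[(?P<stamp>[^|]*)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)

# Directory markers, assumed from the XP layout visible in the OTL output.
LIVE_DIR = "\\system32\\drivers\\"
REFERENCE_DIR = "\\servicepackfiles\\i386\\"


def parse_md5_report(text):
    """One dict per hashed copy: path, md5 (upper-case), size in bytes, company."""
    copies = []
    for line in text.splitlines():
        m = MD5_LINE.match(line.strip())
        if m:
            copies.append({
                "path": m.group("path"),
                "md5": m.group("md5").upper(),
                "size": int(m.group("size").replace(",", "")),
                "company": m.group("company"),
            })
    return copies


def group_by_md5(copies):
    """Map each distinct hash to the sorted paths carrying it. Pre-SP3
    copies (I386, $NtServicePackUninstall$, ReinstallBackups) legitimately
    form their own group, so read which paths share a group."""
    groups = defaultdict(list)
    for c in copies:
        groups[c["md5"]].append(c["path"])
    return {h: sorted(paths) for h, paths in groups.items()}


def _first_in(copies, marker):
    return next((c for c in copies if marker in c["path"].lower()), None)


def live_matches_reference(copies):
    """True when SYSTEM32\\DRIVERS\\<file> hashes the same as the
    ServicePackFiles\\i386 copy. Same size but a different hash on the live
    copy is the pattern of a patched driver. A match is not proof the file
    on disk is clean: the hash is read through the running I/O stack."""
    live = _first_in(copies, LIVE_DIR)
    ref = _first_in(copies, REFERENCE_DIR)
    if live is None or ref is None:
        raise ValueError("need both a live copy and a ServicePackFiles copy")
    return live["md5"] == ref["md5"]


# Subset of the isapnp.sys block from the OTL log posted above, pasted as-is.
SAMPLE_REPORT = r"""
[2010/03/30 21:18:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp3.cab:isapnp.sys
[2010/03/30 21:18:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:isapnp.sys
[2008/04/13 11:36:41 | 000,037,248 | ---- | M] (Microsoft Corporation) MD5=05A299EC56E52649B1CF2FC52D20F2D7 -- C:\WINDOWS\ServicePackFiles\i386\isapnp.sys
[2010/04/07 19:23:10 | 000,037,248 | ---- | M] (Microsoft Corporation) MD5=05A299EC56E52649B1CF2FC52D20F2D7 -- C:\WINDOWS\SYSTEM32\DLLCACHE\isapnp.sys
[2010/04/07 19:23:10 | 000,037,248 | ---- | M] (Microsoft Corporation) MD5=05A299EC56E52649B1CF2FC52D20F2D7 -- C:\WINDOWS\SYSTEM32\DRIVERS\isapnp.sys
[2001/08/17 11:58:02 | 000,035,840 | ---- | M] (Microsoft Corporation) MD5=E504F706CCB699C2596E9A3DA1596E87 -- C:\I386\isapnp.sys
[2001/08/17 11:58:02 | 000,035,840 | ---- | M] (Microsoft Corporation) MD5=E504F706CCB699C2596E9A3DA1596E87 -- C:\WINDOWS\$NtServicePackUninstall$\isapnp.sys
"""

# Constructed counter-example (made-up hashes, fictional example.sys): the
# live copy keeps the reference size but hashes differently.
PATCHED_REPORT = r"""
[2008/04/13 11:36:41 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=0D4C1B2A3E4F5061728394A5B6C7D8E9 -- C:\WINDOWS\ServicePackFiles\i386\example.sys
[2010/04/07 19:23:10 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2A0A5A9C5F7E9B9DDC4E8A6F0B11 -- C:\WINDOWS\SYSTEM32\DRIVERS\example.sys
"""

if __name__ == "__main__":
    for name, text in (("isapnp.sys", SAMPLE_REPORT), ("example.sys", PATCHED_REPORT)):
        copies = parse_md5_report(text)
        for md5, paths in group_by_md5(copies).items():
            print(name, md5, *paths, sep="\n  ")
        print(name, "live copy matches ServicePackFiles:", live_matches_reference(copies))
```

Run it against a whole OTL log and it only picks up the MD5 lines; everything else, including the .cab entries, falls through the regex. If the live copy disagrees with ServicePackFiles\i386 while keeping the same size, that is the condition the thread's FCopy:: step is meant to fix, and the script can be run a second time after the reboot to confirm the copy took.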

#8
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
This should help, hopefully.


1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the Avenger folder to your desktop
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to move:
C:\WINDOWS\ServicePackFiles\i386\isapnp.sys | C:\WINDOWS\SYSTEM32\DRIVERS\isapnp.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply



Tell me how it's running after that.
#9
str_mtb
    Member
  • Topic Starter
  • 21 posts
Given the results below, I didn't try too much to see if it's been resolved. Windows Update is still inaccessible via IE.
What shall we try next?

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not move file "C:\WINDOWS\ServicePackFiles\i386\isapnp.sys"
File move operation "C:\WINDOWS\ServicePackFiles\i386\isapnp.sys|C:\WINDOWS\SYSTEM32\DRIVERS\isapnp.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.
#10
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Yup, that failed.

This won't, I hope :)


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\isapnp.sys | C:\WINDOWS\SYSTEM32\DRIVERS\isapnp.sys
KillAll::

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
#11
str_mtb
    Member
  • Topic Starter
  • 21 posts
Need to duck out for a few hours & haven't had a chance to look at the report results. Will dig into this more in the early afternoon. Thanks for the speedy replies this morning!

ComboFix 10-04-06.05 - Paul 04/09/2010 7:49.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.656 [GMT -7:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul\Desktop\CFScript.txt
.
PEV Error: LocalAppDataFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\isapnp.sys --> c:\windows\SYSTEM32\DRIVERS\isapnp.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-09 to 2010-04-09 )))))))))))))))))))))))))))))))
.

2010-04-08 04:06 . 2010-04-08 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-08 04:06 . 2010-04-08 04:06 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\avG
2010-04-08 00:23 . 2010-04-08 00:23 -------- d-----w- C:\_OTL
2010-04-05 13:28 . 2010-04-05 13:28 -------- d-----w- c:\windows\system32\LogFiles
2010-04-05 06:38 . 2010-04-05 06:38 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-04-05 05:50 . 2010-04-05 05:55 196608 --sha-w- c:\documents and settings\Paul\Local Settings\Application Data\2186891745.dll
2010-04-05 00:33 . 2010-04-05 00:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-05 00:32 . 2010-04-05 00:32 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-01 01:50 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2010-03-31 05:00 . 2010-03-31 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-03-31 04:36 . 2010-03-31 04:36 -------- d-----w- c:\windows\system32\scripting
2010-03-31 04:36 . 2010-03-31 04:36 -------- d-----w- c:\windows\l2schemas
2010-03-31 04:36 . 2010-03-31 04:36 -------- d-----w- c:\windows\system32\en
2010-03-31 02:13 . 2010-03-31 02:13 -------- d-sh--w- c:\documents and settings\Paul\PrivacIE
2010-03-31 02:09 . 2010-03-31 02:09 -------- d-sh--w- c:\documents and settings\Paul\IETldCache
2010-03-31 02:02 . 2010-02-25 06:24 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-03-31 02:02 . 2010-02-25 06:24 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-31 02:01 . 2010-03-31 02:01 -------- d-----w- c:\windows\ie8updates
2010-03-31 02:00 . 2010-02-16 04:50 64000 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-03-31 01:55 . 2010-03-31 01:57 -------- dc-h--w- c:\windows\ie8
2010-03-30 04:03 . 2009-12-04 18:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-03-30 04:03 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-03-30 01:15 . 2010-03-29 22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 01:15 . 2010-03-30 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 01:15 . 2010-03-30 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-30 01:15 . 2010-03-29 22:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 05:23 . 2010-03-29 05:23 -------- d-----w- c:\program files\Trend Micro
2010-03-29 04:51 . 2010-03-29 04:51 -------- d-----w- C:\VundoFix Backups
2010-03-29 04:40 . 2010-03-29 04:40 -------- d-----w- c:\documents and settings\Paul\Application Data\Malwarebytes
2010-03-29 03:38 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-03-29 03:38 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-03-29 02:28 . 2010-03-29 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-29 02:28 . 2010-04-05 06:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-29 02:28 . 2010-03-29 02:28 -------- d-----w- c:\documents and settings\Paul\Application Data\SUPERAntiSpyware.com
2010-03-29 02:26 . 2010-03-29 02:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-20 16:15 . 2010-03-20 16:15 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Real
2010-03-20 16:10 . 2010-03-20 16:10 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-20 16:08 . 2010-03-20 16:10 -------- d-----w- c:\program files\real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-09 14:49 . 2004-07-12 15:46 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-08 00:34 . 2003-04-23 14:29 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-01 01:31 . 2004-07-18 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-01 00:54 . 2007-01-14 06:51 -------- d-----w- c:\documents and settings\Paul\Application Data\U3
2010-03-31 04:41 . 2004-03-20 17:57 88855 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-03-31 04:05 . 2004-07-12 16:02 100104 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-31 03:55 . 2007-06-02 21:07 -------- d-----w- c:\program files\Microsoft Works
2010-03-29 02:45 . 2008-07-25 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-03-29 02:29 . 2010-03-29 02:29 52224 ----a-w- c:\documents and settings\Paul\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-29 02:29 . 2010-03-29 02:29 117760 ----a-w- c:\documents and settings\Paul\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-20 16:12 . 2010-03-20 16:12 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-20 16:12 . 2010-03-20 16:12 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-20 16:12 . 2010-03-20 16:12 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-20 16:12 . 2010-03-20 16:12 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-20 16:12 . 2010-03-20 16:12 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-20 16:12 . 2010-03-20 16:12 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-20 16:12 . 2010-03-20 16:12 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-20 16:12 . 2010-03-20 16:12 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-20 16:12 . 2010-03-20 16:12 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-20 16:12 . 2004-07-12 15:52 -------- d-----w- c:\program files\Common Files\Real
2010-03-20 16:08 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-19 05:27 . 2006-04-19 02:29 -------- d-----w- c:\documents and settings\Paul\Application Data\Azureus
2010-02-25 06:24 . 2004-02-06 23:05 916480 ------w- c:\windows\system32\wininet.dll
2005-05-11 20:28 . 2005-05-13 05:46 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2005-06-08 02:49 . 2005-06-08 02:49 28672 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2005-06-08 02:49 . 2005-06-08 02:49 98304 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"gStart"="c:\garmin\gStart.exe" [2005-07-25 1896448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\bcmntray" [X]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-22 335872]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-12-12 217088]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-03-05 487424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-07-12 77824]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 131072]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe" [2005-10-13 81920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"WD Button Manager"="WDBtnMgr.exe" [2007-07-14 339968]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-12-20 37376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-20 202256]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-11-15 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\javaw.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\tools\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\JetBrains\\IntelliJ IDEA 5.0\\bin\\idea.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Paul\\Desktop\\slsk.exe"=
"c:\\tools\\eclipse-3.3\\eclipse\\eclipse.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"c:\\tools\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Creative\\Sync Manager Unicode\\CTSyncU.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27623:TCP"= 27623:TCP:Azureus-TCP
"57105:UDP"= 57105:UDP:Azureus-UDP

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-04-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2906237116-3094984405-4234484057-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-04-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2906237116-3094984405-4234484057-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
.
------- Supplementary Scan -------
.
TCP: {1CF4BE3A-EA13-491C-B468-B643D478B42D} = 207.69.188.186,207.69.188.185
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\1u3isiqu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.01.06);user_pref(general.useragent.extra.zencast, Creative ZENcast v1.01.06
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-09 08:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x???????????@????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87323AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75f3f28
\Driver\ACPI -> ACPI.sys @ 0xf7566cb8
\Driver\atapi -> atapi.sys @ 0xf7500852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf73f7bb0
PacketIndicateHandler -> NDIS.sys @ 0xf73e6a0d
SendHandler -> NDIS.sys @ 0xf73fab40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{411c2a73-d249-45b6-8367-2e50e8c3b658}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\hilemebu.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(608)
c:\windows\system32\WININET.dll
c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\wdfmgr.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\BCMSMMSG.exe
c:\windows\system32\bcmntray.exe
c:\windows\system32\WDBtnMgr.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\program files\Apoint\Apntex.exe
.
**************************************************************************
.
Completion time: 2010-04-09 08:14:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-09 15:14
ComboFix2.txt 2010-04-08 01:10

Pre-Run: 7,015,235,584 bytes free
Post-Run: 7,028,994,048 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - A8A25E1AC58FDBFAF5426633E987A1D8
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
OK, let me know if that has stopped the hijacks.

If not, do this:

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area, type in "ark.txt".
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.
  • 0

#13
str_mtb

str_mtb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Internet Explorer is still unable to access windowsupdate.microsoft.com. Firefox shows the "connection reset" error when trying to access it. I didn't try any live links since I don't want to reawaken the XP Security monster.

GMER takes about 2 hours to run; will post the log when complete.
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
OK, let me know if your browser is hijacked.
  • 0

#15
str_mtb

str_mtb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi again, I'll work backwards. I just tried to google for "geekstogo" and clicked on the link pointing to the forums in the results list. I was about to be redirected to something like citycentermortgage but closed the browser before anything came up. In my history the site h-t-t-p://76v84nks81.cc/RkA1dg1E8P6j2yc71253f03c6832032361acbe1a869c8af906c shows up at about that point in time (dashes added to keep anyone from clicking the link).

GMER took about an hour longer to run than last time, so I checked the running processes once it finished and saw that wuauclt.exe was using about 50% processor time. No other processes were very active. Rebooted and that seemed to quiet things down there.

Here's the log from GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-09 17:08:14
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Paul\LOCALS~1\Temp\fxdoapoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB1829320]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xA9E8D63C]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\isapnp.sys entry point in ".rsrc" section [0xF75B7014]
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[332] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[332] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[332] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[1092] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01AE000A
.text C:\WINDOWS\System32\svchost.exe[1092] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 01AD000A
.text C:\WINDOWS\system32\wuauclt.exe[1900] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\wuauclt.exe[1900] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[1900] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat A8EE5D20
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 87326AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{411c2a73-d249-45b6-8367-2e50e8c3b658}\InprocServer32@ c:\windows\system32\hilemebu.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{411c2a73-d249-45b6-8367-2e50e8c3b658}\InprocServer32@ThreadingModel Both

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\isapnp.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
  • 0
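A small triage helper, added here and not part of the thread or of GMER itself, that pulls the user-mode inline hooks ("JMP" lines) and the "suspicious modification" file entries out of a GMER 1.0.15 log in the format posted above, grouping hooks by process so a reviewer can see at a glance which processes (here wuauclt.exe and Explorer.EXE) carry hooks. The sample log is constructed in the same format; the function and regex names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.15 log format (not the log posted in the thread).
SAMPLE_LOG = """\
---- User code sections - GMER 1.0.15 ----

.text C:\\WINDOWS\\Explorer.EXE[332] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\\WINDOWS\\system32\\wuauclt.exe[1900] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\\WINDOWS\\system32\\wuauclt.exe[1900] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C

---- Files - GMER 1.0.15 ----

File C:\\WINDOWS\\system32\\drivers\\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# ".text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <dest>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<target>\S+)\s+"
    r"(?P<addr>[0-9A-F]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<dest>[0-9A-F]+)$"
)
# "File <path> suspicious modification"
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")


def parse_gmer(text):
    """Return (hooks_by_process, suspicious_files) parsed from a GMER log.

    hooks_by_process maps "image[pid]" to a list of (hooked export, jmp target)
    tuples; suspicious_files lists paths GMER reported as modified.
    """
    hooks = defaultdict(list)
    files = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            key = f"{m['image']}[{m['pid']}]"
            hooks[key].append((m["target"], int(m["dest"], 16)))
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m["path"])
    return dict(hooks), files


if __name__ == "__main__":
    by_proc, modified = parse_gmer(SAMPLE_LOG)
    for proc, entries in by_proc.items():
        print(f"{proc}: {len(entries)} inline hook(s)")
        for export, dest in entries:
            print(f"    {export} -> JMP {dest:08X}")
    print("suspicious files:", modified)
```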
