
Malwarebyte's stops responding



#1 drunkducki (Member, 87 posts)
I'm posting this for a friend.

The computer is a Dell XPS 600 with an Intel Pentium D, 2 GB RAM, and GeForce 6800 graphics, running XP SP3. When running Malwarebytes on the computer, about 2 minutes into the scan, Malwarebytes just freezes and a message appears saying Malwarebytes has stopped responding and asking whether I want to send a report. Neither the Yes nor the No option closes Malwarebytes; you have to go into Task Manager and terminate the process.

I've tried running a quick scan, a full scan, Safe Mode, and Safe Mode with Networking. They all return the same message. I've tried uninstalling and downloading the latest version, and that doesn't help. I also ran SUPERAntiSpyware and found nothing. I ran several online scanners such as Panda, ESET, and Kaspersky, also with nothing found. However, the antivirus on the computer, Trend Micro, found 2 viruses a while back and deleted them. I did the scan again with Trend Micro and there's nothing. I'm wondering if the problem has to do with those 2 viruses.

Please let me know if you need more info. Thank you.

********************************************************************************************************************************************

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:53:16 AM, on 9/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP3 (7.00.5730.0013)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\nvsvc32.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\system32\nvraidservice.exe
I:\WINDOWS\system32\RTDCPL.EXE
I:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
I:\WINDOWS\system32\rundll32.exe
I:\WINDOWS\system32\RUNDLL32.EXE
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
I:\Program Files\RealVNC\VNC4\WinVNC4.exe
I:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
I:\WINDOWS\system32\wbem\unsecapp.exe
I:\WINDOWS\TEMP\SCA089.EXE
I:\Program Files\Mozilla Firefox\firefox.exe
I:\Program Files\Mozilla Firefox\plugin-container.exe
I:\WINDOWS\system32\msiexec.exe
I:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - I:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - I:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NVRaidService] I:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [RTDCPL] RTDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "I:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "I:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IMJPMIG8.1] "I:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] I:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] I:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] I:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] I:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1272489429046
O17 - HKLM\System\CCS\Services\Tcpip\..\{71B6702D-F18F-4D62-BD08-587DE9A03198}: NameServer = 216.251.128.8,216.251.128.9
O20 - Winlogon Notify: !SASWinLogon - I:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - I:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - I:\WINDOWS\system32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - I:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - I:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - I:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - I:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - I:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5218 bytes

**********************************************************************************************************************************************

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 10:55:47.89 on 09/03/2010 Fri
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.950.886.1033.18.1789.1277 [GMT -7:00]

AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning disabled* (Outdated) {849635BA-0E5F-4EB0-ACD7-C1895B1C4860}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {849635BA-0E5F-4EB0-ACD7-C1895B1C4860}

============== Running Processes ===============

I:\WINDOWS\system32\nvsvc32.exe
I:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
I:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\system32\nvraidservice.exe
I:\WINDOWS\system32\RTDCPL.EXE
I:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
I:\WINDOWS\system32\rundll32.exe
I:\WINDOWS\system32\RUNDLL32.EXE
I:\WINDOWS\system32\ctfmon.exe
svchost.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\WINDOWS\system32\svchost.exe -k imgsvc
I:\Program Files\RealVNC\VNC4\WinVNC4.exe
I:\WINDOWS\system32\wbem\unsecapp.exe
I:\Program Files\Mozilla Firefox\firefox.exe
I:\Program Files\Mozilla Firefox\plugin-container.exe
I:\WINDOWS\system32\msiexec.exe
I:\WINDOWS\system32\mmc.exe
I:\Documents and Settings\Administrator\Desktop\dds.scr
I:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://manuals.craftsmancollision.com/Operations/default.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - i:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - i:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - i:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] i:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] i:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NVRaidService] i:\windows\system32\nvraidservice.exe
mRun: [RTDCPL] RTDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "i:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "i:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "i:\program files\java\jre6\bin\jusched.exe"
mRun: [OfficeScanNT Monitor] "i:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [IMJPMIG8.1] "i:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] i:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] i:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] i:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] i:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE i:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE i:\windows\system32\NvMcTray.dll,NvTaskbarInit
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - i:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272489429046
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {71B6702D-F18F-4D62-BD08-587DE9A03198} = 216.251.128.8,216.251.128.9
Notify: !SASWinLogon - i:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - i:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - i:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\6zb9x1bc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

---- FIREFOX POLICIES ----
i:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
i:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
i:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
i:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
i:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
i:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
i:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
i:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
i:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
i:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
i:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
i:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
i:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
i:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
i:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
i:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
i:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
i:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
i:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
i:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
i:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
i:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
i:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
i:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
i:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
i:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
i:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
i:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
i:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
i:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
i:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
i:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
i:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
i:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
i:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
i:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
i:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
i:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
i:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;i:\windows\system32\drivers\pavboot.sys [2010-8-20 28552]
R1 SASDIFSV;SASDIFSV;i:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;i:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 TmPreFilter;Trend Micro PreFilter;i:\program files\trend micro\client server security agent\tmpreflt.sys [2006-9-27 36368]
S2 OfcPfwSvc;Trend Micro Client/Server Security Agent Personal Firewall;i:\program files\trend micro\client server security agent\OfcPfwSvc.exe [2007-3-29 282704]
S2 TmFilter;Trend Micro Filter;i:\program files\trend micro\client server security agent\tmxpflt.sys [2006-9-27 230928]
S3 MBAMSwissArmy;MBAMSwissArmy;i:\windows\system32\drivers\mbamswissarmy.sys [2010-8-30 38224]

=============== Created Last 30 ================

2010-08-31 15:44:53 0 d-----w- i:\windows\system32\KB905474
2010-08-31 10:09:30 354304 -c----w- i:\windows\system32\dllcache\srv.sys
2010-08-31 10:09:06 81920 -c----w- i:\windows\system32\dllcache\fontsub.dll
2010-08-31 10:09:06 119808 -c----w- i:\windows\system32\dllcache\t2embed.dll
2010-08-31 10:09:04 153088 -c----w- i:\windows\system32\dllcache\triedit.dll
2010-08-31 10:09:03 2146304 -c----w- i:\windows\system32\dllcache\ntkrnlmp.exe
2010-08-31 10:09:02 2189952 -c----w- i:\windows\system32\dllcache\ntoskrnl.exe
2010-08-31 10:09:02 2066816 -c----w- i:\windows\system32\dllcache\ntkrnlpa.exe
2010-08-31 10:09:02 2024448 -c----w- i:\windows\system32\dllcache\ntkrpamp.exe
2010-08-31 10:08:43 203136 -c----w- i:\windows\system32\dllcache\rmcast.sys
2010-08-31 10:08:40 331776 -c----w- i:\windows\system32\dllcache\msadce.dll
2010-08-31 10:06:41 128512 -c----w- i:\windows\system32\dllcache\dhtmled.ocx
2010-08-30 23:01:01 38224 ----a-w- i:\windows\system32\drivers\mbamswissarmy.sys
2010-08-30 23:01:00 20952 ----a-w- i:\windows\system32\drivers\mbam.sys
2010-08-30 23:00:59 0 d-----w- i:\program files\Malwarebytes' Anti-Malware
2010-08-30 22:59:00 274288 ----a-w- i:\windows\system32\mucltui.dll
2010-08-30 22:59:00 215920 ----a-w- i:\windows\system32\muweb.dll
2010-08-30 22:59:00 16736 ----a-w- i:\windows\system32\mucltui.dll.mui
2010-08-30 22:20:08 221568 ------w- i:\windows\system32\MpSigStub.exe
2010-08-30 22:16:13 0 d-----w- i:\windows\system32\SoftwareDistribution
2010-08-20 21:18:58 28552 ----a-w- i:\windows\system32\drivers\pavboot.sys
2010-08-20 21:18:33 0 d-----w- i:\program files\Panda Security
2010-08-05 21:59:19 5632 ----a-w- i:\windows\system32\ptpusb.dll
2010-08-05 21:59:18 159232 ----a-w- i:\windows\system32\ptpusd.dll
2010-08-05 21:59:18 15104 -c--a-w- i:\windows\system32\dllcache\usbscan.sys
2010-08-05 21:59:18 15104 ----a-w- i:\windows\system32\drivers\usbscan.sys

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- i:\windows\system32\schannel.dll
2010-06-23 13:44:04 1851904 ----a-w- i:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- i:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- i:\windows\system32\msxml3.dll

============= FINISH: 10:56:03.20 ===============


*********************************************************************************************************************************************



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-03 11:48:46
Windows 5.1.2600 Service Pack 3
Running: 1wx24enh.exe; Driver: I:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kgrdifob.sys


---- System - GMER 1.0.15 ----

SSDT \??\I:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB0548620]

---- Kernel code sections - GMER 1.0.15 ----

.text I:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB712F360, 0x24BB1D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text I:\Program Files\Mozilla Firefox\firefox.exe[2876] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 I:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text I:\Program Files\Mozilla Firefox\plugin-container.exe[3736] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1044721D I:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FriendlyName Indeo? video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@EncoderType 1

---- EOF - GMER 1.0.15 ----


#2 RKinner (Malware Expert, MVP, 13,200 posts)
Can you run OTL per the instructions in the top post in this forum?


http://www.geekstogo...uide-t2852.html


Ron

#3 drunkducki (Member, 87 posts)
OTL logfile created on: 9/7/2010 4:19:19 PM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = I:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): I:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = I: | %SystemRoot% = I:\WINDOWS | %ProgramFiles% = I:\Program Files
Drive C: | 14.89 Gb Total Space | 11.26 Gb Free Space | 75.57% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 298.01 Gb Total Space | 122.62 Gb Free Space | 41.15% Space Free | Partition Type: NTFS

Computer Name: HARBOURSIDEXPS
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/07 16:18:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/08/30 14:49:08 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- I:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2010/07/26 08:31:09 | 000,014,808 | ---- | M] (Mozilla Corporation) -- I:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/07/26 08:31:08 | 000,910,296 | ---- | M] (Mozilla Corporation) -- I:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\explorer.exe
PRC - [2007/03/29 08:10:06 | 000,394,952 | ---- | M] (Trend Micro Inc.) -- I:\Program Files\Trend Micro\Client Server Security Agent\PccNTMon.exe
PRC - [2007/03/29 08:10:02 | 000,214,712 | ---- | M] () -- I:\WINDOWS\Temp\UY470A.EXE
PRC - [2007/03/29 08:09:38 | 000,603,856 | ---- | M] (Trend Micro Inc.) -- I:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe
PRC - [2007/03/29 08:09:36 | 000,685,776 | ---- | M] (Trend Micro Inc.) -- I:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
PRC - [2007/03/29 08:03:16 | 000,282,704 | ---- | M] (Trend Micro Inc.) -- I:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
PRC - [2005/07/22 17:02:40 | 000,126,464 | ---- | M] (NVIDIA Corporation) -- I:\WINDOWS\system32\nvraidservice.exe
PRC - [2005/05/26 11:38:38 | 012,275,200 | ---- | M] (Realtek Semiconductor Corp.) -- I:\WINDOWS\system32\RTDCPL.EXE
PRC - [2004/06/15 15:29:42 | 000,380,928 | ---- | M] (RealVNC Ltd.) -- I:\Program Files\RealVNC\VNC4\winvnc4.exe


========== Modules (SafeList) ==========

MOD - [2010/09/07 16:18:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2008/04/14 06:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\system32\msscript.ocx
MOD - [2006/10/22 12:22:00 | 001,470,464 | ---- | M] () -- I:\WINDOWS\system32\nview.dll
MOD - [2006/10/22 12:22:00 | 000,081,920 | ---- | M] (NVIDIA Corporation) -- I:\WINDOWS\system32\nvwddi.dll


========== Win32 Services (SafeList) ==========

SRV - [2007/03/29 08:09:38 | 000,603,856 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe -- (ntrtscan)
SRV - [2007/03/29 08:09:36 | 000,685,776 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe -- (tmlisten)
SRV - [2007/03/29 08:03:16 | 000,282,704 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe -- (OfcPfwSvc)
SRV - [2004/06/15 15:29:42 | 000,380,928 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- I:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)


========== Driver Services (SafeList) ==========

DRV - [2010/05/10 11:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- I:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- I:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/02/17 11:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- I:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/04 16:39:06 | 000,230,928 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\tmxpflt.sys -- (TmFilter)
DRV - [2009/12/04 16:38:18 | 000,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\tmpreflt.sys -- (TmPreFilter)
DRV - [2009/12/04 16:05:06 | 001,322,680 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\vsapint.sys -- (VSApiNt)
DRV - [2009/06/30 09:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- I:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2007/12/24 18:37:00 | 000,138,384 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- I:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2007/03/22 10:54:58 | 001,844,928 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\TM_CFW.sys -- (TM_CFW)
DRV - [2006/10/22 12:22:00 | 003,994,624 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/07/26 18:48:30 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/07/26 18:48:28 | 000,033,664 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/07/19 22:59:26 | 000,093,440 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- I:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus)
DRV - [2005/07/19 14:59:28 | 000,076,544 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- I:\WINDOWS\system32\drivers\nvraid.sys -- (nvraid) NVIDIA nForce™
DRV - [2005/06/14 04:38:58 | 002,802,112 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/04 03:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- I:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=302398"
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: I:\Program Files\Mozilla Firefox\components [2010/07/26 08:31:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: I:\Program Files\Mozilla Firefox\plugins [2010/08/05 15:25:59 | 000,000,000 | ---D | M]

[2010/04/22 09:30:39 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/04/22 09:30:39 | 000,000,000 | ---D | M] (No name found) -- I:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/08/05 15:26:28 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zb9x1bc.default\extensions
[2010/07/08 16:08:44 | 000,000,000 | ---D | M] -- I:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 03:00:00 | 000,000,734 | ---- | M]) - I:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [IMEKRMIG6.1] I:\WINDOWS\ime\imkr6_1\imekrmig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] I:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] I:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NvCplDaemon] I:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] I:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVRaidService] I:\WINDOWS\system32\nvraidservice.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] I:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [OfficeScanNT Monitor] I:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [PHIME2002A] I:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] I:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [RTDCPL] I:\WINDOWS\System32\RTDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [SUPERAntiSpyware] I:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1272489429046 (WUWebControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - I:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - I:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - I:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: I:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: I:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - I:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - I:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - I:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - I:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - I:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - I:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - I:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - I:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - I:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - I:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (56590025235628032)

========== Files/Folders - Created Within 90 Days ==========

[2010/09/07 16:18:25 | 000,574,976 | ---- | C] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/09/07 09:44:21 | 000,000,000 | ---D | C] -- I:\WINDOWS\LastGood
[2010/08/31 08:44:53 | 000,000,000 | ---D | C] -- I:\WINDOWS\System32\KB905474
[2010/08/31 03:00:20 | 000,000,000 | ---D | C] -- I:\WINDOWS\System32\PreInstall
[2010/08/30 16:01:01 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- I:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/30 16:01:00 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- I:\WINDOWS\System32\drivers\mbam.sys
[2010/08/30 16:00:59 | 000,000,000 | ---D | C] -- I:\Program Files\Malwarebytes' Anti-Malware
[2010/08/30 15:54:53 | 000,000,000 | RH-D | C] -- I:\Documents and Settings\Administrator\Recent
[2010/08/30 15:16:13 | 000,000,000 | ---D | C] -- I:\WINDOWS\System32\SoftwareDistribution
[2010/08/30 14:47:27 | 000,446,464 | ---- | C] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/08/20 15:18:34 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- I:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46.exe
[2010/08/20 14:18:58 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- I:\WINDOWS\System32\drivers\pavboot.sys
[2010/08/20 14:18:33 | 000,000,000 | ---D | C] -- I:\Program Files\Panda Security
[2010/08/05 14:59:34 | 000,000,000 | R--D | C] -- I:\Documents and Settings\Administrator\My Documents\My Pictures
[2010/07/21 08:43:51 | 000,000,000 | ---D | C] -- I:\Image Backup
[2010/07/08 16:09:47 | 000,000,000 | ---D | C] -- I:\Program Files\PDFCreator
[2010/07/08 16:08:44 | 000,000,000 | ---D | C] -- I:\WINDOWS\System32\appmgmt
[2010/06/10 11:53:22 | 000,000,000 | ---D | C] -- I:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/06/10 11:53:22 | 000,000,000 | ---D | C] -- I:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
[2010/06/10 11:53:17 | 000,000,000 | ---D | C] -- I:\Program Files\SUPERAntiSpyware

========== Files - Modified Within 90 Days ==========

[2010/09/07 16:18:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/09/07 09:44:58 | 000,002,206 | ---- | M] () -- I:\WINDOWS\System32\wpa.dbl
[2010/09/07 09:42:52 | 000,275,400 | ---- | M] () -- I:\WINDOWS\System32\NvApps.xml
[2010/09/07 09:42:46 | 000,000,006 | -H-- | M] () -- I:\WINDOWS\tasks\SA.DAT
[2010/09/07 09:42:45 | 000,002,048 | --S- | M] () -- I:\WINDOWS\bootstat.dat
[2010/09/03 10:57:27 | 000,293,376 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\1wx24enh.exe
[2010/09/03 10:54:42 | 000,525,824 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/09/03 10:52:51 | 000,002,463 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\HiJackThis.lnk
[2010/09/03 10:52:13 | 001,402,880 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\HiJackThis.msi
[2010/09/01 03:17:49 | 000,311,604 | ---- | M] () -- I:\WINDOWS\System32\perfh009.dat
[2010/09/01 03:17:49 | 000,039,992 | ---- | M] () -- I:\WINDOWS\System32\perfc009.dat
[2010/09/01 03:17:48 | 000,356,120 | ---- | M] () -- I:\WINDOWS\System32\PerfStringBackup.INI
[2010/09/01 03:15:40 | 001,835,008 | -H-- | M] () -- I:\Documents and Settings\Administrator\NTUSER.DAT
[2010/09/01 03:15:40 | 000,000,178 | -HS- | M] () -- I:\Documents and Settings\Administrator\ntuser.ini
[2010/09/01 03:15:36 | 002,692,776 | -H-- | M] () -- I:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/09/01 03:00:25 | 000,001,789 | ---- | M] () -- I:\WINDOWS\imsins.BAK
[2010/08/31 10:42:48 | 000,119,744 | ---- | M] () -- I:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/30 16:01:03 | 000,000,696 | ---- | M] () -- I:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/30 14:47:28 | 000,446,464 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/08/20 15:19:03 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- I:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46.exe
[2010/08/11 09:02:58 | 000,008,875 | ---- | M] () -- I:\WINDOWS\cfgall.ini
[2010/08/06 15:53:11 | 1040,355,328 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\vista_6000.16386.061101-2205-LRMAIK_EN.img
[2010/08/06 09:50:24 | 001,849,343 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\WindowsServer2003-KB892778-SP1-DeployTools-x86-ENU.cab
[2010/07/29 16:39:46 | 001,015,348 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\p95v2511.zip
[2010/07/08 16:09:54 | 000,000,706 | ---- | M] () -- I:\Documents and Settings\All Users\Desktop\PDFCreator.lnk
[2010/06/10 11:53:19 | 000,001,678 | ---- | M] () -- I:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

========== Files Created - No Company Name ==========

[2010/09/03 10:57:26 | 000,293,376 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\1wx24enh.exe
[2010/09/03 10:54:40 | 000,525,824 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/09/03 10:52:44 | 000,002,463 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\HiJackThis.lnk
[2010/09/03 10:52:09 | 001,402,880 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\HiJackThis.msi
[2010/08/31 03:00:22 | 000,001,789 | ---- | C] () -- I:\WINDOWS\imsins.BAK
[2010/08/30 16:01:03 | 000,000,696 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/10 13:06:50 | 000,005,946 | ---- | C] () -- I:\Documents and Settings\Administrator\reset.log
[2010/08/06 14:47:00 | 1040,355,328 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\vista_6000.16386.061101-2205-LRMAIK_EN.img
[2010/08/06 09:50:20 | 001,849,343 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\WindowsServer2003-KB892778-SP1-DeployTools-x86-ENU.cab
[2010/07/29 16:39:45 | 001,015,348 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\p95v2511.zip
[2010/07/08 16:09:54 | 000,000,706 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\PDFCreator.lnk
[2010/07/08 16:09:49 | 000,116,224 | ---- | C] () -- I:\WINDOWS\System32\pdfcmnnt.dll
[2010/06/10 11:53:19 | 000,001,678 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/06 15:25:53 | 000,212,992 | ---- | C] () -- I:\WINDOWS\System32\nvapi.dll
[2010/04/06 11:45:20 | 000,000,036 | ---- | C] () -- I:\WINDOWS\webica.ini
[2009/12/22 10:45:43 | 000,008,875 | ---- | C] () -- I:\WINDOWS\cfgall.ini
[2009/12/22 10:40:10 | 000,156,672 | ---- | C] () -- I:\WINDOWS\System32\RTLCPAPI.dll
[2006/10/22 12:22:00 | 001,662,976 | ---- | C] () -- I:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 12:22:00 | 001,470,464 | ---- | C] () -- I:\WINDOWS\System32\nview.dll
[2006/10/22 12:22:00 | 001,019,904 | ---- | C] () -- I:\WINDOWS\System32\nvwimg.dll
[2006/10/22 12:22:00 | 000,581,632 | ---- | C] () -- I:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 12:22:00 | 000,466,944 | ---- | C] () -- I:\WINDOWS\System32\nvshell.dll
[2006/10/22 12:22:00 | 000,286,720 | ---- | C] () -- I:\WINDOWS\System32\nvnt4cpl.dll

========== LOP Check ==========

[2010/03/30 14:28:38 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\ICAClient
[2010/04/06 16:23:32 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\SystemRequirementsLab
[2010/04/22 09:30:39 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\Thunderbird

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/12/22 02:01:16 | 000,000,210 | -HS- | M] () -- I:\boot.ini
[2010/08/12 09:32:15 | 000,000,109 | ---- | M] () -- I:\mbam-error.txt
[2004/08/04 03:00:00 | 000,047,564 | RHS- | M] () -- I:\NTDETECT.COM
[2009/12/22 10:53:57 | 000,250,048 | RHS- | M] () -- I:\ntldr
[2010/09/07 09:42:39 | 2013,265,920 | -HS- | M] () -- I:\pagefile.sys

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2009/12/22 02:01:16 | 000,094,208 | ---- | M] () -- I:\WINDOWS\system32\config\default.sav
[2009/12/22 02:01:16 | 000,659,456 | ---- | M] () -- I:\WINDOWS\system32\config\software.sav
[2009/12/22 02:01:16 | 000,921,600 | ---- | M] () -- I:\WINDOWS\system32\config\system.sav

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-09-01 10:00:32
< End of report >

#4 drunkducki
OTL Extras logfile created on: 9/7/2010 4:19:19 PM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = I:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): I:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = I: | %SystemRoot% = I:\WINDOWS | %ProgramFiles% = I:\Program Files
Drive C: | 14.89 Gb Total Space | 11.26 Gb Free Space | 75.57% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 298.01 Gb Total Space | 122.62 Gb Free Space | 41.15% Space Free | Partition Type: NTFS

Computer Name: HARBOURSIDEXPS
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- I:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "I:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "I:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{95120000-003F-0409-0000-0000000FF1CE}" = Microsoft Office Excel Viewer
"{95120000-0052-0409-0000-0000000FF1CE}" = Microsoft Office Visio Viewer 2007
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{DF1D5FEC-D67C-43C8-9230-41F5DF350196}" = MetaFrame Presentation Server Client
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}" = Dell Resource CD
"7-Zip" = 7-Zip 4.65
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"CCleaner" = CCleaner
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"OfficeScanNT" = Trend Micro Client/Server Security Agent
"RealVNC_is1" = VNC 4.0
"Revo Uninstaller" = Revo Uninstaller 1.87
"SystemRequirementsLab" = System Requirements Lab
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/7/2010 7:56:43 AM | Computer Name = HARBOURSIDEXPS | Source = ESENT | ID = 489
Description = wuauclt (2992) An attempt to open the file "I:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 9/7/2010 7:56:43 AM | Computer Name = HARBOURSIDEXPS | Source = ESENT | ID = 455
Description = wuaueng.dll (2992) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile I:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 9/7/2010 7:56:55 AM | Computer Name = HARBOURSIDEXPS | Source = ESENT | ID = 489
Description = wuauclt (760) An attempt to open the file "I:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 9/7/2010 7:56:55 AM | Computer Name = HARBOURSIDEXPS | Source = ESENT | ID = 455
Description = wuaueng.dll (760) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred
while opening logfile I:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 9/7/2010 7:57:05 AM | Computer Name = HARBOURSIDEXPS | Source = ESENT | ID = 489
Description = wuauclt (760) An attempt to open the file "I:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 9/7/2010 7:57:05 AM | Computer Name = HARBOURSIDEXPS | Source = ESENT | ID = 455
Description = wuaueng.dll (760) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred
while opening logfile I:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 9/7/2010 7:57:18 AM | Computer Name = HARBOURSIDEXPS | Source = ESENT | ID = 489
Description = wuauclt (1828) An attempt to open the file "I:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 9/7/2010 7:57:18 AM | Computer Name = HARBOURSIDEXPS | Source = ESENT | ID = 455
Description = wuaueng.dll (1828) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile I:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 9/7/2010 7:57:28 AM | Computer Name = HARBOURSIDEXPS | Source = ESENT | ID = 489
Description = wuauclt (1828) An attempt to open the file "I:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 9/7/2010 7:57:28 AM | Computer Name = HARBOURSIDEXPS | Source = ESENT | ID = 455
Description = wuaueng.dll (1828) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile I:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

[ System Events ]
Error - 8/30/2010 6:37:56 PM | Computer Name = HARBOURSIDEXPS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 8/30/2010 6:55:20 PM | Computer Name = HARBOURSIDEXPS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 8/30/2010 6:55:31 PM | Computer Name = HARBOURSIDEXPS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 8/30/2010 6:55:41 PM | Computer Name = HARBOURSIDEXPS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 8/30/2010 6:56:06 PM | Computer Name = HARBOURSIDEXPS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 8/30/2010 6:57:03 PM | Computer Name = HARBOURSIDEXPS | Source = nvraid | ID = 262155
Description = The driver detected a controller error on .

Error - 8/30/2010 7:00:52 PM | Computer Name = HARBOURSIDEXPS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 8/30/2010 7:02:18 PM | Computer Name = HARBOURSIDEXPS | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm pavboot SASDIFSV SASKUTIL

Error - 8/30/2010 7:13:44 PM | Computer Name = HARBOURSIDEXPS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 8/31/2010 11:43:06 AM | Computer Name = HARBOURSIDEXPS | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Internet Explorer 8 for Windows XP.


< End of report >

#5 RKinner (Malware Expert)
Copy the text between the lines of stars by highlighting it and pressing Ctrl + C.
***************************************************************************************************
:OTL
PRC - [2007/03/29 08:10:02 | 000,214,712 | ---- | M] () -- I:\WINDOWS\Temp\UY470A.EXE

:Files
I:\WINDOWS\Temp\UY470A.EXE

:Commands
[RESETHOSTS]
[purity]
[emptytemp]
[Reboot]

*******************************************************************

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered, OTL will reboot the PC when it is done.

Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Download but do not yet run ComboFix.
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop; do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

Download and rename this file (call it george.exe) to your Desktop, from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.

* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at C:\Combofix.txt (or perhaps I:\Combofix.txt; yours is a weird setup). I'll need to see that in your reply.

Re-activate your protection programs at this time.

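The OTL fix above singles out a running process that OTL listed with an empty company field, `()`, executing from I:\WINDOWS\Temp, and the next log in the thread shows a file of the same size and timestamp back under a different random name. As an added example that is not part of RKinner's post or of OTL itself, the Python script below applies that same triage to OTL `PRC -` lines: it parses the fields, flags processes that have no company name and run from a temp directory, and groups no-company entries by (timestamp, size) so a renamed copy of the same binary stands out. The regular expression is an assumption about the log layout shown in this thread, and the sample lines are constructed from the logs posted here.

```python
import re
from collections import defaultdict

# Constructed sample input: a few OTL "PRC -" (running process) lines in the
# layout this thread's logs use, plus one "MOD -" line to show it is skipped.
SAMPLE_OTL = r"""
PRC - [2010/09/07 16:18:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2007/03/29 08:10:06 | 000,394,952 | ---- | M] (Trend Micro Inc.) -- I:\Program Files\Trend Micro\Client Server Security Agent\PccNTMon.exe
PRC - [2007/03/29 08:10:02 | 000,214,712 | ---- | M] () -- I:\WINDOWS\Temp\UY470A.EXE
PRC - [2007/03/29 08:10:02 | 000,214,712 | ---- | M] () -- I:\WINDOWS\Temp\QRB7BF.EXE
PRC - [2005/07/22 17:02:40 | 000,126,464 | ---- | M] (NVIDIA Corporation) -- I:\WINDOWS\system32\nvraidservice.exe
MOD - [2008/04/14 06:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\system32\msscript.ocx
"""

# Assumed layout (from the logs in this thread):
# PRC - [date time | size | attrs | M] (company) -- path
PRC_RE = re.compile(
    r"^PRC - \[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"[-A-Z]{4} \| [MC]\] \((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)

# Directories a legitimate long-running process rarely executes from.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def parse_prc_lines(text):
    """Return one dict per PRC line; lines from other OTL sections are ignored."""
    entries = []
    for line in text.splitlines():
        m = PRC_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        entries.append({
            "stamp": m.group("stamp"),
            "size": int(m.group("size").replace(",", "")),
            "company": m.group("company").strip(),  # "" when OTL printed "()"
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
        })
    return entries


def flag_suspicious(entries):
    """Flag processes that both lack a company name and run from a temp directory."""
    flagged = []
    for e in entries:
        reasons = []
        if not e["company"]:
            reasons.append("no company name in version info")
        if any(marker in e["path"].lower() for marker in TEMP_MARKERS):
            reasons.append("runs from a temp directory")
        if len(reasons) == 2:  # require both signals to keep the list short
            flagged.append((e["path"], reasons))
    return flagged


def link_by_fingerprint(entries):
    """Group no-company entries by (timestamp, size). A file that keeps the same
    size and mtime under a different random name is probably the same binary."""
    groups = defaultdict(list)
    for e in entries:
        if not e["company"]:
            groups[(e["stamp"], e["size"])].append(e["name"])
    return {key: names for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    procs = parse_prc_lines(SAMPLE_OTL)
    for path, reasons in flag_suspicious(procs):
        print(f"SUSPECT {path}: {', '.join(reasons)}")
    for (stamp, size), names in link_by_fingerprint(procs).items():
        print(f"same binary? {stamp} {size} bytes -> {names}")
```

The two-signal rule is deliberate: plenty of legitimate drivers and tools ship without a company string (several `()` entries in the logs above are NVIDIA and Intel codecs in System32), so an empty company field alone is noise; combined with execution from a temp directory it is worth a look, and the fingerprint grouping is what ties the renamed copy to the original.
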
#6 drunkducki
OTL logfile created on: 9/8/2010 10:21:40 AM - Run 2
OTL by OldTimer - Version 3.2.11.0 Folder = I:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 77.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): I:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = I: | %SystemRoot% = I:\WINDOWS | %ProgramFiles% = I:\Program Files
Drive C: | 14.89 Gb Total Space | 11.35 Gb Free Space | 76.21% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 298.01 Gb Total Space | 122.70 Gb Free Space | 41.17% Space Free | Partition Type: NTFS

Computer Name: HARBOURSIDEXPS
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/07 16:18:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/08/30 14:49:08 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- I:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\explorer.exe
PRC - [2007/03/29 08:10:06 | 000,394,952 | ---- | M] (Trend Micro Inc.) -- I:\Program Files\Trend Micro\Client Server Security Agent\PccNTMon.exe
PRC - [2007/03/29 08:10:02 | 000,214,712 | ---- | M] () -- I:\WINDOWS\Temp\QRB7BF.EXE
PRC - [2007/03/29 08:09:38 | 000,603,856 | ---- | M] (Trend Micro Inc.) -- I:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe
PRC - [2007/03/29 08:09:36 | 000,685,776 | ---- | M] (Trend Micro Inc.) -- I:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
PRC - [2007/03/29 08:03:16 | 000,282,704 | ---- | M] (Trend Micro Inc.) -- I:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
PRC - [2005/07/22 17:02:40 | 000,126,464 | ---- | M] (NVIDIA Corporation) -- I:\WINDOWS\system32\nvraidservice.exe
PRC - [2005/05/26 11:38:38 | 012,275,200 | ---- | M] (Realtek Semiconductor Corp.) -- I:\WINDOWS\system32\RTDCPL.EXE
PRC - [2004/06/15 15:29:42 | 000,380,928 | ---- | M] (RealVNC Ltd.) -- I:\Program Files\RealVNC\VNC4\winvnc4.exe


========== Modules (SafeList) ==========

MOD - [2010/09/07 16:18:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2008/04/14 06:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\system32\msscript.ocx
MOD - [2006/10/22 12:22:00 | 001,470,464 | ---- | M] () -- I:\WINDOWS\system32\nview.dll
MOD - [2006/10/22 12:22:00 | 000,081,920 | ---- | M] (NVIDIA Corporation) -- I:\WINDOWS\system32\nvwddi.dll


========== Win32 Services (SafeList) ==========

SRV - [2007/03/29 08:09:38 | 000,603,856 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe -- (ntrtscan)
SRV - [2007/03/29 08:09:36 | 000,685,776 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe -- (tmlisten)
SRV - [2007/03/29 08:03:16 | 000,282,704 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe -- (OfcPfwSvc)
SRV - [2004/06/15 15:29:42 | 000,380,928 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- I:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)


========== Driver Services (SafeList) ==========

DRV - [2010/05/10 11:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- I:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- I:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/02/17 11:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- I:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/04 16:39:06 | 000,230,928 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\tmxpflt.sys -- (TmFilter)
DRV - [2009/12/04 16:38:18 | 000,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\tmpreflt.sys -- (TmPreFilter)
DRV - [2009/12/04 16:05:06 | 001,322,680 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\vsapint.sys -- (VSApiNt)
DRV - [2009/06/30 09:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- I:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2007/12/24 18:37:00 | 000,138,384 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- I:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2007/03/22 10:54:58 | 001,844,928 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\TM_CFW.sys -- (TM_CFW)
DRV - [2006/10/22 12:22:00 | 003,994,624 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/07/26 18:48:30 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/07/26 18:48:28 | 000,033,664 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/07/19 22:59:26 | 000,093,440 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- I:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus)
DRV - [2005/07/19 14:59:28 | 000,076,544 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- I:\WINDOWS\system32\drivers\nvraid.sys -- (nvraid) NVIDIA nForce™
DRV - [2005/06/14 04:38:58 | 002,802,112 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/04 03:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- I:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=302398"
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: I:\Program Files\Mozilla Firefox\components [2010/07/26 08:31:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: I:\Program Files\Mozilla Firefox\plugins [2010/08/05 15:25:59 | 000,000,000 | ---D | M]

[2010/04/22 09:30:39 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/04/22 09:30:39 | 000,000,000 | ---D | M] (No name found) -- I:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/08/05 15:26:28 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zb9x1bc.default\extensions
[2010/07/08 16:08:44 | 000,000,000 | ---D | M] -- I:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/09/08 08:46:22 | 000,000,098 | ---- | M]) - I:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [IMEKRMIG6.1] I:\WINDOWS\ime\imkr6_1\imekrmig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] I:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] I:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NvCplDaemon] I:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] I:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVRaidService] I:\WINDOWS\system32\nvraidservice.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] I:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [OfficeScanNT Monitor] I:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [PHIME2002A] I:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] I:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [RTDCPL] I:\WINDOWS\System32\RTDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [SUPERAntiSpyware] I:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1272489429046 (WUWebControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - I:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - I:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - I:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: I:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: I:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - I:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/09/08 08:46:21 | 000,000,000 | ---D | C] -- I:\_OTL
[2010/09/07 16:18:25 | 000,574,976 | ---- | C] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/08/31 03:00:20 | 000,000,000 | ---D | C] -- I:\WINDOWS\System32\PreInstall
[2010/08/30 16:01:01 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- I:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/30 16:01:00 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- I:\WINDOWS\System32\drivers\mbam.sys
[2010/08/30 16:00:59 | 000,000,000 | ---D | C] -- I:\Program Files\Malwarebytes' Anti-Malware
[2010/08/30 15:54:53 | 000,000,000 | RH-D | C] -- I:\Documents and Settings\Administrator\Recent
[2010/08/30 15:16:13 | 000,000,000 | ---D | C] -- I:\WINDOWS\System32\SoftwareDistribution
[2010/08/30 14:47:27 | 000,446,464 | ---- | C] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/08/20 15:18:34 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- I:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46.exe
[2010/08/20 14:18:58 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- I:\WINDOWS\System32\drivers\pavboot.sys
[2010/08/20 14:18:33 | 000,000,000 | ---D | C] -- I:\Program Files\Panda Security
[2010/08/05 14:59:34 | 000,000,000 | R--D | C] -- I:\Documents and Settings\Administrator\My Documents\My Pictures
[2010/07/21 08:43:51 | 000,000,000 | ---D | C] -- I:\Image Backup
[2010/07/08 16:09:47 | 000,000,000 | ---D | C] -- I:\Program Files\PDFCreator
[2010/07/08 16:08:44 | 000,000,000 | ---D | C] -- I:\WINDOWS\System32\appmgmt
[2010/06/10 11:53:22 | 000,000,000 | ---D | C] -- I:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/06/10 11:53:22 | 000,000,000 | ---D | C] -- I:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
[2010/06/10 11:53:17 | 000,000,000 | ---D | C] -- I:\Program Files\SUPERAntiSpyware

========== Files - Modified Within 90 Days ==========

[2010/09/08 08:48:43 | 000,275,400 | ---- | M] () -- I:\WINDOWS\System32\NvApps.xml
[2010/09/08 08:47:28 | 000,002,206 | ---- | M] () -- I:\WINDOWS\System32\wpa.dbl
[2010/09/08 08:47:08 | 000,000,006 | -H-- | M] () -- I:\WINDOWS\tasks\SA.DAT
[2010/09/08 08:47:06 | 000,002,048 | --S- | M] () -- I:\WINDOWS\bootstat.dat
[2010/09/08 08:46:31 | 001,835,008 | -H-- | M] () -- I:\Documents and Settings\Administrator\NTUSER.DAT
[2010/09/08 08:46:31 | 000,000,178 | -HS- | M] () -- I:\Documents and Settings\Administrator\ntuser.ini
[2010/09/08 08:46:22 | 000,000,098 | ---- | M] () -- I:\WINDOWS\System32\drivers\etc\Hosts
[2010/09/07 16:18:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/09/03 10:57:27 | 000,293,376 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\1wx24enh.exe
[2010/09/03 10:54:42 | 000,525,824 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/09/03 10:52:51 | 000,002,463 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\HiJackThis.lnk
[2010/09/03 10:52:13 | 001,402,880 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\HiJackThis.msi
[2010/09/01 03:17:49 | 000,311,604 | ---- | M] () -- I:\WINDOWS\System32\perfh009.dat
[2010/09/01 03:17:49 | 000,039,992 | ---- | M] () -- I:\WINDOWS\System32\perfc009.dat
[2010/09/01 03:17:48 | 000,356,120 | ---- | M] () -- I:\WINDOWS\System32\PerfStringBackup.INI
[2010/09/01 03:15:36 | 002,692,776 | -H-- | M] () -- I:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/09/01 03:00:25 | 000,001,789 | ---- | M] () -- I:\WINDOWS\imsins.BAK
[2010/08/31 10:42:48 | 000,119,744 | ---- | M] () -- I:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/30 16:01:03 | 000,000,696 | ---- | M] () -- I:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/30 14:47:28 | 000,446,464 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/08/20 15:19:03 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- I:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46.exe
[2010/08/11 09:02:58 | 000,008,875 | ---- | M] () -- I:\WINDOWS\cfgall.ini
[2010/08/06 15:53:11 | 1040,355,328 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\vista_6000.16386.061101-2205-LRMAIK_EN.img
[2010/08/06 09:50:24 | 001,849,343 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\WindowsServer2003-KB892778-SP1-DeployTools-x86-ENU.cab
[2010/07/29 16:39:46 | 001,015,348 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\p95v2511.zip
[2010/07/08 16:09:54 | 000,000,706 | ---- | M] () -- I:\Documents and Settings\All Users\Desktop\PDFCreator.lnk
[2010/06/10 11:53:19 | 000,001,678 | ---- | M] () -- I:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

========== Files Created - No Company Name ==========

[2010/09/03 10:57:26 | 000,293,376 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\1wx24enh.exe
[2010/09/03 10:54:40 | 000,525,824 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/09/03 10:52:44 | 000,002,463 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\HiJackThis.lnk
[2010/09/03 10:52:09 | 001,402,880 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\HiJackThis.msi
[2010/08/31 03:00:22 | 000,001,789 | ---- | C] () -- I:\WINDOWS\imsins.BAK
[2010/08/30 16:01:03 | 000,000,696 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/10 13:06:50 | 000,005,946 | ---- | C] () -- I:\Documents and Settings\Administrator\reset.log
[2010/08/06 14:47:00 | 1040,355,328 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\vista_6000.16386.061101-2205-LRMAIK_EN.img
[2010/08/06 09:50:20 | 001,849,343 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\WindowsServer2003-KB892778-SP1-DeployTools-x86-ENU.cab
[2010/07/29 16:39:45 | 001,015,348 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\p95v2511.zip
[2010/07/08 16:09:54 | 000,000,706 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\PDFCreator.lnk
[2010/07/08 16:09:49 | 000,116,224 | ---- | C] () -- I:\WINDOWS\System32\pdfcmnnt.dll
[2010/06/10 11:53:19 | 000,001,678 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/06 15:25:53 | 000,212,992 | ---- | C] () -- I:\WINDOWS\System32\nvapi.dll
[2010/04/06 11:45:20 | 000,000,036 | ---- | C] () -- I:\WINDOWS\webica.ini
[2009/12/22 10:45:43 | 000,008,875 | ---- | C] () -- I:\WINDOWS\cfgall.ini
[2009/12/22 10:40:10 | 000,156,672 | ---- | C] () -- I:\WINDOWS\System32\RTLCPAPI.dll
[2006/10/22 12:22:00 | 001,662,976 | ---- | C] () -- I:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 12:22:00 | 001,470,464 | ---- | C] () -- I:\WINDOWS\System32\nview.dll
[2006/10/22 12:22:00 | 001,019,904 | ---- | C] () -- I:\WINDOWS\System32\nvwimg.dll
[2006/10/22 12:22:00 | 000,581,632 | ---- | C] () -- I:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 12:22:00 | 000,466,944 | ---- | C] () -- I:\WINDOWS\System32\nvshell.dll
[2006/10/22 12:22:00 | 000,286,720 | ---- | C] () -- I:\WINDOWS\System32\nvnt4cpl.dll

========== LOP Check ==========

[2010/03/30 14:28:38 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\ICAClient
[2010/04/06 16:23:32 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\SystemRequirementsLab
[2010/04/22 09:30:39 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\Thunderbird

========== Purity Check ==========


< End of report >



ComboFix 10-09-07.03 - Administrator 8/2010 Wed 10:33:12.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.950.886.1033.18.1789.1433 [GMT -7:00]
執行位置: i:\documents and settings\Administrator\Desktop\George.exe
AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning disabled* (Outdated) {849635BA-0E5F-4EB0-ACD7-C1895B1C4860}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {849635BA-0E5F-4EB0-ACD7-C1895B1C4860}
.

((((((((((((((((((((((((( 2010-08-08 至 2010-09-08 的新的檔案 )))))))))))))))))))))))))))))))
.

2010-09-08 15:46 . 2010-09-08 15:46 -------- d-----w- I:\_OTL
2010-09-03 17:52 . 2010-09-03 17:52 388096 ----a-r- i:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-31 10:09 . 2010-06-21 15:27 354304 -c----w- i:\windows\system32\dllcache\srv.sys
2010-08-31 10:09 . 2009-10-15 16:28 81920 -c----w- i:\windows\system32\dllcache\fontsub.dll
2010-08-31 10:09 . 2009-10-15 16:28 119808 -c----w- i:\windows\system32\dllcache\t2embed.dll
2010-08-31 10:09 . 2009-06-21 21:44 153088 -c----w- i:\windows\system32\dllcache\triedit.dll
2010-08-31 10:09 . 2010-04-27 13:59 2146304 -c----w- i:\windows\system32\dllcache\ntkrnlmp.exe
2010-08-31 10:09 . 2010-04-28 02:25 2189952 -c----w- i:\windows\system32\dllcache\ntoskrnl.exe
2010-08-31 10:09 . 2010-04-27 13:05 2066816 -c----w- i:\windows\system32\dllcache\ntkrnlpa.exe
2010-08-31 10:09 . 2010-04-27 13:05 2024448 -c----w- i:\windows\system32\dllcache\ntkrpamp.exe
2010-08-31 10:08 . 2008-05-08 14:02 203136 -c----w- i:\windows\system32\dllcache\rmcast.sys
2010-08-31 10:08 . 2008-05-01 14:33 331776 -c----w- i:\windows\system32\dllcache\msadce.dll
2010-08-31 10:07 . 2008-06-13 11:05 272128 -c----w- i:\windows\system32\dllcache\bthport.sys
2010-08-31 10:07 . 2010-02-24 13:11 455680 -c----w- i:\windows\system32\dllcache\mrxsmb.sys
2010-08-31 10:07 . 2010-06-14 14:31 744448 -c----w- i:\windows\system32\dllcache\helpsvc.exe
2010-08-31 10:05 . 2009-03-06 14:22 284160 -c----w- i:\windows\system32\dllcache\pdh.dll
2010-08-31 10:05 . 2009-02-09 12:10 473600 -c----w- i:\windows\system32\dllcache\fastprox.dll
2010-08-31 10:05 . 2009-02-09 12:10 453120 -c----w- i:\windows\system32\dllcache\wmiprvsd.dll
2010-08-31 10:05 . 2009-02-09 12:10 401408 -c----w- i:\windows\system32\dllcache\rpcss.dll
2010-08-31 10:05 . 2009-02-06 11:11 110592 -c----w- i:\windows\system32\dllcache\services.exe
2010-08-31 10:05 . 2009-02-06 10:10 227840 -c----w- i:\windows\system32\dllcache\wmiprvse.exe
2010-08-31 10:05 . 2009-02-09 12:10 714752 -c----w- i:\windows\system32\dllcache\ntdll.dll
2010-08-31 10:05 . 2009-02-09 12:10 617472 -c----w- i:\windows\system32\dllcache\advapi32.dll
2010-08-31 10:05 . 2009-11-21 15:51 471552 -c----w- i:\windows\system32\dllcache\aclayers.dll
2010-08-31 10:01 . 2010-06-18 13:36 3558912 -c----w- i:\windows\system32\dllcache\moviemk.exe
2010-08-31 10:01 . 2008-10-15 16:34 337408 -c----w- i:\windows\system32\dllcache\netapi32.dll
2010-08-31 10:01 . 2008-05-03 11:55 2560 ------w- i:\windows\system32\xpsp4res.dll
2010-08-31 10:01 . 2008-04-21 12:08 215552 -c----w- i:\windows\system32\dllcache\wordpad.exe
2010-08-30 23:01 . 2010-04-29 22:39 38224 ----a-w- i:\windows\system32\drivers\mbamswissarmy.sys
2010-08-30 23:01 . 2010-04-29 22:39 20952 ----a-w- i:\windows\system32\drivers\mbam.sys
2010-08-30 23:00 . 2010-08-30 23:01 -------- d-----w- i:\program files\Malwarebytes' Anti-Malware
2010-08-30 22:59 . 2009-08-07 02:23 274288 ----a-w- i:\windows\system32\mucltui.dll
2010-08-30 22:59 . 2009-08-07 02:23 215920 ----a-w- i:\windows\system32\muweb.dll
2010-08-30 22:20 . 2010-06-01 17:37 221568 ------w- i:\windows\system32\MpSigStub.exe
2010-08-20 21:18 . 2009-06-30 16:37 28552 ----a-w- i:\windows\system32\drivers\pavboot.sys
2010-08-20 21:18 . 2010-08-20 21:18 -------- d-----w- i:\program files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 17:52 . 2009-12-22 17:44 -------- d-----w- i:\program files\Trend Micro
2010-08-30 21:50 . 2010-06-10 18:53 63488 ----a-w- i:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-30 21:50 . 2010-06-10 18:53 117760 ----a-w- i:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-30 21:49 . 2010-06-10 18:53 -------- d-----w- i:\program files\SUPERAntiSpyware
2010-06-30 12:31 . 2004-08-04 10:00 149504 ----a-w- i:\windows\system32\schannel.dll
2010-06-23 13:44 . 2004-08-04 10:00 1851904 ----a-w- i:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 10:00 354304 ----a-w- i:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 10:00 80384 ----a-w- i:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-12-22 17:09 744448 ----a-w- i:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 10:00 1172480 ----a-w- i:\windows\system32\msxml3.dll
2010-06-10 18:53 . 2010-06-10 18:53 52224 ----a-w- i:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
.

((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="i:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-30 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="i:\windows\system32\nvraidservice.exe" [2005-07-23 126464]
"RTDCPL"="RTDCPL.EXE" [2005-05-26 12275200]
"Adobe Reader Speed Launcher"="i:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="i:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="i:\program files\Java\jre6\bin\jusched.exe" [2009-12-22 149280]
"OfficeScanNT Monitor"="i:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 394952]
"IMJPMIG8.1"="i:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="i:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-13 44032]
"MSPY2002"="i:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="i:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="i:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvCplDaemon"="i:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="i:\windows\system32\NvMcTray.dll" [2006-10-22 86016]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "i:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- i:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;i:\windows\system32\drivers\pavboot.sys [8/20/2010 2:18 PM 28552]
R1 SASDIFSV;SASDIFSV;i:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;i:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 TmPreFilter;Trend Micro PreFilter;i:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [9/27/2006 6:31 PM 36368]
S2 TmFilter;Trend Micro Filter;i:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [9/27/2006 6:31 PM 230928]
S3 MBAMSwissArmy;MBAMSwissArmy;i:\windows\system32\drivers\mbamswissarmy.sys [8/30/2010 4:01 PM 38224]
.
.
------- 而外的掃描 -------
.
uInternet Connection Wizard,ShellNext = hxxp://manuals.craftsmancollision.com/Operations/default.htm
TCP: {71B6702D-F18F-4D62-BD08-587DE9A03198} = 216.251.128.8,216.251.128.9
FF - ProfilePath - i:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zb9x1bc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

---- 火狐配置文件 ----
i:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
i:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
i:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Octoshape add-in for Adobe Flash Player - i:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-08 10:35
Windows 5.1.2600 Service Pack 3 NTFS

掃描被隱藏的進程 ...

掃描被隱藏的啟動組 ...

掃描被隱藏的文件 ...

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
--------------------- 運行進程下的動態鏈接庫 ---------------------

- - - - - - - > 'winlogon.exe'(724)
i:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(3804)
i:\windows\system32\nview.dll
i:\windows\system32\ieframe.dll
i:\windows\system32\OneX.DLL
i:\windows\system32\eappprxy.dll
.
完成時間: 2010-09-08 10:36:31
ComboFix-quarantined-files.txt 2010-09-08 17:36

Pre-Run: 131,683,618,816 bytes free
Post-Run: 131,646,500,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3C81F18E85A640212E0C0A06FD4F5DAE

#7
RKinner

    Malware Expert

  • Expert
  • 13,200 posts
  • MVP
Your Trend anti-virus is outdated. If the subscription has expired, uninstall it and install the free Avast!.

http://www.avast.com...avast-home.html

  • Go to this page and Download TDSSKiller.zip to your Desktop.
  • Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  • Double click on TDSSKiller.exe to run it.
  • If TDSSKiller alerts you that the system needs to reboot, please consent.
  • When done, a log file should be created on your C: drive named "TDSSKiller.txt". Please copy and paste the contents in your next reply.

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.

Ron

#8
drunkducki

    Member

  • Member
  • PipPip
  • 87 posts
2010/09/08 11:22:40.0890 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/08 11:22:40.0890 ================================================================================
2010/09/08 11:22:40.0890 SystemInfo:
2010/09/08 11:22:40.0890
2010/09/08 11:22:40.0890 OS Version: 5.1.2600 ServicePack: 3.0
2010/09/08 11:22:40.0890 Product type: Workstation
2010/09/08 11:22:40.0890 ComputerName: HARBOURSIDEXPS
2010/09/08 11:22:40.0890 UserName: Administrator
2010/09/08 11:22:40.0890 Windows directory: I:\WINDOWS
2010/09/08 11:22:40.0890 System windows directory: I:\WINDOWS
2010/09/08 11:22:40.0890 Processor architecture: Intel x86
2010/09/08 11:22:40.0890 Number of processors: 2
2010/09/08 11:22:40.0890 Page size: 0x1000
2010/09/08 11:22:40.0890 Boot type: Normal boot
2010/09/08 11:22:40.0890 ================================================================================
2010/09/08 11:22:41.0078 Initialize success
2010/09/08 11:22:44.0375 ================================================================================
2010/09/08 11:22:44.0375 Scan started
2010/09/08 11:22:44.0375 Mode: Manual;
2010/09/08 11:22:44.0375 ================================================================================
2010/09/08 11:22:44.0812 ACPI (8fd99680a539792a30e97944fdaecf17) I:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/08 11:22:44.0875 ACPIEC (9859c0f6936e723e4892d7141b1327d5) I:\WINDOWS\system32\drivers\ACPIEC.sys
2010/09/08 11:22:44.0953 aec (8bed39e3c35d6a489438b8141717a557) I:\WINDOWS\system32\drivers\aec.sys
2010/09/08 11:22:45.0031 AFD (7e775010ef291da96ad17ca4b17137d7) I:\WINDOWS\System32\drivers\afd.sys
2010/09/08 11:22:45.0265 ALCXWDM (3c297a80222d7da2697e3e6d948a9795) I:\WINDOWS\system32\drivers\ALCXWDM.SYS
2010/09/08 11:22:45.0453 Arp1394 (b5b8a80875c1dededa8b02765642c32f) I:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/09/08 11:22:45.0625 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) I:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/09/08 11:22:45.0656 atapi (9f3a2f5aa6875c72bf062c712cfa2674) I:\WINDOWS\system32\DRIVERS\atapi.sys
2010/09/08 11:22:45.0734 Atmarpc (9916c1225104ba14794209cfa8012159) I:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/09/08 11:22:45.0812 audstub (d9f724aa26c010a217c97606b160ed68) I:\WINDOWS\system32\DRIVERS\audstub.sys
2010/09/08 11:22:45.0843 Beep (da1f27d85e0d1525f6621372e7b685e9) I:\WINDOWS\system32\drivers\Beep.sys
2010/09/08 11:22:46.0000 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) I:\WINDOWS\system32\drivers\cbidf2k.sys
2010/09/08 11:22:46.0078 Cdaudio (c1b486a7658353d33a10cc15211a873b) I:\WINDOWS\system32\drivers\Cdaudio.sys
2010/09/08 11:22:46.0109 Cdfs (c885b02847f5d2fd45a24e219ed93b32) I:\WINDOWS\system32\drivers\Cdfs.sys
2010/09/08 11:22:46.0171 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) I:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/09/08 11:22:46.0234 cercsr6 (84853b3fd012251690570e9e7e43343f) I:\WINDOWS\system32\drivers\cercsr6.sys
2010/09/08 11:22:46.0468 Disk (044452051f3e02e7963599fc8f4f3e25) I:\WINDOWS\system32\DRIVERS\disk.sys
2010/09/08 11:22:46.0546 dmboot (d992fe1274bde0f84ad826acae022a41) I:\WINDOWS\system32\drivers\dmboot.sys
2010/09/08 11:22:46.0625 dmio (7c824cf7bbde77d95c08005717a95f6f) I:\WINDOWS\system32\drivers\dmio.sys
2010/09/08 11:22:46.0656 dmload (e9317282a63ca4d188c0df5e09c6ac5f) I:\WINDOWS\system32\drivers\dmload.sys
2010/09/08 11:22:46.0703 DMusic (8a208dfcf89792a484e76c40e5f50b45) I:\WINDOWS\system32\drivers\DMusic.sys
2010/09/08 11:22:46.0781 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) I:\WINDOWS\system32\drivers\drmkaud.sys
2010/09/08 11:22:46.0875 Fastfat (38d332a6d56af32635675f132548343e) I:\WINDOWS\system32\drivers\Fastfat.sys
2010/09/08 11:22:46.0937 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) I:\WINDOWS\system32\DRIVERS\fdc.sys
2010/09/08 11:22:46.0968 Fips (d45926117eb9fa946a6af572fbe1caa3) I:\WINDOWS\system32\drivers\Fips.sys
2010/09/08 11:22:47.0031 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) I:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/09/08 11:22:47.0062 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) I:\WINDOWS\system32\drivers\fltmgr.sys
2010/09/08 11:22:47.0109 FsVga (455f778ee14368468560bd7cb8c854d0) I:\WINDOWS\system32\DRIVERS\fsvga.sys
2010/09/08 11:22:47.0140 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) I:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/09/08 11:22:47.0187 Ftdisk (6ac26732762483366c3969c9e4d2259d) I:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/09/08 11:22:47.0250 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) I:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/09/08 11:22:47.0312 hidusb (ccf82c5ec8a7326c3066de870c06daf1) I:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/09/08 11:22:47.0437 HTTP (f80a415ef82cd06ffaf0d971528ead38) I:\WINDOWS\system32\Drivers\HTTP.sys
2010/09/08 11:22:47.0531 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) I:\WINDOWS\system32\drivers\i8042prt.sys
2010/09/08 11:22:47.0578 Imapi (083a052659f5310dd8b6a6cb05edcf8e) I:\WINDOWS\system32\DRIVERS\imapi.sys
2010/09/08 11:22:47.0703 intelppm (8c953733d8f36eb2133f5bb58808b66b) I:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/09/08 11:22:47.0781 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) I:\WINDOWS\system32\drivers\ip6fw.sys
2010/09/08 11:22:47.0828 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) I:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/09/08 11:22:47.0875 IpInIp (b87ab476dcf76e72010632b5550955f5) I:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/09/08 11:22:47.0921 IpNat (cc748ea12c6effde940ee98098bf96bb) I:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/09/08 11:22:47.0968 IPSec (23c74d75e36e7158768dd63d92789a91) I:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/09/08 11:22:48.0015 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) I:\WINDOWS\system32\DRIVERS\irenum.sys
2010/09/08 11:22:48.0062 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) I:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/09/08 11:22:48.0093 Kbdclass (463c1ec80cd17420a542b7f36a36f128) I:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/08 11:22:48.0140 kbdhid (9ef487a186dea361aa06913a75b3fa99) I:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/09/08 11:22:48.0203 kmixer (692bcf44383d056aed41b045a323d378) I:\WINDOWS\system32\drivers\kmixer.sys
2010/09/08 11:22:48.0250 KSecDD (b467646c54cc746128904e1654c750c1) I:\WINDOWS\system32\drivers\KSecDD.sys
2010/09/08 11:22:48.0359 MBAMSwissArmy (c7dd7d9739785bd3a6b8499eec1dee7e) I:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010/09/08 11:22:48.0406 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) I:\WINDOWS\system32\drivers\mnmdd.sys
2010/09/08 11:22:48.0453 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) I:\WINDOWS\system32\drivers\Modem.sys
2010/09/08 11:22:48.0500 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) I:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/09/08 11:22:48.0562 mouhid (b1c303e17fb9d46e87a98e4ba6769685) I:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/09/08 11:22:48.0593 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) I:\WINDOWS\system32\drivers\MountMgr.sys
2010/09/08 11:22:48.0671 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) I:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/09/08 11:22:48.0734 MRxSmb (f3aefb11abc521122b67095044169e98) I:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/09/08 11:22:48.0781 Msfs (c941ea2454ba8350021d774daf0f1027) I:\WINDOWS\system32\drivers\Msfs.sys
2010/09/08 11:22:48.0843 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) I:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/09/08 11:22:48.0890 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) I:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/09/08 11:22:48.0953 MSPQM (bad59648ba099da4a17680b39730cb3d) I:\WINDOWS\system32\drivers\MSPQM.sys
2010/09/08 11:22:49.0000 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) I:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/09/08 11:22:49.0078 Mup (2f625d11385b1a94360bfc70aaefdee1) I:\WINDOWS\system32\drivers\Mup.sys
2010/09/08 11:22:49.0109 NDIS (1df7f42665c94b825322fae71721130d) I:\WINDOWS\system32\drivers\NDIS.sys
2010/09/08 11:22:49.0156 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) I:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/09/08 11:22:49.0218 Ndisuio (f927a4434c5028758a842943ef1a3849) I:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/09/08 11:22:49.0250 NdisWan (edc1531a49c80614b2cfda43ca8659ab) I:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/09/08 11:22:49.0312 NDProxy (6215023940cfd3702b46abc304e1d45a) I:\WINDOWS\system32\drivers\NDProxy.sys
2010/09/08 11:22:49.0343 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) I:\WINDOWS\system32\DRIVERS\netbios.sys
2010/09/08 11:22:49.0390 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) I:\WINDOWS\system32\DRIVERS\netbt.sys
2010/09/08 11:22:49.0468 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) I:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/09/08 11:22:49.0531 Npfs (3182d64ae053d6fb034f44b6def8034a) I:\WINDOWS\system32\drivers\Npfs.sys
2010/09/08 11:22:49.0578 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) I:\WINDOWS\system32\drivers\Ntfs.sys
2010/09/08 11:22:49.0625 Null (73c1e1f395918bc2c6dd67af7591a3ad) I:\WINDOWS\system32\drivers\Null.sys
2010/09/08 11:22:49.0796 nv (ba1b732c1a70cfea0c1b64f2850bf44f) I:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/09/08 11:22:49.0968 nvatabus (52b64661469fa11e51c006099b251fa7) I:\WINDOWS\system32\drivers\nvatabus.sys
2010/09/08 11:22:50.0031 NVENETFD (2f4ca0052a50d122b9f0a2efa52dfa67) I:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/09/08 11:22:50.0062 nvnetbus (197779dde275445ab253667832120ea7) I:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/09/08 11:22:50.0109 nvraid (9ca8859ca78eeb39ed3346a7bc89057b) I:\WINDOWS\system32\drivers\nvraid.sys
2010/09/08 11:22:50.0171 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) I:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/09/08 11:22:50.0234 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) I:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/09/08 11:22:50.0296 ohci1394 (ca33832df41afb202ee7aeb05145922f) I:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/09/08 11:22:50.0359 Parport (5575faf8f97ce5e713d108c2a58d7c7c) I:\WINDOWS\system32\drivers\Parport.sys
2010/09/08 11:22:50.0390 PartMgr (beb3ba25197665d82ec7065b724171c6) I:\WINDOWS\system32\drivers\PartMgr.sys
2010/09/08 11:22:50.0437 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) I:\WINDOWS\system32\drivers\ParVdm.sys
2010/09/08 11:22:50.0468 pavboot (3adb8bd6154a3ef87496e8fce9c22493) I:\WINDOWS\system32\drivers\pavboot.sys
2010/09/08 11:22:50.0500 PCI (a219903ccf74233761d92bef471a07b1) I:\WINDOWS\system32\DRIVERS\pci.sys
2010/09/08 11:22:50.0546 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) I:\WINDOWS\system32\DRIVERS\pciide.sys
2010/09/08 11:22:50.0593 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) I:\WINDOWS\system32\drivers\Pcmcia.sys
2010/09/08 11:22:50.0828 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) I:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/09/08 11:22:50.0890 PSched (09298ec810b07e5d582cb3a3f9255424) I:\WINDOWS\system32\DRIVERS\psched.sys
2010/09/08 11:22:50.0921 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) I:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/09/08 11:22:51.0046 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) I:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/09/08 11:22:51.0093 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) I:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/09/08 11:22:51.0140 RasPppoe (5bc962f2654137c9909c3d4603587dee) I:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/09/08 11:22:51.0171 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) I:\WINDOWS\system32\DRIVERS\raspti.sys
2010/09/08 11:22:51.0218 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) I:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/09/08 11:22:51.0234 RDPCDD (4912d5b403614ce99c28420f75353332) I:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/09/08 11:22:51.0281 rdpdr (15cabd0f7c00c47c70124907916af3f1) I:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/09/08 11:22:51.0359 RDPWD (6728e45b66f93c08f11de2e316fc70dd) I:\WINDOWS\system32\drivers\RDPWD.sys
2010/09/08 11:22:51.0421 redbook (f828dd7e1419b6653894a8f97a0094c5) I:\WINDOWS\system32\DRIVERS\redbook.sys
2010/09/08 11:22:51.0578 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) I:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/09/08 11:22:51.0609 SASKUTIL (61db0d0756a99506207fd724e3692b25) I:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/09/08 11:22:51.0703 Secdrv (90a3935d05b494a5a39d37e71f09a677) I:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/09/08 11:22:51.0750 serenum (0f29512ccd6bead730039fb4bd2c85ce) I:\WINDOWS\system32\DRIVERS\serenum.sys
2010/09/08 11:22:51.0781 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) I:\WINDOWS\system32\DRIVERS\serial.sys
2010/09/08 11:22:51.0843 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) I:\WINDOWS\system32\drivers\Sfloppy.sys
2010/09/08 11:22:51.0968 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) I:\WINDOWS\system32\drivers\splitter.sys
2010/09/08 11:22:52.0000 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) I:\WINDOWS\system32\DRIVERS\sr.sys
2010/09/08 11:22:52.0078 Srv (da852e3e0bf1cea75d756f9866241e57) I:\WINDOWS\system32\DRIVERS\srv.sys
2010/09/08 11:22:52.0109 swenum (3941d127aef12e93addf6fe6ee027e0f) I:\WINDOWS\system32\DRIVERS\swenum.sys
2010/09/08 11:22:52.0140 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) I:\WINDOWS\system32\drivers\swmidi.sys
2010/09/08 11:22:52.0281 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) I:\WINDOWS\system32\drivers\sysaudio.sys
2010/09/08 11:22:52.0375 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) I:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/09/08 11:22:52.0437 TDPIPE (6471a66807f5e104e4885f5b67349397) I:\WINDOWS\system32\drivers\TDPIPE.sys
2010/09/08 11:22:52.0484 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) I:\WINDOWS\system32\drivers\TDTCP.sys
2010/09/08 11:22:52.0531 TermDD (88155247177638048422893737429d9e) I:\WINDOWS\system32\DRIVERS\termdd.sys
2010/09/08 11:22:52.0640 tmcomm (eb2283c0a4dfbd2e53d14f2c4d5a1e89) I:\WINDOWS\system32\drivers\tmcomm.sys
2010/09/08 11:22:52.0734 TmFilter (3e615f370f0c7db414b6bcd1c18399d4) I:\Program Files\Trend Micro\Client Server Security Agent\TmXPFlt.sys
2010/09/08 11:22:52.0828 TmPreFilter (c7c7959ec0940e0eddfc881fed8ec214) I:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys
2010/09/08 11:22:52.0906 TM_CFW (6ebec57eb4b4b29c8a90d3c32a588f3e) I:\Program Files\Trend Micro\Client Server Security Agent\tm_cfw.sys
2010/09/08 11:22:53.0203 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) I:\WINDOWS\system32\drivers\Udfs.sys
2010/09/08 11:22:53.0296 Update (402ddc88356b1bac0ee3dd1580c76a31) I:\WINDOWS\system32\DRIVERS\update.sys
2010/09/08 11:22:53.0390 usbccgp (173f317ce0db8e21322e71b7e60a27e8) I:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/09/08 11:22:53.0421 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) I:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/09/08 11:22:53.0453 usbhub (1ab3cdde553b6e064d2e754efe20285c) I:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/09/08 11:22:53.0484 usbohci (0daecce65366ea32b162f85f07c6753b) I:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/09/08 11:22:53.0546 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) I:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/09/08 11:22:53.0609 usbstor (a32426d9b14a089eaa1d922e0c5801a9) I:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/09/08 11:22:53.0640 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) I:\WINDOWS\System32\drivers\vga.sys
2010/09/08 11:22:53.0703 VolSnap (4c8fcb5cc53aab716d810740fe59d025) I:\WINDOWS\system32\drivers\VolSnap.sys
2010/09/08 11:22:53.0750 VSApiNt (60dfbc34228ca36221b03460789f5d4e) I:\Program Files\Trend Micro\Client Server Security Agent\VSApiNt.sys
2010/09/08 11:22:53.0843 Wanarp (e20b95baedb550f32dd489265c1da1f6) I:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/09/08 11:22:53.0906 wdmaud (6768acf64b18196494413695f0c3a00f) I:\WINDOWS\system32\drivers\wdmaud.sys
2010/09/08 11:22:54.0109 ================================================================================
2010/09/08 11:22:54.0109 Scan finished
2010/09/08 11:22:54.0109 ================================================================================
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000001fd

Kernel Drivers (total 127):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB80B8000 ohci1394.sys
0xB80C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80D8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB85AC000 dmload.sys
0xB7F23000 dmio.sys
0xB7F10000 nvraid.sys
0xB80E8000 \WINDOWS\system32\drivers\CLASSPNP.SYS
0xB8330000 PartMgr.sys
0xB8338000 pavboot.sys
0xB80F8000 VolSnap.sys
0xB7EF8000 atapi.sys
0xB7EE1000 nvatabus.sys
0xB8340000 cercsr6.sys
0xB7EC9000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xB8108000 disk.sys
0xB7EA9000 fltmgr.sys
0xB7E97000 sr.sys
0xB7E80000 KSecDD.sys
0xB7DF3000 Ntfs.sys
0xB7DC6000 NDIS.sys
0xB7DAC000 Mup.sys
0xB8128000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB8228000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB7983000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB796F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8238000 \SystemRoot\system32\DRIVERS\serial.sys
0xB8578000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB8350000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB794B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB8368000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB767D000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xB763B000 \SystemRoot\system32\drivers\portcls.sys
0xB8258000 \SystemRoot\system32\drivers\drmk.sys
0xB7618000 \SystemRoot\system32\drivers\ks.sys
0xB8268000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB8278000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8288000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB8584000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xB75AA000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xB7576000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
0xB8588000 \SystemRoot\system32\DRIVERS\fsvga.sys
0xB87CC000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB82A8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB858C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB755F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB82C8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB82D8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8378000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB7473000 \SystemRoot\system32\DRIVERS\psched.sys
0xB82F8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB83A8000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB83B0000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB3A76000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB8248000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB83B8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB83C0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB8626000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB3A18000 \SystemRoot\system32\DRIVERS\update.sys
0xB6B08000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB8308000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xB8318000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB7359000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB866A000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB866C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB8724000 \SystemRoot\System32\Drivers\Null.SYS
0xB866E000 \SystemRoot\System32\Drivers\Beep.SYS
0xB8408000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB8410000 \SystemRoot\System32\drivers\vga.sys
0xB85B2000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB85B4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB8418000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB8420000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB7D5F000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB05D4000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB057B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB0553000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB3B26000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB0531000 \SystemRoot\System32\drivers\afd.sys
0xB3B16000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB3B06000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB050F000 \??\I:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xB8428000 \??\I:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xB04E4000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB0474000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB3AF6000 \SystemRoot\System32\Drivers\Fips.SYS
0xB3AC6000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB0439000 \SystemRoot\System32\Drivers\dump_nvraid.sys
0xB3AB6000 \SystemRoot\System32\Drivers\dump_CLASSPNP.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB7604000 \SystemRoot\System32\drivers\Dxapi.sys
0xB8490000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB8763000 \SystemRoot\System32\drivers\dxgthk.sys
0xB8460000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xB859C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB74E4000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB7D63000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB0470000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xB81C8000 \??\I:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys
0xAF3D1000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xAF60C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAE8C4000 \SystemRoot\system32\drivers\wdmaud.sys
0xAEA41000 \SystemRoot\system32\drivers\sysaudio.sys
0xAE751000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAE6AA000 \SystemRoot\system32\DRIVERS\srv.sys
0xAE3D9000 \??\I:\Program Files\Trend Micro\Client Server Security Agent\tm_cfw.sys
0xAE168000 \SystemRoot\System32\Drivers\HTTP.sys
0xB8370000 \??\I:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
0xB85EA000 \??\I:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xB8390000 \??\I:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys
0xAD300000 \??\I:\Program Files\Trend Micro\Client Server Security Agent\VSApiNt.sys
0xAD2B7000 \??\I:\Program Files\Trend Micro\Client Server Security Agent\TmXPFlt.sys
0xAD296000 \??\I:\WINDOWS\system32\drivers\tmcomm.sys
0xAD26B000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 35):
0 System Idle Process
4 System
636 I:\WINDOWS\system32\smss.exe
684 csrss.exe
724 I:\WINDOWS\system32\winlogon.exe
768 I:\WINDOWS\system32\services.exe
780 I:\WINDOWS\system32\lsass.exe
984 I:\WINDOWS\system32\nvsvc32.exe
1000 I:\WINDOWS\system32\svchost.exe
1064 svchost.exe
1152 I:\WINDOWS\system32\svchost.exe
1216 svchost.exe
1348 svchost.exe
1568 I:\WINDOWS\system32\spoolsv.exe
1832 svchost.exe
1908 I:\Program Files\Java\jre6\bin\jqs.exe
184 I:\WINDOWS\system32\svchost.exe
416 I:\Program Files\RealVNC\VNC4\winvnc4.exe
3628 I:\WINDOWS\system32\nvraidservice.exe
3636 I:\WINDOWS\system32\RTDCPL.EXE
3680 I:\Program Files\Trend Micro\Client Server Security Agent\PccNTMon.exe
3748 wmiprvse.exe
3836 I:\WINDOWS\system32\rundll32.exe
3876 I:\WINDOWS\system32\ctfmon.exe
3936 I:\WINDOWS\system32\rundll32.exe
4012 I:\WINDOWS\system32\wbem\unsecapp.exe
4084 I:\WINDOWS\system32\conime.exe
3804 I:\WINDOWS\explorer.exe
2208 I:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
1476 I:\WINDOWS\Temp\MC3EB4.EXE
3724 I:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
1560 I:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe
1800 I:\Program Files\Mozilla Firefox\firefox.exe
4044 I:\Program Files\Mozilla Firefox\plugin-container.exe
1724 C:\temp\MBRCheck.exe

\\.\I: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: NVIDIASTRIPE 298.02G, Rev:

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
  • 0

#9
RKinner

    Malware Expert

  • Expert
  • 13,200 posts
  • MVP
Nothing there.

Try a Bitdefender QuickScan. Close all browsers and tabs. With just one browser open, IE or Firefox, go to:

http://quickscan.bitdefender.com/

When it finishes, it will offer a View Log button. Click on it and then copy and paste the log even if it says it didn't find anything.

What is the status of your Trend anti-virus? Is it able to update? Can you pause it and try MBAM again? Probably best to uninstall your current copy and get a new one from http://www.malwareby.../mbam-setup.exe

Ron
  • 0

#10
drunkducki

    Member

  • Member
  • 87 posts
QuickScan Beta 32-bit v0.9.9.22
-------------------------------
Scan date: Wed Sep 08 14:59:18 2010
I:\Program Files\Mozilla Firefox - could not be accessed


No infection found.
-------------------



Processes
---------
<unsigned> NVIDIA® NVRAID 3628 I:\WINDOWS\system32\nvraidservice.exe
<unsigned> Trend Micro Client/Server/Messaging Sec 3724 I:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
<unsigned> VNC Server 4.0 416 I:\Program Files\RealVNC\VNC4\WinVNC4.exe

<verified> Firefox 1776 I:\Program Files\Mozilla Firefox\firefox.exe
<verified> Java™ Platform SE 6 U16 1908 I:\Program Files\Java\jre6\bin\jqs.exe
<verified> MC3EB4.EXE 1476 I:\WINDOWS\TEMP\MC3EB4.EXE
<verified> Microsoft® Windows® Operating System 3804 I:\WINDOWS\explorer.exe
<verified> Microsoft® Windows® Operating System 4084 I:\WINDOWS\system32\conime.exe
<verified> Microsoft® Windows® Operating System 684 I:\WINDOWS\system32\csrss.exe
<verified> Microsoft® Windows® Operating System 3876 I:\WINDOWS\system32\ctfmon.exe
<verified> Microsoft® Windows® Operating System 780 I:\WINDOWS\system32\lsass.exe
<verified> Microsoft® Windows® Operating System 3836 I:\WINDOWS\system32\RUNDLL32.EXE
<verified> Microsoft® Windows® Operating System 3936 I:\WINDOWS\system32\rundll32.exe
<verified> Microsoft® Windows® Operating System 768 I:\WINDOWS\system32\services.exe
<verified> Microsoft® Windows® Operating System 636 I:\WINDOWS\System32\smss.exe
<verified> Microsoft® Windows® Operating System 1568 I:\WINDOWS\system32\spoolsv.exe
<verified> Microsoft® Windows® Operating System 184 I:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1000 I:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1064 I:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1152 I:\WINDOWS\System32\svchost.exe
<verified> Microsoft® Windows® Operating System 1216 I:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1348 I:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1832 I:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 4012 I:\WINDOWS\system32\wbem\unsecapp.exe
<verified> Microsoft® Windows® Operating System 3748 I:\WINDOWS\system32\wbem\wmiprvse.exe
<verified> Microsoft® Windows® Operating System 724 I:\WINDOWS\system32\winlogon.exe
<verified> NVIDIA Driver Helper Service, Version 9 984 I:\WINDOWS\system32\nvsvc32.exe
<verified> Realtek AC97 Audio Control Panel 3636 I:\WINDOWS\system32\RTDCPL.EXE
<verified> Trend Micro Client/Server/Messaging Sec 1560 I:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
<verified> Trend Micro Client/Server/Messaging Sec 3680 I:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
<verified> Trend Micro Client/Server/Messaging Sec 2208 I:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe


Network activity
----------------
Process firefox.exe (1776) connected on port 80 (HTTP) --> 69.192.197.115
Process firefox.exe (1776) connected on port 80 (HTTP) --> 74.125.127.191
Process firefox.exe (1776) connected on port 80 (HTTP) --> 69.192.204.20
Process firefox.exe (1776) connected on port 80 (HTTP) --> 199.7.48.190
Process firefox.exe (1776) connected on port 80 (HTTP) --> 72.14.213.139
Process firefox.exe (1776) connected on port 80 (HTTP) --> 199.7.51.190
Process firefox.exe (1776) connected on port 80 (HTTP) --> 199.7.52.190
Process firefox.exe (1776) connected on port 80 (HTTP) --> 199.7.71.190
Process firefox.exe (1776) connected on port 80 (HTTP) --> 206.108.207.136

Process WinVNC4.exe (416) listens on ports: 5800 (VNC over HTTP), 5900 (VNC Server)
Process svchost.exe (1064) listens on ports: 135 (RPC)
Process tmlisten.exe (2208) listens on ports: 119 (NNTP (Usenet))


Autoruns and critical files
---------------------------
<unsigned> NVIDIA® NVRAID I:\WINDOWS\system32\nvraidservice.exe
<unsigned> nwiz.exe I:\WINDOWS\system32\nwiz.exe
<unsigned> SuperAntiSpyware I:\Program Files\SUPERAntiSpyware\SASSEH.DLL
<unsigned> SUPERAntiSpyware WinLogon Processor I:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

<verified> Adobe Acrobat I:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
<verified> Adobe Reader and Acrobat Manager I:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
<verified> ImScInst.exe I:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
<verified> Java™ Platform SE 6 U16 I:\Program Files\Java\jre6\bin\jusched.exe
<verified> Microsoft Genuine Advantage I:\WINDOWS\system32\WgaLogon.dll
<verified> Microsoft IME 2002 I:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
<verified> Microsoft Korean IME 2002 I:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
<verified> Microsoft® Windows® Operating System I:\WINDOWS\system32\browseui.dll
<verified> Microsoft® Windows® Operating System I:\WINDOWS\system32\crypt32.dll
<verified> Microsoft® Windows® Operating System I:\WINDOWS\system32\cryptnet.dll
<verified> Microsoft® Windows® Operating System I:\WINDOWS\system32\cscdll.dll
<verified> Microsoft® Windows® Operating System I:\WINDOWS\system32\dimsntfy.dll
<verified> Microsoft® Windows® Operating System I:\WINDOWS\system32\logonui.exe
<verified> Microsoft® Windows® Operating System I:\WINDOWS\system32\sclgntfy.dll
<verified> Microsoft® Windows® Operating System I:\WINDOWS\system32\shell32.dll
<verified> Microsoft® Windows® Operating System I:\WINDOWS\system32\stobject.dll
<verified> Microsoft® Windows® Operating System i:\windows\system32\userinit.exe
<verified> Microsoft® Windows® Operating System I:\WINDOWS\system32\wlnotify.dll
<verified> NVIDIA Compatible Windows 2000 Display I:\WINDOWS\system32\nvcpl.dll
<verified> NVIDIA Media Center Library I:\WINDOWS\system32\nvmctray.dll
<verified> Realtek AC97 Audio Control Panel I:\WINDOWS\system32\RTDCPL.EXE
<verified> SUPERAntiSpyware I:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
<verified> Trend Micro Client/Server/Messaging Sec I:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
<verified> Windows® Internet Explorer I:\WINDOWS\system32\webcheck.dll
<verified> 新注音 I:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE


Browser plugins
---------------
<unsigned> Java™ Platform SE 6 U16 i:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
<unsigned> Shockwave for Director I:\WINDOWS\system32\Adobe\Director\np32dsw.dll

<verified> AcroIEHelperShim Library i:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
<verified> Adobe Acrobat I:\Program Files\Internet Explorer\plugins\nppdf32.dll
<verified> BitDefender QuickScan I:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zb9x1bc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
<verified> BitDefender QuickScan I:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zb9x1bc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
<verified> Java™ Platform SE 6 U16 i:\program files\java\jre6\bin\jp2ssv.dll
<verified> Messenger I:\Program Files\Messenger\msmsgs.exe
<verified> Microsoft® Windows® Operating System I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
<verified> Microsoft® Windows® Operating System I:\WINDOWS\system32\mswsock.dll
<verified> Microsoft® Windows® Operating System I:\WINDOWS\system32\rsvpsp.dll
<verified> Microsoft® Windows® Operating System I:\WINDOWS\system32\winrnr.dll
<verified> Mozilla Default Plug-in I:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> NPSWF32.dll I:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
<verified> Panda ActiveScan 2.0 I:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll
<verified> Windows Genuine Advantage I:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
<verified> Windows® Internet Explorer I:\WINDOWS\system32\ieframe.dll


Missing files
-------------
File not found: C:\WINDOWS\system32\wuauserv.dll
referenced in: HKLM\System\ControlSet001\services\wuauserv\Parameters\"ServiceDll"

File not found: I:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
referenced in: HKLM\System\ControlSet001\services\catchme\"ImagePath"

File not found: I:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys
referenced in: HKLM\System\ControlSet001\services\mbr\"ImagePath"


Scan
----
<unsigned> MD5: 20b2c339361e82a6707533bac481fce4 I:\Program Files\7-Zip\7-zip.dll
<unsigned> MD5: 86f1895ae8c5e8b17d99ece768a70732 I:\Program Files\Java\jre6\bin\msvcr71.dll
<unsigned> MD5: 37edbcc7e5e0b89e59941ff79a2f9746 i:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
<unsigned> MD5: cc92581c25b3a83faff05a03741751d0 I:\Program Files\Mozilla Firefox\freebl3.dll
<unsigned> MD5: 4c6a03bd1b688a29e30a703145e5ebce I:\Program Files\Mozilla Firefox\nssdbm3.dll
<unsigned> MD5: 9795b9b636801a7659b50b300f7a2c3d I:\Program Files\Mozilla Firefox\softokn3.dll
<unsigned> MD5: 7043ddf51d7135c1d1b83b4213dfed61 I:\Program Files\RealVNC\VNC4\WinVNC4.exe
<unsigned> MD5: 7d042213ec10b666923c72da24ee4b9e I:\Program Files\RealVNC\VNC4\wm_hooks.dll
<unsigned> MD5: d617404d119b1db10366692447d8a648 I:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL
<unsigned> MD5: ecd5517a6633826057d4f050927ddf56 I:\Program Files\SUPERAntiSpyware\SASSEH.DLL
<unsigned> MD5: 482e8f6fd557d5a0df7363f72df145fe I:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
<unsigned> MD5: 7ff52d317ac08d8f632a1fb6e100dc68 I:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
<unsigned> MD5: 6ebec57eb4b4b29c8a90d3c32a588f3e I:\Program Files\Trend Micro\Client Server Security Agent\tm_cfw.sys
<unsigned> MD5: 4c077b83943a056a67cc4731e86a909f I:\Program Files\Trend Micro\Client Server Security Agent\tmCfwApi.dll
<unsigned> MD5: 32a783fe8d78db883368ca851e274dbe I:\WINDOWS\system32\Adobe\Director\np32dsw.dll
<unsigned> MD5: 84853b3fd012251690570e9e7e43343f I:\WINDOWS\system32\drivers\cercsr6.sys
<unsigned> MD5: d34a3a96d399ab8c1e0a5132cd2bb274 I:\WINDOWS\system32\nview.dll
<unsigned> MD5: ddceaa2efe1238278a6864ec07c97da0 I:\WINDOWS\system32\nvraidservice.exe
<unsigned> MD5: 6ed1750bb53efb5ea806fa659c9582e8 I:\WINDOWS\system32\NvRaidSvzht.dll
<unsigned> MD5: 4450bbaf1b77f2b87ab9c5ee4e69532c I:\WINDOWS\system32\nvshell.dll
<unsigned> MD5: 0294e2a5e89bf786f24a9cc2fd753191 I:\WINDOWS\system32\nwiz.exe
<unsigned> MD5: 1574dd9d409f2dc45cf82c22b99164a4 I:\WINDOWS\system32\pdfcmnnt.dll
<unsigned> MD5: e4fece18310e23b1d8fee993e35e7a6f I:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll


No file uploaded.

Scan finished - communication took 4 sec
Total traffic - 0.05 MB sent, 2.47 KB recvd
Scanned 883 files and modules - 75 seconds

==============================================================================
  • 0

#11
drunkducki

    Member

  • Member
  • 87 posts
I reinstalled Malwarebytes and did a quick scan. It crashed again while it was scanning the system32 folder.

Don't worry about the anti-virus for now; I'll ask my friend later. Thanks.
  • 0

#12
RKinner

RKinner

    Malware Expert

  • Expert
  • 13,200 posts
  • MVP
BitDefender says you are missing wuauserv.dll from the System32 folder.

This is Windows Auto Updates. Unless there is a reason you don't want it to work, we should look for another one:

# Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
# Under the Custom Scan box paste this in:

/md5start
wuauserv.dll
wuauserv.exe
/md5stop

Then press the Quick Scan button. Post the log.

Ron
  • 0

#13
drunkducki

    Member

  • Member
  • 87 posts
OTL logfile created on: 9/9/2010 8:50:13 AM - Run 3
OTL by OldTimer - Version 3.2.11.0 Folder = I:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 74.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): I:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = I: | %SystemRoot% = I:\WINDOWS | %ProgramFiles% = I:\Program Files
Drive C: | 14.89 Gb Total Space | 11.35 Gb Free Space | 76.20% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 298.01 Gb Total Space | 122.60 Gb Free Space | 41.14% Space Free | Partition Type: NTFS

Computer Name: HARBOURSIDEXPS
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/07 16:18:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/08/30 14:49:08 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- I:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\explorer.exe
PRC - [2007/03/29 08:10:06 | 000,394,952 | ---- | M] (Trend Micro Inc.) -- I:\Program Files\Trend Micro\Client Server Security Agent\PccNTMon.exe
PRC - [2007/03/29 08:10:02 | 000,214,712 | ---- | M] () -- I:\WINDOWS\Temp\NMB9DA.EXE
PRC - [2007/03/29 08:09:38 | 000,603,856 | ---- | M] (Trend Micro Inc.) -- I:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe
PRC - [2007/03/29 08:09:36 | 000,685,776 | ---- | M] (Trend Micro Inc.) -- I:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
PRC - [2007/03/29 08:03:16 | 000,282,704 | ---- | M] (Trend Micro Inc.) -- I:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
PRC - [2005/07/22 17:02:40 | 000,126,464 | ---- | M] (NVIDIA Corporation) -- I:\WINDOWS\system32\nvraidservice.exe
PRC - [2005/05/26 11:38:38 | 012,275,200 | ---- | M] (Realtek Semiconductor Corp.) -- I:\WINDOWS\system32\RTDCPL.EXE
PRC - [2004/08/04 03:00:00 | 000,045,568 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\system32\drwtsn32.exe
PRC - [2004/06/15 15:29:42 | 000,380,928 | ---- | M] (RealVNC Ltd.) -- I:\Program Files\RealVNC\VNC4\winvnc4.exe


========== Modules (SafeList) ==========

MOD - [2010/09/07 16:18:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2008/04/14 06:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\system32\msscript.ocx
MOD - [2006/10/22 12:22:00 | 001,470,464 | ---- | M] () -- I:\WINDOWS\system32\nview.dll
MOD - [2006/10/22 12:22:00 | 000,081,920 | ---- | M] (NVIDIA Corporation) -- I:\WINDOWS\system32\nvwddi.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2007/03/29 08:09:38 | 000,603,856 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe -- (ntrtscan)
SRV - [2007/03/29 08:09:36 | 000,685,776 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe -- (tmlisten)
SRV - [2007/03/29 08:03:16 | 000,282,704 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe -- (OfcPfwSvc)
SRV - [2004/06/15 15:29:42 | 000,380,928 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- I:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)


========== Driver Services (SafeList) ==========

DRV - File not found [File_System | Unknown | Running] -- -- (pavboot)
DRV - File not found [Kernel | On_Demand | Stopped] -- I:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/05/10 11:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- I:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/02/17 11:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- I:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/04 16:39:06 | 000,230,928 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\tmxpflt.sys -- (TmFilter)
DRV - [2009/12/04 16:38:18 | 000,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\tmpreflt.sys -- (TmPreFilter)
DRV - [2009/12/04 16:05:06 | 001,322,680 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\vsapint.sys -- (VSApiNt)
DRV - [2007/12/24 18:37:00 | 000,138,384 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- I:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2007/03/22 10:54:58 | 001,844,928 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\TM_CFW.sys -- (TM_CFW)
DRV - [2006/10/22 12:22:00 | 003,994,624 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/07/26 18:48:30 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/07/26 18:48:28 | 000,033,664 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/07/19 22:59:26 | 000,093,440 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- I:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus)
DRV - [2005/07/19 14:59:28 | 000,076,544 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- I:\WINDOWS\system32\drivers\nvraid.sys -- (nvraid) NVIDIA nForce™
DRV - [2005/06/14 04:38:58 | 002,802,112 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/04 03:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- I:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=302398"
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {e001c731-5e37-4538-a5cb-8168736a2360}:0.9.9.34

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Components: I:\Program Files\Mozilla Firefox\components [2010/09/08 14:58:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Plugins: I:\Program Files\Mozilla Firefox\plugins [2010/09/08 14:58:59 | 000,000,000 | ---D | M]

[2010/04/22 09:30:39 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/04/22 09:30:39 | 000,000,000 | ---D | M] (No name found) -- I:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/09/08 14:59:08 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zb9x1bc.default\extensions
[2010/09/08 14:59:04 | 000,000,000 | ---D | M] (No name found) -- I:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zb9x1bc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2010/07/08 16:08:44 | 000,000,000 | ---D | M] -- I:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/09/08 08:46:22 | 000,000,098 | ---- | M]) - I:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [IMEKRMIG6.1] I:\WINDOWS\ime\imkr6_1\imekrmig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] I:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] I:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NvCplDaemon] I:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] I:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVRaidService] I:\WINDOWS\system32\nvraidservice.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] I:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [OfficeScanNT Monitor] I:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [PHIME2002A] I:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] I:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [RTDCPL] I:\WINDOWS\System32\RTDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [SUPERAntiSpyware] I:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] I:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1272489429046 (WUWebControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - I:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - I:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - I:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: I:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: I:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - I:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/09/08 15:11:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- I:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/09/08 15:11:47 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- I:\WINDOWS\System32\drivers\mbam.sys
[2010/09/08 15:11:11 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- I:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46(2).exe
[2010/09/08 14:59:10 | 000,000,000 | ---D | C] -- I:\Documents and Settings\Administrator\Application Data\QuickScan
[2010/09/08 10:44:37 | 000,000,000 | -HSD | C] -- I:\RECYCLER
[2010/09/08 10:32:45 | 000,000,000 | RHSD | C] -- I:\cmdcons
[2010/09/08 10:32:06 | 000,212,480 | ---- | C] (SteelWerX) -- I:\WINDOWS\SWXCACLS.exe
[2010/09/08 10:32:06 | 000,161,792 | ---- | C] (SteelWerX) -- I:\WINDOWS\SWREG.exe
[2010/09/08 10:32:06 | 000,136,704 | ---- | C] (SteelWerX) -- I:\WINDOWS\SWSC.exe
[2010/09/08 10:32:06 | 000,031,232 | ---- | C] (NirSoft) -- I:\WINDOWS\NIRCMD.exe
[2010/09/08 10:32:01 | 000,000,000 | ---D | C] -- I:\WINDOWS\ERDNT
[2010/09/08 10:31:52 | 000,000,000 | ---D | C] -- I:\Qoobox
[2010/09/08 08:46:21 | 000,000,000 | ---D | C] -- I:\_OTL
[2010/09/07 16:18:25 | 000,574,976 | ---- | C] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/09/07 14:44:52 | 001,293,400 | ---- | C] (Kaspersky Lab ZAO) -- I:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/08/31 03:00:20 | 000,000,000 | ---D | C] -- I:\WINDOWS\System32\PreInstall
[2010/08/30 16:00:59 | 000,000,000 | ---D | C] -- I:\Program Files\Malwarebytes' Anti-Malware
[2010/08/30 15:54:53 | 000,000,000 | RH-D | C] -- I:\Documents and Settings\Administrator\Recent
[2010/08/30 15:16:13 | 000,000,000 | ---D | C] -- I:\WINDOWS\System32\SoftwareDistribution
[2010/08/30 14:47:27 | 000,446,464 | ---- | C] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/08/20 14:18:33 | 000,000,000 | ---D | C] -- I:\Program Files\Panda Security
[2010/08/05 14:59:34 | 000,000,000 | R--D | C] -- I:\Documents and Settings\Administrator\My Documents\My Pictures
[2010/07/21 08:43:51 | 000,000,000 | ---D | C] -- I:\Image Backup
[2010/07/08 16:09:47 | 000,000,000 | ---D | C] -- I:\Program Files\PDFCreator
[2010/07/08 16:08:44 | 000,000,000 | ---D | C] -- I:\WINDOWS\System32\appmgmt

========== Files - Modified Within 90 Days ==========

[2010/09/08 15:32:11 | 001,835,008 | -H-- | M] () -- I:\Documents and Settings\Administrator\NTUSER.DAT
[2010/09/08 15:13:54 | 000,356,120 | ---- | M] () -- I:\WINDOWS\System32\PerfStringBackup.INI
[2010/09/08 15:13:54 | 000,311,604 | ---- | M] () -- I:\WINDOWS\System32\perfh009.dat
[2010/09/08 15:13:54 | 000,039,992 | ---- | M] () -- I:\WINDOWS\System32\perfc009.dat
[2010/09/08 15:11:51 | 000,000,696 | ---- | M] () -- I:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/08 15:11:30 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- I:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46(2).exe
[2010/09/08 15:09:59 | 000,002,206 | ---- | M] () -- I:\WINDOWS\System32\wpa.dbl
[2010/09/08 15:09:48 | 000,275,400 | ---- | M] () -- I:\WINDOWS\System32\NvApps.xml
[2010/09/08 15:09:43 | 000,000,006 | -H-- | M] () -- I:\WINDOWS\tasks\SA.DAT
[2010/09/08 15:09:41 | 000,002,048 | --S- | M] () -- I:\WINDOWS\bootstat.dat
[2010/09/08 15:08:48 | 000,000,178 | -HS- | M] () -- I:\Documents and Settings\Administrator\ntuser.ini
[2010/09/08 15:08:43 | 003,755,922 | -H-- | M] () -- I:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/09/08 11:22:23 | 001,293,400 | ---- | M] (Kaspersky Lab ZAO) -- I:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/09/08 10:35:12 | 000,000,227 | ---- | M] () -- I:\WINDOWS\system.ini
[2010/09/08 10:32:48 | 000,000,327 | RHS- | M] () -- I:\boot.ini
[2010/09/08 08:46:22 | 000,000,098 | ---- | M] () -- I:\WINDOWS\System32\drivers\etc\Hosts
[2010/09/07 16:18:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/09/03 10:57:27 | 000,293,376 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\1wx24enh.exe
[2010/09/03 10:54:42 | 000,525,824 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/09/03 10:52:51 | 000,002,463 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\HiJackThis.lnk
[2010/09/03 10:52:13 | 001,402,880 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\HiJackThis.msi
[2010/09/01 03:00:25 | 000,001,789 | ---- | M] () -- I:\WINDOWS\imsins.BAK
[2010/08/31 10:42:48 | 000,119,744 | ---- | M] () -- I:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/30 14:47:28 | 000,446,464 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/08/11 09:02:58 | 000,008,875 | ---- | M] () -- I:\WINDOWS\cfgall.ini
[2010/08/06 15:53:11 | 1040,355,328 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\vista_6000.16386.061101-2205-LRMAIK_EN.img
[2010/08/06 09:50:24 | 001,849,343 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\WindowsServer2003-KB892778-SP1-DeployTools-x86-ENU.cab
[2010/07/29 16:39:46 | 001,015,348 | ---- | M] () -- I:\Documents and Settings\Administrator\Desktop\p95v2511.zip
[2010/07/08 16:09:54 | 000,000,706 | ---- | M] () -- I:\Documents and Settings\All Users\Desktop\PDFCreator.lnk

========== Files Created - No Company Name ==========

[2010/09/08 15:11:51 | 000,000,696 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/08 10:32:48 | 000,000,210 | ---- | C] () -- I:\Boot.bak
[2010/09/08 10:32:46 | 000,260,272 | RHS- | C] () -- I:\cmldr
[2010/09/08 10:32:06 | 000,256,512 | ---- | C] () -- I:\WINDOWS\PEV.exe
[2010/09/08 10:32:06 | 000,098,816 | ---- | C] () -- I:\WINDOWS\sed.exe
[2010/09/08 10:32:06 | 000,080,412 | ---- | C] () -- I:\WINDOWS\grep.exe
[2010/09/08 10:32:06 | 000,077,312 | ---- | C] () -- I:\WINDOWS\MBR.exe
[2010/09/08 10:32:06 | 000,068,096 | ---- | C] () -- I:\WINDOWS\zip.exe
[2010/09/03 10:57:26 | 000,293,376 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\1wx24enh.exe
[2010/09/03 10:54:40 | 000,525,824 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/09/03 10:52:44 | 000,002,463 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\HiJackThis.lnk
[2010/09/03 10:52:09 | 001,402,880 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\HiJackThis.msi
[2010/08/31 03:00:22 | 000,001,789 | ---- | C] () -- I:\WINDOWS\imsins.BAK
[2010/08/10 13:06:50 | 000,005,946 | ---- | C] () -- I:\Documents and Settings\Administrator\reset.log
[2010/08/06 14:47:00 | 1040,355,328 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\vista_6000.16386.061101-2205-LRMAIK_EN.img
[2010/08/06 09:50:20 | 001,849,343 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\WindowsServer2003-KB892778-SP1-DeployTools-x86-ENU.cab
[2010/07/29 16:39:45 | 001,015,348 | ---- | C] () -- I:\Documents and Settings\Administrator\Desktop\p95v2511.zip
[2010/07/08 16:09:54 | 000,000,706 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\PDFCreator.lnk
[2010/07/08 16:09:49 | 000,116,224 | ---- | C] () -- I:\WINDOWS\System32\pdfcmnnt.dll
[2010/04/06 15:25:53 | 000,212,992 | ---- | C] () -- I:\WINDOWS\System32\nvapi.dll
[2010/04/06 11:45:20 | 000,000,036 | ---- | C] () -- I:\WINDOWS\webica.ini
[2009/12/22 10:45:43 | 000,008,875 | ---- | C] () -- I:\WINDOWS\cfgall.ini
[2009/12/22 10:40:10 | 000,156,672 | ---- | C] () -- I:\WINDOWS\System32\RTLCPAPI.dll
[2006/10/22 12:22:00 | 001,662,976 | ---- | C] () -- I:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 12:22:00 | 001,470,464 | ---- | C] () -- I:\WINDOWS\System32\nview.dll
[2006/10/22 12:22:00 | 001,019,904 | ---- | C] () -- I:\WINDOWS\System32\nvwimg.dll
[2006/10/22 12:22:00 | 000,581,632 | ---- | C] () -- I:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 12:22:00 | 000,466,944 | ---- | C] () -- I:\WINDOWS\System32\nvshell.dll
[2006/10/22 12:22:00 | 000,286,720 | ---- | C] () -- I:\WINDOWS\System32\nvnt4cpl.dll

========== LOP Check ==========

[2010/03/30 14:28:38 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\ICAClient
[2010/09/08 15:00:33 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\QuickScan
[2010/04/06 16:23:32 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\SystemRequirementsLab
[2010/04/22 09:30:39 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Administrator\Application Data\Thunderbird

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: WUAUSERV.DLL >
[2004/08/04 03:00:00 | 000,006,656 | ---- | M] (Microsoft Corporation) MD5=13D72740963CBA12D9FF76A7F218BCD8 -- I:\WINDOWS\$NtServicePackUninstall$\wuauserv.dll
[2008/04/14 06:42:12 | 000,006,656 | ---- | M] (Microsoft Corporation) MD5=35321FB577CDC98CE3EB3A3EB9E4610A -- I:\WINDOWS\ServicePackFiles\i386\wuauserv.dll
[2008/04/14 06:42:12 | 000,006,656 | ---- | M] (Microsoft Corporation) MD5=35321FB577CDC98CE3EB3A3EB9E4610A -- I:\WINDOWS\system32\wuauserv.dll
< End of report >
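Reading the OTL log above with a script instead of by eye makes one detail stand out: the only service OTL reports as "File not found" is wuauserv, and the path it records is C:\WINDOWS\system32\wuauserv.dll, while every binary it did locate, and all three copies of that DLL in the MD5 custom scan, sit on I:. The system32 copy on I: also carries the same MD5 as the ServicePackFiles\i386 reference, so the file itself looks intact and the more likely defect is a registered ServiceDll path with the wrong drive letter rather than a deleted DLL. The Python below is an added example, not part of OTL, ComboFix or anything the posters ran. It parses SRV/DRV entries and the "< MD5 for: >" section from a constructed excerpt of this log, infers the system drive from the images OTL found, and flags images that are missing, registered on the wrong drive, or loaded from a Temp directory, and reports whether the live system32 copy matches its ServicePackFiles reference. The function names (parse_otl, infer_system_drive, compare_copies, triage) and the finding codes are my own. The catchme.sys entry under Temp is the GMER rootkit detector that ComboFix drops, as the later ComboFix log confirms, so that flag is informational on this machine.

```python
"""Triage an OTL log: missing service/driver images, wrong-drive paths,
and MD5 agreement between a live system32 DLL and its ServicePackFiles copy.
Added example; not part of OTL, ComboFix or the forum posts."""
import re
from collections import Counter, defaultdict

# Constructed excerpt in the shape of the OTL log above (lines copied from it).
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2007/03/29 08:09:38 | 000,603,856 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- I:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe -- (ntrtscan)
SRV - [2004/06/15 15:29:42 | 000,380,928 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- I:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
DRV - File not found [File_System | Unknown | Running] -- -- (pavboot)
DRV - File not found [Kernel | On_Demand | Stopped] -- I:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2005/07/19 14:59:28 | 000,076,544 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- I:\WINDOWS\system32\drivers\nvraid.sys -- (nvraid) NVIDIA nForce
< MD5 for: WUAUSERV.DLL >
[2004/08/04 03:00:00 | 000,006,656 | ---- | M] (Microsoft Corporation) MD5=13D72740963CBA12D9FF76A7F218BCD8 -- I:\WINDOWS\$NtServicePackUninstall$\wuauserv.dll
[2008/04/14 06:42:12 | 000,006,656 | ---- | M] (Microsoft Corporation) MD5=35321FB577CDC98CE3EB3A3EB9E4610A -- I:\WINDOWS\ServicePackFiles\i386\wuauserv.dll
[2008/04/14 06:42:12 | 000,006,656 | ---- | M] (Microsoft Corporation) MD5=35321FB577CDC98CE3EB3A3EB9E4610A -- I:\WINDOWS\system32\wuauserv.dll
< End of report >
"""

# SRV/DRV line: "<kind> - <stamp or 'File not found'> [<start | state>] -- <path> -- (<name>)"
ENTRY_RE = re.compile(
    r'^(?P<kind>SRV|DRV) - (?P<status>File not found|\[[^\]]*\] \([^)]*\)) '
    r'\[(?P<start>[^\]]*)\] --(?P<path>.*?)-- \((?P<name>[^)]*)\)')
MD5_HDR_RE = re.compile(r'^< MD5 for: (?P<file>.+?) >$')
MD5_RE = re.compile(r'MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$')


def parse_otl(text):
    """Return (service/driver entries, {file name: [(md5, path), ...]})."""
    entries, copies, current = [], defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            e = m.groupdict()
            e['path'] = e['path'].strip()          # empty when OTL prints "-- -- (name)"
            e['missing'] = e['status'] == 'File not found'
            entries.append(e)
            continue
        h = MD5_HDR_RE.match(line)
        if h:
            current = h.group('file').lower()      # section header for the MD5 lines below it
            continue
        k = MD5_RE.search(line)
        if k and current:
            copies[current].append((k.group('md5').upper(), k.group('path')))
    return entries, dict(copies)


def infer_system_drive(entries):
    """Most common drive letter among images OTL actually located (e.g. 'I:')."""
    drives = Counter(e['path'][:2].upper() for e in entries
                     if not e['missing'] and re.match(r'^[A-Za-z]:', e['path']))
    return drives.most_common(1)[0][0] if drives else None


def compare_copies(fname, copies):
    """MATCH/MISMATCH of the live system32 copy against the ServicePackFiles\\i386 reference."""
    ref = next((h for h, p in copies if '\\servicepackfiles\\i386\\' in p.lower()), None)
    live = next((h for h, p in copies if p.lower().endswith('\\system32\\' + fname)), None)
    if ref is None or live is None:
        return 'UNKNOWN'
    return 'MATCH' if ref == live else 'MISMATCH'


def triage(text):
    """Return a list of (name, code, detail) findings for the log text."""
    entries, copies = parse_otl(text)
    sysdrive = infer_system_drive(entries)
    findings = []
    for e in entries:
        if not e['missing']:
            continue
        name, path = e['name'], e['path']
        if not path:
            findings.append((name, 'NO_PATH', 'registered with no image path at all'))
            continue
        base = path.rsplit('\\', 1)[-1].lower()
        drive = path[:2].upper()
        if sysdrive and drive != sysdrive:
            # Same file present on the system drive in the MD5 scan: wrong letter, not a deleted file.
            on_sys = [p for _, p in copies.get(base, [])
                      if p.upper().startswith(sysdrive) and p.lower().endswith('\\system32\\' + base)]
            detail = 'registered on %s but system drive is %s' % (drive, sysdrive)
            if on_sys:
                detail += '; file exists at ' + on_sys[0]
            findings.append((name, 'WRONG_DRIVE', detail))
        elif '\\temp\\' in path.lower():
            findings.append((name, 'TEMP_PATH', 'driver image registered under a Temp directory: ' + path))
        else:
            findings.append((name, 'MISSING', 'image not found at ' + path))
    for fname, c in copies.items():
        findings.append((fname, 'MD5_' + compare_copies(fname, c), '%d copies compared' % len(c)))
    return findings


if __name__ == '__main__':
    for name, code, detail in triage(SAMPLE_LOG):
        print('%-13s %-12s %s' % (name, code, detail))
```

Run it against a full OTL log saved as text and the WRONG_DRIVE line tells you before touching anything whether a "File not found" service needs its file restored or only its registered path corrected; MD5_MISMATCH on a system DLL is the case where copying the ServicePackFiles\i386 reference back over the live file is actually warranted.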

#14 RKinner (Malware Expert, 13,200 posts, MVP)
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************


FCopy::
I:\WINDOWS\ServicePackFiles\i386\wuauserv.dll | I:\windows\system32\wuauserv.dll



******************************************

Now open Notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, SAVE AS (to your Desktop), CFScript, OK. Close Notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to George and let it start as before.

Post the new log.

It might be wise to register the dll just to make sure the system knows it is there:

Start, Run, cmd, OK

cd  \windows\system32

regsvr32  wuauserv.dll

(We can try to start the service)

services.msc



(I use two spaces in the code box so you can see where one goes.)

The services window should open. Find Windows Automatic Update service and right click and select Properties. Then make sure the Startup Type is set to Automatic then START the service. Do you get an error?

Close the services window then go back to the command window and type:

net  start  >  junk.txt
notepad  junk.txt

Copy the text from Notepad and paste it into a reply.

Ron

#15 drunkducki (Member, 87 posts)
ComboFix 10-09-08.03 - Administrator 9/2010 Thu 12:25:15.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.950.886.1033.18.1789.1279 [GMT -7:00]
Running from: i:\documents and settings\Administrator\Desktop\George.exe
Command switches used :: i:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning disabled* (Outdated) {849635BA-0E5F-4EB0-ACD7-C1895B1C4860}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {849635BA-0E5F-4EB0-ACD7-C1895B1C4860}
.

((((((((((((((((((((((((((((((((((((((( Files Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

i:\windows\ServicePackFiles\i386\wuauserv.dll --> i:\windows\system32\wuauserv.dll
.
((((((((((((((((((((((((( Files Created from 2010-08-09 to 2010-09-09 )))))))))))))))))))))))))))))))
.

2010-09-08 22:11 . 2010-04-29 22:39 38224 ----a-w- i:\windows\system32\drivers\mbamswissarmy.sys
2010-09-08 22:11 . 2010-04-29 22:39 20952 ----a-w- i:\windows\system32\drivers\mbam.sys
2010-09-08 21:59 . 2010-09-08 22:00 -------- d-----w- i:\documents and settings\Administrator\Application Data\QuickScan
2010-09-08 21:59 . 2010-08-25 23:25 614544 ----a-w- i:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zb9x1bc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-09-08 21:59 . 2010-08-25 23:25 314816 ----a-w- i:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zb9x1bc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-09-08 15:46 . 2010-09-08 15:46 -------- d-----w- I:\_OTL
2010-09-03 17:52 . 2010-09-03 17:52 388096 ----a-r- i:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-31 10:09 . 2010-06-21 15:27 354304 -c----w- i:\windows\system32\dllcache\srv.sys
2010-08-31 10:09 . 2009-10-15 16:28 81920 -c----w- i:\windows\system32\dllcache\fontsub.dll
2010-08-31 10:09 . 2009-10-15 16:28 119808 -c----w- i:\windows\system32\dllcache\t2embed.dll
2010-08-31 10:09 . 2009-06-21 21:44 153088 -c----w- i:\windows\system32\dllcache\triedit.dll
2010-08-31 10:09 . 2010-04-27 13:59 2146304 -c----w- i:\windows\system32\dllcache\ntkrnlmp.exe
2010-08-31 10:09 . 2010-04-28 02:25 2189952 -c----w- i:\windows\system32\dllcache\ntoskrnl.exe
2010-08-31 10:09 . 2010-04-27 13:05 2066816 -c----w- i:\windows\system32\dllcache\ntkrnlpa.exe
2010-08-31 10:09 . 2010-04-27 13:05 2024448 -c----w- i:\windows\system32\dllcache\ntkrpamp.exe
2010-08-31 10:08 . 2008-05-08 14:02 203136 -c----w- i:\windows\system32\dllcache\rmcast.sys
2010-08-31 10:08 . 2008-05-01 14:33 331776 -c----w- i:\windows\system32\dllcache\msadce.dll
2010-08-31 10:07 . 2008-06-13 11:05 272128 -c----w- i:\windows\system32\dllcache\bthport.sys
2010-08-31 10:07 . 2010-02-24 13:11 455680 -c----w- i:\windows\system32\dllcache\mrxsmb.sys
2010-08-31 10:07 . 2010-06-14 14:31 744448 -c----w- i:\windows\system32\dllcache\helpsvc.exe
2010-08-31 10:05 . 2009-03-06 14:22 284160 -c----w- i:\windows\system32\dllcache\pdh.dll
2010-08-31 10:05 . 2009-02-09 12:10 473600 -c----w- i:\windows\system32\dllcache\fastprox.dll
2010-08-31 10:05 . 2009-02-09 12:10 453120 -c----w- i:\windows\system32\dllcache\wmiprvsd.dll
2010-08-31 10:05 . 2009-02-09 12:10 401408 -c----w- i:\windows\system32\dllcache\rpcss.dll
2010-08-31 10:05 . 2009-02-06 11:11 110592 -c----w- i:\windows\system32\dllcache\services.exe
2010-08-31 10:05 . 2009-02-06 10:10 227840 -c----w- i:\windows\system32\dllcache\wmiprvse.exe
2010-08-31 10:05 . 2009-02-09 12:10 714752 -c----w- i:\windows\system32\dllcache\ntdll.dll
2010-08-31 10:05 . 2009-02-09 12:10 617472 -c----w- i:\windows\system32\dllcache\advapi32.dll
2010-08-31 10:05 . 2009-11-21 15:51 471552 -c----w- i:\windows\system32\dllcache\aclayers.dll
2010-08-31 10:01 . 2010-06-18 13:36 3558912 -c----w- i:\windows\system32\dllcache\moviemk.exe
2010-08-31 10:01 . 2008-10-15 16:34 337408 -c----w- i:\windows\system32\dllcache\netapi32.dll
2010-08-31 10:01 . 2008-05-03 11:55 2560 ------w- i:\windows\system32\xpsp4res.dll
2010-08-31 10:01 . 2008-04-21 12:08 215552 -c----w- i:\windows\system32\dllcache\wordpad.exe
2010-08-30 23:00 . 2010-09-08 22:11 -------- d-----w- i:\program files\Malwarebytes' Anti-Malware
2010-08-30 22:59 . 2009-08-07 02:23 274288 ----a-w- i:\windows\system32\mucltui.dll
2010-08-30 22:59 . 2009-08-07 02:23 215920 ----a-w- i:\windows\system32\muweb.dll
2010-08-30 22:20 . 2010-06-01 17:37 221568 ------w- i:\windows\system32\MpSigStub.exe
2010-08-20 21:18 . 2010-09-08 22:31 -------- d-----w- i:\program files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Files Modified Within Three Months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 17:52 . 2009-12-22 17:44 -------- d-----w- i:\program files\Trend Micro
2010-08-30 21:50 . 2010-06-10 18:53 63488 ----a-w- i:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-30 21:50 . 2010-06-10 18:53 117760 ----a-w- i:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-30 21:49 . 2010-06-10 18:53 -------- d-----w- i:\program files\SUPERAntiSpyware
2010-06-30 12:31 . 2004-08-04 10:00 149504 ----a-w- i:\windows\system32\schannel.dll
2010-06-23 13:44 . 2004-08-04 10:00 1851904 ----a-w- i:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 10:00 354304 ----a-w- i:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 10:00 80384 ----a-w- i:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-12-22 17:09 744448 ----a-w- i:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 10:00 1172480 ----a-w- i:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-09-08_17.35.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-08 22:09 . 2010-09-08 22:09 16384 i:\windows\Temp\Perflib_Perfdata_1e0.dat
+ 2004-08-04 10:00 . 2010-09-08 22:13 39992 i:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2010-09-01 10:17 39992 i:\windows\system32\perfc009.dat
+ 2009-12-22 17:09 . 2008-04-14 13:42 6656 i:\windows\system32\dllcache\wuauserv.dll
+ 2004-08-04 10:00 . 2010-09-08 22:13 311604 i:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2010-09-01 10:17 311604 i:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Registry Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="i:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-30 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="i:\windows\system32\nvraidservice.exe" [2005-07-23 126464]
"RTDCPL"="RTDCPL.EXE" [2005-05-26 12275200]
"Adobe Reader Speed Launcher"="i:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="i:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="i:\program files\Java\jre6\bin\jusched.exe" [2009-12-22 149280]
"OfficeScanNT Monitor"="i:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 394952]
"IMJPMIG8.1"="i:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="i:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-13 44032]
"MSPY2002"="i:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="i:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="i:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvCplDaemon"="i:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="i:\windows\system32\NvMcTray.dll" [2006-10-22 86016]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "i:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- i:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;i:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;i:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 TmPreFilter;Trend Micro PreFilter;i:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [9/27/2006 6:31 PM 36368]
R3 MBAMSwissArmy;MBAMSwissArmy;i:\windows\system32\drivers\mbamswissarmy.sys [9/8/2010 3:11 PM 38224]
S2 TmFilter;Trend Micro Filter;i:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [9/27/2006 6:31 PM 230928]
.
.
------- Other Scans -------
.
uInternet Connection Wizard,ShellNext = hxxp://manuals.craftsmancollision.com/Operations/default.htm
TCP: {71B6702D-F18F-4D62-BD08-587DE9A03198} = 216.251.128.8,216.251.128.9
FF - ProfilePath - i:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zb9x1bc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: i:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zb9x1bc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: i:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zb9x1bc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

---- Firefox Configuration Files ----
i:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
i:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
i:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-09 12:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
i:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(2720)
i:\windows\system32\nview.dll
i:\windows\system32\ieframe.dll
i:\windows\system32\OneX.DLL
i:\windows\system32\eappprxy.dll
.
Completion time: 2010-09-09 12:28:13
ComboFix-quarantined-files.txt 2010-09-09 19:28
ComboFix2.txt 2010-09-08 17:36

Pre-Run: 131,614,711,808 bytes free
Post-Run: 131,629,084,672 bytes free

- - End Of File - - 6BACD744B96AAFC3987BDA865F300EC3