rootkit bubnix problem and more

#1
tetley
I would appreciate any assistance. I am trying to help a neighbour clean his computer, as it's had multiple infections and is running very slow. I have exhausted all my knowledge up to this point in cleaning the remaining viruses and 'nasties' and am hoping that someone would be kind enough to see me through the final stages of cleaning this. Originally, this system had mywebsearch, trojan.vundo, microsoft security centre, trojan.hiloti, trojan.agent, rootkit.bubnix, asx/wimangen!1... just to name a few. The rootkit.bubnix seems to keep coming back, and I suspect there's more on here that Malwarebytes and other scans no longer seem to pick up. I have attached the most recent logs...

Malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4624

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/15/2010 9:41:44 PM
mbam-log-2010-09-15 (21-41-44).txt

Scan type: Quick scan
Objects scanned: 136380
Time elapsed: 23 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Gmer Log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-16 12:58:11
Windows 5.1.2600 Service Pack 3
Running: remg.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\kwaorfow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwClose [0xA0CA1A00]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcess [0xA0CA1730]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcessEx [0xA0CA18A0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSection [0xA0CA2340]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xA0CA1F90]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateThread [0xA0CA2C60]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwDuplicateObject [0xA0CA1B60]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadDriver [0xA0C9FF80]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenProcess [0xA0CA1520]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenSection [0xA0CA2170]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xA0CA2910]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwResumeThread [0xA0CA2C10]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetContextThread [0xA0CA2F90]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationFile [0xA0CA3560]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSecurityObject [0xA0C9EC40]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSuspendThread [0xA0CA2BC0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSystemDebugControl [0xA0CA02F0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwTerminateProcess [0xA0CA2760]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwWriteVirtualMemory [0xA0CA1A20]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[284] [0xA0C9DD40]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[285] [0xA0C9DD50]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[286] [0xA0C9DD60]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[287] [0xA0C9DD80]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[288] [0xA0C9DDA0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[289] [0xA0C9DDD0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[290] [0xA0C9DDE0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[291] [0xA0C9DE00]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[292] [0xA0C9DE10]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[293] [0xA0C9DED0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[294] [0xA0C9DFA0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[295] [0xA0C9DFE0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[296] [0xA0C9E020]

Code \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9FA0 5 Bytes JMP A0CA3980 \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab)
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EE87E 2 Bytes JMP A0CA3E80 \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab)
.text ntkrnlpa.exe!IoIsOperationSynchronous + 3 804EE881 2 Bytes [7B, 20] {JNP 0x22}

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat klif.sys (spuper-ptor/Kaspersky Lab)

---- EOF - GMER 1.0.15 ----



OTL Log:

OTL logfile created on: 9/16/2010 12:59:06 PM - Run 2
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Compaq_Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 141.00 Mb Available Physical Memory | 28.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 65.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.79 Gb Total Space | 118.39 Gb Free Space | 82.34% Space Free | Partition Type: NTFS
Drive D: | 5.25 Gb Total Space | 0.56 Gb Free Space | 10.61% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-4F1261A8E5
Current User Name: Compaq_Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/14 18:38:33 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
PRC - [2010/06/01 14:53:46 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/10/02 03:51:36 | 000,968,024 | ---- | M] (Intuit Canada) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/30 11:50:42 | 000,205,480 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2006/07/07 19:14:38 | 000,576,320 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2004/10/14 02:17:06 | 002,742,272 | ---- | M] (RealTek Semicoductor Corp.) -- C:\WINDOWS\ALCWZRD.EXE
PRC - [2004/10/14 00:01:50 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2002/04/12 01:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe
PRC - [2001/12/13 01:01:00 | 000,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe


========== Modules (SafeList) ==========

MOD - [2010/09/14 18:38:33 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/09/01 15:51:28 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®
SRV - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/10/02 01:20:06 | 000,020,480 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 22:31:10 | 029,263,712 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$ACT7) SQL Server (ACT7)
SRV - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 22:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/03/24 08:36:36 | 001,251,720 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
SRV - [2006/11/09 19:30:14 | 000,065,536 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2002/04/12 01:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) [Auto | Running] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\smserial.sys -- (smserial)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\RimUsb.sys -- (RimUsb)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\HSF_DP.sys -- (HSF_DP)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\fkiv.sys -- (erik)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/03/25 21:30:22 | 000,151,216 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2010/01/14 11:27:32 | 000,186,128 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2008/04/13 14:36:41 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/01 14:15:36 | 000,560,896 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)
DRV - [2005/04/25 12:10:20 | 000,033,538 | ---- | M] (Service & Quality Technology.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Capt905c.sys -- (SQTECH905C)
DRV - [2004/10/15 12:50:20 | 000,015,295 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
DRV - [2004/10/14 03:33:20 | 002,287,104 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2004/08/04 16:31:36 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2004/06/29 20:07:18 | 001,268,204 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/03/18 03:10:40 | 000,113,664 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2003/03/14 01:04:20 | 000,061,952 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrSerWdm.sys -- (BrSerWDM)
DRV - [2002/10/04 20:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2002/07/30 00:43:50 | 000,023,808 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2001/08/18 00:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 14:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 14:12:20 | 000,011,008 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2001/08/17 14:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-401763243-667491769-3167818076-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
IE - HKU\S-1-5-21-401763243-667491769-3167818076-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
IE - HKU\S-1-5-21-401763243-667491769-3167818076-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-401763243-667491769-3167818076-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: ([2010/09/14 21:03:17 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
O3 - HKU\S-1-5-21-401763243-667491769-3167818076-1009\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-401763243-667491769-3167818076-1009\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-401763243-667491769-3167818076-1009\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\ALCWZRD.EXE (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\Hdaudpropshortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Tracker] C:\Program Files\MySoftware\MyInvoices\Tracker.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-401763243-667491769-3167818076-1009..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Canada)
O4 - Startup: C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-401763243-667491769-3167818076-1009\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-401763243-667491769-3167818076-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-401763243-667491769-3167818076-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-401763243-667491769-3167818076-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk File not found
O9 - Extra 'Tools' menuitem : Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk File not found
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...tes/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/download/ipixx.cab (iPIX ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebo...toUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symant...ex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1174963029453 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} http://mobileapps.bl...re/AxLoader.cab (AxLoaderPassword Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 () - http://www.infotecbu...es/eagle_01.gif
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/10/15 13:38:18 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 14:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\Ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\Ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/09/15 21:15:08 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/09/15 21:04:44 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/09/15 20:54:12 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Compaq_Owner\Desktop\erunt-setup.exe
[2010/09/15 20:52:17 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\TFC.exe
[2010/09/15 20:39:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/09/14 20:40:51 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/09/14 20:40:51 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/09/14 20:40:51 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/09/14 20:40:50 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/09/14 20:40:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/09/14 20:37:26 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/14 18:38:19 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
[2010/09/14 18:21:31 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/09/14 17:46:28 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/09/14 17:38:12 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2010/09/14 17:36:59 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2010/09/14 17:32:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\Desktop\tdsskiller
[2010/09/14 17:03:56 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Compaq_Owner\Recent
[2010/09/13 19:50:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/09/13 19:50:16 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2010/09/13 12:31:07 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/09/13 12:30:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
[2010/09/13 12:30:19 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/09/13 12:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/09/13 12:30:11 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/09/13 12:30:09 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/12 16:17:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/09/12 16:01:50 | 000,014,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdhid.sys
[2010/09/12 16:00:49 | 000,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mouhid.sys
[2010/09/12 16:00:31 | 000,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidserv.dll
[2010/09/12 15:41:25 | 000,010,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidusb.sys
[2010/08/29 00:59:51 | 000,186,128 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2010/08/29 00:53:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
[2010/08/29 00:53:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ParetoLogic
[2010/08/29 00:53:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2010/08/28 23:01:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Downloaded Installations
[2010/08/28 22:31:40 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/28 22:31:40 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/28 22:31:40 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

========== Files - Modified Within 30 Days ==========

[2010/09/16 12:58:44 | 000,000,436 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{01A290DB-7C62-4749-A2C3-6871D5CE7BCB}.job
[2010/09/16 12:58:19 | 006,030,112 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/09/16 12:58:16 | 000,155,168 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/09/15 21:17:07 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/09/15 21:15:21 | 000,000,619 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\NTREGOPT.lnk
[2010/09/15 21:15:21 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\ERUNT.lnk
[2010/09/15 21:10:20 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/15 21:09:41 | 000,000,247 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2010/09/15 21:08:59 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/15 21:08:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/15 21:08:40 | 527,814,656 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/15 21:06:32 | 000,015,356 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/09/15 21:06:31 | 000,081,572 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/09/15 21:05:50 | 004,456,448 | -H-- | M] () -- C:\Documents and Settings\Compaq_Owner\NTUSER.DAT
[2010/09/15 21:05:50 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Compaq_Owner\ntuser.ini
[2010/09/15 20:55:37 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Compaq_Owner\Desktop\erunt-setup.exe
[2010/09/15 20:52:56 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\TFC.exe
[2010/09/15 20:40:26 | 001,930,896 | -H-- | M] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\IconCache.db
[2010/09/15 20:35:48 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/09/14 21:03:17 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/09/14 19:46:45 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/09/14 18:38:33 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
[2010/09/14 17:46:42 | 000,000,828 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/09/14 17:38:26 | 000,104,016 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/09/14 17:22:18 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\remg.exe
[2010/09/14 17:19:49 | 003,845,016 | R--- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
[2010/09/14 17:05:28 | 000,163,718 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\cc_20100914_170522.reg
[2010/09/14 16:59:59 | 000,361,728 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/09/14 12:51:16 | 000,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
[2010/09/13 21:37:10 | 000,278,120 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\cc_20100913_213705.reg
[2010/09/13 21:30:57 | 000,000,000 | ---- | M] () -- C:\WINDOWS\ka.ini
[2010/09/13 20:23:44 | 000,001,737 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/09/13 20:18:31 | 000,024,273 | ---- | M] () -- C:\rollback.ini
[2010/09/13 12:31:16 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\CCleaner.lnk
[2010/09/13 12:30:25 | 000,000,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/13 12:23:37 | 000,489,940 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/09/13 12:23:37 | 000,089,654 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/09/13 12:23:36 | 000,590,324 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/09/12 16:23:18 | 000,000,996 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/09/12 16:23:18 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/09/12 15:36:22 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Uwoxovoxadosex.bin
[2010/09/06 21:43:18 | 008,892,928 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2010/09/06 08:23:24 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Gjezej.dat
[2010/08/31 12:57:34 | 000,084,215 | ---- | M] () -- C:\logfile
[2010/08/27 16:31:18 | 000,000,300 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\Rodney, Ontario - Forecast - Environment Canada.url
[2010/08/20 21:34:41 | 000,011,776 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/20 21:32:29 | 000,000,431 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\Shortcut to IMG_0234.lnk
[2010/08/20 21:29:15 | 000,000,780 | ---- | M] () -- C:\WINDOWS\orun32.ini
[2010/08/20 21:22:57 | 005,947,392 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2010/08/20 21:22:56 | 012,191,744 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb

========== Files Created - No Company Name ==========

[2010/09/15 21:15:21 | 000,000,619 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\NTREGOPT.lnk
[2010/09/15 21:15:21 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\ERUNT.lnk
[2010/09/15 20:42:52 | 527,814,656 | -HS- | C] () -- C:\hiberfil.sys
[2010/09/14 20:40:52 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/14 20:40:51 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/14 20:40:51 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/14 20:40:51 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/14 20:40:51 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/09/14 20:31:01 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/09/14 19:19:50 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/09/14 17:46:42 | 000,000,828 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/09/14 17:22:16 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\remg.exe
[2010/09/14 17:19:37 | 003,845,016 | R--- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
[2010/09/14 17:05:25 | 000,163,718 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\cc_20100914_170522.reg
[2010/09/13 21:37:07 | 000,278,120 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\cc_20100913_213705.reg
[2010/09/13 20:23:43 | 000,001,737 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/09/13 12:31:15 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\CCleaner.lnk
[2010/09/13 12:30:25 | 000,000,704 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/06 21:42:56 | 008,892,928 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2010/08/29 02:07:15 | 006,030,112 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/08/29 02:07:15 | 000,155,168 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/08/29 02:07:15 | 000,081,572 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/08/29 02:07:15 | 000,015,356 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/08/29 02:06:42 | 000,024,273 | ---- | C] () -- C:\rollback.ini
[2010/08/28 22:27:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Uwoxovoxadosex.bin
[2010/08/28 22:27:36 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Gjezej.dat
[2010/08/20 21:32:29 | 000,000,431 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\Shortcut to IMG_0234.lnk
[2009/03/16 23:17:55 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2007/08/10 11:10:48 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\1AB2CAB6C7.sys
[2007/08/10 11:10:47 | 000,001,682 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/08/10 11:04:42 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\ActUpdate.log
[2007/04/04 13:46:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSDraw.ini
[2007/03/26 22:28:34 | 000,000,210 | ---- | C] () -- C:\WINDOWS\System32\sr2spec.ini
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/02/26 20:59:27 | 000,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2007/01/30 21:01:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ka.ini
[2007/01/19 20:28:45 | 000,000,100 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/09/18 15:38:26 | 000,000,212 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2006/07/19 22:25:44 | 000,000,040 | ---- | C] () -- C:\WINDOWS\opt_2460.ini
[2006/07/19 22:20:21 | 000,001,894 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
[2006/03/21 12:02:58 | 000,001,897 | ---- | C] () -- C:\WINDOWS\cussta32.ini
[2006/03/14 12:54:13 | 000,000,051 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2006/02/12 17:55:57 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\Implode.dll
[2006/01/11 22:49:24 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/12/21 12:30:43 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2005/12/04 22:24:59 | 000,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini
[2005/12/01 22:44:29 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[2005/12/01 22:44:09 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\Gif89.dll
[2005/12/01 22:41:59 | 000,000,378 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2005/12/01 22:35:53 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\rsUtil.dll
[2005/12/01 22:33:22 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2005/12/01 22:33:11 | 000,002,188 | ---- | C] () -- C:\WINDOWS\BRMFBIDI.INI
[2005/12/01 22:32:59 | 000,000,463 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2005/12/01 22:32:59 | 000,000,268 | ---- | C] () -- C:\WINDOWS\Brpcfx.ini
[2005/12/01 22:32:59 | 000,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2005/11/30 16:17:48 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\fusioncache.dat
[2005/02/16 15:06:49 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/02/16 14:33:59 | 000,013,974 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2005/02/16 14:33:54 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2005/02/16 14:33:33 | 000,002,154 | ---- | C] () -- C:\WINDOWS\System32\ssmute.ini
[2005/02/16 14:30:49 | 000,002,429 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/02/16 14:19:11 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/02/16 14:16:13 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2005/02/16 14:06:48 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/01/29 00:30:48 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/08/20 06:14:46 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2004/08/20 06:14:46 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2004/06/16 07:38:02 | 000,000,537 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/04/11 02:04:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2002/08/12 09:19:42 | 000,101,376 | ---- | C] () -- C:\WINDOWS\System32\Welsof32.dll
[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[1996/11/17 01:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1996/11/17 01:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996/11/17 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2005/12/27 22:47:15 | 000,000,428 | ---- | M] () -- C:\2.txt
[2010/02/24 12:04:17 | 001,955,784 | ---- | M] (Adobe Systems Incorporated) -- C:\9dfb00d609531231819b56283b19
[2007/02/18 20:44:48 | 000,000,111 | ---- | M] () -- C:\ace.log
[2005/12/10 19:48:44 | 000,000,040 | ---- | M] () -- C:\Auth.prof
[2004/10/15 13:38:18 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2005/11/30 16:16:45 | 000,000,213 | RHS- | M] () -- C:\BOOT.BAK
[2010/09/12 16:23:18 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2006/09/18 15:39:28 | 000,000,025 | ---- | M] () -- C:\Brxpinst.log
[2004/08/04 00:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2010/09/15 20:39:14 | 000,016,549 | ---- | M] () -- C:\ComboFix.txt
[2004/10/15 13:38:18 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/12/19 18:04:09 | 000,658,405 | ---- | M] () -- C:\EasyShareInstall.log
[2007/09/26 01:25:03 | 004,562,137 | ---- | M] () -- C:\Event16_091807_flyer_english.pdf
[2006/12/04 18:12:11 | 000,004,805 | -H-- | M] () -- C:\ffastun.ffa
[2006/12/04 18:12:11 | 000,753,664 | -H-- | M] () -- C:\ffastun.ffl
[2006/12/04 18:12:11 | 000,188,416 | -H-- | M] () -- C:\ffastun.ffo
[2006/12/04 18:12:10 | 001,404,928 | -H-- | M] () -- C:\ffastun0.ffx
[2006/12/06 20:31:43 | 000,753,664 | ---- | M] () -- C:\ffastunT.ffl
[2010/09/15 21:08:40 | 527,814,656 | -HS- | M] () -- C:\hiberfil.sys
[2005/01/29 00:30:48 | 000,000,002 | -H-- | M] () -- C:\hpbi.log
[2004/10/15 13:38:18 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/08/31 12:57:34 | 000,084,215 | ---- | M] () -- C:\logfile
[2004/10/15 13:38:18 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 00:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/05/10 12:55:07 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/09/15 21:08:23 | 792,723,456 | -HS- | M] () -- C:\pagefile.sys
[2010/09/13 20:18:31 | 000,024,273 | ---- | M] () -- C:\rollback.ini
[2010/09/14 17:37:30 | 000,039,866 | ---- | M] () -- C:\TDSSKiller.2.4.2.1_14.09.2010_17.32.21_log.txt
[2010/09/15 13:00:01 | 000,038,412 | ---- | M] () -- C:\TDSSKiller.2.4.2.1_15.09.2010_12.58.36_log.txt
[2010/09/15 20:25:39 | 000,038,412 | ---- | M] () -- C:\TDSSKiller.2.4.2.1_15.09.2010_19.48.07_log.txt
[2010/09/14 20:20:47 | 000,000,136 | ---- | M] () -- C:\VundoFix.txt

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2004/10/15 06:29:40 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/10/15 06:29:40 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/10/15 06:29:40 | 000,868,352 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-09-16 07:02:50
< End of report >


#2 RKinner
Malware Expert | Expert | MVP | 23,709 posts
Copy the text in the code box by highlighting it and pressing Ctrl + C

:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
O3 - HKU\S-1-5-21-401763243-667491769-3167818076-1009\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-401763243-667491769-3167818076-1009\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-401763243-667491769-3167818076-1009\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O9 - Extra Button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk File not found
O9 - Extra 'Tools' menuitem : Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
[2010/08/28 22:27:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Uwoxovoxadosex.bin
[2010/08/28 22:27:36 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Gjezej.dat

:Files
C:\WINDOWS\Uwoxovoxadosex.bin
C:\WINDOWS\Gjezej.dat

:Services
winachsf
smserial
RimUsb
HSFHWBS2
HSF_DP
erik
catchme
     
:Commands
[purity]
[emptytemp]
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all, then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.

Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop; do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download this file to your Desktop and rename it (call it george.exe), from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries, including your browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then Continue. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run ComboFix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your drive light. If it is flashing, ComboFix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.

  • Go to this page and Download TDSSKiller.zip to your Desktop.
  • Extract its contents to your desktop and drag TDSSKiller.exe onto the desktop, not into the folder.
  • Double click on TDSSKiller.exe
  • If TDSSKiller alerts you that the system needs to reboot, please consent.
  • When done, a log file should be created on your C: drive named "TDSSKiller.txt"; please copy and paste the contents in your next reply.

Run the BitDefender QuickScan.

http://quickscan.bitdefender.com/

When it finishes there is a report option. Click on it and copy and paste the report (even if it says nothing found).


Ron
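The two files Ron's :Files section removes, Uwoxovoxadosex.bin and Gjezej.dat, are the kind of entry an analyst picks out of the OTL file lists by hand: no company name, dropped straight into %SystemRoot%, created within the last few weeks, and with names that match nothing a vendor ships. The short Python script below is an added example, not part of this thread and not something OTL or ComboFix provides; it parses OTL file-list lines in the `[date | size | attrs | C/M] (Company) -- path` format shown above and applies those same three checks. The SYSTEM_DIRS set, the 30-day window, the SCAN_DATE of 2010/09/16 and the COMBOFIX_ARTIFACTS allowlist are assumptions chosen for this thread; the allowlist exists because the MBR.exe, PEV.exe, sed.exe, grep.exe and zip.exe entries created in C:\WINDOWS on 2010/09/14 are the helper binaries ComboFix unpacks there, and without it they score exactly like a dropped payload.

```python
import re
from datetime import datetime

# One OTL file-list line, in the format used throughout the logs in this thread:
#   [yyyy/mm/dd hh:mm:ss | size | attrs | C or M] (Company) -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# Assumption: directories where a file with no company name deserves a second look.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers"}

# Assumption: analyst-maintained allowlist (nothing OTL knows about) of the helper
# binaries ComboFix unpacks into %SystemRoot%. They carry no company name and are
# recent, so without this list they would be flagged like a dropped payload.
COMBOFIX_ARTIFACTS = {"mbr.exe", "pev.exe", "sed.exe", "grep.exe", "zip.exe"}


def parse_otl_line(line):
    """Parse one OTL file entry; return a dict, or None for headers/blank lines."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),
        "attrs": m["attrs"],
        "kind": m["kind"],  # C = creation time, M = last-modified time
        "company": m["company"].strip(),
        "path": m["path"],
    }


def triage(entry, scan_date, recent_days=30):
    """Return (verdict, reasons) where verdict is 'review', 'tool-artifact' or 'ok'."""
    folder, _, name = entry["path"].lower().rpartition("\\")
    age_days = (scan_date - entry["ts"]).days
    unattributed = folder in SYSTEM_DIRS and not entry["company"]
    recent = 0 <= age_days <= recent_days
    reasons = []
    if unattributed:
        reasons.append("no company name in a system directory")
    if recent:
        when = "created" if entry["kind"] == "C" else "modified"
        reasons.append(f"{when} {age_days} days before the scan")
    if entry["size"] == 0:
        reasons.append("zero-byte file")  # informational only
    if folder == r"c:\windows" and name in COMBOFIX_ARTIFACTS:
        return "tool-artifact", reasons
    return ("review" if unattributed and recent else "ok"), reasons


def triage_log(text, scan_date, recent_days=30):
    """Run triage over every parseable line of an OTL log excerpt; skip the rest."""
    results = []
    for line in text.splitlines():
        entry = parse_otl_line(line)
        if entry is None:
            continue
        verdict, reasons = triage(entry, scan_date, recent_days)
        results.append({"path": entry["path"], "verdict": verdict, "reasons": reasons})
    return results


# Sample input: lines copied from several sections of the OTL log in the first
# post, with one section header kept to show that non-entry lines are skipped.
SAMPLE_LOG = r"""
========== Files Created - No Company Name ==========
[2010/09/12 15:41:25 | 000,010,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidusb.sys
[2010/08/29 00:59:51 | 000,186,128 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2010/09/14 20:40:52 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/14 20:40:51 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/28 22:27:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Uwoxovoxadosex.bin
[2010/08/28 22:27:36 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Gjezej.dat
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2010/09/15 21:15:21 | 000,000,619 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\NTREGOPT.lnk
"""

# Assumption: scan date taken from the newest entries in the log (2010/09/16).
SCAN_DATE = datetime(2010, 9, 16)

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG, SCAN_DATE):
        print(f"{r['verdict']:<13} {r['path']}")
        for reason in r["reasons"]:
            print(f"{'':<13}   - {reason}")
```

Run on the sample, the two random-named files come back as "review", the ComboFix helpers as "tool-artifact", and the Microsoft, Kaspersky, desktop and 2007-dated entries as "ok". Two caveats a practitioner should keep in mind: the company name OTL prints is read from the file's version resource, which malware can copy from any legitimate binary, so an attributed file is not automatically clean; and the script only flags entries for a human to look at, it never deletes anything, which is exactly why the fix still goes through an OTL :Files section reviewed by someone who knows the machine's history.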

#3 tetley
Topic Starter | Member | 25 posts
Thanks for the help! The computer already seems more responsive. As per your requests, here are the logs:

First OTL Log:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ not found.
Registry value HKEY_USERS\S-1-5-21-401763243-667491769-3167818076-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\S-1-5-21-401763243-667491769-3167818076-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-401763243-667491769-3167818076-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5E638779-1818-4754-A595-EF1C63B87A56}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E638779-1818-4754-A595-EF1C63B87A56}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5E638779-1818-4754-A595-EF1C63B87A56}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E638779-1818-4754-A595-EF1C63B87A56}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
AppMgmt removed from NetSvcs value successfully!
Service AppMgmt stopped successfully!
Service AppMgmt deleted successfully!
C:\WINDOWS\Uwoxovoxadosex.bin moved successfully.
C:\WINDOWS\Gjezej.dat moved successfully.
========== FILES ==========
File\Folder C:\WINDOWS\Uwoxovoxadosex.bin not found.
File\Folder C:\WINDOWS\Gjezej.dat not found.
========== SERVICES/DRIVERS ==========
Service winachsf stopped successfully!
Service winachsf deleted successfully!
Service smserial stopped successfully!
Service smserial deleted successfully!
Service RimUsb stopped successfully!
Service RimUsb deleted successfully!
Service HSFHWBS2 stopped successfully!
Service HSFHWBS2 deleted successfully!


Second OTL Log:

OTL logfile created on: 9/17/2010 12:34:46 PM - Run 3
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Compaq_Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 182.00 Mb Available Physical Memory | 36.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.79 Gb Total Space | 118.35 Gb Free Space | 82.31% Space Free | Partition Type: NTFS
Drive D: | 5.25 Gb Total Space | 0.56 Gb Free Space | 10.61% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-4F1261A8E5
Current User Name: Compaq_Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/14 18:38:33 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
PRC - [2010/06/01 14:53:46 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/10/02 03:51:36 | 000,968,024 | ---- | M] (Intuit Canada) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 22:31:10 | 029,263,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/30 11:50:42 | 000,205,480 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2006/07/07 19:14:38 | 000,576,320 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2004/10/14 02:17:06 | 002,742,272 | ---- | M] (RealTek Semicoductor Corp.) -- C:\WINDOWS\ALCWZRD.EXE
PRC - [2004/10/14 00:01:50 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2002/04/12 01:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe
PRC - [2001/12/13 01:01:00 | 000,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe


========== Modules (SafeList) ==========

MOD - [2010/09/14 18:38:33 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService)
SRV - [2010/09/01 15:51:28 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®
SRV - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/10/02 01:20:06 | 000,020,480 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 22:31:10 | 029,263,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$ACT7) SQL Server (ACT7)
SRV - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 22:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/03/24 08:36:36 | 001,251,720 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
SRV - [2006/11/09 19:30:14 | 000,065,536 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2002/04/12 01:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) [Auto | Running] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)


========== Driver Services (SafeList) ==========

DRV - [2010/03/25 21:30:22 | 000,151,216 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2010/01/14 11:27:32 | 000,186,128 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2008/04/13 14:36:41 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/01 14:15:36 | 000,560,896 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)
DRV - [2005/04/25 12:10:20 | 000,033,538 | ---- | M] (Service & Quality Technology.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Capt905c.sys -- (SQTECH905C)
DRV - [2004/10/15 12:50:20 | 000,015,295 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
DRV - [2004/10/14 03:33:20 | 002,287,104 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2004/08/04 16:31:36 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2004/06/29 20:07:18 | 001,268,204 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/03/18 03:10:40 | 000,113,664 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2003/03/14 01:04:20 | 000,061,952 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrSerWdm.sys -- (BrSerWDM)
DRV - [2002/10/04 20:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2002/07/30 00:43:50 | 000,023,808 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2001/08/18 00:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 14:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 14:12:20 | 000,011,008 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2001/08/17 14:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: ([2010/09/14 21:03:17 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\ALCWZRD.EXE (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\Hdaudpropshortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Tracker] C:\Program Files\MySoftware\MyInvoices\Tracker.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Canada)
O4 - Startup: C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...tes/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/download/ipixx.cab (iPIX ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebo...toUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symant...ex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1174963029453 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} http://mobileapps.bl...re/AxLoader.cab (AxLoaderPassword Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 () - http://www.infotecbu...es/eagle_01.gif
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/10/15 13:38:18 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 14:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/09/17 12:23:07 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/09/15 21:15:08 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/09/15 21:04:44 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/09/15 20:54:12 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Compaq_Owner\Desktop\erunt-setup.exe
[2010/09/15 20:52:17 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\TFC.exe
[2010/09/15 20:39:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/09/14 20:40:51 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/09/14 20:40:51 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/09/14 20:40:51 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/09/14 20:40:50 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/09/14 20:40:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/09/14 20:37:26 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/14 18:38:19 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
[2010/09/14 18:21:31 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/09/14 17:46:28 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/09/14 17:38:12 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2010/09/14 17:36:59 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2010/09/14 17:32:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\Desktop\tdsskiller
[2010/09/14 17:03:56 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Compaq_Owner\Recent
[2010/09/13 19:50:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/09/13 19:50:16 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2010/09/13 12:31:07 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/09/13 12:30:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
[2010/09/13 12:30:19 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/09/13 12:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/09/13 12:30:11 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/09/13 12:30:09 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/12 16:17:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/08/29 00:59:51 | 000,186,128 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2010/08/29 00:53:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
[2010/08/29 00:53:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ParetoLogic
[2010/08/29 00:53:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2010/08/28 23:01:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Downloaded Installations

========== Files - Modified Within 90 Days ==========

[2010/09/17 12:45:41 | 000,000,436 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{01A290DB-7C62-4749-A2C3-6871D5CE7BCB}.job
[2010/09/17 12:42:45 | 006,056,992 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/09/17 12:40:45 | 000,157,984 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/09/17 12:35:00 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/09/17 12:32:55 | 000,000,247 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2010/09/17 12:30:09 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/17 12:29:00 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/17 12:28:51 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/17 12:28:47 | 527,814,656 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/17 12:27:00 | 000,082,124 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/09/17 12:27:00 | 000,015,812 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/09/17 12:26:08 | 004,456,448 | -H-- | M] () -- C:\Documents and Settings\Compaq_Owner\NTUSER.DAT
[2010/09/17 12:26:08 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Compaq_Owner\ntuser.ini
[2010/09/16 17:41:43 | 004,298,356 | -H-- | M] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\IconCache.db
[2010/09/15 21:15:21 | 000,000,619 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\NTREGOPT.lnk
[2010/09/15 21:15:21 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\ERUNT.lnk
[2010/09/15 20:55:37 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Compaq_Owner\Desktop\erunt-setup.exe
[2010/09/15 20:52:56 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\TFC.exe
[2010/09/15 20:35:48 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/09/14 21:03:17 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/09/14 19:46:45 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/09/14 18:38:33 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
[2010/09/14 17:46:42 | 000,000,828 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/09/14 17:38:26 | 000,104,016 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/09/14 17:22:18 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\remg.exe
[2010/09/14 17:19:49 | 003,845,016 | R--- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
[2010/09/14 17:05:28 | 000,163,718 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\cc_20100914_170522.reg
[2010/09/14 16:59:59 | 000,361,728 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/09/14 12:51:16 | 000,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
[2010/09/13 21:37:10 | 000,278,120 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\cc_20100913_213705.reg
[2010/09/13 21:30:57 | 000,000,000 | ---- | M] () -- C:\WINDOWS\ka.ini
[2010/09/13 20:23:44 | 000,001,737 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/09/13 20:18:31 | 000,024,273 | ---- | M] () -- C:\rollback.ini
[2010/09/13 12:31:16 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\CCleaner.lnk
[2010/09/13 12:30:25 | 000,000,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/13 12:23:37 | 000,489,940 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/09/13 12:23:37 | 000,089,654 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/09/13 12:23:36 | 000,590,324 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/09/12 16:23:18 | 000,000,996 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/09/12 16:23:18 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/09/06 21:43:18 | 008,892,928 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2010/08/31 12:57:34 | 000,084,215 | ---- | M] () -- C:\logfile
[2010/08/27 16:31:18 | 000,000,300 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\Rodney, Ontario - Forecast - Environment Canada.url
[2010/08/20 21:34:41 | 000,011,776 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/20 21:32:29 | 000,000,431 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\Shortcut to IMG_0234.lnk
[2010/08/20 21:29:15 | 000,000,780 | ---- | M] () -- C:\WINDOWS\orun32.ini
[2010/08/20 21:22:57 | 005,947,392 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2010/08/20 21:22:56 | 012,191,744 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2010/08/12 17:45:06 | 000,056,832 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\Nellie Oliveira.doc
[2010/08/12 17:41:45 | 000,000,033 | ---- | M] () -- C:\WINDOWS\System32\MSIN6854.RHC
[2010/08/12 17:41:45 | 000,000,033 | ---- | M] () -- C:\WINDOWS\System32\MSIN0508.RHC
[2010/08/04 19:49:33 | 015,938,048 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\Natural Touch Landscape Contracting (Backup May 24, 2010 10 45 PM).QBB
[2010/07/27 18:02:25 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\Nellie.doc
[2010/07/20 15:06:09 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\BMO Bank of Montreal gift letter.doc
[2010/07/18 07:05:29 | 000,539,387 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\LoaderBackup-(2010-07-18).ipd
[2010/07/18 07:03:13 | 000,539,273 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\Backup-(2010-07-18).ipd

========== Files Created - No Company Name ==========

[2010/09/15 21:15:21 | 000,000,619 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\NTREGOPT.lnk
[2010/09/15 21:15:21 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\ERUNT.lnk
[2010/09/15 20:42:52 | 527,814,656 | -HS- | C] () -- C:\hiberfil.sys
[2010/09/14 20:40:52 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/14 20:40:51 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/14 20:40:51 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/14 20:40:51 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/14 20:40:51 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/09/14 20:31:01 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/09/14 19:19:50 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/09/14 17:46:42 | 000,000,828 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/09/14 17:22:16 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\remg.exe
[2010/09/14 17:19:37 | 003,845,016 | R--- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
[2010/09/14 17:05:25 | 000,163,718 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\cc_20100914_170522.reg
[2010/09/13 21:37:07 | 000,278,120 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\cc_20100913_213705.reg
[2010/09/13 20:23:43 | 000,001,737 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/09/13 12:31:15 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\CCleaner.lnk
[2010/09/13 12:30:25 | 000,000,704 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/06 21:42:56 | 008,892,928 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2010/08/29 02:07:15 | 006,055,200 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/08/29 02:07:15 | 000,157,728 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/08/29 02:07:15 | 000,082,124 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/08/29 02:07:15 | 000,015,812 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/08/29 02:06:42 | 000,024,273 | ---- | C] () -- C:\rollback.ini
[2010/08/20 21:32:29 | 000,000,431 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\Shortcut to IMG_0234.lnk
[2010/07/27 17:49:31 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\Nellie.doc
[2010/07/18 07:05:29 | 000,539,387 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\LoaderBackup-(2010-07-18).ipd
[2010/07/18 07:03:13 | 000,539,273 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\Backup-(2010-07-18).ipd
[2010/07/15 21:41:13 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\BMO Bank of Montreal gift letter.doc
[2009/03/16 23:17:55 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2007/08/10 11:10:48 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\1AB2CAB6C7.sys
[2007/08/10 11:10:47 | 000,001,682 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/08/10 11:04:42 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\ActUpdate.log
[2007/04/04 13:46:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSDraw.ini
[2007/03/26 22:28:34 | 000,000,210 | ---- | C] () -- C:\WINDOWS\System32\sr2spec.ini
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/02/26 20:59:27 | 000,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2007/01/30 21:01:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ka.ini
[2007/01/19 20:28:45 | 000,000,100 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/09/18 15:38:26 | 000,000,212 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2006/07/19 22:25:44 | 000,000,040 | ---- | C] () -- C:\WINDOWS\opt_2460.ini
[2006/07/19 22:20:21 | 000,001,894 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
[2006/03/21 12:02:58 | 000,001,897 | ---- | C] () -- C:\WINDOWS\cussta32.ini
[2006/03/14 12:54:13 | 000,000,051 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2006/02/12 17:55:57 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\Implode.dll
[2006/01/11 22:49:24 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/12/21 12:30:43 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2005/12/04 22:24:59 | 000,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini
[2005/12/01 22:44:29 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[2005/12/01 22:44:09 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\Gif89.dll
[2005/12/01 22:41:59 | 000,000,378 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2005/12/01 22:35:53 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\rsUtil.dll
[2005/12/01 22:33:22 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2005/12/01 22:33:11 | 000,002,188 | ---- | C] () -- C:\WINDOWS\BRMFBIDI.INI
[2005/12/01 22:32:59 | 000,000,463 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2005/12/01 22:32:59 | 000,000,268 | ---- | C] () -- C:\WINDOWS\Brpcfx.ini
[2005/12/01 22:32:59 | 000,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2005/11/30 16:17:48 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\fusioncache.dat
[2005/02/16 15:06:49 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/02/16 14:33:59 | 000,013,974 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2005/02/16 14:33:54 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2005/02/16 14:33:33 | 000,002,154 | ---- | C] () -- C:\WINDOWS\System32\ssmute.ini
[2005/02/16 14:30:49 | 000,002,429 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/02/16 14:19:11 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/02/16 14:16:13 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2005/02/16 14:06:48 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/01/29 00:30:48 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/08/20 06:14:46 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2004/08/20 06:14:46 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2004/06/16 07:38:02 | 000,000,537 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/04/11 02:04:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2002/08/12 09:19:42 | 000,101,376 | ---- | C] () -- C:\WINDOWS\System32\Welsof32.dll
[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[1996/11/17 01:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1996/11/17 01:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996/11/17 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== LOP Check ==========

[2006/09/19 18:56:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avery
[2009/09/14 16:18:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA-SupportBridge
[2008/07/11 22:13:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2010/09/14 09:11:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2010/08/29 00:53:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
[2005/12/06 21:47:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2010/09/14 16:50:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2006/03/14 12:57:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SUIIMAGE
[2007/08/10 10:35:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\ACT
[2009/12/13 02:20:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\com.golariat.dubli.cinch.EB20C3E94FFB8C218903DEEE83BDD14DD92A49C8.1
[2005/12/10 19:48:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\InterVideo
[2007/08/10 11:05:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\IsolatedStorage
[2005/12/10 19:34:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\Leadertech
[2007/04/28 20:30:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\OfficeUpdate12
[2005/02/16 14:44:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\SampleView
[2010/09/14 16:50:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\ScanSoft
[2009/04/08 19:23:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\SmartDraw
[2006/07/19 22:25:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\Template
[2010/09/17 12:35:00 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2010/09/17 12:45:41 | 000,000,436 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{01A290DB-7C62-4749-A2C3-6871D5CE7BCB}.job

========== Purity Check ==========


< End of report >
ComboFix Log:

ComboFix 10-09-16.07 - Compaq_Owner 09/17/2010 13:00:38.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.144 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\George.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))
.

2010-09-17 16:23 . 2010-09-17 16:23 -------- d-----w- C:\_OTL
2010-09-14 22:21 . 2010-09-14 22:21 -------- d-----w- C:\VundoFix Backups
2010-09-14 21:46 . 2010-09-14 21:49 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-09-14 21:38 . 2010-09-14 21:38 -------- d-----w- c:\program files\Windows Defender
2010-09-14 21:36 . 2010-09-14 21:36 -------- d-----w- C:\TDSSKiller_Quarantine
2010-09-13 23:52 . 2010-09-13 23:52 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-09-13 23:50 . 2010-09-13 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-09-13 23:50 . 2010-09-13 23:50 -------- d-----w- c:\program files\NOS
2010-09-13 16:31 . 2010-09-13 16:31 -------- d-----w- c:\program files\CCleaner
2010-09-13 16:30 . 2010-09-13 16:30 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2010-09-13 16:30 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-13 16:30 . 2010-09-13 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-13 16:30 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-13 16:30 . 2010-09-13 16:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-12 20:01 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-09-12 20:01 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-09-12 20:00 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-09-12 20:00 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-09-12 20:00 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-09-12 20:00 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-09-12 19:41 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-09-12 19:41 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2010-08-29 06:16 . 2010-08-29 06:16 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-08-29 06:07 . 2010-09-17 20:23 6123296 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-08-29 06:07 . 2010-09-17 20:23 161568 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-08-29 04:53 . 2010-09-14 13:11 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-08-29 04:53 . 2010-09-14 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-08-29 04:53 . 2010-08-29 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2010-08-29 03:01 . 2010-08-29 03:01 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-17 16:27 . 2010-08-29 06:07 82124 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-09-17 16:27 . 2010-08-29 06:07 15812 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-09-16 01:15 . 2010-09-16 01:15 -------- d-----w- c:\program files\ERUNT
2010-09-14 21:38 . 2006-07-20 02:20 104016 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-14 20:59 . 2005-12-02 02:32 -------- d-----w- c:\program files\Brother
2010-09-14 20:50 . 2006-03-14 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-09-14 20:50 . 2006-10-19 14:50 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\ScanSoft
2010-09-14 20:47 . 2005-02-16 18:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-14 17:06 . 2008-04-07 13:27 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-09-14 17:06 . 2008-04-07 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-09-14 16:58 . 2008-12-24 02:11 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-09-14 16:53 . 2008-04-07 13:17 -------- d-----w- c:\program files\Research In Motion
2010-09-14 16:51 . 2008-04-08 05:03 256 ----a-w- c:\windows\system32\pool.bin
2010-09-14 13:18 . 2005-02-16 19:02 -------- d-----w- c:\program files\InterVideo
2010-09-14 13:18 . 2005-12-02 02:37 -------- d-----w- c:\program files\Kodak
2010-09-14 13:14 . 2005-02-16 18:31 -------- d-----w- c:\program files\QuickTime
2010-09-14 13:13 . 2005-02-16 18:25 -------- d-----w- c:\program files\Common Files\Real
2010-09-14 01:42 . 2008-02-23 13:40 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-14 01:30 . 2005-12-02 03:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-13 22:46 . 2009-07-04 21:15 -------- d-----w- c:\program files\RealArcade
2010-09-13 22:44 . 2005-02-16 18:26 -------- d-----w- c:\program files\WildTangent
2010-09-13 22:44 . 2005-02-16 18:52 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-13 22:41 . 2007-08-03 02:32 -------- d-----w- c:\program files\Google
2010-09-07 01:43 . 2010-09-07 01:42 8892928 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2010-09-03 04:23 . 2008-07-12 03:48 2963 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys
2010-08-29 02:32 . 2005-02-16 18:10 -------- d-----w- c:\program files\Common Files\Java
2010-08-29 02:31 . 2005-02-16 18:10 -------- d-----w- c:\program files\Java
2010-08-29 02:24 . 2010-08-29 02:24 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\hngmfc.dat
2010-08-17 13:17 . 2004-08-04 18:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-08 16:54 . 2010-08-08 16:54 503808 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-417e3474-n\msvcp71.dll
2010-08-08 16:54 . 2010-08-08 16:54 499712 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-417e3474-n\jmc.dll
2010-08-08 16:54 . 2010-08-08 16:54 348160 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-417e3474-n\msvcr71.dll
2010-08-08 16:54 . 2010-08-08 16:54 61440 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5fc07cf6-n\decora-sse.dll
2010-08-08 16:54 . 2010-08-08 16:54 12800 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5fc07cf6-n\decora-d3d.dll
2010-07-22 15:49 . 2004-08-04 18:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-17 01:25 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 09:00 . 2010-04-25 11:15 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 12:31 . 2004-08-04 18:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 18:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 18:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2005-02-16 09:17 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2005-06-21 03:57 . 2005-11-30 18:48 22 --sha-w- c:\windows\SMINST\HPCD.SYS
2007-08-10 15:10 . 2007-08-10 15:10 88 --sh--r- c:\windows\system32\1AB2CAB6C7.sys
2007-08-10 15:10 . 2007-08-10 15:10 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_01.03.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-17 16:29 . 2010-09-17 16:29 16384 c:\windows\temp\Perflib_Perfdata_290.dat
+ 2010-09-17 16:29 . 2010-09-17 16:29 16384 c:\windows\temp\Perflib_Perfdata_244.dat
+ 2010-09-16 01:17 . 2010-09-16 01:17 274432 c:\windows\ERDNT\9-15-2010\Users\00000002\UsrClass.dat
+ 2010-09-16 01:17 . 2005-10-20 16:02 163328 c:\windows\ERDNT\9-15-2010\ERDNT.EXE
+ 2010-09-16 01:17 . 2010-09-16 01:17 4374528 c:\windows\ERDNT\9-15-2010\Users\00000001\NTUSER.DAT
+ 2009-05-27 16:06 . 2009-05-27 16:06 10011648 c:\windows\Installer\46c921c.msp
+ 2009-05-27 16:06 . 2009-05-27 16:06 10011648 c:\windows\Installer\1456e5d.msp
+ 2009-05-27 16:06 . 2009-05-27 16:06 10011648 c:\windows\Installer\13c38b2.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-18 61952]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"SoundMan"="SOUNDMAN.EXE" [2004-10-14 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-14 2742272]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"Tracker"="c:\program files\MySoftware\MyInvoices\tracker.exe" [2001-12-04 94208]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-10-2 968024]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
S0 tfmjsku;tfmjsku; [x]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/1/2005 10:33 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/1/2005 10:32 PM 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [12/1/2005 10:33 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [12/1/2005 10:33 PM 10368]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 2:00 PM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

2010-09-17 c:\windows\Tasks\User_Feed_Synchronization-{01A290DB-7C62-4749-A2C3-6871D5CE7BCB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q105&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q105&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-17 16:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2592)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-17 16:27:42
ComboFix-quarantined-files.txt 2010-09-17 20:27
ComboFix2.txt 2010-09-16 00:39
ComboFix3.txt 2010-09-15 01:09

Pre-Run: 127,006,330,880 bytes free
Post-Run: 127,003,099,136 bytes free

- - End Of File - - 931F7F7446004623C214F3F38AA525F9



MBRCheck Log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000003fc

Kernel Drivers (total 120):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF89B3000 \WINDOWS\system32\KDCOM.DLL
0xF88C3000 \WINDOWS\system32\BOOTVID.dll
0xF8384000 ACPI.sys
0xF89B5000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF8373000 pci.sys
0xF84B3000 isapnp.sys
0xF89B7000 intelide.sys
0xF8733000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF84C3000 MountMgr.sys
0xF8354000 ftdisk.sys
0xF873B000 PartMgr.sys
0xF84D3000 VolSnap.sys
0xF833C000 atapi.sys
0xF84E3000 disk.sys
0xF84F3000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF831C000 fltmgr.sys
0xF830A000 sr.sys
0xF8503000 PxHelp20.sys
0xF82F3000 KSecDD.sys
0xF8266000 Ntfs.sys
0xF8239000 NDIS.sys
0xF8513000 ohci1394.sys
0xF8523000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF821F000 Mup.sys
0xF8533000 gagp30kx.sys
0xF8663000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7796000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF7782000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF775A000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF87DB000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7736000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF87E3000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF8673000 \SystemRoot\system32\DRIVERS\R8139n51.SYS
0xF7600000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF87EB000 \SystemRoot\System32\Drivers\Modem.SYS
0xF75EC000 \SystemRoot\system32\DRIVERS\parport.sys
0xF8683000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF8693000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF86A3000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF75C9000 \SystemRoot\system32\DRIVERS\ks.sys
0xF8B07000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF86B3000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF89AB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF75B2000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF86C3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF86D3000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF87F3000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF75A1000 \SystemRoot\system32\DRIVERS\psched.sys
0xF86E3000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF87FB000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF8803000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF86F3000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF880B000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF8813000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF89E5000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF7543000 \SystemRoot\system32\DRIVERS\update.sys
0xF7D55000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7853000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA9A53000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xA99F5000 \SystemRoot\system32\drivers\portcls.sys
0xF78A3000 \SystemRoot\system32\drivers\drmk.sys
0xAA612000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF8A2B000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA8489000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xA8C88000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xAA602000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA8D22000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF888B000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF889B000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA6294000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA6140000 \SystemRoot\system32\DRIVERS\point32.sys
0xF8A33000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA4FF1000 \SystemRoot\System32\Drivers\Null.SYS
0xF8A35000 \SystemRoot\System32\Drivers\Beep.SYS
0xA5B69000 \SystemRoot\System32\drivers\vga.sys
0xF8A37000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8A39000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA5171000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA5169000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA5723000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA49F7000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA499E000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA4976000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA4954000 \SystemRoot\System32\drivers\afd.sys
0xA52B4000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA4929000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA48B9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA487B000 \SystemRoot\System32\DRIVERS\klif.sys
0xA4AAA000 \SystemRoot\System32\Drivers\Fips.SYS
0xA4855000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA4A8A000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA4831000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA9C86000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA4819000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8A41000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA8D6C000 \SystemRoot\System32\drivers\Dxapi.sys
0xA5151000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8B8F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF03F000 \SystemRoot\System32\ialmdev5.DLL
0xBF068000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA8D7C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA4684000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA4647000 \SystemRoot\system32\drivers\wdmaud.sys
0xA52A4000 \SystemRoot\system32\drivers\sysaudio.sys
0xA4590000 \SystemRoot\System32\Drivers\HTTP.sys
0xA44E9000 \SystemRoot\system32\DRIVERS\srv.sys
0xA4311000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA60F0000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xA5161000 \??\C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\catchme.sys
0xA5BA1000 \??\C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\mbr.sys
0xA3AC1000 \SystemRoot\system32\DRIVERS\rt2870.sys
0xA3A96000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 41):
0 System Idle Process
4 System
472 C:\WINDOWS\system32\smss.exe
700 csrss.exe
728 C:\WINDOWS\system32\winlogon.exe
772 C:\WINDOWS\system32\services.exe
784 C:\WINDOWS\system32\lsass.exe
928 C:\WINDOWS\system32\svchost.exe
992 svchost.exe
1028 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
1108 C:\WINDOWS\system32\svchost.exe
1212 svchost.exe
1300 svchost.exe
1772 C:\WINDOWS\system32\brss01a.exe
1784 C:\WINDOWS\system32\spoolsv.exe
2032 svchost.exe
568 C:\WINDOWS\system32\svchost.exe
580 C:\Program Files\Java\jre6\bin\jqs.exe
624 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
656 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
936 sqlbrowser.exe
1172 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
1412 C:\WINDOWS\system32\svchost.exe
2404 alg.exe
2460 C:\WINDOWS\system32\wscntfy.exe
3732 C:\WINDOWS\system\hpsysdrv.exe
4008 C:\WINDOWS\system32\hkcmd.exe
4056 C:\WINDOWS\AGRSMMSG.exe
376 C:\WINDOWS\SOUNDMAN.EXE
2044 C:\WINDOWS\ALCWZRD.EXE
368 C:\Program Files\Microsoft IntelliType Pro\itype.exe
1080 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
1448 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1864 C:\Program Files\Microsoft Security Essentials\msseces.exe
2000 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
1048 C:\WINDOWS\system32\ctfmon.exe
348 C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
2176 C:\WINDOWS\system32\wuauclt.exe
2868 wmpnetwk.exe
2592 C:\WINDOWS\explorer.exe
3696 C:\Documents and Settings\Compaq_Owner\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`50612000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: ST3160023AS, Rev: 3.43

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972


Done!



TDSSKiller Log:

2010/09/17 16:34:08.0031 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/17 16:34:08.0031 ================================================================================
2010/09/17 16:34:08.0031 SystemInfo:
2010/09/17 16:34:08.0031
2010/09/17 16:34:08.0031 OS Version: 5.1.2600 ServicePack: 3.0
2010/09/17 16:34:08.0031 Product type: Workstation
2010/09/17 16:34:08.0031 ComputerName: YOUR-4F1261A8E5
2010/09/17 16:34:08.0031 UserName: Compaq_Owner
2010/09/17 16:34:08.0031 Windows directory: C:\WINDOWS
2010/09/17 16:34:08.0031 System windows directory: C:\WINDOWS
2010/09/17 16:34:08.0031 Processor architecture: Intel x86
2010/09/17 16:34:08.0031 Number of processors: 1
2010/09/17 16:34:08.0031 Page size: 0x1000
2010/09/17 16:34:08.0031 Boot type: Normal boot
2010/09/17 16:34:08.0031 ================================================================================
2010/09/17 16:34:08.0343 Initialize success
2010/09/17 16:34:11.0625 ================================================================================
2010/09/17 16:34:11.0625 Scan started
2010/09/17 16:34:11.0625 Mode: Manual;
2010/09/17 16:34:11.0625 ================================================================================
2010/09/17 16:34:13.0843 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/17 16:34:14.0234 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/09/17 16:34:14.0906 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/09/17 16:34:15.0343 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/09/17 16:34:16.0171 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2010/09/17 16:34:18.0515 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/09/17 16:34:19.0750 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/09/17 16:34:20.0156 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/09/17 16:34:20.0812 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/09/17 16:34:21.0140 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/09/17 16:34:21.0484 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/09/17 16:34:21.0828 brfilt (4ba311473e0d8557827e6f2fe33a8095) C:\WINDOWS\system32\Drivers\Brfilt.sys
2010/09/17 16:34:22.0171 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
2010/09/17 16:34:22.0531 BrSerWDM (791ef93168dcf057715493d607e37983) C:\WINDOWS\system32\Drivers\BrSerWdm.sys
2010/09/17 16:34:23.0031 BrUsbMdm (37e2d0b12ddf536cd64af6eb3b580ef8) C:\WINDOWS\system32\Drivers\BrUsbMdm.sys
2010/09/17 16:34:23.0343 BrUsbScn (1c5f014048e5b2748c1a8ad297c50b6f) C:\WINDOWS\system32\Drivers\BrUsbScn.sys
2010/09/17 16:34:23.0859 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/09/17 16:34:24.0203 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/09/17 16:34:24.0843 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/09/17 16:34:25.0203 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/09/17 16:34:25.0656 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/09/17 16:34:27.0562 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/09/17 16:34:28.0234 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/09/17 16:34:28.0968 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/09/17 16:34:29.0359 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/09/17 16:34:29.0796 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/09/17 16:34:30.0468 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/09/17 16:34:30.0875 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/09/17 16:34:31.0265 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/09/17 16:34:31.0687 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/09/17 16:34:32.0046 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/09/17 16:34:32.0515 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/09/17 16:34:32.0921 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/09/17 16:34:33.0281 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/09/17 16:34:33.0656 gagp30kx (3a74c423cf6bcca6982715878f450a3b) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
2010/09/17 16:34:34.0015 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/09/17 16:34:34.0390 HdAudAddService (160b24fd894e79e71c983ea403a6e6e7) C:\WINDOWS\system32\drivers\HdAudio.sys
2010/09/17 16:34:34.0796 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/09/17 16:34:35.0218 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/09/17 16:34:35.0953 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/09/17 16:34:37.0000 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/09/17 16:34:37.0625 ialm (d4405bd2b6e95efdc8e674ed4032874f) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/09/17 16:34:38.0265 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/09/17 16:34:39.0812 IntcAzAudAddService (a4481d615f09df12dec8e0a079a09ad0) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/09/17 16:34:41.0062 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/09/17 16:34:41.0515 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/09/17 16:34:41.0984 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/09/17 16:34:42.0343 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/09/17 16:34:42.0687 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/09/17 16:34:43.0062 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/09/17 16:34:43.0453 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/09/17 16:34:43.0812 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/09/17 16:34:44.0156 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/09/17 16:34:44.0484 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/17 16:34:44.0843 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/09/17 16:34:45.0281 KLIF (52b115b2be8987038d56b3b2aeb445f5) C:\WINDOWS\system32\DRIVERS\klif.sys
2010/09/17 16:34:45.0750 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/09/17 16:34:46.0171 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/09/17 16:34:46.0890 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys
2010/09/17 16:34:47.0234 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/09/17 16:34:47.0546 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/09/17 16:34:47.0953 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/09/17 16:34:48.0281 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/09/17 16:34:48.0640 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/09/17 16:34:48.0968 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/09/17 16:34:49.0359 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2010/09/17 16:34:50.0125 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/09/17 16:34:50.0718 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/09/17 16:34:51.0359 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/09/17 16:34:51.0687 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/09/17 16:34:52.0015 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/09/17 16:34:52.0421 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/09/17 16:34:52.0750 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/09/17 16:34:53.0187 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/09/17 16:34:53.0546 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/09/17 16:34:54.0046 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/09/17 16:34:54.0484 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/09/17 16:34:54.0953 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/09/17 16:34:55.0343 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/09/17 16:34:55.0687 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/09/17 16:35:31.0421 ================================================================================
2010/09/17 16:35:31.0421 Scan finished
2010/09/17 16:35:31.0421 ================================================================================



BitDefender Log:


QuickScan Beta 32-bit v0.9.9.38
-------------------------------
Scan date: Fri Sep 17 16:37:21 2010
Machine ID: 49835B0



No infection found.
-------------------



Processes
---------
Agere SoftModem Messaging Applet 4056 C:\WINDOWS\AGRSMMSG.exe
ALCWZRD 2044 C:\WINDOWS\ALCWZRD.EXE
brother Industries Ltd brss01a.exe 1772 C:\WINDOWS\system32\brss01a.exe
hpsysdrv 3732 C:\WINDOWS\system\hpsysdrv.exe
Intel® Common User Interface 4008 C:\WINDOWS\system32\hkcmd.exe
Java™ Platform SE 6 U21 580 C:\Program Files\Java\jre6\bin\jqs.exe
Java™ Platform SE Auto Updater 2 0 1448 C:\Program Files\Common Files\Java\Java Update\jusched.exe
Microsoft IntelliPoint 1080 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
Microsoft IntelliType Pro 368 C:\Program Files\Microsoft IntelliType Pro\itype.exe
Microsoft Malware Protection 1028 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
Microsoft Security Essentials 1864 C:\Program Files\Microsoft Security Essentials\msseces.exe
Microsoft SQL Server 936 C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
Microsoft SQL Server 1172 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
Microsoft SQL Server 656 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
Microsoft® Visual Studio .NET 624 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
Microsoft® Windows® Operating System 2868 C:\Program Files\Windows Media Player\wmpnetwk.exe
Microsoft® Windows® Operating System 2592 C:\WINDOWS\explorer.exe
Microsoft® Windows® Operating System 2404 C:\WINDOWS\system32\alg.exe
Microsoft® Windows® Operating System 700 C:\WINDOWS\system32\csrss.exe
Microsoft® Windows® Operating System 1048 C:\WINDOWS\system32\ctfmon.exe
Microsoft® Windows® Operating System 784 C:\WINDOWS\system32\lsass.exe
Microsoft® Windows® Operating System 772 C:\WINDOWS\system32\services.exe
Microsoft® Windows® Operating System 472 C:\WINDOWS\system32\smss.exe
Microsoft® Windows® Operating System 1784 C:\WINDOWS\system32\spoolsv.exe
Microsoft® Windows® Operating System 928 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 2032 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 992 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 1108 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 1212 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 1300 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 1412 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 568 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 728 C:\WINDOWS\system32\winlogon.exe
Microsoft® Windows® Operating System 2460 C:\WINDOWS\system32\wscntfy.exe
Microsoft® Windows® Operating System 2176 C:\WINDOWS\system32\wuauclt.exe
QuickBooks Automatic Update 348 C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
Realtek HD Sound Manager 376 C:\WINDOWS\SOUNDMAN.EXE
Software Manager 2000 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
Windows® Internet Explorer 3464 C:\Program Files\Internet Explorer\iexplore.exe
Windows® Internet Explorer 2180 C:\Program Files\Internet Explorer\iexplore.exe


Network activity
----------------
Process iexplore.exe (3464) connected on port 80 (HTTP) --> 96.16.44.20
Process iexplore.exe (3464) connected on port 80 (HTTP) --> 173.194.32.100
Process iexplore.exe (3464) connected on port 80 (HTTP) --> 96.7.205.115
Process iexplore.exe (3464) connected on port 80 (HTTP) --> 173.194.32.100
Process iexplore.exe (3464) connected on port 80 (HTTP) --> 64.39.179.56

Process sqlservr.exe (656) listens on ports: 1191
Process svchost.exe (992) listens on ports: 135 (RPC)
Process svchost.exe (1300) listens on ports: 2869 (SSDP event notification, UPNP)


Autoruns and critical files
---------------------------
Agere SoftModem Messaging Applet C:\WINDOWS\AGRSMMSG.exe
ALCWZRD C:\WINDOWS\ALCWZRD.EXE
FINDFAST.EXE C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
hpsysdrv C:\WINDOWS\system\hpsysdrv.exe
Intel® Common User Interface C:\WINDOWS\system32\hkcmd.exe
Intel® Common User Interface C:\WINDOWS\system32\igfxsrvc.dll
Java™ Platform SE Auto Updater 2 0 C:\Program Files\Common Files\Java\Java Update\jusched.exe
LightScribe c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
Microsoft IntelliPoint C:\Program Files\Microsoft IntelliPoint\ipoint.exe
Microsoft IntelliType Pro C:\Program Files\Microsoft IntelliType Pro\itype.exe
Microsoft Malware Protection c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
Microsoft Security Essentials C:\Program Files\Microsoft Security Essentials\msseces.exe
Microsoft® Windows® Operating System C:\Program Files\Windows Media Player\WMPNSCFG.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\dimsntfy.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\HDAudPropShortcut.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll
QuickBooks Automatic Update C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
Realtek HD Sound Manager C:\WINDOWS\SOUNDMAN.EXE
Recguard Application C:\WINDOWS\SMINST\RECGUARD.EXE
Software Manager C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
Tracker Application C:\Program Files\MySoftware\MyInvoices\tracker.exe
Windows Defender c:\program files\windows defender\mpshhook.dll
Windows Defender C:\Program Files\Windows Defender\MSASCui.exe
Windows Genuine Advantage C:\WINDOWS\system32\WgaLogon.dll
Windows® Internet Explorer C:\WINDOWS\system32\msfeedssync.exe
Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll


Browser plugins
---------------
AcroIEHelperShim Library C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
AxLoader Module C:\WINDOWS\Downloaded Program Files\axloader.dll
BitDefender QuickScan C:\WINDOWS\Downloaded Program Files\qsax.dll
Facebook Photo Uploader 4 C:\WINDOWS\Downloaded Program Files\ImageUploader4.1.ocx
Facebook Photo Uploader 5 C:\WINDOWS\Downloaded Program Files\PhotoUploader55.ocx
getPlus+® C:\WINDOWS\Downloaded Program Files\gp.ocx
getPlusPlus for Adobe 16291 C:\Program Files\NOS\bin\np_gp.dll
IEAWSDC.DLL C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.dll
InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.exe
iPIXX ActiveX Control Module C:\WINDOWS\Downloaded Program Files\ipixx.ocx
Java™ Platform SE 6 U21 C:\Program Files\Java\jre6\bin\jp2ssv.dll
Java™ Platform SE 6 U21 C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
Java™ Platform SE 6 U21 C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
Messenger C:\Program Files\Messenger\msmsgs.exe
Microsoft® Windows Live Login Helper C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
MSN Photo Upload Control C:\WINDOWS\Downloaded Program Files\CONFLICT.1\PURen-ca.dll
MSN Photo Upload Control C:\WINDOWS\Downloaded Program Files\CONFLICT.1\PURen-us.dll
MSN Photo Upload Control C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
MSN Photo Upload Control C:\WINDOWS\Downloaded Program Files\PURen-ca.dll
MSN Photo Upload Control C:\WINDOWS\Downloaded Program Files\PURen-us.dll
MSN® Games by Zone.com C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
Silverlight Plug-In c:\Program Files\Microsoft Silverlight\4.0.50826.0\npctrl.dll
Software Manager C:\WINDOWS\Downloaded Program Files\isusweb.dll
Symantec Shared Components C:\WINDOWS\Downloaded Program Files\symdlmgr.dll
Windows Live Photo Upload Control C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MsnPUpld.dll
Windows Presentation Foundation c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll


Missing files
-------------
File not found: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\catchme.sys
--> HKLM\System\ControlSet001\services\catchme\"ImagePath"

File not found: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\mbr.sys
--> HKLM\System\ControlSet001\services\mbr\"ImagePath"

File not found: C:\WINDOWS\System32\appmgmts.dll
--> HKLM\System\ControlSet001\services\AppMgmt\Parameters\"ServiceDll"


Scan
----

The following file(s) must be uploaded for server-side scanning:
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

Upload started - 1 file(s)
FINDFAST.EXE (111376)
Upload speed - 18 KB/s
Upload finished - 1 uploaded, 0 failed

The uploaded file(s) were found clean.

Scan finished - communication took 7 sec
Total traffic - 0.13 MB sent, 0.69 KB recvd
Scanned 749 files and modules - 160 seconds

==============================================================================
#4
RKinner
    Malware Expert
  • Expert
  • 23,709 posts
  • MVP
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

DirLook::
C:\Program Files\Common
%user%\library

File::
C:\WINDOWS\Downloaded Program Files\symdlmgr.dll

Driver::
tfmjsku
catchme
mbr
AppMgmt
CLTNetCnService
RoxLiveShare9



******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, SAVE AS, (to your Desktop), CFScript, OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to george and let it start as before.

Post the new log.


Start, Run, eventvwr.msc, OK to bring up the Event Viewer. (In Vista, next select Windows Logs) Right click on System and Clear Log, No (we don't want to save the old log), OK. Repeat for Application. Reboot.

Start, Run, sigverif, OK

Press Start. This will check your drivers. If you just get a few when it finishes tell me what they are. If you get a lot just look for those with newish dates (since about the time the problem started.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Double-click VEW.exe
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

Ron
#5
tetley
    Member
  • Topic Starter
  • Member
  • 25 posts
Once again, thank you for the help. Unsure if this is important or not, but before I ran the latest software programs as per your last instructions, I had finally got Windows Update to work and had installed some fixes, patches and updates from it. I just wanted you to be aware of that. Anyway, here are the logs as requested.

The "George" Log:

ComboFix 10-09-16.07 - Compaq_Owner 09/17/2010 19:18:24.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.282 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\George.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\Downloaded Program Files\symdlmgr.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\symdlmgr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CATCHME
-------\Service_catchme
-------\Service_tfmjsku


((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))
.

2010-09-17 22:24 . 2010-09-17 22:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-17 22:23 . 2010-09-17 22:23 -------- d-----w- c:\windows\system32\winrm
2010-09-17 22:23 . 2010-09-17 22:23 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-09-17 22:22 . 2010-09-17 22:22 -------- d-----w- c:\program files\LSI SoftModem
2010-09-17 22:22 . 2010-09-17 22:22 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Windows Desktop Search
2010-09-17 22:21 . 2010-09-17 22:21 -------- d-----w- c:\program files\Windows Desktop Search
2010-09-17 22:21 . 2010-09-17 22:21 -------- d-----w- c:\windows\system32\GroupPolicy
2010-09-17 22:19 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2010-09-17 22:19 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2010-09-17 22:19 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2010-09-17 21:52 . 2010-09-17 23:17 -------- d-----w- c:\windows\system32\CatRoot2
2010-09-17 20:37 . 2010-09-17 20:37 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\QuickScan
2010-09-17 16:23 . 2010-09-17 16:23 -------- d-----w- C:\_OTL
2010-09-16 01:15 . 2010-09-16 01:15 -------- d-----w- c:\program files\ERUNT
2010-09-14 22:21 . 2010-09-14 22:21 -------- d-----w- C:\VundoFix Backups
2010-09-14 21:46 . 2010-09-14 21:49 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-09-14 21:38 . 2010-09-14 21:38 -------- d-----w- c:\program files\Windows Defender
2010-09-14 21:36 . 2010-09-14 21:36 -------- d-----w- C:\TDSSKiller_Quarantine
2010-09-13 23:52 . 2010-09-13 23:52 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-09-13 23:50 . 2010-09-13 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-09-13 23:50 . 2010-09-13 23:50 -------- d-----w- c:\program files\NOS
2010-09-13 16:31 . 2010-09-13 16:31 -------- d-----w- c:\program files\CCleaner
2010-09-13 16:30 . 2010-09-13 16:30 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2010-09-13 16:30 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-13 16:30 . 2010-09-13 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-13 16:30 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-13 16:30 . 2010-09-13 16:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-12 20:01 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-09-12 20:01 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-09-12 20:00 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-09-12 20:00 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-09-12 20:00 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-09-12 20:00 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-09-12 19:41 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-09-12 19:41 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2010-08-29 06:16 . 2010-08-29 06:16 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-08-29 06:07 . 2010-09-17 23:48 6438688 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-08-29 06:07 . 2010-09-17 23:46 189216 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-08-29 04:53 . 2010-09-14 13:11 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-08-29 04:53 . 2010-09-14 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-08-29 04:53 . 2010-08-29 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2010-08-29 03:01 . 2010-08-29 03:01 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-17 23:46 . 2010-08-29 06:07 87236 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-09-17 23:46 . 2010-08-29 06:07 18788 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-09-17 22:31 . 2007-08-10 14:45 -------- d-----w- c:\program files\Microsoft.NET
2010-09-14 21:38 . 2006-07-20 02:20 104016 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-14 20:59 . 2005-12-02 02:32 -------- d-----w- c:\program files\Brother
2010-09-14 20:50 . 2006-03-14 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-09-14 20:50 . 2006-10-19 14:50 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\ScanSoft
2010-09-14 20:47 . 2005-02-16 18:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-14 17:06 . 2008-04-07 13:27 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-09-14 17:06 . 2008-04-07 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-09-14 16:58 . 2008-12-24 02:11 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-09-14 16:53 . 2008-04-07 13:17 -------- d-----w- c:\program files\Research In Motion
2010-09-14 16:51 . 2008-04-08 05:03 256 ----a-w- c:\windows\system32\pool.bin
2010-09-14 13:18 . 2005-02-16 19:02 -------- d-----w- c:\program files\InterVideo
2010-09-14 13:18 . 2005-12-02 02:37 -------- d-----w- c:\program files\Kodak
2010-09-14 13:14 . 2005-02-16 18:31 -------- d-----w- c:\program files\QuickTime
2010-09-14 13:13 . 2005-02-16 18:25 -------- d-----w- c:\program files\Common Files\Real
2010-09-14 01:42 . 2008-02-23 13:40 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-14 01:30 . 2005-12-02 03:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-13 22:46 . 2009-07-04 21:15 -------- d-----w- c:\program files\RealArcade
2010-09-13 22:44 . 2005-02-16 18:26 -------- d-----w- c:\program files\WildTangent
2010-09-13 22:44 . 2005-02-16 18:52 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-13 22:41 . 2007-08-03 02:32 -------- d-----w- c:\program files\Google
2010-09-07 01:43 . 2010-09-07 01:42 8892928 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2010-09-03 04:23 . 2008-07-12 03:48 2963 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys
2010-08-29 02:32 . 2005-02-16 18:10 -------- d-----w- c:\program files\Common Files\Java
2010-08-29 02:31 . 2005-02-16 18:10 -------- d-----w- c:\program files\Java
2010-08-29 02:24 . 2010-08-29 02:24 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\hngmfc.dat
2010-08-17 13:17 . 2004-08-04 18:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-08 16:54 . 2010-08-08 16:54 503808 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-417e3474-n\msvcp71.dll
2010-08-08 16:54 . 2010-08-08 16:54 499712 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-417e3474-n\jmc.dll
2010-08-08 16:54 . 2010-08-08 16:54 348160 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-417e3474-n\msvcr71.dll
2010-08-08 16:54 . 2010-08-08 16:54 61440 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5fc07cf6-n\decora-sse.dll
2010-08-08 16:54 . 2010-08-08 16:54 12800 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5fc07cf6-n\decora-d3d.dll
2010-07-22 15:49 . 2004-08-04 18:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-17 01:25 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 09:00 . 2010-04-25 11:15 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 12:31 . 2004-08-04 18:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 18:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 18:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2005-02-16 09:17 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2005-06-21 03:57 . 2005-11-30 18:48 22 --sha-w- c:\windows\SMINST\HPCD.SYS
2007-08-10 15:10 . 2007-08-10 15:10 88 --sh--r- c:\windows\system32\1AB2CAB6C7.sys
2007-08-10 15:10 . 2007-08-10 15:10 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----


---- Directory of c:\program files\Common ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-18 61952]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"Tracker"="c:\program files\MySoftware\MyInvoices\tracker.exe" [2001-12-04 94208]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"SoundMan"="SOUNDMAN.EXE" [2004-10-14 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-14 2742272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-10-2 968024]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/1/2005 10:33 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/1/2005 10:32 PM 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [12/1/2005 10:33 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [12/1/2005 10:33 PM 10368]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 2:00 PM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-09-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

2010-09-17 c:\windows\Tasks\User_Feed_Synchronization-{01A290DB-7C62-4749-A2C3-6871D5CE7BCB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q105&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q105&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-LSI Soft Modem - c:\windows\agrsmdel



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-17 19:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(928)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\brss01a.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-09-17 19:59:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-17 23:59
ComboFix2.txt 2010-09-17 20:27
ComboFix3.txt 2010-09-16 00:39
ComboFix4.txt 2010-09-15 01:09

Pre-Run: 125,844,234,240 bytes free
Post-Run: 125,711,851,520 bytes free

- - End Of File - - AD456380ABC603E76BCBD8067F383227



Signature Verification Log (I am going to try and attach the log file of this as it's quite extensive)


Event Viewer #1:

Vino's Event Viewer v01c run on Windows XP in English
Report run at 17/09/2010 9:01:37 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 17/09/2010 8:55:35 PM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 17/09/2010 8:42:41 PM
Type: error Category: 0
Event: 10010 Source: DCOM
The server {FFF2D28F-E4EE-44D9-8104-8E71556757F6} did not register with DCOM within the required timeout.

Log: 'System' Date/Time: 17/09/2010 8:06:16 PM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The HID Input Service service terminated with the following error: The specified module could not be found.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 17/09/2010 8:55:33 PM
Type: warning Category: 0
Event: 1003 Source: Dhcp
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0022B0035959. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.



Event Viewer #2:

Vino's Event Viewer v01c run on Windows XP in English
Report run at 17/09/2010 9:02:45 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 17/09/2010 8:55:32 PM
Type: warning Category: 0
Event: 3 Source: SQLBrowser
The configuration of the AdminConnection\TCP protocol in the SQL instance ACT7 is not valid.

Log: 'Application' Date/Time: 17/09/2010 8:06:12 PM
Type: warning Category: 0
Event: 3 Source: SQLBrowser
The configuration of the AdminConnection\TCP protocol in the SQL instance ACT7 is not valid.


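The registry, firewall and service sections of the ComboFix log above can be triaged mechanically rather than read line by line. The Python script below is an added example, not ComboFix's own code and not something posted in this thread: it parses the `[KEY]` / `"name"=value` dump, the firewall `AuthorizedApplications` and `GloballyOpenPorts` lists and the `R*`/`S*` service lines, then reports the items a responder would check first: Security Center monitoring switched off, a file-sharing client sitting in the firewall exceptions, globally opened ports with their state, and services hosted under a custom `svchost` group. The sample input is an excerpt of the log above; the `P2P_MARKERS` list is an illustrative assumption, and the findings are review prompts, not verdicts.

```python
"""Triage helper for ComboFix-style log sections (added example, not
ComboFix's own code). Parses the registry dump, the firewall lists and
the R*/S* service lines and lists items a responder should review."""
import re
from dataclasses import dataclass, field

# Sample input: an excerpt of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 2:00 PM 14336]
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')                        # [HKEY...\Sub]
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')                    # "name"=value
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.*) \[(.*)\]$')  # R2 name;display;image [stamp]
PORT_RE = re.compile(r'^(\d+):(TCP|UDP):([^:]*):(Enabled|Disabled):(.*)$')

# Illustrative list of file-sharing clients (assumption, not exhaustive).
P2P_MARKERS = ('limewire', 'utorrent', 'bittorrent', 'frostwire')


@dataclass
class ComboFixReport:
    values: dict = field(default_factory=dict)    # section -> {name: value}
    services: list = field(default_factory=list)  # (state, name, display, image, stamp)


def parse_combofix(text):
    """Walk the log line by line, remembering the current [section]."""
    rep = ComboFixReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            rep.values.setdefault(section, {})
            continue
        m = SERVICE_RE.match(line)
        if m:
            rep.services.append(m.groups())
            continue
        m = VALUE_RE.match(line)
        if m and section is not None:
            rep.values[section][m.group(1)] = m.group(2).strip()
    return rep


def findings(rep):
    """Return (category, message) pairs worth a second look."""
    out = []
    for section, vals in rep.values.items():
        low = section.lower()
        if 'security center\\monitoring' in low and vals.get('DisableMonitoring') == 'dword:00000001':
            out.append(('security-center', 'monitoring disabled: ' + section.rsplit('\\', 1)[-1]))
        if low.endswith('authorizedapplications\\list'):
            for name in vals:                       # .reg syntax doubles backslashes
                exe = name.replace('\\\\', '\\').rsplit('\\', 1)[-1].lower()
                if any(p in exe for p in P2P_MARKERS):
                    out.append(('firewall', 'P2P client in firewall exceptions: ' + exe))
        if low.endswith('globallyopenports\\list'):
            for val in vals.values():
                pm = PORT_RE.match(val)
                if pm:
                    port, proto, _scope, state, label = pm.groups()
                    out.append(('firewall', f'port {port}/{proto} {state}: {label}'))
    for state, name, _display, image, _stamp in rep.services:
        sm = re.search(r'svchost\.exe -k (\S+)', image, re.IGNORECASE)
        if sm:                                      # service living inside a svchost group
            out.append(('service', f'{name} hosted by svchost group {sm.group(1)} ({state})'))
    return out


if __name__ == '__main__':
    for cat, msg in findings(parse_combofix(SAMPLE_LOG)):
        print(f'[{cat}] {msg}')
```

Run as a script it prints the six findings for the excerpt; on a full log, pass the whole file's text to `parse_combofix` and the rest of the report is ignored, since only section headers, value lines and service lines match.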
#6
RKinner
    Malware Expert
  • Expert
  • 23,709 posts
  • MVP
Start, Run, services.msc, OK then find the Human Interface Devices (HID) service and right click on it and change the Startup Type: to Disabled then OK.

The other System error is something to do with DWUpdateService. I don't see an Extras log so can't tell what is installed that might use it.

Under Applications you have some kind of problem with the configuration of the SQL Server. Not sure why you have this on your PC. If you don't need it then uninstall it.

Otherwise it looks pretty clean now. Are you still seeing signs of a rootkit?

Ron

#7
tetley
    Member
  • Topic Starter
  • Member
  • 25 posts
Good morning Ron. Thank you for all your help. I disabled the HID as suggested. Unsure what the DWUpdate Service is about so left it. And I removed all the SQL Server software (I assume it was there because it looks like he was using Sage ACT at one point...which I do not believe he's using now). If he needs it again, I'll just reinstall it. I had to remove MS Security Essentials because it truly bogs down the system. Any suggestions on a very LIGHT virus protection program? Even if it's one to be paid for, that will not be a problem. Just with this computer being so old and slow...and minimal memory...it moves to a crawl easily.

Hard to know just yet whether any signs of rootkit activity exist. I will scan and monitor more over the next couple of days and then hand it back to the guy who uses it all the time and see if he believes it's improved or not (always hard to know when you work on someone else's system that you don't use to see if there is improvement).

At any rate, I truly want to thank you for all your assistance.

#8
RKinner
    Malware Expert
  • Expert
  • 23,709 posts
  • MVP
I like the free Avast!
http://www.avast.com...avast-home.html
but a lot of the guys like Avira:
http://www.free-av.com/

I think the major problem with your PC is a lack of RAM. I find that XP SP3 is happiest with at least 1 G of RAM. (You've only got 512M) Anything less and it takes forever to boot and browsing is also slow.

We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

I recommend you install the free WinPatrol 18.1 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.5.
http://oldmcdonald.w...orun-eater-v25/
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) and No Script are two others you might want to try.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you install the MVP Hosts file:
http://www.mvps.org/...p2002/hosts.htm
it will keep you from going to most bad sites. You do not need Spybot's Immunize which does the same thing.

If you have a router, log on to it today and change the default password!

Ron

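Ron's hosts-file suggestion works because the resolver consults the hosts file before it asks DNS, so a name listed against 0.0.0.0 (or 127.0.0.1) never reaches the real site. The Python below is an added example, not the thread's or the MVPS project's tooling: it parses the hosts-file layout such lists use (address, then one or more names, `#` comments) and answers lookups the way the resolver does, by exact name only. That is the caveat worth knowing: the hosts file has no wildcards, so a subdomain of a listed name is not covered unless it is listed itself. The hostnames in the sample are constructed placeholders.

```python
"""Which names does a hosts-file blocklist actually stop? Added example,
not the MVPS project's own tooling; sample entries are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in hosts-file layout; the names are placeholders, not real sites.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0 ads.example.invalid        # trailing comment is ignored
0.0.0.0 tracker.example.invalid stats.example.invalid
    0.0.0.0\tmalware.example.invalid
not-an-address bogus.example.invalid
"""

# Addresses blocklists point names at so the connection goes nowhere.
SINKHOLE_ADDRS = {'0.0.0.0', '127.0.0.1', '::1'}


def parse_hosts(text):
    """Return {hostname: address} from hosts-file text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()     # drop comments and padding
        parts = line.split()
        if len(parts) < 2:
            continue                            # blank line or no hostnames
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                            # malformed entry: skip it, do not guess
        for name in names:
            mapping[name.lower().rstrip('.')] = addr
    return mapping


def is_blocked(mapping, hostname):
    """True when this exact name maps to a sinkhole address. No wildcard
    matching: 'sub.ads.example.invalid' is not covered by 'ads.example.invalid'."""
    name = hostname.lower().rstrip('.')
    if name == 'localhost':
        return False                            # loopback entry is not a block
    return mapping.get(name) in SINKHOLE_ADDRS


def url_is_blocked(mapping, url):
    """Apply the same check to the host part of a URL."""
    host = urlsplit(url).hostname
    return bool(host) and is_blocked(mapping, host)


def blocked_names(mapping):
    """Every name the file sinkholes; useful for diffing two versions of a list."""
    return {h for h in mapping if is_blocked(mapping, h)}
```

To check a real installation, read `%windir%\system32\drivers\etc\hosts` into `parse_hosts` and query `is_blocked` with the names you care about; a name the list does not carry verbatim will come back unblocked, which is why a hosts file complements rather than replaces a browser-side blocker.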
#9
tetley
    Member
  • Topic Starter
  • Member
  • 25 posts
Thanks again for all your help and assistance. It was very appreciated. His computer seems clean and is improved. I tried to find extra RAM around from my spare parts for his system but unfortunately did not have anything compatible to add to it. I had told him before his RAM was too low but since his computer is already outdated, I didn't know if I'd recommend adding any more to it. Instead, I suggested he consider purchasing a new system for his business and personal use and consider giving that old computer to his young kids to use.
I added Avast as well as the other programs and changes you recommended. Hopefully he'll be more careful on what he clicks upon.
Thanks again!