Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Win32/Olmarik.AJL Trojan

Started by eddyeddy , Apr 07 2011 10:17 AM

Please log in to reply

#1
eddyeddy

Posted 07 April 2011 - 10:17 AM

New Member

Member
4 posts

Hello,

Seems people are getting awesome help here with this evil trojan!

ESET says its in my system when I boot but scans using ESET, ccleaner, malwarebyte's, and spybot come up clean.

ESET cannot clean or delete the problem either.

Below are my OTL.txt and Extras.txt.

I didn't want to just do what other people have done since solutions seem to be PC-specific.

Thanks a million in advance!!

OTL logfile created on: 4/8/2011 12:07:29 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 165.00 Mb Available Physical Memory | 32.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 2.89 Gb Free Space | 7.76% Space Free | Partition Type: NTFS
Drive F: | 232.83 Gb Total Space | 30.15 Gb Free Space | 12.95% Space Free | Partition Type: FAT32

Computer Name: homepc | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/08 12:05:43 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2011/03/26 10:46:46 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/09/25 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/10/07 09:16:50 | 000,472,280 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2009/10/07 09:15:42 | 001,461,080 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
PRC - [2009/09/23 16:45:50 | 001,287,176 | ---- | M] (Panda Security) -- C:\Program Files\Panda USB Vaccine\USBVaccine.exe
PRC - [2003/05/08 07:34:32 | 000,069,632 | ---- | M] (adi) -- C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
PRC - [2003/05/05 04:57:30 | 000,143,360 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
PRC - [2002/09/20 12:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

========== Modules (SafeList) ==========

MOD - [2011/04/08 12:05:43 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2010/09/25 08:00:00 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2009/10/07 09:21:14 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/10/07 09:16:50 | 000,472,280 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2002/09/20 12:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))

========== Driver Services (SafeList) ==========

DRV - [2010/09/25 08:00:00 | 000,005,632 | ---- | M] (Marvell Semiconductor Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\mvxxmm.sys -- (mvxxmm)
DRV - [2010/09/25 08:00:00 | 000,005,632 | ---- | M] (Marvell Semiconductor Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\mv61xxmm.sys -- (mv61xxmm)
DRV - [2010/07/30 11:36:12 | 000,224,808 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2009/10/07 09:18:34 | 000,055,256 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)
DRV - [2009/10/07 09:18:34 | 000,032,072 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)
DRV - [2009/10/07 09:18:30 | 000,073,760 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)
DRV - [2009/10/07 09:12:22 | 000,054,184 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\easdrv.sys -- (easdrv)
DRV - [2009/10/07 09:11:10 | 000,040,824 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.5
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.1.0.1
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 52020
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/26 10:47:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/26 10:47:00 | 000,000,000 | ---D | M]

[2011/01/06 18:16:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2011/04/08 07:55:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1mede6l2.default\extensions
[2011/04/06 12:35:12 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1mede6l2.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2011/04/03 19:41:54 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1mede6l2.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/04/05 20:58:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2011/04/05 22:26:25 | 000,431,262 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123fporn.info
O1 - Hosts: 14854 more lines...
O2 - BHO: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (adi)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 16895
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.2.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Desktop\zooms.gif
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/01/05 10:30:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/10/25 21:28:48 | 000,000,016 | -H-- | M] () - F:\AUTORUN.INF -- [ FAT32 ]
O33 - MountPoints2\{161f5f94-476a-11e0-9fc7-001185f022db}\Shell - "" = AutoRun
O33 - MountPoints2\{161f5f94-476a-11e0-9fc7-001185f022db}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{161f5f94-476a-11e0-9fc7-001185f022db}\Shell\AutoRun\command - "" = G:\Startme.exe
O33 - MountPoints2\{41a9ceb4-21b3-11e0-9fc1-001185f022db}\Shell - "" = AutoRun
O33 - MountPoints2\{41a9ceb4-21b3-11e0-9fc1-001185f022db}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{41a9ceb4-21b3-11e0-9fc1-001185f022db}\Shell\AutoRun\command - "" = G:\HPLauncher.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/08 12:05:25 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/04/07 19:36:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/07 19:36:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/07 19:36:31 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/07 07:59:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ESET
[2011/04/07 07:59:20 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/04/07 07:47:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Panda Security
[2011/04/07 07:47:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Panda Security
[2011/04/07 07:47:24 | 000,000,000 | ---D | C] -- C:\Program Files\Panda USB Vaccine
[2011/04/06 22:14:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ESET
[2011/04/06 22:13:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\ESET
[2011/04/06 22:10:54 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/04/06 22:10:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2011/04/06 17:00:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\QuickScan
[2011/04/06 07:51:50 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/04/06 07:49:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/04/06 07:49:16 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/04/06 07:45:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/04/06 07:45:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/06 07:45:03 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/05 21:28:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/04/05 21:28:18 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/04/05 21:28:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/04/05 20:56:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2011/04/05 20:42:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/05 20:42:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/04/05 20:01:11 | 000,000,000 | ---D | C] -- C:\Microsoft
[2011/04/04 22:01:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\GoldWave
[2011/04/04 22:01:24 | 000,000,000 | ---D | C] -- C:\Program Files\GoldWave
[2011/04/03 18:21:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\TuneUp Software
[2011/04/03 18:21:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2011/04/03 18:21:05 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
[2011/04/03 17:55:25 | 000,000,000 | ---D | C] -- C:\SWSetup
[2011/04/02 20:14:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\nview
[2011/04/02 20:14:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ReinstallBackups
[2011/04/02 20:13:26 | 000,000,000 | ---D | C] -- C:\NVIDIA
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/08 12:05:43 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/04/08 12:01:01 | 000,000,250 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011/04/08 07:25:34 | 000,000,510 | ---- | M] () -- C:\WINDOWS\tasks\PandaUSBVaccine.job
[2011/04/08 07:25:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/07 20:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2011/04/07 20:00:00 | 000,000,378 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2011/04/07 18:44:32 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
[2011/04/06 21:39:08 | 000,023,785 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\zooms.gif
[2011/04/06 20:24:48 | 000,111,775 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\bdinstall.bin
[2011/04/06 19:21:43 | 000,000,710 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\search_result.xml
[2011/04/06 12:27:07 | 000,026,450 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\cc_20110406_122647.reg
[2011/04/06 07:38:35 | 000,011,478 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\F1E2.CA0
[2011/04/05 23:55:42 | 000,000,245 | -HS- | M] () -- C:\boot.ini
[2011/04/05 22:26:25 | 000,431,262 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/04/05 22:22:11 | 000,431,262 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110405-222625.backup
[2011/04/05 22:16:18 | 000,000,128 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/04/05 20:50:33 | 000,002,184 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/05 20:47:02 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/05 20:33:38 | 000,000,472 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110405-222211.backup
[2011/04/02 17:01:43 | 000,309,424 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/02 17:01:43 | 000,038,926 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/26 11:23:47 | 577,175,402 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Real.Time.with.Bill.Maher.2011.03.25.HDTV.XviD-FQM.[VTV].avi
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/07 18:44:32 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
[2011/04/07 07:47:25 | 000,000,510 | ---- | C] () -- C:\WINDOWS\tasks\PandaUSBVaccine.job
[2011/04/06 21:39:06 | 000,023,785 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\zooms.gif
[2011/04/06 19:21:42 | 000,000,710 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\search_result.xml
[2011/04/06 16:31:36 | 000,111,775 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\bdinstall.bin
[2011/04/06 12:26:50 | 000,026,450 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\cc_20110406_122647.reg
[2011/04/05 22:16:18 | 000,000,128 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/04/05 20:50:42 | 000,011,478 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\F1E2.CA0
[2011/04/05 16:50:03 | 000,000,700 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Downloads.lnk
[2011/04/04 22:01:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2011/04/04 22:01:09 | 000,000,378 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2011/04/02 20:24:42 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/02 20:14:15 | 000,088,691 | ---- | C] () -- C:\WINDOWS\System32\nvapps.xml
[2011/04/02 20:14:12 | 000,017,056 | ---- | C] () -- C:\WINDOWS\System32\nvdisp.nvu
[2011/02/02 18:39:55 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\winscp.rnd
[2011/01/08 13:11:01 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2011/01/06 18:48:17 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/01/06 18:16:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/01/05 10:34:30 | 000,155,720 | ---- | C] () -- C:\WINDOWS\System32\CDR.exe
[2011/01/05 10:34:30 | 000,110,080 | ---- | C] () -- C:\WINDOWS\System32\cdimage.exe
[2011/01/05 10:30:57 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/01/05 10:27:16 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/01/05 10:21:06 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/01/05 10:18:43 | 000,191,384 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/09/25 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2010/09/25 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2010/09/25 08:00:00 | 000,309,424 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2010/09/25 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2010/09/25 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2010/09/25 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2010/09/25 08:00:00 | 000,038,926 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2010/09/25 08:00:00 | 000,031,232 | ---- | C] () -- C:\WINDOWS\System32\cmdow.exe
[2010/09/25 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2010/09/25 08:00:00 | 000,006,144 | ---- | C] () -- C:\WINDOWS\System32\FontReg.exe
[2010/09/25 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2010/09/25 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2010/09/25 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2010/07/08 10:37:14 | 000,101,544 | ---- | C] () -- C:\Program Files\Common Files\LinkInstaller.exe
[2006/10/22 12:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 12:22:00 | 001,622,016 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/10/22 12:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 12:22:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/10/22 12:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 12:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 12:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 12:22:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/10/22 12:22:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/10/22 12:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/22 12:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll

========== LOP Check ==========

[2011/04/06 22:13:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ESET
[2011/01/06 19:08:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Foxit Software
[2011/01/21 21:27:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ImgBurn
[2011/04/06 17:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\QuickScan
[2011/04/03 18:21:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\TuneUp Software
[2011/04/07 18:16:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\uTorrent
[2011/04/06 22:10:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2011/04/07 07:47:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panda Security
[2011/04/05 20:54:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2011/04/03 18:21:05 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
[2011/01/06 18:49:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/04/07 20:00:00 | 000,000,378 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2011/04/07 20:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2011/04/08 07:25:34 | 000,000,510 | ---- | M] () -- C:\WINDOWS\Tasks\PandaUSBVaccine.job
[2011/04/08 12:01:01 | 000,000,250 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

========== Purity Check ==========

< End of report >

XOXOXXOXOXOXOXOXOXOXOXOXOXOXOXXOXOXOXOXOXOXOXOXOXOXOXOXOXXOXOXOXOXOXOXOXOXOXOXOXOXOXOXOXOXOXOXOXXOXOXOXOXOXOXOXO

OTL Extras logfile created on: 4/8/2011 12:07:29 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 165.00 Mb Available Physical Memory | 32.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 2.89 Gb Free Space | 7.76% Space Free | Partition Type: NTFS
Drive F: | 232.83 Gb Total Space | 30.15 Gb Free Space | 12.95% Space Free | Partition Type: FAT32

Computer Name: homepc | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [openNew] -- explorer %1 (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{55A41219-9B22-4098-BAE7-AE289B3C569A}_is1" = Panda USB Vaccine 1.0.1.4
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{76F21300-9ECC-40F2-8314-362FC1D47348}" = ESET Smart Security
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"7-Zip" = 7-Zip 9.20
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CCleaner" = CCleaner
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Foxit Reader" = Foxit Reader
"GoldWave v5.58" = GoldWave v5.58
"ImgBurn" = ImgBurn
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"NVIDIA Drivers" = NVIDIA Drivers
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.1.5
"WinRAR archiver" = WinRAR archiver
"winscp3_is1" = WinSCP 4.2.9

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/7/2011 7:59:27 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2011 7:59:52 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: A connection with the server could not be established

Error - 4/7/2011 7:59:54 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2011 7:59:55 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2011 7:59:55 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2011 7:59:56 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2011 7:59:56 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2011 7:59:57 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2011 8:00:34 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 4/7/2011 8:01:04 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The specified server cannot perform the requested operation.

[ System Events ]
Error - 4/6/2011 8:24:38 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for DeleteFlag with the following
error: %%5

Error - 4/6/2011 8:27:57 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7000
Description = The Trufos service failed to start due to the following error: %%2

Error - 4/6/2011 8:27:57 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 4/6/2011 8:29:13 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 2 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 4/6/2011 8:36:03 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7034
Description = The BitDefender Virus Shield service terminated unexpectedly. It
has done this 1 time(s).

Error - 4/6/2011 8:47:30 PM | Computer Name = homepc | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/6/2011 8:48:24 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 4/6/2011 8:48:24 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 4/6/2011 8:48:24 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 4/6/2011 8:48:24 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

< End of report >

Edited by eddyeddy, 07 April 2011 - 01:44 PM.

#2
RKinner

Posted 09 April 2011 - 11:09 AM

Malware Expert

Expert
24,624 posts

Uninstall:

Ask Toolbar
µTorrent

Copy the text in the code box by highlighting and Ctrl + c


:Services
HidServ

:OTL
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 52020
O2 - BHO: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O32 - AutoRun File - [2010/10/25 21:28:48 | 000,000,016 | -H-- | M] () - F:\AUTORUN.INF -- [ FAT32 ]
O33 - MountPoints2\{161f5f94-476a-11e0-9fc7-001185f022db}\Shell - "" = AutoRun
O33 - MountPoints2\{161f5f94-476a-11e0-9fc7-001185f022db}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{161f5f94-476a-11e0-9fc7-001185f022db}\Shell\AutoRun\command - "" = G:\Startme.exe
O33 - MountPoints2\{41a9ceb4-21b3-11e0-9fc1-001185f022db}\Shell - "" = AutoRun
O33 - MountPoints2\{41a9ceb4-21b3-11e0-9fc1-001185f022db}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{41a9ceb4-21b3-11e0-9fc1-001185f022db}\Shell\AutoRun\command - "" = G:\HPLauncher.exe
[2011/04/08 12:01:01 | 000,000,250 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011/04/06 19:21:42 | 000,000,710 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\search_result.xml
[2011/04/06 16:31:36 | 000,111,775 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\bdinstall.bin
[2011/04/06 12:26:50 | 000,026,450 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\cc_20110406_122647.reg
[2011/04/05 22:16:18 | 000,000,128 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/04/05 20:50:42 | 000,011,478 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\F1E2.CA0
[2011/04/05 16:50:03 | 000,000,700 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Downloads.lnk
[2011/04/04 22:01:10 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2011/04/04 22:01:09 | 000,000,378 | ---- | C] () -- C:\WINDOWS\tasks\At1.job

:Files
C:\WINDOWS\tasks\At*.job
     
:Commands
[RESETHOSTS]
[purity]
[emptytemp]
[Reboot]

then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open OTL again and select either the Use SafeList or All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply.

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.

Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.

* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then double click and Run it.

If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.

Are you still getting Olmarik warnings?

Ron

#3
eddyeddy

Posted 13 April 2011 - 09:29 PM

New Member

Topic Starter
Member
4 posts

Hi Ron,

Thanks for getting back to me and sorry for the late reply but I haven't had time to tinker with this system. Bear with me please, here are all the logs from the various programs... there's lots!

OTL.txt:

OTL logfile created on: 4/13/2011 7:22:05 AM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 678.00 Mb Available Physical Memory | 66.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 4.88 Gb Free Space | 13.09% Space Free | Partition Type: NTFS

Computer Name: homepc | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/08 12:05:43 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/09/25 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/10/07 09:16:50 | 000,472,280 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2009/10/07 09:15:42 | 001,461,080 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
PRC - [2009/09/23 16:45:50 | 001,287,176 | ---- | M] (Panda Security) -- C:\Program Files\Panda USB Vaccine\USBVaccine.exe
PRC - [2003/05/08 07:34:32 | 000,069,632 | ---- | M] (adi) -- C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
PRC - [2003/05/05 04:57:30 | 000,143,360 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
PRC - [2002/09/20 12:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

========== Modules (SafeList) ==========

MOD - [2011/04/08 12:05:43 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2010/09/25 08:00:00 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2009/10/07 09:21:14 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/10/07 09:16:50 | 000,472,280 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2002/09/20 12:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))

========== Driver Services (SafeList) ==========

DRV - [2010/09/25 08:00:00 | 000,005,632 | ---- | M] (Marvell Semiconductor Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\mvxxmm.sys -- (mvxxmm)
DRV - [2010/09/25 08:00:00 | 000,005,632 | ---- | M] (Marvell Semiconductor Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\mv61xxmm.sys -- (mv61xxmm)
DRV - [2010/07/30 11:36:12 | 000,224,808 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2009/10/07 09:18:34 | 000,055,256 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)
DRV - [2009/10/07 09:18:34 | 000,032,072 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)
DRV - [2009/10/07 09:18:30 | 000,073,760 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)
DRV - [2009/10/07 09:12:22 | 000,054,184 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\easdrv.sys -- (easdrv)
DRV - [2009/10/07 09:11:10 | 000,040,824 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.facebook.com/home.php"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.6
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.1.0.1
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/10 19:48:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/26 10:47:00 | 000,000,000 | ---D | M]

[2011/01/06 18:16:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2011/04/12 11:16:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1mede6l2.default\extensions
[2011/04/06 12:35:12 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1mede6l2.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2011/04/08 20:34:25 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1mede6l2.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/04/05 20:58:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2011/04/10 17:14:45 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (adi)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 16895
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.2.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Desktop\zooms.gif
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/01/05 10:30:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/12 16:55:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/04/10 17:14:37 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/10 17:14:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\page__pid__1993412_files
[2011/04/10 10:56:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Field Studies (2008)
[2011/04/08 12:05:25 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/04/07 19:36:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/07 19:36:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/07 19:36:31 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/07 07:59:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ESET
[2011/04/07 07:47:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Panda Security
[2011/04/07 07:47:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Panda Security
[2011/04/07 07:47:24 | 000,000,000 | ---D | C] -- C:\Program Files\Panda USB Vaccine
[2011/04/06 22:14:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ESET
[2011/04/06 22:13:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\ESET
[2011/04/06 22:10:54 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/04/06 22:10:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2011/04/06 22:09:51 | 000,108,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mswinsck.ocx
[2011/04/06 17:00:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\QuickScan
[2011/04/06 07:51:50 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/04/06 07:49:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/04/06 07:49:16 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/04/06 07:45:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/04/06 07:45:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/06 07:45:03 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/05 21:28:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/04/05 21:28:18 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/04/05 21:28:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/04/05 20:56:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2011/04/05 20:42:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/05 20:42:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/04/05 20:01:11 | 000,000,000 | ---D | C] -- C:\Microsoft
[2011/04/03 18:21:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\TuneUp Software
[2011/04/03 18:21:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2011/04/03 18:21:05 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
[2011/04/03 17:55:25 | 000,000,000 | ---D | C] -- C:\SWSetup
[2011/04/02 20:14:12 | 000,208,896 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvudisp.exe
[2011/04/02 20:14:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\nview
[2011/04/02 20:14:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ReinstallBackups
[2011/04/02 20:13:51 | 000,208,896 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\NVUNINST.EXE
[2011/04/02 20:13:26 | 000,000,000 | ---D | C] -- C:\NVIDIA

========== Files - Modified Within 30 Days ==========

[2011/04/12 21:36:52 | 000,000,510 | ---- | M] () -- C:\WINDOWS\tasks\PandaUSBVaccine.job
[2011/04/12 21:36:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/12 16:45:47 | 000,002,184 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/10 17:14:45 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/04/10 17:14:33 | 000,140,694 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\page__pid__1993412.htm
[2011/04/08 12:26:52 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2011/04/08 12:05:43 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/04/07 18:44:32 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
[2011/04/06 22:09:51 | 000,108,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mswinsck.ocx
[2011/04/06 21:42:43 | 000,052,619 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\portrait_serge_gainsbourg_067.jpg
[2011/04/06 21:40:57 | 000,009,892 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\portrait_serge_gainsbourg_139.jpg
[2011/04/06 21:39:46 | 000,015,224 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gainsbourg-petit.jpg
[2011/04/06 21:39:08 | 000,023,785 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\zooms.gif
[2011/04/05 23:55:42 | 000,000,245 | -HS- | M] () -- C:\boot.ini
[2011/04/05 22:22:11 | 000,431,262 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110405-222625.backup
[2011/04/05 20:47:02 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/05 20:33:38 | 000,000,472 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110405-222211.backup
[2011/04/02 17:01:43 | 000,309,424 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/02 17:01:43 | 000,038,926 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

========== Files Created - No Company Name ==========

[2011/04/10 17:14:18 | 000,140,694 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\page__pid__1993412.htm
[2011/04/08 12:26:35 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2011/04/07 18:44:32 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
[2011/04/07 07:47:25 | 000,000,510 | ---- | C] () -- C:\WINDOWS\tasks\PandaUSBVaccine.job
[2011/04/02 20:24:42 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/02 20:14:15 | 000,088,691 | ---- | C] () -- C:\WINDOWS\System32\nvapps.xml
[2011/04/02 20:14:12 | 000,017,056 | ---- | C] () -- C:\WINDOWS\System32\nvdisp.nvu
[2011/02/02 18:39:55 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\winscp.rnd
[2011/01/08 13:11:01 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2011/01/06 18:48:17 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/01/06 18:16:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/01/05 10:34:30 | 000,155,720 | ---- | C] () -- C:\WINDOWS\System32\CDR.exe
[2011/01/05 10:34:30 | 000,110,080 | ---- | C] () -- C:\WINDOWS\System32\cdimage.exe
[2011/01/05 10:30:57 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/01/05 10:27:16 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/01/05 10:21:06 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/01/05 10:18:43 | 000,191,384 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/09/25 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2010/09/25 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2010/09/25 08:00:00 | 000,309,424 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2010/09/25 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2010/09/25 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2010/09/25 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2010/09/25 08:00:00 | 000,038,926 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2010/09/25 08:00:00 | 000,031,232 | ---- | C] () -- C:\WINDOWS\System32\cmdow.exe
[2010/09/25 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2010/09/25 08:00:00 | 000,006,144 | ---- | C] () -- C:\WINDOWS\System32\FontReg.exe
[2010/09/25 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2010/09/25 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2010/09/25 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2010/07/08 10:37:14 | 000,101,544 | ---- | C] () -- C:\Program Files\Common Files\LinkInstaller.exe
[2006/10/22 12:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 12:22:00 | 001,622,016 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/10/22 12:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 12:22:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/10/22 12:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 12:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 12:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 12:22:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/10/22 12:22:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/10/22 12:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/22 12:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll

< End of report >

Extras.txt:

OTL Extras logfile created on: 4/8/2011 12:07:29 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 165.00 Mb Available Physical Memory | 32.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 2.89 Gb Free Space | 7.76% Space Free | Partition Type: NTFS
Drive F: | 232.83 Gb Total Space | 30.15 Gb Free Space | 12.95% Space Free | Partition Type: FAT32

Computer Name: homepc | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [openNew] -- explorer %1 (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{55A41219-9B22-4098-BAE7-AE289B3C569A}_is1" = Panda USB Vaccine 1.0.1.4
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{76F21300-9ECC-40F2-8314-362FC1D47348}" = ESET Smart Security
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"7-Zip" = 7-Zip 9.20
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CCleaner" = CCleaner
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Foxit Reader" = Foxit Reader
"ImgBurn" = ImgBurn
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"NVIDIA Drivers" = NVIDIA Drivers
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.1.5
"WinRAR archiver" = WinRAR archiver
"winscp3_is1" = WinSCP 4.2.9

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/7/2011 7:59:27 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2011 7:59:52 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: A connection with the server could not be established

Error - 4/7/2011 7:59:54 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2011 7:59:55 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2011 7:59:55 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2011 7:59:56 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2011 7:59:56 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2011 7:59:57 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 4/7/2011 8:00:34 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 4/7/2011 8:01:04 AM | Computer Name = homepc | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The specified server cannot perform the requested operation.

[ System Events ]
Error - 4/6/2011 8:24:38 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for DeleteFlag with the following
error: %%5

Error - 4/6/2011 8:27:57 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7000
Description = The Trufos service failed to start due to the following error: %%2

Error - 4/6/2011 8:27:57 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 4/6/2011 8:29:13 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 2 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 4/6/2011 8:36:03 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7034
Description = The BitDefender Virus Shield service terminated unexpectedly. It
has done this 1 time(s).

Error - 4/6/2011 8:47:30 PM | Computer Name = homepc | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/6/2011 8:48:24 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 4/6/2011 8:48:24 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 4/6/2011 8:48:24 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 4/6/2011 8:48:24 PM | Computer Name = homepc | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

< End of report >

nbam-log.txt

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6291

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/12/2011 10:25:28 PM
mbam-log-2011-04-12 (22-25-28).txt

Scan type: Full scan (C:\|)
Objects scanned: 151424
Time elapsed: 47 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix.txt:

ComboFix 11-04-13.03 - Administrator 04/14/2011 23:04:59.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.680 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\george.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Microsoft
.
.
((((((((((((((((((((((((( Files Created from 2011-03-15 to 2011-04-15 )))))))))))))))))))))))))))))))
.
.
2011-04-15 02:23 . 2011-04-15 02:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-04-10 21:14 . 2011-04-10 21:14 -------- d-----w- C:\_OTL
2011-04-07 23:36 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 23:36 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 11:47 . 2011-04-07 11:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2011-04-07 11:47 . 2011-04-07 11:47 -------- d-----w- c:\program files\Panda USB Vaccine
2011-04-07 02:14 . 2011-04-07 02:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ESET
2011-04-07 02:13 . 2011-04-07 02:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\ESET
2011-04-07 02:10 . 2011-04-07 02:10 -------- d-----w- c:\program files\ESET
2011-04-07 02:10 . 2011-04-07 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2011-04-07 02:09 . 2011-04-07 02:09 108336 ----a-w- c:\windows\system32\mswinsck.ocx
2011-04-06 21:18 . 2011-04-06 21:18 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-06 21:00 . 2011-04-06 21:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
2011-04-06 11:49 . 2011-04-06 11:49 -------- d-----w- c:\program files\CCleaner
2011-04-06 11:45 . 2011-04-06 11:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-06 11:45 . 2011-04-06 11:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-06 11:45 . 2011-04-07 23:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-06 01:28 . 2011-04-06 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-06 01:28 . 2011-04-06 01:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-05 02:01 . 2011-04-05 02:01 -------- d-----w- c:\program files\GoldWave
2011-04-03 22:21 . 2011-04-03 22:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\TuneUp Software
2011-04-03 22:21 . 2011-04-06 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2011-04-03 22:21 . 2011-04-03 22:21 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
2011-04-03 21:55 . 2011-04-03 21:58 -------- d-----w- C:\SWSetup
2011-04-03 00:14 . 2011-04-03 00:17 -------- d-----w- c:\windows\nview
2011-04-03 00:14 . 2006-10-22 16:22 208896 ----a-w- c:\windows\system32\nvudisp.exe
2011-04-03 00:13 . 2006-10-22 19:06 208896 ----a-w- c:\windows\system32\NVUNINST.EXE
2011-04-03 00:13 . 2003-11-10 22:14 729088 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
2011-04-03 00:13 . 2003-11-10 22:13 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
2011-04-03 00:13 . 2003-11-10 22:12 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
2011-04-03 00:13 . 2003-11-10 22:12 192512 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
2011-04-03 00:13 . 2003-11-10 22:11 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
2011-04-03 00:13 . 2003-11-10 22:10 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2011-04-03 00:13 . 2011-04-03 00:13 311428 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2011-04-03 00:13 . 2011-04-03 00:13 188548 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
2011-04-03 00:13 . 2011-04-03 00:13 -------- d-----w- C:\NVIDIA
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 14:37 . 2010-07-08 14:37 101544 ----a-w- c:\program files\Common Files\LinkInstaller.exe
.
.
------- Sigcheck -------
.
[-] 2010-09-25 . EA22DA5C7AE7192A12E37A7C546220C6 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
.
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-10-07 1461080]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2010-09-25 128512]
"RunNarrator"="Narrator.exe" [2010-09-25 53760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe"
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [9/25/2010 8:00 AM 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [9/25/2010 8:00 AM 5632]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/7/2009 9:16 AM 472280]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-15 c:\windows\Tasks\PandaUSBVaccine.job
- c:\program files\Panda USB Vaccine\RunInteractiveWin.exe [2011-04-07 20:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1mede6l2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-BDAgent - c:\program files\BitDefender\BitDefender 2011\bdagent.exe
MSConfigStartUp-BitDefender Antiphishing Helper - c:\program files\BitDefender\BitDefender 2011\ieshow.exe
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-14 23:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1715567821-839522115-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a2,2f,4c,4c,73,46,3b,40,99,f5,6c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a2,2f,4c,4c,73,46,3b,40,99,f5,6c,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3140)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\msi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-14 23:09:39
ComboFix-quarantined-files.txt 2011-04-15 03:09
.
Pre-Run: 5,140,279,296 bytes free
Post-Run: 5,103,448,064 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - DE2B2C5549BE72D4DD2074AAA4018ADB

TDSSKiller.txt

2011/04/14 23:15:22.0296 2232 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/14 23:15:23.0109 2232 ================================================================================
2011/04/14 23:15:23.0109 2232 SystemInfo:
2011/04/14 23:15:23.0109 2232
2011/04/14 23:15:23.0109 2232 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/14 23:15:23.0109 2232 Product type: Workstation
2011/04/14 23:15:23.0109 2232 ComputerName: homepc
2011/04/14 23:15:23.0109 2232 UserName: Administrator
2011/04/14 23:15:23.0109 2232 Windows directory: C:\WINDOWS
2011/04/14 23:15:23.0109 2232 System windows directory: C:\WINDOWS
2011/04/14 23:15:23.0109 2232 Processor architecture: Intel x86
2011/04/14 23:15:23.0109 2232 Number of processors: 1
2011/04/14 23:15:23.0109 2232 Page size: 0x1000
2011/04/14 23:15:23.0109 2232 Boot type: Normal boot
2011/04/14 23:15:23.0109 2232 ================================================================================
2011/04/14 23:15:23.0375 2232 Initialize success
2011/04/14 23:15:27.0796 0236 ================================================================================
2011/04/14 23:15:27.0796 0236 Scan started
2011/04/14 23:15:27.0796 0236 Mode: Manual;
2011/04/14 23:15:27.0796 0236 ================================================================================
2011/04/14 23:15:31.0046 0236 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/14 23:15:31.0796 0236 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/14 23:15:33.0328 0236 aeaudio (e696e749bedcda8b23757b8b5ea93780) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/04/14 23:15:34.0109 0236 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/14 23:15:34.0921 0236 AFD (38d7b715504da4741df35e3594fe2099) C:\WINDOWS\System32\drivers\afd.sys
2011/04/14 23:15:35.0687 0236 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/04/14 23:15:42.0375 0236 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/14 23:15:43.0140 0236 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/14 23:15:44.0718 0236 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/14 23:15:45.0484 0236 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/14 23:15:46.0218 0236 b57w2k (bf9c01a3040d75bfb95beffa216173df) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/04/14 23:15:46.0953 0236 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/14 23:15:47.0812 0236 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/14 23:15:49.0328 0236 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/14 23:15:50.0109 0236 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/14 23:15:50.0859 0236 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/14 23:15:55.0296 0236 Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/14 23:15:56.0046 0236 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/14 23:15:56.0828 0236 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/14 23:15:57.0562 0236 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/14 23:15:58.0312 0236 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/14 23:15:59.0796 0236 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/14 23:16:00.0562 0236 eamon (a777d095402b31b0aafe7f19c89fb3a1) C:\WINDOWS\system32\DRIVERS\eamon.sys
2011/04/14 23:16:01.0359 0236 easdrv (e6dffb60bdbd91749eab4d45bc8926a9) C:\WINDOWS\system32\DRIVERS\easdrv.sys
2011/04/14 23:16:02.0437 0236 epfw (a0da5645ead0656dcd589f7819dd8082) C:\WINDOWS\system32\DRIVERS\epfw.sys
2011/04/14 23:16:04.0953 0236 Epfwndis (9bfd0c86e3522d1522ec77f862de555c) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
2011/04/14 23:16:06.0343 0236 epfwtdi (0bded81831115973f7ddd7b532e4ced2) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
2011/04/14 23:16:07.0234 0236 exFat (4d893323dae445e34a4c9038b0551bc9) C:\WINDOWS\system32\drivers\exFat.sys
2011/04/14 23:16:08.0203 0236 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/14 23:16:09.0062 0236 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/04/14 23:16:09.0968 0236 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/14 23:16:10.0828 0236 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/04/14 23:16:11.0812 0236 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/04/14 23:16:12.0843 0236 Fs_Rec (30d42943a54704ef13e2562911dbfcea) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/14 23:16:13.0906 0236 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/14 23:16:14.0968 0236 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/04/14 23:16:15.0937 0236 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/14 23:16:16.0812 0236 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/14 23:16:18.0671 0236 HTTP (937031c085718c1c04a9c0864625ec6b) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/14 23:16:21.0546 0236 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/14 23:16:22.0484 0236 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/14 23:16:25.0125 0236 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/14 23:16:26.0062 0236 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/04/14 23:16:26.0968 0236 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/14 23:16:27.0875 0236 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/14 23:16:28.0796 0236 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/14 23:16:29.0671 0236 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/14 23:16:30.0546 0236 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/14 23:16:31.0531 0236 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/14 23:16:32.0390 0236 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/14 23:16:33.0265 0236 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/14 23:16:34.0125 0236 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/14 23:16:36.0125 0236 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/14 23:16:37.0187 0236 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/14 23:16:38.0015 0236 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/14 23:16:38.0890 0236 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/14 23:16:39.0718 0236 MountMgr (1a1faa5102466f418494e94ff9b0b091) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/14 23:16:41.0343 0236 MRxDAV (4fefd389d71126ee581b9f9cb2918be4) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/14 23:16:42.0234 0236 MRxSmb (0af15a971f120246c9eef2c46e290539) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/14 23:16:43.0093 0236 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/14 23:16:43.0937 0236 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/14 23:16:44.0765 0236 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/14 23:16:45.0562 0236 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/14 23:16:46.0921 0236 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/14 23:16:50.0140 0236 Mup (6546fe6639499fa4bef180bdf08266a1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/14 23:16:52.0984 0236 mv61xxmm (354a04bf1603cb4b07346c470ea52e73) C:\WINDOWS\system32\drivers\mv61xxmm.sys
2011/04/14 23:16:54.0046 0236 mvxxmm (cfef13ba3dc5c6001d2066d3a596cd1b) C:\WINDOWS\system32\drivers\mvxxmm.sys
2011/04/14 23:16:54.0906 0236 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/14 23:16:55.0734 0236 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/14 23:16:56.0812 0236 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/14 23:16:57.0578 0236 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/14 23:16:58.0359 0236 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/14 23:16:59.0093 0236 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/14 23:16:59.0812 0236 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/14 23:17:00.0578 0236 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/14 23:17:01.0343 0236 Ntfs (4c51d5275ae8a16999edfe7e647d00de) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/14 23:17:02.0140 0236 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/14 23:17:02.0968 0236 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/04/14 23:17:03.0875 0236 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/14 23:17:04.0656 0236 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/14 23:17:05.0437 0236 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/04/14 23:17:06.0218 0236 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/14 23:17:06.0968 0236 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/14 23:17:07.0765 0236 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/14 23:17:09.0328 0236 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/14 23:17:10.0078 0236 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/04/14 23:17:15.0390 0236 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/14 23:17:16.0171 0236 PSched (d8e11d311785f89f1d70a28b0e879127) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/14 23:17:16.0968 0236 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/14 23:17:21.0421 0236 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/14 23:17:22.0203 0236 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/14 23:17:22.0984 0236 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/14 23:17:23.0750 0236 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/14 23:17:24.0546 0236 Rdbss (77050c6615f6eb5402f832b27fd695e0) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/14 23:17:25.0328 0236 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/14 23:17:26.0109 0236 rdpdr (47ea20320e3d6fdc7b7bb22b2b881ca6) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/14 23:17:26.0875 0236 RDPWD (e8e3107243b16a549b88d145ec051b06) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/14 23:17:27.0640 0236 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/14 23:17:28.0421 0236 rspndr (743d7d59767073a617b1dcc6c546f234) C:\WINDOWS\system32\DRIVERS\rspndr.sys
2011/04/14 23:17:29.0234 0236 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/14 23:17:30.0125 0236 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/14 23:17:30.0937 0236 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/14 23:17:31.0734 0236 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/14 23:17:33.0281 0236 smwdm (fa3368a7039f5abaa4b933703ac34763) C:\WINDOWS\system32\drivers\smwdm.sys
2011/04/14 23:17:34.0859 0236 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/14 23:17:35.0640 0236 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/14 23:17:36.0453 0236 Srv (422e4508508015c7d12f40bf9763f158) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/14 23:17:37.0265 0236 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/14 23:17:38.0062 0236 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/14 23:17:41.0859 0236 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/14 23:17:42.0656 0236 Tcpip (ea22da5c7ae7192a12e37a7c546220c6) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/14 23:17:43.0437 0236 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/14 23:17:44.0218 0236 TDTCP (c0578456f29e5f26285f81b7b71fe57d) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/14 23:17:44.0968 0236 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/14 23:17:46.0546 0236 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/14 23:17:48.0046 0236 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/14 23:17:48.0828 0236 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/04/14 23:17:49.0562 0236 usbehci (52674b5dbee499342a599c7771abecaa) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/14 23:17:50.0328 0236 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/14 23:17:51.0109 0236 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/14 23:17:51.0921 0236 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/14 23:17:52.0703 0236 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/14 23:17:54.0265 0236 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/14 23:17:55.0031 0236 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/14 23:17:56.0609 0236 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/14 23:17:57.0437 0236 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/14 23:17:58.0218 0236 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/14 23:17:58.0265 0236 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/04/14 23:17:58.0265 0236 ================================================================================
2011/04/14 23:17:58.0265 0236 Scan finished
2011/04/14 23:17:58.0265 0236 ================================================================================
2011/04/14 23:17:58.0281 1732 Detected object count: 1
2011/04/14 23:18:29.0796 1732 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/14 23:18:29.0796 1732 \HardDisk0 - ok
2011/04/14 23:18:29.0796 1732 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/04/14 23:18:45.0906 2128 Deinitialize success

MBRCheck.txt

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 120):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7D2E000 \WINDOWS\system32\KDCOM.DLL
0xF7C3E000 \WINDOWS\system32\BOOTVID.dll
0xF77DF000 ACPI.sys
0xF7D30000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF77CE000 pci.sys
0xF782E000 isapnp.sys
0xF7DF6000 pciide.sys
0xF7AAE000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF77B0000 pcmcia.sys
0xF783E000 MountMgr.sys
0xF7791000 ftdisk.sys
0xF7D32000 dmload.sys
0xF776B000 dmio.sys
0xF7AB6000 PartMgr.sys
0xF784E000 VolSnap.sys
0xF7753000 atapi.sys
0xF7ABE000 mv61xxmm.sys
0xF7AC6000 mvxxmm.sys
0xF785E000 disk.sys
0xF786E000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7733000 fltMgr.sys
0xF7721000 sr.sys
0xF770A000 KSecDD.sys
0xF767D000 Ntfs.sys
0xF7650000 NDIS.sys
0xF7636000 Mup.sys
0xF787E000 agp440.sys
0xF741E000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF740A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7B0E000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF73E6000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7B16000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF73AC000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xF796E000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7B1E000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7B26000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7398000 \SystemRoot\system32\DRIVERS\parport.sys
0xF797E000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7CC6000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7B2E000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF798E000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF799E000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF79AE000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7375000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7B36000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF72E7000 \SystemRoot\system32\drivers\smwdm.sys
0xF72C3000 \SystemRoot\system32\drivers\portcls.sys
0xF79BE000 \SystemRoot\system32\drivers\drmk.sys
0xF72AB000 \SystemRoot\system32\drivers\aeaudio.sys
0xF79CE000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF79DE000 \SystemRoot\system32\DRIVERS\Epfwndis.sys
0xF7F11000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF79EE000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7CCE000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF7294000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF79FE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7A0E000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7B3E000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF7282000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7A1E000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7B46000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7B4E000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7223000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7A2E000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7D40000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF71C5000 \SystemRoot\system32\DRIVERS\update.sys
0xF7CEA000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7A3E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7A4E000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7D46000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7B56000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF7D22000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7F16000 \SystemRoot\System32\Drivers\Null.SYS
0xF7D48000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7A7E000 \SystemRoot\system32\DRIVERS\easdrv.sys
0xF7D2A000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF7A8E000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7B66000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7B6E000 \SystemRoot\System32\drivers\vga.sys
0xF7D4A000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7D4C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7B76000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7B7E000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7612000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF5FA2000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF5F49000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF5F37000 \SystemRoot\system32\DRIVERS\epfwtdi.sys
0xF5F11000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7A9E000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF7606000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF5EE9000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF5EC7000 \SystemRoot\System32\drivers\afd.sys
0xF788E000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF5E9C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF5E2C000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF789E000 \SystemRoot\System32\Drivers\Fips.SYS
0xF78BE000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF5DEC000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7D4E000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF60C1000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7B86000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7E0E000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xF4BF8000 \SystemRoot\system32\DRIVERS\epfw.sys
0xF4C58000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF5DCC000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xF398B000 \SystemRoot\system32\drivers\wdmaud.sys
0xF4B00000 \SystemRoot\system32\drivers\sysaudio.sys
0xF2CD7000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF2CAB000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7DAC000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF2C36000 \SystemRoot\system32\DRIVERS\eamon.sys
0xF2B17000 \SystemRoot\system32\DRIVERS\srv.sys
0xF2996000 \SystemRoot\System32\Drivers\HTTP.sys
0xF2803000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 27):
0 System Idle Process
4 System
768 C:\WINDOWS\system32\smss.exe
864 csrss.exe
888 C:\WINDOWS\system32\winlogon.exe
932 C:\WINDOWS\system32\services.exe
944 C:\WINDOWS\system32\lsass.exe
1108 C:\WINDOWS\system32\svchost.exe
1192 svchost.exe
1312 C:\WINDOWS\system32\svchost.exe
1364 svchost.exe
1636 svchost.exe
1960 C:\WINDOWS\system32\spoolsv.exe
260 C:\WINDOWS\explorer.exe
316 C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
324 C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
332 C:\Program Files\ESET\ESET Smart Security\egui.exe
496 C:\WINDOWS\system32\ctfmon.exe
544 C:\Program Files\Panda USB Vaccine\USBVaccine.exe
632 svchost.exe
112 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
732 C:\Program Files\ESET\ESET Smart Security\ekrn.exe
852 C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
1304 C:\WINDOWS\system32\wuauclt.exe
448 alg.exe
1116 wmiprvse.exe
1652 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: Maxtor6E040L0, Rev: NAR61HA0

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!

Also On the last reboot, ESET did not mention anything about Olmarik! Is the problem solved???

Thanks again,

JR

#4
RKinner

Posted 13 April 2011 - 11:29 PM

Malware Expert

Expert
24,624 posts

TDSSKiller said it found something and would clean it on the next reboot so that was probably what ESET was seeing. Run TDSSKiller again to make sure.

Combofix says we are not done yet. Two problem files. One has a bad checksum and the other is missing. I think the easiest way to fix them is to send you clean copies. I will send them to you via a PM. Download the two files and save them to C:\
then:

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

FCopy::
c:\tcpip.txt | C:\windows\system32\dllcache\tcpip.sys
c:\wscntfy.txt | c:\windows\system32\dllcache\wscntfy.exe
c:\tcpip.txt | C:\windows\system32\drivers\tcpip.sys
c:\wscntfy.txt | c:\windows\system32\wscntfy.exe

******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to george and let go and combofix should start.

Post the new log.

Ron

#5
eddyeddy

Posted 15 April 2011 - 05:53 AM

New Member

Topic Starter
Member
4 posts

Hi Ron,

TDSSKiller came up clean this time.

Here is the new CFScript log:

ComboFix 11-04-14.01 - Administrator 04/15/2011 22:10:10.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.688 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\george.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\tcpip.txt
C:\wscntfy.txt
.
.
--------------- FCopy ---------------
.
c:\tcpip.txt --> c:\windows\system32\dllcache\tcpip.sys
c:\wscntfy.txt --> c:\windows\system32\dllcache\wscntfy.exe
c:\tcpip.txt --> c:\windows\system32\drivers\tcpip.sys
c:\wscntfy.txt --> c:\windows\system32\wscntfy.exe
.
((((((((((((((((((((((((( Files Created from 2011-03-16 to 2011-04-16 )))))))))))))))))))))))))))))))
.
.
2011-04-16 01:44 . 2011-04-16 02:06 13824 ----a-w- c:\windows\system32\wscntfy.exe
2011-04-16 01:44 . 2011-04-16 02:06 13824 ----a-w- c:\windows\system32\dllcache\wscntfy.exe
2011-04-16 01:44 . 2011-04-16 02:06 361600 ----a-w- c:\windows\system32\dllcache\tcpip.sys
2011-04-15 03:20 . 2011-04-15 03:20 -------- d-----w- c:\windows\system32\wbem\snmp
2011-04-15 03:19 . 2011-04-15 03:19 -------- d-----w- c:\windows\system32\xircom
2011-04-15 03:19 . 2011-04-15 03:19 -------- d-----w- c:\windows\srchasst
2011-04-15 03:19 . 2011-04-15 03:19 -------- d-----w- c:\program files\microsoft frontpage
2011-04-15 02:23 . 2011-04-15 02:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-04-10 21:14 . 2011-04-10 21:14 -------- d-----w- C:\_OTL
2011-04-07 23:36 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 23:36 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 11:47 . 2011-04-07 11:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2011-04-07 11:47 . 2011-04-07 11:47 -------- d-----w- c:\program files\Panda USB Vaccine
2011-04-07 02:14 . 2011-04-07 02:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ESET
2011-04-07 02:13 . 2011-04-07 02:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\ESET
2011-04-07 02:10 . 2011-04-07 02:10 -------- d-----w- c:\program files\ESET
2011-04-07 02:10 . 2011-04-07 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2011-04-07 02:09 . 2011-04-07 02:09 108336 ----a-w- c:\windows\system32\mswinsck.ocx
2011-04-06 21:18 . 2011-04-06 21:18 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-06 21:00 . 2011-04-06 21:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
2011-04-06 11:49 . 2011-04-06 11:49 -------- d-----w- c:\program files\CCleaner
2011-04-06 11:45 . 2011-04-06 11:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-06 11:45 . 2011-04-06 11:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-06 11:45 . 2011-04-07 23:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-06 01:28 . 2011-04-06 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-06 01:28 . 2011-04-06 01:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-03 22:21 . 2011-04-03 22:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\TuneUp Software
2011-04-03 22:21 . 2011-04-06 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2011-04-03 22:21 . 2011-04-03 22:21 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
2011-04-03 21:55 . 2011-04-03 21:58 -------- d-----w- C:\SWSetup
2011-04-03 00:14 . 2011-04-03 00:17 -------- d-----w- c:\windows\nview
2011-04-03 00:14 . 2006-10-22 16:22 208896 ----a-w- c:\windows\system32\nvudisp.exe
2011-04-03 00:13 . 2006-10-22 19:06 208896 ----a-w- c:\windows\system32\NVUNINST.EXE
2011-04-03 00:13 . 2003-11-10 22:14 729088 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
2011-04-03 00:13 . 2003-11-10 22:13 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
2011-04-03 00:13 . 2003-11-10 22:12 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
2011-04-03 00:13 . 2003-11-10 22:12 192512 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
2011-04-03 00:13 . 2003-11-10 22:11 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
2011-04-03 00:13 . 2003-11-10 22:10 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2011-04-03 00:13 . 2011-04-03 00:13 311428 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2011-04-03 00:13 . 2011-04-03 00:13 188548 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
2011-04-03 00:13 . 2011-04-03 00:13 -------- d-----w- C:\NVIDIA
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-16 02:06 . 2010-09-25 12:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-07-08 14:37 . 2010-07-08 14:37 101544 ----a-w- c:\program files\Common Files\LinkInstaller.exe
.
.
------- Sigcheck -------
.
[-] 2011-04-16 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2011-04-16 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2011-04-15_03.07.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-15 02:23 . 2011-04-16 02:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2011-04-15 02:23 . 2011-04-15 02:23 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2011-04-15 02:23 . 2011-04-16 02:15 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-04-15 02:23 . 2011-04-15 02:23 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-04-15 02:23 . 2011-04-15 02:23 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2011-04-15 02:23 . 2011-04-16 02:15 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2011-04-15 02:23 . 2011-04-16 02:15 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2011-04-15 02:23 . 2011-04-15 02:23 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-10-07 1461080]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2010-09-25 128512]
"RunNarrator"="Narrator.exe" [2010-09-25 53760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe"
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [9/25/2010 8:00 AM 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [9/25/2010 8:00 AM 5632]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/7/2009 9:16 AM 472280]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-16 c:\windows\Tasks\PandaUSBVaccine.job
- c:\program files\Panda USB Vaccine\RunInteractiveWin.exe [2011-04-07 20:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1mede6l2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-15 22:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1715567821-839522115-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a2,2f,4c,4c,73,46,3b,40,99,f5,6c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a2,2f,4c,4c,73,46,3b,40,99,f5,6c,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3980)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Panda USB Vaccine\USBVaccine.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
.
**************************************************************************
.
Completion time: 2011-04-15 22:18:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-16 02:18
.
Pre-Run: 5,035,954,176 bytes free
Post-Run: 5,030,334,464 bytes free
.
- - End Of File - - 50C02ABCE1D8505FBBC10ED35C7C64DA

Thankgs again.

#6
RKinner

Posted 15 April 2011 - 08:50 AM

Malware Expert

Expert
24,624 posts

Looks like it worked. Combofix is no longer complaining about the wscntfy.exe being missing. It's not so happy with tcpip.sys but the MD5 is a good one so it may just be expected a slightly different version on your PC. Obviously it works OK since you are on line.

I think that was the last of it unless you have some other problems. You should check to see if you can get updates from microsoft.

We need to clean up System Restore. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You do not have the latest Java (Java™ 6 Update 24 or higher). Get the latest at:

http://javadl.sun.co...?BundleId=41723

Save it to your PC then close all browsers and install it.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

I recommend you install the free WinPatrol from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.5.
http://download.cnet...4-10752777.html
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you install the MVP Hosts file:
http://www.mvps.org/...p2002/hosts.htm
it will keep you from going to most bad sites. You do not need Spybot's Immunize which does the same thing.

If you have a router, log on to it today and change the default password!

Ron

#7
eddyeddy

Posted 16 April 2011 - 11:30 AM

New Member

Topic Starter
Member
4 posts

Ron thanks so much for your help!!

I hope I don't have to come back here but I feel like I am really well protected now!

Thank you again, you guys have a wonderful community here! Good to know the internet is still a friendly place!

JR