zaccess rootkit identified by TDSSKiller


This topic is locked

#1 karen.gtg (Member, 33 posts)
I thought I could eradicate the problems with this computer, but after considerable effort, I realize the problems are beyond my ability to resolve. Here's the history:
The first indication I had that something was wrong was warnings from McAfee that threats were detected. However, the programs targeted by McAfee were all legit programs e.g. executables from Intuit, Acronis, LogMeIn, etc. I assumed that a McAfee update was causing a problem with false positives, and also assumed that McAfee would rapidly correct the problem. The threat detection warnings stopped, but a couple days later one of the people who uses the computer started experiencing browser redirects. When I investigated further I discovered that McAfee had actually quarantined itself (McSvHost.exe), so it wasn't protecting squat.
After that discovery I ran MBAM which didn't find any problems.
Next I ran SuperAntispyware. It found and repaired 2 items: Trojan.SmitFraud variant and unclassified.Unknown Origin (c:\windows\system32:cuaa.dll)

I have also run TDSSKiller multiple times. It found a Rootkit.Win32.ZAccess.c infection several of the times it was run:
1st run: it found and cured Rootkit.Win32.ZAccess.c in C:\WINDOWS\system32\DRIVERS\serial.sys
2nd run: it found and cured Rootkit.Win32.ZAccess.c in C:\WINDOWS\system32\DRIVERS\usbhub.sys
3rd run: it didn't find anything
4th run: it found and cured Rootkit.Win32.ZAccess.c in C:\WINDOWS\system32\DRIVERS\update.sys
5th run: it found and cured Rootkit.Win32.ZAccess.c in C:\WINDOWS\system32\drivers\Ntfs.sys
6th run: it found and cured Rootkit.Win32.ZAccess.c in C:\WINDOWS\system32\DRIVERS\ipsec.sys
7th run: it didn't find anything
8th run: it didn't find anything
9th run: it didn't find anything
10th run: it didn't find anything

After learning about OTL, I see that I'm still in doodoo.
I should have sought out you guys way before I reached this point, but I just didn't know how much I didn't know! Now I know!!!
Your help will be immensely appreciated!

OTL logfile created on: 6/3/2011 12:27:43 AM - Run 3
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Don\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.00 Mb Total Physical Memory | 717.20 Mb Available Physical Memory | 70.11% Memory free
1.28 Gb Paging File | 1.08 Gb Available in Paging File | 84.69% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.66 Gb Total Space | 80.62 Gb Free Space | 82.55% Space Free | Partition Type: NTFS
Drive M: | 58.59 Gb Total Space | 25.06 Gb Free Space | 42.77% Space Free | Partition Type: NTFS
Drive N: | 39.06 Gb Total Space | 1.04 Gb Free Space | 2.66% Space Free | Partition Type: NTFS

Computer Name: FRED | User Name: Don | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/02 23:58:37 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Don\Desktop\OTL.exe
PRC - [2011/05/02 15:09:18 | 001,306,216 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/03 16:09:34 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2007/04/12 20:59:48 | 000,198,184 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
PRC - [2006/06/21 00:31:46 | 001,106,386 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2006/06/20 12:02:12 | 001,848,150 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
PRC - [2006/06/20 12:01:38 | 000,126,976 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2005/06/07 00:46:24 | 000,057,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
PRC - [2004/04/13 18:03:10 | 000,299,008 | ---- | M] (Palm, Inc.) -- C:\Program Files\palmOne\HOTSYNC.EXE
PRC - [2003/04/06 02:06:58 | 000,028,672 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PRC - [2003/04/06 01:55:04 | 000,311,296 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2003/04/06 01:45:10 | 000,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
PRC - [2003/04/06 01:37:38 | 000,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe


========== Modules (SafeList) ==========

MOD - [2011/06/02 23:58:37 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Don\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2007/04/12 20:59:56 | 000,116,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprthook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (NVSvc)
SRV - File not found [Auto | Stopped] -- -- (McProxy)
SRV - File not found [Auto | Stopped] -- -- (McNASvc)
SRV - File not found [Auto | Stopped] -- -- (McNaiAnn)
SRV - File not found [Disabled | Stopped] -- -- (mcmscsvc)
SRV - File not found [Auto | Stopped] -- -- (McMPFSvc)
SRV - File not found [Auto | Stopped] -- -- (LMIMaint)
SRV - File not found [Auto | Stopped] -- -- (LMIGuardianSvc)
SRV - File not found [On_Demand | Stopped] -- -- (iPod Service)
SRV - File not found [Auto | Stopped] -- -- (IntuitUpdateService)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (AcrSch2Svc)
SRV - [2011/03/17 16:38:42 | 000,361,712 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2003/03/09 16:31:02 | 000,065,795 | R--- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2011/03/13 11:20:10 | 000,459,728 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/03/13 11:20:10 | 000,337,912 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/03/13 11:20:10 | 000,179,248 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/03/13 11:20:10 | 000,118,784 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/03/13 11:20:10 | 000,089,368 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2011/03/13 11:20:10 | 000,085,984 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/03/13 11:20:10 | 000,083,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2011/03/13 11:20:10 | 000,083,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2011/03/13 11:20:10 | 000,059,288 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/03/13 11:20:10 | 000,057,432 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/12/13 22:12:47 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2010/07/15 08:44:20 | 000,013,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\epmntdrv.sys -- (epmntdrv)
DRV - [2010/07/15 08:44:20 | 000,008,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\EuGdiDrv.sys -- (EuGdiDrv)
DRV - [2010/05/31 11:31:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2010/05/31 11:31:10 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2010/05/10 14:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2007/12/02 12:51:42 | 000,040,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2007/11/22 06:44:04 | 000,033,832 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2007/07/13 09:20:24 | 000,113,952 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2006/06/26 16:25:26 | 000,388,000 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2006/06/26 16:25:26 | 000,032,288 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2006/06/26 16:25:14 | 000,099,776 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2004/10/07 21:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2003/08/29 04:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CE A4 DC 02 CF 1A CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Crawler Search"
FF - prefs.js..browser.search.defaulturl: "http://www.google.co...-8&oe=UTF-8&q="
FF - prefs.js..browser.search.order.1: "Crawler Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..keyword.URL: "http://www.crawler.c...bid=60644&qkw="
FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1"

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/10 10:16:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/23 13:52:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.1.0.0\Extensions\\Components: C:\Program Files\\Netscape\\Netscape Browser\Components [2007/08/08 17:56:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.1.0.0\Extensions\\Plugins: C:\Program Files\\Netscape\\Netscape Browser\Plugins [2011/05/18 11:47:35 | 000,000,000 | ---D | M]

[2011/03/28 17:55:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Don\Application Data\Mozilla\Extensions
[2011/04/11 17:08:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Don\Application Data\Mozilla\Firefox\Profiles\rdo0gw09.default\extensions
[2006/10/06 09:26:02 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Don\Application Data\Mozilla\Firefox\Profiles\rdo0gw09.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/04/10 14:19:12 | 000,002,292 | ---- | M] () -- C:\Documents and Settings\Don\Application Data\Mozilla\Firefox\Profiles\rdo0gw09.default\searchplugins\inbox-search.xml
[2011/03/28 17:54:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2006/10/06 09:11:04 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
File not found (No name found) --
[2010/10/25 13:28:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/05/03 05:52:44 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2011/04/14 14:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml
[2009/09/21 12:24:16 | 000,001,329 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\crawlersrch.xml

O1 HOSTS File: ([2002/09/03 15:39:21 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: () - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110602224409.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Companion) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Companion) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [HelpCenter4.1] C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\Don\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE (Palm, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} http://download.micr...0367/wmavax.CAB (Reg Error: Key error.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} https://picasaweb.go...2/uploader2.cab (UploadListView Class)
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.micr...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcaf...96/mcinsctl.cab (McAfee.com Operating System Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcaf...,26/mcgdmgr.cab (DwnldGroupMgr Class)
O16 - DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_11)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {DC4B2445-4A2C-46FF-BAAE-C0FBB45D866D} https://www.laserapp...t/lavdetect.ocx (LASDetectX Control)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://investools.w...bex/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...trl.cab?lmi=100 (Performance Viewer Activex Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/24 17:48:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/03 00:17:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Don\Desktop\logs
[2011/06/02 23:58:37 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Don\Desktop\OTL.exe
[2011/06/02 23:30:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Don\Start Menu\Programs\Administrative Tools
[2011/06/02 23:27:15 | 000,606,778 | R--- | C] (Swearware) -- C:\Documents and Settings\Don\Desktop\dds.scr
[2011/06/02 22:43:44 | 000,148,520 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe
[2011/06/02 22:41:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/06/02 19:52:52 | 007,286,791 | ---- | C] (McAfee Inc.) -- C:\Documents and Settings\Don\Desktop\stinger10101629.exe
[2011/06/02 19:25:46 | 004,111,594 | ---- | C] (Swearware) -- C:\Documents and Settings\Don\Desktop\comfix.exe
[2011/06/02 17:29:38 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/02 17:28:43 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Don\Desktop\esetsmartinstaller_enu.exe
[2011/06/02 11:08:41 | 001,431,344 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Don\Desktop\tdsskiller.exe
[2011/05/31 22:50:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Don\Application Data\SUPERAntiSpyware.com
[2011/05/31 22:50:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/05/31 22:49:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/05/31 22:49:49 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/05/31 20:05:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/05/31 19:53:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Don\Application Data\McAfee
[2011/05/31 19:46:55 | 000,458,096 | ---- | C] (McAfee Inc.) -- C:\Documents and Settings\Don\Desktop\MVTInstaller.exe
[2011/05/18 11:54:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Don\Local Settings\Application Data\Temp
[2011/05/18 11:50:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2011/05/18 11:48:26 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2005/12/27 22:17:01 | 020,921,040 | ---- | C] ( ) -- C:\Program Files\AdbeRdr705_enu_full.exe
[2005/12/27 22:16:36 | 007,050,552 | ---- | C] (Adobe Systems, Inc. ) -- C:\Program Files\psa30se_en_us.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[13 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Don\*.tmp files -> C:\Documents and Settings\Don\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/03 00:25:42 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/03 00:25:39 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/03 00:25:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/03 00:25:17 | 1072,766,976 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/03 00:04:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/02 23:58:37 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Don\Desktop\OTL.exe
[2011/06/02 23:27:15 | 000,606,778 | R--- | M] (Swearware) -- C:\Documents and Settings\Don\Desktop\dds.scr
[2011/06/02 22:57:39 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee AntiVirus Plus.lnk
[2011/06/02 22:03:45 | 000,182,572 | ---- | M] () -- C:\Documents and Settings\Don\Desktop\MVTHealthCheck.html
[2011/06/02 21:21:03 | 015,292,928 | ---- | M] () -- C:\Documents and Settings\Don\Desktop\logmein.msi
[2011/06/02 21:06:30 | 000,000,017 | ---- | M] () -- C:\Documents and Settings\Don\Desktop\stinger10101629.opt
[2011/06/02 19:53:08 | 007,286,791 | ---- | M] (McAfee Inc.) -- C:\Documents and Settings\Don\Desktop\stinger10101629.exe
[2011/06/02 19:25:54 | 004,111,594 | ---- | M] (Swearware) -- C:\Documents and Settings\Don\Desktop\comfix.exe
[2011/06/02 17:28:43 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Don\Desktop\esetsmartinstaller_enu.exe
[2011/06/02 11:14:51 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Don\Desktop\2jdhdh55.exe
[2011/06/02 11:08:45 | 001,431,344 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Don\Desktop\tdsskiller.exe
[2011/05/31 22:49:52 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/05/31 22:42:54 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2011/05/31 21:38:06 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/31 19:46:55 | 000,458,096 | ---- | M] (McAfee Inc.) -- C:\Documents and Settings\Don\Desktop\MVTInstaller.exe
[2011/05/30 21:14:34 | 008,080,776 | ---- | M] () -- C:\Gacomp_20100926.QDF
[2011/05/30 21:14:34 | 001,179,829 | ---- | M] () -- C:\Gacomp_20100926.IDX
[2011/05/30 21:14:33 | 000,029,696 | ---- | M] () -- C:\Gacomp_20100926.QEL
[2011/05/30 13:36:53 | 000,000,000 | ---- | M] () -- C:\hpfr5550.xml
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/28 20:53:48 | 000,002,507 | ---- | M] () -- C:\Documents and Settings\Don\Desktop\Microsoft Outlook.lnk
[2011/05/27 08:00:08 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/05/23 20:20:24 | 000,002,525 | ---- | M] () -- C:\Documents and Settings\Don\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
[2011/05/21 14:16:46 | 008,080,776 | ---- | M] () -- C:\Gacomp_20100926_20110521.QDF
[2011/05/20 15:02:33 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Don\Desktop\Microsoft Word.lnk
[2011/05/18 11:50:39 | 000,001,791 | ---- | M] () -- C:\Documents and Settings\Don\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/05/18 11:48:26 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/05/15 01:07:34 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[13 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Don\*.tmp files -> C:\Documents and Settings\Don\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/02 22:03:45 | 000,182,572 | ---- | C] () -- C:\Documents and Settings\Don\Desktop\MVTHealthCheck.html
[2011/06/02 21:52:11 | 000,001,775 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Virtual Technician.lnk
[2011/06/02 21:20:23 | 015,292,928 | ---- | C] () -- C:\Documents and Settings\Don\Desktop\logmein.msi
[2011/06/02 21:06:30 | 000,000,017 | ---- | C] () -- C:\Documents and Settings\Don\Desktop\stinger10101629.opt
[2011/06/02 17:02:23 | 1072,766,976 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/02 11:14:50 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Don\Desktop\2jdhdh55.exe
[2011/05/31 22:49:52 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/05/30 21:14:34 | 001,179,829 | ---- | C] () -- C:\Gacomp_20100926.IDX
[2011/05/23 13:44:31 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee AntiVirus Plus.lnk
[2011/05/21 14:16:45 | 008,080,776 | ---- | C] () -- C:\Gacomp_20100926_20110521.QDF
[2011/05/18 11:50:39 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/05/18 11:50:39 | 000,001,791 | ---- | C] () -- C:\Documents and Settings\Don\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/05/18 11:49:59 | 000,000,880 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/18 11:49:58 | 000,000,876 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/21 14:29:57 | 007,852,664 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/10/14 13:49:16 | 001,774,720 | ---- | C] () -- C:\WINDOWS\System32\BootMan.exe
[2010/10/14 13:49:16 | 000,086,408 | ---- | C] () -- C:\WINDOWS\System32\setupempdrv03.exe
[2010/10/14 13:49:16 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\EuEpmGdi.dll
[2010/10/14 13:49:16 | 000,013,192 | ---- | C] () -- C:\WINDOWS\System32\epmntdrv.sys
[2010/10/14 13:49:16 | 000,008,456 | ---- | C] () -- C:\WINDOWS\System32\EuGdiDrv.sys
[2008/03/17 17:34:43 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2007/11/24 19:53:29 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Don\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/09/12 10:19:56 | 000,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/06/26 12:42:13 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Don\Local Settings\Application Data\fusioncache.dat
[2006/10/07 21:44:43 | 000,000,161 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/06/01 18:10:25 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006/04/29 11:34:54 | 000,003,531 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/04/29 11:20:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/04/25 19:04:29 | 000,000,525 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/04/05 21:17:13 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/01/27 15:52:41 | 000,046,345 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
[2005/12/27 22:16:32 | 000,762,512 | ---- | C] () -- C:\Program Files\ytb612_efgsip.exe
[2005/07/25 02:51:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\winil32.exe
[2005/06/19 10:19:59 | 000,197,751 | ---- | C] () -- C:\WINDOWS\nhvbs.dat
[2005/06/15 17:41:49 | 000,197,751 | ---- | C] () -- C:\WINDOWS\nikkw.dat
[2005/03/21 15:02:49 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/03/21 14:08:18 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2005/02/15 17:06:24 | 000,000,423 | ---- | C] () -- C:\WINDOWS\PERWIN.INI
[2005/02/07 14:17:45 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/02/03 23:46:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2005/01/28 13:14:48 | 000,020,454 | ---- | C] () -- C:\WINDOWS\hpoins01.dat
[2005/01/28 13:14:48 | 000,016,618 | ---- | C] () -- C:\WINDOWS\hpomdl01.dat
[2005/01/25 13:03:31 | 000,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2005/01/25 13:01:49 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2005/01/25 13:01:49 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2005/01/24 17:51:02 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/01/24 17:45:18 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/01/24 12:34:29 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/01/24 12:33:25 | 000,258,248 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/10/06 15:16:00 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\nvcod.dll
[2003/03/09 16:31:04 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2002/09/03 16:07:03 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/09/03 16:07:00 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/09/03 15:51:48 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/09/03 15:51:47 | 000,432,916 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/09/03 15:51:46 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/09/03 15:51:44 | 000,067,490 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/09/03 15:50:11 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/09/03 15:44:25 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/09/03 15:44:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/09/03 15:37:19 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/09/03 15:36:07 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

========== Alternate Data Streams ==========

@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default.pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default.pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(9).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(9).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(8).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(8).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(7).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(7).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(6).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(6).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(5).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(5).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(4).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(4).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(3).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(3).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(2).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(2).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(13).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(13).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(12).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(12).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(11).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(11).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(10).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(10).pif:jxreng

< End of report >
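Two details in the OTL report above line up in a way that is worth checking mechanically: every alternate data stream on the `_default*.pif` copies is exactly 197751 bytes, and two files with no company name under `C:\WINDOWS` (`nhvbs.dat` and `nikkw.dat`) are 197,751 bytes as well. The script below is an added triage example, not part of the thread or of OTL itself: it parses the "Files Created - No Company Name" and "Alternate Data Streams" sections from a short excerpt of the log above, cross-references stream sizes against created-file sizes, and lists executables that OTL could not attribute to any vendor. The function names and the `EXEC_EXT` list are my own choices; the output is a review list for a helper, not a verdict on any file.

```python
import re
from collections import defaultdict

# Excerpt of the OTL report posted above, embedded here as sample input.
OTL_EXCERPT = """\
========== Files Created - No Company Name ==========

[2011/06/02 11:14:50 | 000,302,592 | ---- | C] () -- C:\\Documents and Settings\\Don\\Desktop\\2jdhdh55.exe
[2005/07/25 02:51:39 | 000,000,000 | ---- | C] () -- C:\\WINDOWS\\System32\\winil32.exe
[2005/06/19 10:19:59 | 000,197,751 | ---- | C] () -- C:\\WINDOWS\\nhvbs.dat
[2005/06/15 17:41:49 | 000,197,751 | ---- | C] () -- C:\\WINDOWS\\nikkw.dat
[2005/01/24 17:51:02 | 000,002,048 | --S- | C] () -- C:\\WINDOWS\\bootstat.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 197751 bytes -> C:\\WINDOWS\\_default.pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\\WINDOWS\\_default.pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\\WINDOWS\\_default(9).pif:xpcitl

< End of report >
"""

# "[date time | size | attrs | C] (company) -- path" as OTL prints created files.
CREATED_RE = re.compile(
    r"^\[(?P<ts>\S+ \S+) \| (?P<size>[\d,]+) \| (?P<attr>\S{4}) \| C\] "
    r"\((?P<company>.*?)\) -- (?P<path>.+)$"
)
# "@Alternate Data Stream - N bytes -> host:stream"; the last colon splits host and stream.
ADS_RE = re.compile(
    r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<host>.+):(?P<stream>[^:\\]+)$"
)
# Extensions treated as executable content for the review list (my choice).
EXEC_EXT = (".exe", ".dll", ".sys", ".pif", ".scr", ".cpl")


def parse_otl(text):
    """Return (created_files, ads_streams) parsed from an OTL report."""
    created, streams = [], []
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            created.append({
                "time": m["ts"],
                "size": int(m["size"].replace(",", "")),  # OTL groups digits with commas
                "attr": m["attr"],
                "company": m["company"],
                "path": m["path"],
            })
            continue
        m = ADS_RE.match(line)
        if m:
            streams.append({"size": int(m["size"]), "host": m["host"], "stream": m["stream"]})
    return created, streams


def size_matches(created, streams):
    """Created files whose byte size equals that of one or more ADS payloads."""
    by_size = defaultdict(list)
    for s in streams:
        by_size[s["size"]].append(f'{s["host"]}:{s["stream"]}')
    return [(c["path"], by_size[c["size"]]) for c in created if c["size"] in by_size]


def flag_created(created):
    """Executables in the no-company-name section, with a one-line reason each."""
    flags = []
    for c in created:
        if c["path"].lower().endswith(EXEC_EXT):
            reason = "zero-byte executable" if c["size"] == 0 else "executable with no company name"
            flags.append((c["path"], reason))
    return flags


if __name__ == "__main__":
    created, streams = parse_otl(OTL_EXCERPT)
    for path, ads in size_matches(created, streams):
        print(f"{path}: same size as {len(ads)} ADS payload(s), e.g. {ads[0]}")
    for path, reason in flag_created(created):
        print(f"{path}: {reason}")
```

Run on the excerpt, the size cross-reference pairs both `.dat` files with all three streams, and the review list contains the random-named desktop executable and the zero-byte `winil32.exe`; a helper would then pull those files for hashing rather than guess from the names.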

#2
Gammo
    Member 2k
  • Malware Removal
  • 2,299 posts
Hi,

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:

    Click me

    If you can't disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3
karen.gtg
    Member
  • Topic Starter
  • 33 posts
Hi Gammo,

Thank you very much for your time and assistance. I truly appreciate it!

I have to be away from where the infected computer lives until Monday. I will follow your instructions and post the combofix log on Monday.

Regarding your instructions to disable AntiVirus and AntiSpyware applications, the infection seemed to have all of the computer's McAfee components disabled. The last time I had the computer running, I turned on the Windows firewall -- do you want me to disable it before I run ComboFix?

Thanks again,
Karen

#4
Gammo
    Member 2k
  • Malware Removal
  • 2,299 posts
No, you can leave the Windows Firewall on.

#5
karen.gtg
    Member
  • Topic Starter
  • 33 posts
I downloaded ComboFix and started it successfully. It displayed the disclaimer message and then went through the part of its install where it extracts files, but then it displayed a message saying:
Not safe to continue.
Contents of ComboFix package has been compromised.
Download fresh copy from http://www.bleepingc...to-use-combofix
May be infected with a file patching virus "Virut"

I downloaded another copy of ComboFix from the page specified in the message, but I had the same results.

#6
Gammo
    Member 2k
  • Malware Removal
  • 2,299 posts
Hi,

Please go to: VirusTotal
  • Posted Image
  • Click the Browse button and search for the following file: C:\WINDOWS\explorer.exe
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.



Do the same with these files:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe

#7
karen.gtg
    Member
  • Topic Starter
  • 33 posts
Thanks very much for your response. I thought that was probably going to be the next step, but I figured I should wait for your instructions before taking any action. I will get the info you requested tomorrow morning. I have to travel about an hour to where the infected computer is located, and I don't go there every day. I understand that the next steps will depend greatly on what the VirusTotal scan shows. 2 questions:
If the VirusTotal scan shows that Virut is present on the computer, are there steps you will be able to help me take other than reformat/reinstall?
Can you tell me what the next step(s) will be if the VirusTotal scan does not show a Virut infection? That way I will be able to proceed while I am visiting the sick computer tomorrow.

Thanks again!

#8
Gammo
    Member 2k
  • Malware Removal
  • 2,299 posts

If the VirusTotal scan shows that Virut is present on the computer, are there steps you will be able to help me take other than reformat/reinstall?

No, I'm afraid not. Reformat/reinstall is the only real solution there is to this infection.

Can you tell me what the next step(s) will be if the VirusTotal scan does not show a Virut infection?

You said this earlier:

However, the programs targeted by McAfee were all legit programs e.g. executables from Intuit, Acronis, LogMeIn, etc.

That, plus the fact that ComboFix reports Virut, probably means Virut is present on your PC I'm afraid.

#9
karen.gtg
    Member
  • Topic Starter
  • 33 posts
The VirusTotal scans didn't identify anything for any of the 3 files. Here are the results:


explorer.exe
Antivirus Version Last Update Result
AhnLab-V3 2011.06.15.00 2011.06.14 -
AntiVir 7.11.9.212 2011.06.15 -
Antiy-AVL 2.0.3.7 2011.06.15 -
Avast 4.8.1351.0 2011.06.15 -
Avast5 5.0.677.0 2011.06.15 -
AVG 10.0.0.1190 2011.06.15 -
BitDefender 7.2 2011.06.15 -
CAT-QuickHeal 11.00 2011.06.15 -
ClamAV 0.97.0.0 2011.06.15 -
Commtouch 5.3.2.6 2011.06.15 -
Comodo 9074 2011.06.15 -
DrWeb 5.0.2.03300 2011.06.15 -
Emsisoft 5.1.0.8 2011.06.15 -
eSafe 7.0.17.0 2011.06.15 -
eTrust-Vet 36.1.8387 2011.06.15 -
F-Prot 4.6.2.117 2011.06.15 -
F-Secure 9.0.16440.0 2011.06.15 -
Fortinet 4.2.257.0 2011.06.15 -
GData 22 2011.06.15 -
Ikarus T3.1.1.104.0 2011.06.15 -
Jiangmin 13.0.900 2011.06.14 -
K7AntiVirus 9.106.4812 2011.06.14 -
Kaspersky 9.0.0.837 2011.06.15 -
McAfee 5.400.0.1158 2011.06.15 -
McAfee-GW-Edition 2010.1D 2011.06.15 -
Microsoft 1.6903 2011.06.13 -
NOD32 6210 2011.06.15 -
Norman 6.07.10 2011.06.15 -
nProtect 2011-06-15.02 2011.06.15 -
Panda 10.0.3.5 2011.06.15 -
PCTools 7.0.3.5 2011.06.15 -
Prevx 3.0 2011.06.15 -
Rising 23.62.02.05 2011.06.15 -
Sophos 4.66.0 2011.06.15 -
SUPERAntiSpyware 4.40.0.1006 2011.06.15 -
Symantec 20111.1.0.186 2011.06.15 -
TheHacker 6.7.0.1.230 2011.06.14 -
TrendMicro 9.200.0.1012 2011.06.15 -
TrendMicro-HouseCall 9.200.0.1012 2011.06.15 -
VBA32 3.12.16.1 2011.06.15 -
VIPRE 9589 2011.06.15 -
ViRobot 2011.6.15.4513 2011.06.15 -
VirusBuster 14.0.81.0 2011.06.15 -


svchost.exe
Antivirus Version Last Update Result
AhnLab-V3 2011.06.15.00 2011.06.14 -
AntiVir 7.11.9.212 2011.06.15 -
Antiy-AVL 2.0.3.7 2011.06.15 -
Avast 4.8.1351.0 2011.06.15 -
Avast5 5.0.677.0 2011.06.15 -
AVG 10.0.0.1190 2011.06.15 -
BitDefender 7.2 2011.06.15 -
CAT-QuickHeal 11.00 2011.06.15 -
ClamAV 0.97.0.0 2011.06.15 -
Commtouch 5.3.2.6 2011.06.15 -
Comodo 9074 2011.06.15 -
DrWeb 5.0.2.03300 2011.06.15 -
eSafe 7.0.17.0 2011.06.15 -
eTrust-Vet 36.1.8387 2011.06.15 -
F-Prot 4.6.2.117 2011.06.15 -
F-Secure 9.0.16440.0 2011.06.15 -
Fortinet 4.2.257.0 2011.06.15 -
GData 22 2011.06.15 -
Ikarus T3.1.1.104.0 2011.06.15 -
Jiangmin 13.0.900 2011.06.15 -
K7AntiVirus 9.106.4812 2011.06.14 -
Kaspersky 9.0.0.837 2011.06.15 -
McAfee 5.400.0.1158 2011.06.15 -
McAfee-GW-Edition 2010.1D 2011.06.15 -
Microsoft 1.6903 2011.06.13 -
NOD32 6210 2011.06.15 -
Norman 6.07.10 2011.06.15 -
nProtect 2011-06-15.02 2011.06.15 -
Panda 10.0.3.5 2011.06.15 -
PCTools 7.0.3.5 2011.06.15 -
Prevx 3.0 2011.06.15 -
Rising 23.62.02.05 2011.06.15 -
Sophos 4.66.0 2011.06.15 -
SUPERAntiSpyware 4.40.0.1006 2011.06.15 -
Symantec 20111.1.0.186 2011.06.15 -
TheHacker 6.7.0.1.230 2011.06.14 -
TrendMicro 9.200.0.1012 2011.06.15 -
TrendMicro-HouseCall 9.200.0.1012 2011.06.15 -
VBA32 3.12.16.1 2011.06.15 -
VIPRE 9589 2011.06.15 -
ViRobot 2011.6.15.4513 2011.06.15 -
VirusBuster 14.0.81.0 2011.06.15 -


userinit.exe
Antivirus Version Last Update Result
AhnLab-V3 2011.06.15.00 2011.06.14 -
AntiVir 7.11.9.212 2011.06.15 -
Antiy-AVL 2.0.3.7 2011.06.15 -
Avast 4.8.1351.0 2011.06.15 -
Avast5 5.0.677.0 2011.06.15 -
AVG 10.0.0.1190 2011.06.15 -
BitDefender 7.2 2011.06.15 -
CAT-QuickHeal 11.00 2011.06.15 -
ClamAV 0.97.0.0 2011.06.15 -
Commtouch 5.3.2.6 2011.06.15 -
Comodo 9074 2011.06.15 -
DrWeb 5.0.2.03300 2011.06.15 -
Emsisoft 5.1.0.8 2011.06.15 -
eSafe 7.0.17.0 2011.06.15 -
eTrust-Vet 36.1.8387 2011.06.15 -
F-Prot 4.6.2.117 2011.06.15 -
F-Secure 9.0.16440.0 2011.06.15 -
Fortinet 4.2.257.0 2011.06.15 -
GData 22 2011.06.15 -
Ikarus T3.1.1.104.0 2011.06.15 -
Jiangmin 13.0.900 2011.06.15 -
K7AntiVirus 9.106.4812 2011.06.14 -
Kaspersky 9.0.0.837 2011.06.15 -
McAfee 5.400.0.1158 2011.06.15 -
McAfee-GW-Edition 2010.1D 2011.06.15 -
Microsoft 1.6903 2011.06.13 -
NOD32 6210 2011.06.15 -
Norman 6.07.10 2011.06.15 -
nProtect 2011-06-15.02 2011.06.15 -
Panda 10.0.3.5 2011.06.15 -
PCTools 7.0.3.5 2011.06.15 -
Prevx 3.0 2011.06.15 -
Rising 23.62.02.05 2011.06.15 -
Sophos 4.66.0 2011.06.15 -
SUPERAntiSpyware 4.40.0.1006 2011.06.15 -
Symantec 20111.1.0.186 2011.06.15 -
TheHacker 6.7.0.1.230 2011.06.14 -
TrendMicro 9.200.0.1012 2011.06.15 -
TrendMicro-HouseCall 9.200.0.1012 2011.06.15 -
VBA32 3.12.16.1 2011.06.15 -
VIPRE 9589 2011.06.15 -
ViRobot 2011.6.15.4513 2011.06.15 -
VirusBuster 14.0.81.0 2011.06.15 -


What is the next step?

Thanks,
Karen

#10
Gammo
    Member 2k
  • Malware Removal
  • 2,299 posts
Hi,

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Scan archives is checked
  • Make sure that the option Remove found threats is NOT checked (very important!).
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

#11
karen.gtg
    Member
  • Topic Starter
  • 33 posts
An Eset scan had been performed a couple of weeks ago when this infection first became evident. (I apologize for not including that detail in my initial description -- I inadvertently overlooked that bit of info). I'll paste that log for now, although I don't know if the Advanced Settings were selected as you have requested and it appears that the option to remove found threats was checked.

- Do you need me to run Eset again as you have specified?
- If so, is there anything special I need to do to tell Eset to run a more current virus signature database?

- To run utilities that require antivirus stuff to be turned off, I have resorted to disabling McAfee through the Control Panel Services interface. Is that adequate, or should I try to uninstall McAfee? The main McAfee window indicates that all of its components are running, but when you click on the individual elements within the program, they say that they are turned off. McAfee seems to be the part of the infected system that is the most messed up at this point.

- Is there a different tool that you need me to run next?

- Is there a particular window of time that you will be available to review results and recommend further actions over the next couple of days? If so, I could plan to travel to the site of the infected computer and perhaps make more rapid progress.


Here are the results of the earlier Eset scan:

C:\Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\jar.class-36ac7ff-7de0bfc1.class a variant of Java/TrojanDownloader.OpenStream.NBV trojan cleaned by deleting - quarantined
C:\Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-27406485-62092f16.zip probably a variant of Win32/Agent.GGSDYQG trojan deleted - quarantined
C:\Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\mndrtdsf.jar-4017acd-181f605e.zip multiple threats deleted - quarantined
C:\Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-74249065-30d186e5.zip probably a variant of Win32/Agent.GGSDYQG trojan deleted - quarantined
C:\Documents and Settings\Don\Local Settings\Temp\033bb0e9.cpl Win32/Agent.SOE trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe Win32/Patched.HK trojan error while cleaning
C:\Program Files\iPod\bin\iPodService(2).exe Win32/Patched.HN trojan cleaned - quarantined
C:\Program Files\LogMeIn\x86\LMIGuardianSvc(2).exe Win32/Patched.HN trojan cleaned - quarantined
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe Win32/Patched.HK trojan error while cleaning
C:\Program Files\LogMeIn\x86\LogMeIn.exe Win32/Patched.HK trojan cleaned - quarantined
C:\Program Files\LogMeIn\x86\ramaint.exe Win32/Patched.HK trojan error while cleaning
C:\WINDOWS\system32\wuauclt.exe.tmp Win32/Patched.HN trojan cleaned - quarantined
C:\WINDOWS\system32\drivers\update.sys Win32/Rootkit.Agent.NUS trojan unable to clean
Operating memory Win32/Patched.HK trojan

#12
karen.gtg
    Member
  • Topic Starter
  • 33 posts
Addendum to above:
Regarding the Eset scan's detection of Win32/Rootkit.Agent.NUS trojan in update.sys -- one of the TDSSKiller scans that I mentioned in my initial posting was run after the Eset scan posted above. It reported the following:
2011/06/02 19:35:45.0218 1732 Update (afa1f5077e06cbb15113d8e980bb73e2) C:\WINDOWS\system32\DRIVERS\update.sys
2011/06/02 19:35:45.0234 1732 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\update.sys. Real md5: afa1f5077e06cbb15113d8e980bb73e2, Fake md5: 402ddc88356b1bac0ee3dd1580c76a31
2011/06/02 19:35:45.0250 1732 Update - detected Rootkit.Win32.ZAccess.c (0)

and at the end of the TDSSKiller log is the following:
================================================================================
2011/06/02 19:35:46.0359 0468 Detected object count: 1
2011/06/02 19:35:46.0359 0468 Actual detected object count: 1
2011/06/02 19:36:16.0953 0468 Update (afa1f5077e06cbb15113d8e980bb73e2) C:\WINDOWS\system32\DRIVERS\update.sys
2011/06/02 19:36:16.0953 0468 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\update.sys. Real md5: afa1f5077e06cbb15113d8e980bb73e2, Fake md5: 402ddc88356b1bac0ee3dd1580c76a31
2011/06/02 19:36:17.0593 0468 Backup copy found, using it..
2011/06/02 19:36:17.0609 0468 C:\WINDOWS\system32\DRIVERS\update.sys - will be cured after reboot
2011/06/02 19:36:17.0609 0468 Rootkit.Win32.ZAccess.c(Update) - User select action: Cure
2011/06/02 19:36:24.0375 1076 Deinitialize success

so it appears that TDSSKiller was able to resolve the bad update.sys file that Eset reported as "unable to clean".
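The "Suspicious file (Forged)" line in the TDSSKiller excerpt above carries two hashes, which is the whole story of this detection: "Real md5" is the driver as it actually sits on disk, and "Fake md5" is the clean-looking content presented to ordinary file reads, which is how a ZeroAccess-patched driver stays invisible to a scanner that only reads through the file system. The script below is an added example, not part of TDSSKiller or of the thread: it parses the quoted log into one record per detected object, ties the forged-hash pair, the verdict and the chosen action together, and checks that the number of objects it found agrees with the tool's own "Actual detected object count" line. The `Finding` dataclass, the regular expressions and the function names are my own.

```python
import re
from dataclasses import dataclass

# Excerpt of the TDSSKiller log quoted in the post above, embedded here as sample input.
TDSS_LOG = """\
2011/06/02 19:35:45.0218 1732 Update (afa1f5077e06cbb15113d8e980bb73e2) C:\\WINDOWS\\system32\\DRIVERS\\update.sys
2011/06/02 19:35:45.0234 1732 Suspicious file (Forged): C:\\WINDOWS\\system32\\DRIVERS\\update.sys. Real md5: afa1f5077e06cbb15113d8e980bb73e2, Fake md5: 402ddc88356b1bac0ee3dd1580c76a31
2011/06/02 19:35:45.0250 1732 Update - detected Rootkit.Win32.ZAccess.c (0)
================================================================================
2011/06/02 19:35:46.0359 0468 Detected object count: 1
2011/06/02 19:35:46.0359 0468 Actual detected object count: 1
2011/06/02 19:36:16.0953 0468 Update (afa1f5077e06cbb15113d8e980bb73e2) C:\\WINDOWS\\system32\\DRIVERS\\update.sys
2011/06/02 19:36:16.0953 0468 Suspicious file (Forged): C:\\WINDOWS\\system32\\DRIVERS\\update.sys. Real md5: afa1f5077e06cbb15113d8e980bb73e2, Fake md5: 402ddc88356b1bac0ee3dd1580c76a31
2011/06/02 19:36:17.0593 0468 Backup copy found, using it..
2011/06/02 19:36:17.0609 0468 C:\\WINDOWS\\system32\\DRIVERS\\update.sys - will be cured after reboot
2011/06/02 19:36:17.0609 0468 Rootkit.Win32.ZAccess.c(Update) - User select action: Cure
2011/06/02 19:36:24.0375 1076 Deinitialize success
"""

# Every log line is "date time.ms  thread-id  message"; separators are skipped.
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d{4})\s+(?P<msg>.*)$")
FORGED_RE = re.compile(r"^Suspicious file \(Forged\): (?P<path>.+)\. Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
OBJ_RE = re.compile(r"^(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(r"^(?P<svc>\S+) - detected (?P<name>\S+) \((?P<idx>\d+)\)$")
ACTION_RE = re.compile(r"^(?P<name>[^(\s]+)\((?P<svc>[^)]+)\) - User select action: (?P<action>\w+)$")
CURE_RE = re.compile(r"^(?P<path>.+) - will be cured after reboot$")
COUNT_RE = re.compile(r"^Actual detected object count: (?P<count>\d+)$")


@dataclass
class Finding:
    service: str          # service/driver name TDSSKiller keys the object by
    path: str = ""
    md5: str = ""         # hash printed next to the object line
    real_md5: str = ""    # content actually on disk
    fake_md5: str = ""    # content presented to normal reads
    detection: str = ""   # verdict name, e.g. Rootkit.Win32.ZAccess.c
    action: str = ""      # what the user chose (Cure, Skip, ...)
    cure_pending: bool = False


def parse_tdsskiller(text):
    """Return ({service: Finding}, actual_detected_count) from a TDSSKiller log."""
    findings, by_path, count = {}, {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner lines such as the row of '=' signs
        msg = m["msg"]
        if (o := FORGED_RE.match(msg)):
            if (f := by_path.get(o["path"])):
                f.real_md5, f.fake_md5 = o["real"], o["fake"]
        elif (o := OBJ_RE.match(msg)):
            f = findings.setdefault(o["svc"], Finding(service=o["svc"]))
            f.path, f.md5 = o["path"], o["md5"]
            by_path[o["path"]] = f
        elif (o := DETECT_RE.match(msg)):
            findings.setdefault(o["svc"], Finding(service=o["svc"])).detection = o["name"]
        elif (o := ACTION_RE.match(msg)):
            findings.setdefault(o["svc"], Finding(service=o["svc"])).action = o["action"]
        elif (o := CURE_RE.match(msg)):
            if (f := by_path.get(o["path"])):
                f.cure_pending = True
        elif (o := COUNT_RE.match(msg)):
            count = int(o["count"])
    return findings, count


def forged_drivers(findings):
    """Objects whose on-disk hash differs from the hash presented to normal reads."""
    return [f for f in findings.values() if f.real_md5 and f.real_md5 != f.fake_md5]


def consistent(findings, count):
    """True when the parsed verdict count matches the tool's own summary line."""
    return count is not None and sum(1 for f in findings.values() if f.detection) == count


if __name__ == "__main__":
    findings, count = parse_tdsskiller(TDSS_LOG)
    for f in forged_drivers(findings):
        print(f"{f.service}: {f.path}")
        print(f"  on-disk md5   {f.real_md5}")
        print(f"  presented md5 {f.fake_md5}")
        print(f"  verdict {f.detection}, action {f.action}, pending reboot: {f.cure_pending}")
    print("summary count consistent:", consistent(findings, count))
```

The same parser works on a full TDSSKiller log, where the object and forged lines repeat for each detected driver; keeping the "Real md5" from such a report is what lets a helper later confirm, from a copy taken offline, that the cured file no longer carries the patched content.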

#13
Gammo
    Member 2k
  • Malware Removal
  • 2,299 posts
Hi,

Download Dr.Web CureIt to the desktop.
  • Double-click the drweb-cureit.exe file, then click Start and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow Posted Image at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
    Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
  • This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new OTL log.
NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.


After doing that:

Please delete your copy of ComboFix.exe from the desktop.

Then download the latest version of ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:

    Click me

    If you can't disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#14
karen.gtg
    Member
  • Topic Starter
  • 33 posts
Contents of the Dr.Web log:

sprtsync.dll;c:\program files\fastaccessdsl\helpcenter43\bin;Probably DLOADER.Trojan;;
sprtsync.dll;c:\program files\fastaccessdsl\helpcenter43\bin;Probably DLOADER.Trojan;;
OTL.exe;C:\Documents and Settings\Don\Desktop;Trojan.Siggen2.33900;Incurable.Moved.;
mcinst.exe;C:\Program Files\Common Files\McAfee\Installer;Probably BACKDOOR.Trojan;Incurable.Moved.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably MULDROP.Trojan;Incurable.Moved.;
sprtsync.dll;C:\Program Files\FastAccessDSL\HelpCenter43\bin;Probably DLOADER.Trojan;;
mcupdate.exe;C:\Program Files\McAfee.com\Agent;Probably DLOADER.Trojan;Incurable.Moved.;



OTL logfile created on: 6/20/2011 5:35:07 PM - Run 4
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Documents and Settings\Don\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.00 Mb Total Physical Memory | 627.94 Mb Available Physical Memory | 61.38% Memory free
1.28 Gb Paging File | 0.91 Gb Available in Paging File | 71.45% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.66 Gb Total Space | 80.56 Gb Free Space | 82.49% Space Free | Partition Type: NTFS
Drive M: | 58.59 Gb Total Space | 25.06 Gb Free Space | 42.77% Space Free | Partition Type: NTFS
Drive N: | 39.06 Gb Total Space | 1.04 Gb Free Space | 2.66% Space Free | Partition Type: NTFS

Computer Name: FRED | User Name: Don | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/20 17:32:59 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Don\Desktop\OTL.exe
PRC - [2011/05/02 15:09:18 | 001,306,216 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/03 16:09:34 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2007/04/12 20:59:48 | 000,198,184 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
PRC - [2006/06/21 00:31:46 | 001,106,386 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2006/06/20 12:02:12 | 001,848,150 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
PRC - [2006/06/20 12:01:38 | 000,126,976 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2005/06/07 00:46:24 | 000,057,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
PRC - [2004/04/13 18:03:10 | 000,299,008 | ---- | M] (Palm, Inc.) -- C:\Program Files\palmOne\HOTSYNC.EXE
PRC - [2003/04/06 02:06:58 | 000,028,672 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PRC - [2003/04/06 01:55:04 | 000,311,296 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2003/04/06 01:45:10 | 000,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
PRC - [2003/04/06 01:37:38 | 000,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe


========== Modules (SafeList) ==========

MOD - [2011/06/20 17:32:59 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Don\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2007/04/12 20:59:56 | 000,116,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprthook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (NVSvc)
SRV - File not found [Auto | Stopped] -- -- (McProxy)
SRV - File not found [Auto | Stopped] -- -- (McNASvc)
SRV - File not found [Auto | Stopped] -- -- (McNaiAnn)
SRV - File not found [Auto | Stopped] -- -- (mcmscsvc)
SRV - File not found [Auto | Stopped] -- -- (McMPFSvc)
SRV - File not found [Auto | Stopped] -- -- (LMIMaint)
SRV - File not found [Auto | Stopped] -- -- (LMIGuardianSvc)
SRV - File not found [On_Demand | Stopped] -- -- (iPod Service)
SRV - File not found [Auto | Stopped] -- -- (IntuitUpdateService)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (AcrSch2Svc)
SRV - [2011/03/17 16:38:42 | 000,361,712 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2003/03/09 16:31:02 | 000,065,795 | R--- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2011/03/13 11:20:10 | 000,459,728 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/03/13 11:20:10 | 000,337,912 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/03/13 11:20:10 | 000,179,248 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/03/13 11:20:10 | 000,118,784 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/03/13 11:20:10 | 000,089,368 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2011/03/13 11:20:10 | 000,085,984 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/03/13 11:20:10 | 000,083,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2011/03/13 11:20:10 | 000,083,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2011/03/13 11:20:10 | 000,059,288 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/03/13 11:20:10 | 000,057,432 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/12/13 22:12:47 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2010/07/15 08:44:20 | 000,013,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\epmntdrv.sys -- (epmntdrv)
DRV - [2010/07/15 08:44:20 | 000,008,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\EuGdiDrv.sys -- (EuGdiDrv)
DRV - [2010/05/31 11:31:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2010/05/31 11:31:10 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2010/05/10 14:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2007/12/02 12:51:42 | 000,040,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2007/11/22 06:44:04 | 000,033,832 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2007/07/13 09:20:24 | 000,113,952 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2006/06/26 16:25:26 | 000,388,000 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2006/06/26 16:25:26 | 000,032,288 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2006/06/26 16:25:14 | 000,099,776 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2004/10/07 21:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2003/08/29 04:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 5C 84 75 54 93 26 CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Crawler Search"
FF - prefs.js..browser.search.defaulturl: "http://www.google.co...-8&oe=UTF-8&q="
FF - prefs.js..browser.search.order.1: "Crawler Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..keyword.URL: "http://www.crawler.c...bid=60644&qkw="
FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1"

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/10 10:16:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/23 13:52:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.1.0.0\Extensions\\Components: C:\Program Files\\Netscape\\Netscape Browser\Components [2007/08/08 17:56:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.1.0.0\Extensions\\Plugins: C:\Program Files\\Netscape\\Netscape Browser\Plugins [2011/05/18 11:47:35 | 000,000,000 | ---D | M]

[2011/03/28 17:55:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Don\Application Data\Mozilla\Extensions
[2011/04/11 17:08:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Don\Application Data\Mozilla\Firefox\Profiles\rdo0gw09.default\extensions
[2006/10/06 09:26:02 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Don\Application Data\Mozilla\Firefox\Profiles\rdo0gw09.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/04/10 14:19:12 | 000,002,292 | ---- | M] () -- C:\Documents and Settings\Don\Application Data\Mozilla\Firefox\Profiles\rdo0gw09.default\searchplugins\inbox-search.xml
[2011/03/28 17:54:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2006/10/06 09:11:04 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
File not found (No name found) --
[2010/10/25 13:28:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/05/03 05:52:44 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2011/04/14 14:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml
[2009/09/21 12:24:16 | 000,001,329 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\crawlersrch.xml

O1 HOSTS File: ([2002/09/03 15:39:21 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: () - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110602224409.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Companion) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Companion) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [HelpCenter4.1] C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\Don\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE (Palm, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} http://download.micr...0367/wmavax.CAB (Reg Error: Key error.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} https://picasaweb.go...2/uploader2.cab (UploadListView Class)
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.micr...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcaf...96/mcinsctl.cab (McAfee.com Operating System Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcaf...,26/mcgdmgr.cab (DwnldGroupMgr Class)
O16 - DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_11)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {DC4B2445-4A2C-46FF-BAAE-C0FBB45D866D} https://www.laserapp...t/lavdetect.ocx (LASDetectX Control)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://investools.w...bex/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...trl.cab?lmi=100 (Performance Viewer Activex Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/24 17:48:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/20 17:32:59 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Don\Desktop\OTL.exe
[2011/06/20 11:21:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Don\DoctorWeb
[2011/06/13 12:45:02 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/03 00:17:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Don\Desktop\logs
[2011/06/02 23:30:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Don\Start Menu\Programs\Administrative Tools
[2011/06/02 23:27:15 | 000,606,778 | R--- | C] (Swearware) -- C:\Documents and Settings\Don\Desktop\dds.scr
[2011/06/02 22:43:44 | 000,148,520 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe
[2011/06/02 22:41:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/06/02 19:52:52 | 007,286,791 | ---- | C] (McAfee Inc.) -- C:\Documents and Settings\Don\Desktop\stinger10101629.exe
[2011/06/02 17:29:38 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/02 17:28:43 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Don\Desktop\esetsmartinstaller_enu.exe
[2011/06/02 11:08:41 | 001,431,344 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Don\Desktop\tdsskiller.exe
[2011/05/31 22:50:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Don\Application Data\SUPERAntiSpyware.com
[2011/05/31 22:50:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/05/31 22:49:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/05/31 22:49:49 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/05/31 20:05:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/05/31 19:53:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Don\Application Data\McAfee
[2011/05/31 19:46:55 | 000,458,096 | ---- | C] (McAfee Inc.) -- C:\Documents and Settings\Don\Desktop\MVTInstaller.exe
[2005/12/27 22:17:01 | 020,921,040 | ---- | C] ( ) -- C:\Program Files\AdbeRdr705_enu_full.exe
[2005/12/27 22:16:36 | 007,050,552 | ---- | C] (Adobe Systems, Inc. ) -- C:\Program Files\psa30se_en_us.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[13 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Don\*.tmp files -> C:\Documents and Settings\Don\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/20 17:32:59 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Don\Desktop\OTL.exe
[2011/06/20 17:28:21 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/20 17:28:05 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/20 17:28:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/20 17:28:02 | 1072,766,976 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/20 17:04:05 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/20 16:58:43 | 000,000,640 | ---- | M] () -- C:\Documents and Settings\Don\Desktop\DrWeb.csv
[2011/06/20 12:06:29 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/06/20 11:16:50 | 067,137,584 | ---- | M] () -- C:\Documents and Settings\Don\Desktop\drweb-cureit.exe
[2011/06/17 11:03:14 | 008,080,776 | ---- | M] () -- C:\Gacomp_20100926.QDF
[2011/06/17 11:03:13 | 000,029,696 | ---- | M] () -- C:\Gacomp_20100926.QEL
[2011/06/17 09:23:49 | 001,179,829 | ---- | M] () -- C:\Gacomp_20100926.IDX
[2011/06/12 08:09:43 | 000,000,000 | ---- | M] () -- C:\hpfr5550.xml
[2011/06/10 13:58:29 | 000,002,507 | ---- | M] () -- C:\Documents and Settings\Don\Desktop\Microsoft Outlook.lnk
[2011/06/03 00:34:18 | 000,002,525 | ---- | M] () -- C:\Documents and Settings\Don\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
[2011/06/02 23:27:15 | 000,606,778 | R--- | M] (Swearware) -- C:\Documents and Settings\Don\Desktop\dds.scr
[2011/06/02 22:57:39 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee AntiVirus Plus.lnk
[2011/06/02 22:03:45 | 000,182,572 | ---- | M] () -- C:\Documents and Settings\Don\Desktop\MVTHealthCheck.html
[2011/06/02 21:21:03 | 015,292,928 | ---- | M] () -- C:\Documents and Settings\Don\Desktop\logmein.msi
[2011/06/02 21:06:30 | 000,000,017 | ---- | M] () -- C:\Documents and Settings\Don\Desktop\stinger10101629.opt
[2011/06/02 19:53:08 | 007,286,791 | ---- | M] (McAfee Inc.) -- C:\Documents and Settings\Don\Desktop\stinger10101629.exe
[2011/06/02 17:28:43 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Don\Desktop\esetsmartinstaller_enu.exe
[2011/06/02 11:14:51 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Don\Desktop\2jdhdh55.exe
[2011/06/02 11:08:45 | 001,431,344 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Don\Desktop\tdsskiller.exe
[2011/05/31 22:49:52 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/05/31 22:42:54 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2011/05/31 21:38:06 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/31 19:46:55 | 000,458,096 | ---- | M] (McAfee Inc.) -- C:\Documents and Settings\Don\Desktop\MVTInstaller.exe
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[13 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Don\*.tmp files -> C:\Documents and Settings\Don\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/20 16:58:43 | 000,000,640 | ---- | C] () -- C:\Documents and Settings\Don\Desktop\DrWeb.csv
[2011/06/20 11:11:11 | 067,137,584 | ---- | C] () -- C:\Documents and Settings\Don\Desktop\drweb-cureit.exe
[2011/06/02 22:03:45 | 000,182,572 | ---- | C] () -- C:\Documents and Settings\Don\Desktop\MVTHealthCheck.html
[2011/06/02 21:52:11 | 000,001,775 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Virtual Technician.lnk
[2011/06/02 21:20:23 | 015,292,928 | ---- | C] () -- C:\Documents and Settings\Don\Desktop\logmein.msi
[2011/06/02 21:06:30 | 000,000,017 | ---- | C] () -- C:\Documents and Settings\Don\Desktop\stinger10101629.opt
[2011/06/02 17:02:23 | 1072,766,976 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/02 11:14:50 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Don\Desktop\2jdhdh55.exe
[2011/05/31 22:49:52 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/05/30 21:14:34 | 001,179,829 | ---- | C] () -- C:\Gacomp_20100926.IDX
[2011/05/23 13:44:31 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee AntiVirus Plus.lnk
[2011/03/21 14:29:57 | 007,852,664 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/10/14 13:49:16 | 001,774,720 | ---- | C] () -- C:\WINDOWS\System32\BootMan.exe
[2010/10/14 13:49:16 | 000,086,408 | ---- | C] () -- C:\WINDOWS\System32\setupempdrv03.exe
[2010/10/14 13:49:16 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\EuEpmGdi.dll
[2010/10/14 13:49:16 | 000,013,192 | ---- | C] () -- C:\WINDOWS\System32\epmntdrv.sys
[2010/10/14 13:49:16 | 000,008,456 | ---- | C] () -- C:\WINDOWS\System32\EuGdiDrv.sys
[2008/03/17 17:34:43 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2007/11/24 19:53:29 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Don\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/09/12 10:19:56 | 000,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/06/26 12:42:13 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Don\Local Settings\Application Data\fusioncache.dat
[2006/10/07 21:44:43 | 000,000,161 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/06/01 18:10:25 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006/04/29 11:34:54 | 000,003,531 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/04/29 11:20:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/04/25 19:04:29 | 000,000,525 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/04/05 21:17:13 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/01/27 15:52:41 | 000,046,345 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
[2005/12/27 22:16:32 | 000,762,512 | ---- | C] () -- C:\Program Files\ytb612_efgsip.exe
[2005/07/25 02:51:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\winil32.exe
[2005/06/19 10:19:59 | 000,197,751 | ---- | C] () -- C:\WINDOWS\nhvbs.dat
[2005/06/15 17:41:49 | 000,197,751 | ---- | C] () -- C:\WINDOWS\nikkw.dat
[2005/03/21 15:02:49 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/03/21 14:08:18 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2005/02/15 17:06:24 | 000,000,423 | ---- | C] () -- C:\WINDOWS\PERWIN.INI
[2005/02/07 14:17:45 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/02/03 23:46:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2005/01/28 13:14:48 | 000,020,454 | ---- | C] () -- C:\WINDOWS\hpoins01.dat
[2005/01/28 13:14:48 | 000,016,618 | ---- | C] () -- C:\WINDOWS\hpomdl01.dat
[2005/01/25 13:03:31 | 000,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2005/01/25 13:01:49 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2005/01/25 13:01:49 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2005/01/24 17:51:02 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/01/24 17:45:18 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/01/24 12:34:29 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/01/24 12:33:25 | 000,258,248 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/10/06 15:16:00 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\nvcod.dll
[2003/03/09 16:31:04 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2002/09/03 16:07:03 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/09/03 16:07:00 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/09/03 15:51:48 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/09/03 15:51:47 | 000,432,916 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/09/03 15:51:46 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/09/03 15:51:44 | 000,067,490 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/09/03 15:50:11 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/09/03 15:44:25 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/09/03 15:44:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/09/03 15:37:19 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/09/03 15:36:07 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

========== LOP Check ==========

[2006/06/26 16:34:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2011/06/02 13:41:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2005/07/25 17:07:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MCA109.tmp
[2006/12/29 17:26:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TurboTax 2006
[2011/01/28 17:24:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\Centra
[2006/07/30 19:36:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\Leadertech
[2006/04/29 11:20:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\Netscape
[2011/01/28 17:25:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\Saba
[2005/01/31 17:55:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Don\Application Data\WeatherBug
[2005/04/30 10:55:59 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1106932800.job
[2011/05/15 01:07:34 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2011/05/01 01:00:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default.pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default.pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(9).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(9).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(8).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(8).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(7).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(7).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(6).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(6).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(5).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(5).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(4).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(4).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(3).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(3).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(2).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(2).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(13).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(13).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(12).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(12).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(11).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(11).pif:jxreng
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(10).pif:xpcitl
@Alternate Data Stream - 197751 bytes -> C:\WINDOWS\_default(10).pif:jxreng

< End of report >

#15
karen.gtg (Topic Starter, Member, 33 posts)
ComboFix ran successfully after the Dr.Web CureIt scan.


ComboFix 11-06-19.0r1 - Don 06/20/2011 18:18:37.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.622 [GMT -4:00]
Running from: c:\documents and settings\Don\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Don\WINDOWS
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\Downloaded Program Files\rave
c:\windows\Downloaded Program Files\rave\avirexe.vdm
c:\windows\Downloaded Program Files\rave\avirscr.vdm
c:\windows\Downloaded Program Files\rave\base.vdm
c:\windows\Downloaded Program Files\rave\daily.vdm
c:\windows\Downloaded Program Files\rave\daily.vdt
c:\windows\Downloaded Program Files\rave\filters.vdm
c:\windows\Downloaded Program Files\rave\kernel.vdk
c:\windows\Downloaded Program Files\rave\keyring.vdk
c:\windows\Downloaded Program Files\rave\mapi_vdm.vdm
c:\windows\Downloaded Program Files\rave\modules.vdk
c:\windows\Downloaded Program Files\rave\rav8def.vdm
c:\windows\Downloaded Program Files\rave\rufs.vdm
c:\windows\Downloaded Program Files\rave\rufsplg.vdm
c:\windows\Downloaded Program Files\rave\unarch.vdm
c:\windows\Downloaded Program Files\rave\unmail.vdm
c:\windows\Downloaded Program Files\rave\unpack.vdm
.
.
((((((((((((((((((((((((( Files Created from 2011-05-20 to 2011-06-20 )))))))))))))))))))))))))))))))
.
.
2011-06-20 15:21 . 2011-06-20 16:04 -------- d-----w- c:\documents and settings\Don\DoctorWeb
2011-06-03 02:43 . 2011-03-13 15:45 148520 ----a-w- c:\windows\system32\mfevtps.exe
2011-06-02 21:59 . 2011-06-02 21:59 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2011-06-02 21:29 . 2011-06-02 21:29 -------- d-----w- c:\program files\ESET
2011-06-01 02:50 . 2011-06-01 02:50 -------- d-----w- c:\documents and settings\Don\Application Data\SUPERAntiSpyware.com
2011-06-01 02:50 . 2011-06-01 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-01 02:49 . 2011-06-01 02:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-31 23:53 . 2011-05-31 23:53 -------- d-----w- c:\documents and settings\Don\Application Data\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-03 01:31 . 2002-09-03 19:40 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-06-03 01:28 . 2002-09-03 19:50 574976 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-06-02 23:36 . 2002-09-03 20:00 384768 ----a-w- c:\windows\system32\drivers\update.sys
2011-06-02 17:59 . 2002-09-03 19:54 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-05-29 13:11 . 2010-10-25 21:23 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2010-10-25 21:23 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-18 15:48 . 2011-05-18 15:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-18 22:08 . 2011-04-18 22:08 1409 ----a-w- c:\windows\QTFont.for
2005-12-28 02:19 . 2005-12-28 02:17 20921040 ----a-w- c:\program files\AdbeRdr705_enu_full.exe
2005-12-28 02:17 . 2005-12-28 02:16 7050552 ----a-w- c:\program files\psa30se_en_us.exe
2005-12-28 02:16 . 2005-12-28 02:16 762512 ----a-w- c:\program files\ytb612_efgsip.exe
2011-05-03 09:52 . 2011-03-28 21:54 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 18:01 . 2011-03-29 10:23 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-06-21 1106386]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-06-20 1848150]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-06-20 126976]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"HelpCenter4.1"="c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe" [2007-04-13 198184]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-05-02 1306216]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
.
c:\documents and settings\Don\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-14 02:12 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FastAccessDSL\\HelpCenter43\\bin\\sprtcmd.exe"=
"c:\\Documents and Settings\\Don\\Desktop\\tdsskiller.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Don\\Desktop\\esetsmartinstaller_enu.exe"=
"c:\\Program Files\\ESET\\ESET Online Scanner\\OnlineCmdLineScanner.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\ESET\\ESET Online Scanner\\OnlineScannerApp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Don\\Desktop\\stinger10101629.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/15/2010 1:33 PM 89368]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [6/2/2011 10:43 PM 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [6/2/2011 10:43 PM 148520]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [10/15/2010 1:33 PM 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [10/15/2010 1:33 PM 83688]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/18/2011 11:49 AM 136176]
S2 LMIGuardianSvc;LMIGuardianSvc;"c:\program files\LogMeIn\x86\LMIGuardianSvc.exe" --> c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [?]
S2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [?]
S2 ULWTRFYR;ULWTRFYR;\??\c:\windows\system32\ulwtrfyr.akp --> c:\windows\system32\ulwtrfyr.akp [?]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [10/15/2010 1:33 PM 57432]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [10/14/2010 1:49 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [10/14/2010 1:49 PM 8456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/18/2011 11:49 AM 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [10/15/2010 1:33 PM 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/15/2010 1:33 PM 85984]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2005-04-30 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8106932800.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
.
2011-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-18 15:49]
.
2011-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-18 15:49]
.
2011-05-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-10 17:32]
.
2011-05-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-10 17:32]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.0.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {DC4B2445-4A2C-46FF-BAAE-C0FBB45D866D} - hxxps://www.laserapp.com/dev/detect/lavdetect.ocx
FF - ProfilePath - c:\documents and settings\Don\Application Data\Mozilla\Firefox\Profiles\rdo0gw09.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&tbid=60644&qkw=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-16985618.sys
SafeBoot-46141198.sys
SafeBoot-55975582.sys
SafeBoot-86412246.sys
AddRemove-Index.DAT - c:\program files\Index.DAT File Viewer\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-20 18:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ULWTRFYR]
"ImagePath"="\??\c:\windows\system32\ulwtrfyr.akp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1096)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(3292)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\BCMSMMSG.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2011-06-20 18:33:45 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-20 22:33
.
Pre-Run: 86,877,802,496 bytes free
Post-Run: 86,699,040,768 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - D8CB223AF9D2BD4A98AB45C1EF03C18D