Rootkit TDSS, trojans, etc. Can't make it go away for good



#1 ph1290 (Member, 58 posts)
MBAM catches a few things, have run some other malware programs that catch a few things, but they reappear quickly. Sometimes i lose my sound, sometimes i lose my internet, sometimes, it messes with a program I run; redirect on searches., etc. Please help before I blow up my computer.

#2 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hello ph1290 and welcome to G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed

Step 1

Please read carefully and follow these steps.

Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If an infection is detected, the default setting for "action" should be Cure
    • (If a suspicious file is detected, please click on it and change it to Skip).
  • Click Continue button
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
Step 2

Download aswMBR.exe ( 511KB ) to your desktop.

  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply
Step 3

Download OTL to your Desktop

  • Double click on the icon to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator"). Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.
Step 4

Please don't forget to include these items in your reply:

  • TDSSKiller log
  • aswMBR log
  • OTL log
  • OTL Extras log
It would be helpful if you could post each log in a separate post.

#3 ph1290 (Topic Starter, Member, 58 posts)
Could not get TDSSKiller to download from your link. I get a connection error. I got the others to download. I then went to the Kaspersky site direct and downloaded the zip file and extracted. Program will not run when I click on it. Should I go ahead and run OTL and aswMBR?

#4 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Yes. Please run the other two and post logs.

#5 ph1290 (Topic Starter, Member, 58 posts)
aswmbr log copied below...
aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-06-21 09:16:09
-----------------------------
09:16:09.140 OS Version: Windows 5.1.2600 Service Pack 3
09:16:09.140 Number of processors: 2 586 0x1706
09:16:09.140 ComputerName: 7-51896 UserName:
09:16:11.859 Initialize success
09:16:36.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12
09:16:36.171 Disk 0 Vendor: HITACHI_HTS543216L9SA00 FB2ZC48C Size: 152627MB BusType: 3
09:16:38.187 Disk 0 MBR read successfully
09:16:38.187 Disk 0 MBR scan
09:16:38.187 Disk 0 Windows XP default MBR code
09:16:40.187 Disk 0 scanning sectors +312575760
09:16:40.218 Disk 0 scanning C:\WINDOWS\system32\drivers
09:16:54.968 Service scanning
09:16:56.296 Disk 0 trace - called modules:
09:16:56.328 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8afd41ed]<<
09:16:56.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b058ab8]
09:16:56.328 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000099[0x8b02d9e8]
09:16:56.328 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-12[0x8b059d98]
09:16:56.328 \Driver\atapi[0x8b12d2d0] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8afd41ed
09:16:56.656 Scan finished successfully
09:17:12.203 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\harrisap\Desktop\MBR.dat"
09:17:12.218 The log file has been saved successfully to "C:\Documents and Settings\harrisap\Desktop\aswMBR.txt"
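Step 2 above asks for the aswMBR log, and the post just above supplies one; the "trace - called modules" section is the part a helper reads first. The following added example (not part of the thread and not aswMBR's own code) parses that section, collects every address aswMBR could not attribute to a loaded module (the `>>UNKNOWN [addr]<<` marker) and reports any driver dispatch routine whose target is one of those addresses, contrasting the posted trace with a constructed clean one. The parser is written for the line formats visible in the log above; other aswMBR output lines are assumed to be ignorable.

```python
"""Flag driver-level rootkit indicators in an aswMBR 'trace - called modules' section.

Added example (not from the original post or from aswMBR): reads saved aswMBR.txt
text, records which disk MBRs were identified as standard boot code, and reports
dispatch routines that point into memory belonging to no loaded module.
"""
import re
from dataclasses import dataclass, field

# Sample input reproduced from the aswMBR log posted above, trimmed to the lines
# the parser uses. The clean sample below is constructed for contrast.
INFECTED_SAMPLE = r"""
09:16:09.140 OS Version: Windows 5.1.2600 Service Pack 3
09:16:38.187 Disk 0 MBR read successfully
09:16:38.187 Disk 0 MBR scan
09:16:38.187 Disk 0 Windows XP default MBR code
09:16:56.296 Disk 0 trace - called modules:
09:16:56.328 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8afd41ed]<<
09:16:56.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b058ab8]
09:16:56.328 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000099[0x8b02d9e8]
09:16:56.328 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-12[0x8b059d98]
09:16:56.328 \Driver\atapi[0x8b12d2d0] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8afd41ed
09:16:56.656 Scan finished successfully
"""

CLEAN_SAMPLE = r"""
09:20:01.000 Disk 0 MBR read successfully
09:20:01.000 Disk 0 Windows XP default MBR code
09:20:05.000 Disk 0 trace - called modules:
09:20:05.010 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
09:20:05.010 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b058ab8]
09:20:05.010 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-12[0x8b059d98]
09:20:05.100 Scan finished successfully
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
DISPATCH_RE = re.compile(
    r"\\Driver\\(\w+)\[(0x[0-9a-fA-F]+)\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")
MBR_RE = re.compile(r"Disk (\d+) (.*\bMBR code\b.*)$")


@dataclass
class DispatchHook:
    driver: str   # driver object whose dispatch table aswMBR inspected
    irp: str      # IRP major function, e.g. IRP_MJ_INTERNAL_DEVICE_CONTROL
    target: str   # address the dispatch routine points to (lowercase hex)


@dataclass
class Report:
    mbr_code: dict = field(default_factory=dict)     # disk index -> MBR description
    unknown_addrs: set = field(default_factory=set)  # addresses mapped to no module
    hooks: list = field(default_factory=list)        # DispatchHook entries

    def hooks_into_unknown(self):
        """Dispatch routines whose target aswMBR could not map to any module."""
        return [h for h in self.hooks if h.target in self.unknown_addrs]

    def verdict(self):
        if self.hooks_into_unknown():
            return "DRIVER_HOOK"
        if self.unknown_addrs:
            return "UNKNOWN_MODULE"
        return "CLEAN"


def parse_aswmbr(text):
    """Build a Report from aswMBR log text; unrecognised lines are ignored."""
    report = Report()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Every log line starts with an HH:MM:SS.mmm timestamp; drop it.
        body = line.split(" ", 1)[1] if " " in line else line
        m = MBR_RE.search(body)
        if m:
            report.mbr_code[int(m.group(1))] = m.group(2)
        for addr in UNKNOWN_RE.findall(body):
            report.unknown_addrs.add(addr.lower())
        m = DISPATCH_RE.search(body)
        if m:
            report.hooks.append(DispatchHook(m.group(1), m.group(3), m.group(4).lower()))
    return report


def explain(report):
    """Plain-language findings for the analyst, one per line."""
    lines = [f"disk {d}: {t}" for d, t in sorted(report.mbr_code.items())]
    for h in report.hooks_into_unknown():
        lines.append(f"{h.driver} {h.irp} dispatch -> {h.target}, which belongs to no loaded module")
    standard_mbr = any("default MBR code" in t for t in report.mbr_code.values())
    if report.verdict() == "DRIVER_HOOK" and standard_mbr:
        lines.append("MBR is standard boot code: the hook lives in the disk driver stack, not the boot sector")
    if report.verdict() == "CLEAN":
        lines.append("no dispatch routine points outside a known module")
    return lines


if __name__ == "__main__":
    for name, sample in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        rep = parse_aswmbr(sample)
        print(name, rep.verdict())
        for finding in explain(rep):
            print("  ", finding)
```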

#6 ph1290 (Topic Starter, Member, 58 posts)
OTL.txt log; no Extras log came up

OTL logfile created on: 6/21/2011 9:18:25 AM - Run 11
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Documents and Settings\harrisap\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.98 Gb Total Physical Memory | 1.98 Gb Available Physical Memory | 66.47% Memory free
4.82 Gb Paging File | 3.90 Gb Available in Paging File | 80.84% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 89.41 Gb Free Space | 59.98% Space Free | Partition Type: NTFS
Drive D: | 3.84 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: 7-51896 | User Name: harrisap | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/21 08:45:10 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.scr
PRC - [2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\wifeman32.exe
PRC - [2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\mqrtdep32.exe
PRC - [2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\mciole3232.exe
PRC - [2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\loadperf32.exe
PRC - [2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\kbdbu32.exe
PRC - [2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\ipxwan32.exe
PRC - [2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\dpnmodem32.exe
PRC - [2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\atioglx232.exe
PRC - [2011/06/10 12:26:00 | 002,424,192 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2011/05/28 10:34:27 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\system32\rpcnet.exe
PRC - [2009/05/14 11:43:12 | 000,118,784 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/06/04 09:51:06 | 000,262,784 | ---- | M] (F5 Networks) -- C:\WINDOWS\system32\F5InstallerService.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/21 14:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
PRC - [2007/10/07 21:48:40 | 000,125,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2007/10/07 21:48:36 | 000,116,664 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
PRC - [2007/10/07 21:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2007/10/07 21:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2007/09/26 18:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
PRC - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2007/05/29 17:33:22 | 000,052,840 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2005/12/01 08:35:58 | 000,057,393 | ---- | M] (IBM Corp) -- C:\Notes\ntmulti.exe


========== Modules (SafeList) ==========

MOD - [2011/06/21 08:45:10 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.scr
MOD - [2008/04/14 05:42:52 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/14 05:42:06 | 000,005,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\security.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (ThreatFire)
SRV - File not found [Auto | Stopped] -- -- (KodakSvc)
SRV - File not found [Auto | Stopped] -- -- (Kodak AiO Network Discovery Service)
SRV - File not found [Auto | Stopped] -- -- (itlperf)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\ipxwan32.exe -- (WmiApSrv32)
SRV - [2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\atioglx232.exe -- (SUService32)
SRV - [2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\mciole3232.exe -- (SamSs32)
SRV - [2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\wifeman32.exe -- (PolicyAgent32)
SRV - [2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\loadperf32.exe -- (Netlogon32)
SRV - [2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\mqrtdep32.exe -- (lanmanserver32)
SRV - [2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\dpnmodem32.exe -- (Eventlog32)
SRV - [2011/05/28 10:34:27 | 000,058,288 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\WINDOWS\system32\rpcnet.exe -- (rpcnet) Remote Procedure Call (RPC)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/20 11:36:40 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2008/06/04 09:51:06 | 000,262,784 | ---- | M] (F5 Networks) [Auto | Running] -- C:\WINDOWS\system32\F5InstallerService.exe -- (F5 Networks Component Installer)
SRV - [2007/12/21 14:30:40 | 000,131,072 | ---- | M] (Visioneer Inc.) [Auto | Running] -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe -- (OneTouch 4.0 Monitor)
SRV - [2007/10/07 21:48:36 | 000,116,664 | ---- | M] (symantec) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2007/10/07 21:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2007/10/07 21:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2007/09/26 18:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2007/08/28 20:04:25 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2007/08/27 18:14:00 | 000,214,408 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2007/07/26 20:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/12/01 08:35:58 | 000,057,393 | ---- | M] (IBM Corp) [Auto | Running] -- C:\Notes\ntmulti.exe -- (Multi-user Cleanup Service)
SRV - [2004/08/04 04:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2000/10/19 12:55:50 | 000,411,244 | ---- | M] () [On_Demand | Stopped] -- C:\oracle\ora81\bin\ONRSD.EXE -- (OracleOraHome81ClientCache)


========== Driver Services (SafeList) ==========

DRV - [2011/06/15 12:15:34 | 001,542,392 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110620.004\navex15.sys -- (NAVEX15)
DRV - [2011/06/15 12:15:34 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110620.004\naveng.sys -- (NAVENG)
DRV - [2011/05/16 11:50:14 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/05/10 04:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/05/10 14:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/10/09 23:15:18 | 000,033,920 | ---- | M] (F5 Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\covpndrv.sys -- (urvpndrv)
DRV - [2009/10/09 23:15:13 | 000,010,752 | ---- | M] (F5 Networks) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\urfltw2k.sys -- (f5ipfw)
DRV - [2009/05/14 11:43:09 | 000,985,472 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2009/05/14 11:43:09 | 000,764,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAU32.sys -- (CnxtHdAudService)
DRV - [2009/05/14 11:43:09 | 000,210,560 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2009/05/14 11:43:09 | 000,013,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpm.sys -- (tpm)
DRV - [2009/05/14 11:43:08 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2009/05/14 11:42:46 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2009/05/14 11:42:43 | 003,103,232 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/05/14 11:41:43 | 003,630,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2009/05/14 11:41:40 | 000,243,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel®
DRV - [2009/05/14 11:41:37 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2009/05/14 11:41:36 | 000,475,520 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys -- (ATSwpWDF)
DRV - [2009/03/20 20:03:36 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)
DRV - [2008/07/07 13:23:56 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2008/06/02 17:28:50 | 000,222,720 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2008/05/09 12:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2007/12/26 10:49:59 | 000,110,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2007/08/27 18:13:36 | 000,189,320 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2007/08/27 18:13:32 | 000,023,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2007/07/26 20:25:18 | 000,400,216 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2007/02/19 01:56:46 | 000,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2006/09/06 15:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 15:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2004/06/27 03:50:00 | 000,013,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 95 BE DD 01 2C 1B 1A 41 AF 1F D5 B2 85 18 6F 8C [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [email protected]:1.7
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.2

FF - HKLM\software\mozilla\Firefox\Extensions\\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{08B8D53F-FB61-4EC8-8614-ECA2133A48D4}\ [2010/07/02 12:22:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{7F407392-4F54-4B22-B018-7C448707CE31}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{7F407392-4F54-4B22-B018-7C448707CE31}\ [2010/07/02 13:46:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A4423967-0FE1-45A0-A02F-24676A38EC26}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{A4423967-0FE1-45A0-A02F-24676A38EC26}\ [2010/07/02 14:36:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{656599F9-402B-4ABD-B3DD-B465296C0D22}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{656599F9-402B-4ABD-B3DD-B465296C0D22}\ [2010/07/02 14:39:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{2DE55286-1FBD-4B5E-A2FD-A80A0E7026AF}\ [2010/07/03 08:50:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{9DA59007-FBFE-4153-8AF3-F9C396AC0403}\ [2010/07/03 09:01:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A19F0325-B322-4DC2-97B2-521B259F25C5}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{A19F0325-B322-4DC2-97B2-521B259F25C5}\ [2010/07/03 12:02:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{1A8548C6-50F1-463B-9802-225F5F94F67F}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{1A8548C6-50F1-463B-9802-225F5F94F67F}\ [2010/07/03 13:29:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBD154CF-3450-438A-A1ED-432C3082042C}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{BBD154CF-3450-438A-A1ED-432C3082042C}\ [2010/07/06 16:32:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{CCCB28FC-4068-4917-96E5-3983EF42704B}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{CCCB28FC-4068-4917-96E5-3983EF42704B}\ [2010/07/07 07:39:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6512AF10-2BD9-4242-83CE-3086EA813335}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{6512AF10-2BD9-4242-83CE-3086EA813335}\ [2010/07/07 07:44:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{95ADF2BD-4B22-46D3-AFE6-4E78ABE2E962}\ [2010/07/07 07:46:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{4B5AF1D8-7AA8-4B62-B2F7-6F370DD89CAB}\ [2010/07/07 09:42:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{DE5B9F1B-D5DE-4F59-9D5B-E2CAA777EF01}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{DE5B9F1B-D5DE-4F59-9D5B-E2CAA777EF01}\ [2010/07/07 09:43:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{0A61CEF3-C718-4B50-889F-5D23F129ACCB}\ [2010/07/07 09:47:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{8D783363-3AE6-4CDD-B954-3B2301C786C7}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{8D783363-3AE6-4CDD-B954-3B2301C786C7}\ [2010/07/07 09:53:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{588A3060-1F7E-4B99-88A4-3A1C6BA0322E}\ [2010/07/07 11:27:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{3437F035-FDD2-4241-9294-7F0F1BB28DAB}\ [2010/07/07 11:36:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{F815F000-7EE3-4952-B739-09F30DAB8CE3}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{F815F000-7EE3-4952-B739-09F30DAB8CE3}\ [2010/07/07 12:15:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{AE76301C-C986-4B42-8668-AC7A26389266}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{AE76301C-C986-4B42-8668-AC7A26389266}\ [2010/07/07 12:24:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{B4379ACC-5F74-456A-A7EE-ECB02CBD8B7D}\ [2010/07/07 15:27:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}: C:\Documents and Settings\harrisap\Local Settings\Application Data\{186FE95C-BF73-4B29-8447-ED6E2D4837EF}\ [2010/07/07 16:46:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/04/17 11:02:36 | 000,000,000 | ---D | M]

[2010/04/24 17:44:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\harrisap\Application Data\Mozilla\Extensions
[2010/04/24 17:44:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\harrisap\Application Data\Mozilla\Extensions\[email protected]
File not found (No name found) -- C:\PROGRAM FILES\TOMTOM HOME 2\XUL\EXTENSIONS\[email protected]

O1 HOSTS File: ([2011/06/21 09:15:07 | 000,000,003 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O2 - BHO: (no name) - {01DDBE95-1B2C-411A-AF1F-D5B285186F8c} - C:\WINDOWS\system32\atioglx232.dll (CrypKey Inc.)
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (6445a8bf) - {BE61E684-882B-DAF4-9C2B-6E858EB6E708} - C:\WINDOWS\system32\mciqtz3232.dll (CrypKey Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\YspService.exe (Yahoo! Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: centra.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: Clientelligent.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: dhl-usa.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: employeeedge.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: eyeadvisor.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: gabrobins.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: gabrobinsna.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: genesyshcm.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: learn.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: mygabr.com ([]* in My Computer)
O15 - HKCU\..Trusted Domains: virtela.net ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} https://gabrobins1.c...,2010,1215,1100 (F5 Networks VPN Manager)
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} http://www-307.ibm.c...pport/acpir.cab (IASRunner Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} http://uspsy16m.gabr...om/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} https://gabrobins1.c...,2010,1215,1053 (F5 Networks Dynamic Application Tunnel Control)
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} https://gabrobins1.c...,2010,0617,2017 (F5 Networks Auto Update)
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab (F5 Networks Policy Agent Host Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1228492840640 (WUWebControl Class)
O16 - DPF: {68132570-CED6-11D5-91AE-000039F5040E} http://www.employeee...m/NAVUPDPRJ.CAB (NAVUPDPRJ.NAVUPDCTL)
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} https://gabrobins1.c...,2008,0404,2134 (F5 Networks Static Application Tunnel Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1228491044515 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} file://C:/Program Files/F5 VPN/F5_TMP/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} file://C:/Program Files/F5 VPN/F5_TMP/vdeskctrl.cab (F5 Virtual Sandbox Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.su...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.h...nosticsxp2k.cab (DDRevision Class)
O16 - DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} https://gabrobins1.c...1,2010,617,2010 (F5 Networks SuperHost Class)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} https://gabrobins1.c...31,2010,902,806 (F5 Networks Host Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab (URVNCX Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GABNA-AD.local
O20 - AppInit_DLLs: (C:\WINDOWS\system32\mciqtz3232.dll) - C:\WINDOWS\system32\mciqtz3232.dll (CrypKey Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\harrisap\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/15 12:50:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/02/10 23:29:31 | 000,000,027 | R--- | M] () - D:\Autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2011/06/21 08:58:10 | 001,441,584 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\harrisap\Desktop\abc123.exe
[2011/06/21 08:45:09 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.scr
[2011/06/21 08:44:29 | 001,904,128 | ---- | C] (AVAST Software) -- C:\Documents and Settings\harrisap\Desktop\aswMBR.exe
[2011/06/20 23:06:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\xactimate backup 06.20.11
[2011/06/20 10:01:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Application Data\SUPERAntiSpyware.com
[2011/06/20 10:01:28 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/06/20 10:00:29 | 011,442,336 | ---- | C] (SUPERAntiSpyware.com) -- C:\Documents and Settings\harrisap\Desktop\SUPERAntiSpyware.exe
[2011/06/19 23:51:14 | 000,764,416 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\dpnmodem32.exe
[2011/06/19 23:09:04 | 000,764,416 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\wifeman32.exe
[2011/06/19 22:52:04 | 000,764,416 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\ipxwan32.exe
[2011/06/18 23:08:26 | 000,764,416 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\mciole3232.exe
[2011/06/18 00:14:33 | 000,764,416 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\atioglx232.exe
[2011/06/17 22:59:11 | 000,764,416 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\kbdbu32.exe
[2011/06/17 22:59:10 | 000,169,472 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\mciqtz3232.dll
[2011/06/17 22:59:08 | 000,764,416 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\mqrtdep32.exe
[2011/06/17 22:59:08 | 000,764,416 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\loadperf32.exe
[2011/06/17 22:59:06 | 000,349,696 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\atioglx232.dll
[2011/06/15 08:12:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\tdsskiller
[2011/06/13 18:31:40 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/13 14:24:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\xactimate data
[2011/06/13 01:37:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Xactware
[2011/06/13 01:29:28 | 000,000,000 | ---D | C] -- C:\Program Files\Xactware
[2011/06/12 08:59:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Application Data\SPE
[2011/06/12 08:58:54 | 005,610,848 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\harrisap\My Documents\Sep_SupportTool.exe
[2011/06/12 01:34:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\harrisap\Recent
[2011/06/12 01:11:02 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/06/12 01:11:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/12 00:02:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Start Menu\Programs\Windows XP Restore
[2011/06/05 23:48:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\PIF
[2011/06/05 10:17:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[2011/06/01 13:43:10 | 000,000,000 | ---D | C] -- C:\Program Files\File Type Assistant
[2011/05/30 22:29:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\FORMS
[2011/05/30 22:25:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\CLIENTS
[2011/05/30 22:21:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\SECURITY_ANTIVIRUS
[2011/05/30 21:50:32 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/05/28 22:12:34 | 000,000,000 | ---D | C] -- C:\tdsskiller
[2011/05/27 12:50:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2011/05/27 07:58:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\harrisap\Desktop\expense reprots
[2011/05/26 21:15:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/05/26 17:03:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/05/26 16:36:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple Computer
[2011/05/26 16:36:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2011/05/23 20:17:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2011/05/23 20:17:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2011/05/23 08:25:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Yahoo!
[2011/05/23 08:25:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\HPAppData
[2011/05/23 08:25:11 | 000,000,000 | ---D | C] -- C:\Program Files\Search Toolbar
[2011/05/22 10:30:32 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\harrisap\IECompatCache
[2011/05/22 10:20:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/05/22 10:20:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[1 C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp -> ]
[1 C:\Documents and Settings\harrisap\Desktop\*.tmp files -> C:\Documents and Settings\harrisap\Desktop\*.tmp -> ]
[1 C:\Documents and Settings\harrisap\*.tmp files -> C:\Documents and Settings\harrisap\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/21 09:19:00 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/21 09:17:12 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\MBR.dat
[2011/06/21 09:15:07 | 000,000,003 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/06/21 08:58:10 | 001,441,584 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\harrisap\Desktop\abc123.exe
[2011/06/21 08:53:50 | 000,000,062 | ---- | M] () -- C:\WINDOWS\System32\44b6ffed
[2011/06/21 08:45:10 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\harrisap\Desktop\OTL.scr
[2011/06/21 08:44:29 | 001,904,128 | ---- | M] (AVAST Software) -- C:\Documents and Settings\harrisap\Desktop\aswMBR.exe
[2011/06/21 07:56:21 | 000,002,219 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\GAB SSL.lnk
[2011/06/21 07:54:24 | 000,000,232 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\LinkUp USA (2).url
[2011/06/21 07:04:57 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/21 07:02:54 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.exe
[2011/06/21 07:02:51 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.dll
[2011/06/21 07:01:59 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/21 07:01:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/20 22:26:28 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.dll
[2011/06/20 10:00:41 | 011,442,336 | ---- | M] (SUPERAntiSpyware.com) -- C:\Documents and Settings\harrisap\Desktop\SUPERAntiSpyware.exe
[2011/06/20 09:44:12 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/19 23:51:14 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\1855516573
[2011/06/18 00:51:53 | 000,000,282 | -HS- | M] () -- C:\boot.ini
[2011/06/17 22:59:10 | 000,169,472 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\mciqtz3232.dll
[2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\wifeman32.exe
[2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\mqrtdep32.exe
[2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\mciole3232.exe
[2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\loadperf32.exe
[2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\kbdbu32.exe
[2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\ipxwan32.exe
[2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\dpnmodem32.exe
[2011/06/17 22:59:06 | 000,764,416 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\atioglx232.exe
[2011/06/17 22:59:06 | 000,349,696 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\atioglx232.dll
[2011/06/17 12:29:37 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/16 21:07:38 | 000,268,226 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\0.845687920038846.exe
[2011/06/15 02:07:01 | 000,000,330 | ---- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/06/13 15:03:08 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\Show desktop.scf
[2011/06/13 14:30:38 | 000,000,232 | ---- | M] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\LinkUp USA (4).url
[2011/06/12 10:40:59 | 000,000,232 | ---- | M] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\LinkUp USA (3).url
[2011/06/12 10:40:25 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\My Computer (2).lnk
[2011/06/12 10:40:22 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer (2).lnk
[2011/06/12 10:40:17 | 000,002,219 | ---- | M] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\GAB SSL (2).lnk
[2011/06/12 08:58:38 | 005,610,848 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\harrisap\My Documents\Sep_SupportTool.exe
[2011/06/12 00:50:56 | 001,007,120 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\iExplore.exe
[2011/06/12 00:02:44 | 000,000,128 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~17162020r
[2011/06/12 00:02:44 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~17162020
[2011/06/12 00:02:36 | 000,000,344 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\17162020
[2011/06/10 12:20:02 | 000,002,237 | ---- | M] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\GAB SSL.lnk
[2011/06/07 10:07:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/06/06 21:27:03 | 000,000,736 | ---- | M] () -- C:\WINDOWS\SamsungMaster.INI
[2011/06/05 23:55:19 | 000,000,232 | ---- | M] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\LinkUp USA (2).url
[2011/06/05 23:47:26 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/06/05 10:17:10 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/06/03 12:37:05 | 000,000,765 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\Shortcut to MoffFreeCalc.exe.lnk
[2011/05/31 09:39:59 | 000,001,380 | ---- | M] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to Show desktop.lnk
[2011/05/31 09:19:33 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\My Computer.lnk
[2011/05/31 09:14:48 | 000,000,849 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\Samsung.lnk
[2011/05/31 08:39:58 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\My Computer.lnk
[2011/05/31 08:39:50 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
[2011/05/30 22:25:00 | 000,000,539 | ---- | M] () -- C:\Documents and Settings\harrisap\Desktop\CLAIM FILES.lnk
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/28 10:34:33 | 000,013,160 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\Upgrd.exe
[2011/05/28 10:34:27 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.exe
[1 C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\harrisap\Local Settings\Application Data\*.tmp -> ]
[1 C:\Documents and Settings\harrisap\Desktop\*.tmp files -> C:\Documents and Settings\harrisap\Desktop\*.tmp -> ]
[1 C:\Documents and Settings\harrisap\*.tmp files -> C:\Documents and Settings\harrisap\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/21 09:17:12 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\MBR.dat
[2011/06/18 00:50:44 | 000,000,062 | ---- | C] () -- C:\WINDOWS\System32\44b6ffed
[2011/06/17 22:59:08 | 000,000,098 | ---- | C] () -- C:\WINDOWS\System32\1855516573
[2011/06/17 12:24:23 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/16 21:07:21 | 000,268,226 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\0.845687920038846.exe
[2011/06/13 15:03:08 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\Show desktop.scf
[2011/06/13 14:30:38 | 000,000,232 | ---- | C] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\LinkUp USA (4).url
[2011/06/12 10:40:59 | 000,000,232 | ---- | C] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\LinkUp USA (3).url
[2011/06/12 10:40:25 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\My Computer (2).lnk
[2011/06/12 10:40:22 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer (2).lnk
[2011/06/12 10:40:17 | 000,002,219 | ---- | C] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\GAB SSL (2).lnk
[2011/06/12 00:50:54 | 001,007,120 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\iExplore.exe
[2011/06/12 00:47:24 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2011/06/12 00:47:24 | 000,001,380 | ---- | C] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to Show desktop.lnk
[2011/06/12 00:47:24 | 000,000,232 | ---- | C] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\LinkUp USA (2).url
[2011/06/12 00:47:24 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\My Computer.lnk
[2011/06/12 00:47:24 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
[2011/06/12 00:47:23 | 000,002,237 | ---- | C] () -- C:\Documents and Settings\harrisap\Application Data\Microsoft\Internet Explorer\Quick Launch\GAB SSL.lnk
[2011/06/12 00:47:23 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/06/12 00:47:23 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/06/12 00:02:44 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17162020r
[2011/06/12 00:02:44 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17162020
[2011/06/12 00:02:36 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\17162020
[2011/06/06 21:27:03 | 000,000,736 | ---- | C] () -- C:\WINDOWS\SamsungMaster.INI
[2011/06/03 12:37:05 | 000,000,765 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\Shortcut to MoffFreeCalc.exe.lnk
[2011/05/31 09:19:33 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\My Computer.lnk
[2011/05/31 09:14:48 | 000,000,849 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\Samsung.lnk
[2011/05/30 22:25:00 | 000,000,539 | ---- | C] () -- C:\Documents and Settings\harrisap\Desktop\CLAIM FILES.lnk
[2011/04/17 11:00:42 | 000,023,126 | ---- | C] () -- C:\WINDOWS\hpqins15.dat
[2011/04/15 08:29:31 | 000,174,256 | ---- | C] () -- C:\WINDOWS\hpoins43.dat
[2011/04/15 08:29:31 | 000,000,601 | ---- | C] () -- C:\WINDOWS\hpomdl43.dat
[2011/04/15 01:15:46 | 000,362,904 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/04/06 13:13:49 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/06 13:13:49 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/06 13:13:49 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/06 11:59:27 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/07/28 14:49:21 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/28 14:49:21 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/27 15:10:20 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/02/22 22:18:36 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/02/22 22:18:36 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/02/22 22:18:36 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\vidccleaner.exe
[2010/02/14 10:44:45 | 000,030,548 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/17 06:48:09 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\DM510.dll
[2009/12/12 16:29:07 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\harrisap\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/30 22:46:45 | 000,012,800 | ---- | C] () -- C:\WINDOWS\System32\EKDeviceServices.dll
[2009/06/19 15:23:17 | 000,157,263 | ---- | C] () -- C:\WINDOWS\hphins25.dat
[2009/06/19 15:23:17 | 000,000,879 | ---- | C] () -- C:\WINDOWS\hphmdl25.dat
[2009/06/12 10:44:28 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\harrisap\Local Settings\Application Data\fusioncache.dat
[2009/06/12 09:42:21 | 000,118,641 | ---- | C] () -- C:\WINDOWS\hpoins09.dat
[2009/05/27 22:04:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2009/05/14 11:42:44 | 000,172,033 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2009/05/14 11:41:33 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Atibrtmon.exe
[2009/05/14 11:41:06 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2009/05/14 11:39:33 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2009/05/14 11:37:47 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2009/05/14 11:34:22 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ibmpmsvc.exe
[2009/05/14 11:34:22 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\tpinspm.dll
[2008/03/18 11:58:05 | 000,000,058 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/12/26 12:18:32 | 000,000,455 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2007/11/28 15:39:06 | 000,000,029 | ---- | C] () -- C:\WINDOWS\vdialer.INI
[2007/11/28 12:12:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/11/16 15:25:33 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2007/11/16 15:23:19 | 000,003,981 | ---- | C] () -- C:\WINDOWS\RDSWIN.INI
[2007/11/16 12:47:22 | 000,000,033 | ---- | C] () -- C:\WINDOWS\WDTCPCON.INI
[2007/11/16 12:32:18 | 000,003,635 | ---- | C] () -- C:\WINDOWS\~WDINS.INI
[2007/11/16 10:06:19 | 000,000,555 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/15 15:55:40 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2007/11/15 12:58:54 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.dll
[2007/11/15 12:47:12 | 000,023,444 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/11/15 06:12:58 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/11/15 06:11:50 | 000,152,384 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/11/15 06:11:46 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.exe
[2006/03/09 13:28:40 | 000,011,645 | ---- | C] () -- C:\WINDOWS\hpomdl09.dat
[2006/01/26 16:42:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/03 20:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/02 09:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/06/17 01:53:02 | 000,000,702 | ---- | C] () -- C:\WINDOWS\Cm3.ini
[2001/08/23 12:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 12:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 11:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 11:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 11:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 11:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 11:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,491,116 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,090,342 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/07/30 09:24:34 | 000,000,218 | ---- | C] () -- C:\WINDOWS\oraodbc.ini

========== LOP Check ==========

[2009/08/30 22:47:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Eastman Kodak Company
[2009/09/01 20:02:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kds_kodak
[2011/06/13 01:47:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Old Xactware
[2009/09/10 22:38:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/09/10 22:35:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2008/03/18 11:22:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2011/04/15 16:11:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2010/04/24 17:45:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2010/07/11 09:00:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/02/14 10:18:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2008/12/02 12:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\F5 Networks
[2008/03/18 12:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\Leadertech
[2009/12/17 06:48:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\LinkManager 4.0
[2010/05/06 09:58:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\RecoveryFix for Windows
[2011/06/12 08:59:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\SPE
[2010/04/24 17:44:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\harrisap\Application Data\TomTom
[2011/06/15 02:07:01 | 000,000,330 | ---- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2009/07/10 07:00:36 | 000,000,436 | ---- | M] () -- C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 07:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2004/08/03 19:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/04 01:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
[2004/08/03 19:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2005/08/16 02:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\harrisap\Local Settings\temp\RarSFX3\h\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/03 19:56:58 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
[2004/08/03 19:56:58 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\ERDNT\cache\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/03 19:56:58 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2004/08/03 19:56:58 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe
[2009/05/26 19:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\harrisap\Local Settings\temp\RarSFX3\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/03 19:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2004/08/04 01:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtUninstallKB896613$\winlogon.exe
[2004/08/03 19:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2009/05/26 19:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\harrisap\Local Settings\temp\RarSFX3\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2010/05/05 09:30:57 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2010/05/05 09:30:57 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2010/05/05 09:30:57 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2010/05/05 09:30:57 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2010/05/05 09:30:57 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2010/05/05 09:30:57 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< >

< End of report >

#7
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Hi ph1290,

Step 1

Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Step 2

Try TDSSKiller now and post log here for me.

Step 3

Please don't forget to include these items in your reply:

  • Combofix log
  • TDSSKiller log
It would be helpful if you could post each log in a separate post.

#8
ph1290
    Member
  • Topic Starter
  • Member
  • 58 posts
As an FYI, I did run Symantec's Power Eraser when Symantec quarantined a couple of viruses before I could run ComboFix. It noted:

File c:\windows\system32\autocheck.exe
Registry value: HKEY_LOCAL_MACHINE\System\Current Control Set\Control\System manager\"Boot Execute"
It noted it could not remove the item as it could make the system unstable.

I did run ComboFix. It noted that it found a rootkit involving volsnap.sys and rebooted. It then ran. During its run, Symantec found Backdoor.Tidserv!inf and quarantined it (I did have Symantec disabled in my tray at the bottom of the screen). After running ComboFix, I was able to run TDSSKiller. First, the ComboFix log:


ComboFix 11-06-25.05 - harrisap 06/25/2011 18:47:26.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3050.2353 [GMT -4:00]
Running from: c:\documents and settings\harrisap\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\harrisap\Application Data\Adobe\plugs
c:\documents and settings\harrisap\Application Data\Adobe\shed
c:\documents and settings\harrisap\Start Menu\Programs\Windows XP Restore
c:\documents and settings\harrisap\Start Menu\Programs\Windows XP Restore\Uninstall Windows XP Restore.lnk
c:\documents and settings\harrisap\Start Menu\Programs\Windows XP Restore\Windows XP Restore.lnk
c:\documents and settings\LocalService\Application Data\020000004280165e1270C.manifest
c:\documents and settings\LocalService\Application Data\020000004280165e1270O.manifest
c:\documents and settings\LocalService\Application Data\020000004280165e1270P.manifest
c:\documents and settings\LocalService\Application Data\020000004280165e1270S.manifest
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\system32\mciqtz3232.dll
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_ITLPERF
-------\Legacy_WMIAPSRV32
-------\Service_6to4
-------\Service_itlperf
-------\Service_WmiApSrv32
.
.
((((((((((((((((((((((((( Files Created from 2011-05-25 to 2011-06-25 )))))))))))))))))))))))))))))))
.
.
2011-06-25 22:56 . 2011-06-25 22:56 169472 ----a-w- c:\windows\system32\mciole1632.dll
2011-06-25 18:34 . 2011-03-02 10:43 175616 ----a-w- c:\windows\system32\unrar.dll
2011-06-25 18:34 . 2011-03-19 19:00 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-06-25 18:34 . 2010-11-03 18:08 237568 ----a-w- c:\windows\system32\yv12vfw.dll
2011-06-25 18:34 . 2008-09-24 18:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-06-25 18:34 . 2011-06-16 08:00 73216 ----a-w- c:\windows\system32\ff_vfw.dll
2011-06-25 18:34 . 2011-06-25 18:35 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-06-23 01:57 . 2011-06-18 02:59 764416 ----a-w- c:\windows\system32\win87em32.exe
2011-06-23 00:46 . 2011-06-18 02:59 764416 ----a-w- c:\windows\system32\ir41_qc32.exe
2011-06-21 18:13 . 2011-06-18 02:59 764416 ----a-w- c:\windows\system32\kbdcz132.exe
2011-06-21 14:37 . 2011-06-18 02:59 764416 ----a-w- c:\windows\system32\mciqtz323232.exe
2011-06-20 14:01 . 2011-06-20 14:01 -------- d-----w- c:\documents and settings\harrisap\Application Data\SUPERAntiSpyware.com
2011-06-20 14:01 . 2011-06-21 01:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-20 03:51 . 2011-06-18 02:59 764416 ----a-w- c:\windows\system32\dpnmodem32.exe
2011-06-20 03:09 . 2011-06-18 02:59 764416 ----a-w- c:\windows\system32\wifeman32.exe
2011-06-20 02:52 . 2011-06-18 02:59 764416 ----a-w- c:\windows\system32\ipxwan32.exe
2011-06-19 03:08 . 2011-06-18 02:59 764416 ----a-w- c:\windows\system32\mciole3232.exe
2011-06-18 04:14 . 2011-06-18 02:59 764416 ----a-w- c:\windows\system32\atioglx232.exe
2011-06-18 04:06 . 2011-06-18 04:06 0 ---ha-w- c:\documents and settings\harrisap\pftwgunibm.tmp
2011-06-18 02:59 . 2011-06-18 02:59 764416 ----a-w- c:\windows\system32\kbdbu32.exe
2011-06-18 02:59 . 2011-06-18 02:59 764416 ----a-w- c:\windows\system32\mqrtdep32.exe
2011-06-18 02:59 . 2011-06-18 02:59 764416 ----a-w- c:\windows\system32\loadperf32.exe
2011-06-18 02:59 . 2011-06-18 02:59 349696 ----a-w- c:\windows\system32\atioglx232.dll
2011-06-13 22:31 . 2011-06-13 22:31 -------- d-----w- c:\program files\ESET
2011-06-13 05:29 . 2011-06-21 03:40 -------- d-----w- c:\program files\Xactware
2011-06-12 12:59 . 2011-06-12 12:59 -------- d-----w- c:\documents and settings\harrisap\Application Data\SPE
2011-06-12 05:11 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-06 03:48 . 2011-06-06 03:48 -------- d-----w- c:\windows\PIF
2011-06-01 17:43 . 2011-06-01 17:43 -------- d-----w- c:\program files\File Type Assistant
2011-05-27 16:50 . 2011-06-14 21:17 -------- d-----w- c:\windows\system32\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-25 22:56 . 2007-11-15 10:11 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-06-25 22:56 . 2007-11-15 19:11 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-06-24 01:23 . 2007-11-15 16:58 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-06-02 00:15 . 2010-02-23 02:18 243200 ----a-w- c:\windows\system32\xvidvfw.dll
2011-06-02 00:10 . 2010-02-23 02:18 644608 ----a-w- c:\windows\system32\xvidcore.dll
2011-05-28 14:34 . 2010-07-26 11:10 13160 ----a-w- c:\windows\system32\Upgrd.exe
2011-05-28 14:34 . 2007-11-15 19:11 58288 ------w- c:\windows\system32\rpcnet.exe
2011-05-26 21:19 . 2011-05-26 21:19 0 ----a-w- c:\documents and settings\harrisap\Local Settings\Application Data\BIT5A.tmp
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01DDBE95-1B2C-411A-AF1F-D5B285186F8c}]
2011-06-18 02:59 349696 ----a-w- c:\windows\system32\atioglx232.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\YspService.exe" [2010-04-01 243000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-05-14 1323008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-06-12 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrintNow.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PrintNow.lnk
backup=c:\windows\pss\PrintNow.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
2008-04-14 09:42 27648 ----a-w- c:\windows\system32\conime.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2009-04-07 21:27 1511424 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Dispatcher v1]
2003-07-11 01:19 380928 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\fppdis1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Dispatcher v3]
2009-06-12 19:39 606208 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-06-10 16:26 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%programfiles%\UltaVnc\winvnc.exe"= %programfiles%\UltaVnc\winvnc.exe:LocalSubNet,192.168.24.0/255.255.255.0,199.231.8.0/255.255.255.0,192.168.151.0/255.255.255.0:enabled:UltraVnc
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\WINDOWS\\system32\\loadperf32.exe"=
"c:\\WINDOWS\\system32\\mqrtdep32.exe"=
"c:\\WINDOWS\\system32\\atioglx232.exe"=
"c:\\WINDOWS\\system32\\mciole3232.exe"=
"c:\\WINDOWS\\system32\\ipxwan32.exe"=
"c:\\WINDOWS\\system32\\wifeman32.exe"=
"c:\\WINDOWS\\system32\\dpnmodem32.exe"=
"c:\\WINDOWS\\system32\\mciqtz323232.exe"=
"c:\\WINDOWS\\system32\\kbdcz132.exe"=
"c:\\WINDOWS\\system32\\ir41_qc32.exe"=
"c:\\WINDOWS\\system32\\win87em32.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:TCP"= 2967:TCP:199.231.8.0/255.255.255.0:Enabled:NAV10.1
"5900:TCP"= 5900:TCP:LocalSubNet,192.168.24.0/255.255.255.0,199.231.8.0/255.255.255.0,192.168.151.0/255.255.255.0:Enabled:UltraVnc-Port
"2967:UDP"= 2967:UDP:199.231.8.0/255.255.255.0:Enabled:NAV9.1
"38293:UDP"= 38293:UDP:199.231.8.0/255.255.255.0:Enabled:NAV9.2
"139:TCP"= 139:TCP:LocalSubNet,199.231.8.0/255.255.255.0,192.168.24.0/255.255.255.0,192.168.151.0/255.255.255.0:Enabled:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:LocalSubNet,199.231.8.0/255.255.255.0,192.168.24.0/255.255.255.0,192.168.151.0/255.255.255.0:Enabled:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:LocalSubNet,199.231.8.0/255.255.255.0,192.168.24.0/255.255.255.0,192.168.151.0/255.255.255.0:Enabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:LocalSubNet,199.231.8.0/255.255.255.0,192.168.24.0/255.255.255.0,192.168.151.0/255.255.255.0:Enabled:@xpsp2res.dll,-22002
"3389:TCP"= 3389:TCP:LocalSubnet,192.168.24.0/255.255.255.0,192.168.151.0/255.255.255.0,199.231.8.0/255.255.255.0:Enabled:@xpsp2res.dll,-22009
"2568:TCP"= 2568:TCP:199.231.8.0/255.255.255.0:Enabled:SMS-CliHealth
"2701:TCP"= 2701:TCP:199.231.8.0/255.255.255.0:Enabled:SMS-Ping
"2702:TCP"= 2702:TCP:199.231.8.0/255.255.255.0:Enabled:SMS-RemoteControl
"2703:TCP"= 2703:TCP:199.231.8.0/255.255.255.0:Enabled:SMS-Chat
"2704:TCP"= 2704:TCP:199.231.8.0/255.255.255.0:Enabled:SMS-FileXfr
"9322:TCP"= 9322:TCP:EKDiscovery
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"Enabled"= 1 (0x1)
"RemoteAddresses"= *
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 DcomLaunch32;DCOM Server Process Launcher ;c:\windows\system32\win87em32.exe [6/22/2011 9:57 PM 764416]
R2 Eventlog32;Event Log ;c:\windows\system32\dpnmodem32.exe [6/19/2011 11:51 PM 764416]
R2 F5 Networks Component Installer;F5 Networks Component Installer;c:\windows\system32\F5InstallerService.exe [6/4/2008 9:51 AM 262784]
R2 lanmanserver32;Server ;c:\windows\system32\mqrtdep32.exe [6/17/2011 10:59 PM 764416]
R2 MSSQL$XACTWARE;SQL Server (XACTWARE);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [8/5/2008 5:58 PM 29184016]
R2 Netlogon32;Net Logon ;c:\windows\system32\loadperf32.exe [6/17/2011 10:59 PM 764416]
R2 OneTouch 4.0 Monitor32;OneTouch 4.0 Monitor ;c:\windows\system32\mciqtz323232.exe [6/21/2011 10:37 AM 764416]
R2 PolicyAgent32;IPSEC Services ;c:\windows\system32\wifeman32.exe [6/19/2011 11:09 PM 764416]
R2 SamSs32;Security Accounts Manager ;c:\windows\system32\mciole3232.exe [6/18/2011 11:08 PM 764416]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 9:48 PM 116664]
R2 SUService32;System Update ;c:\windows\system32\atioglx232.exe [6/18/2011 12:14 AM 764416]
R2 WMPNetworkSvc32;Windows Media Player Network Sharing Service ;c:\windows\system32\ir41_qc32.exe [6/22/2011 8:46 PM 764416]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [5/14/2009 11:41 AM 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/9/2011 7:13 AM 105592]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [5/14/2009 6:19 PM 33920]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2010 8:59 AM 136176]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe --> c:\program files\Kodak\AiO\Center\EKDiscovery.exe [?]
S2 KodakSvc;Kodak AiO Device Service;"c:\program files\Kodak\AiO\center\KodakSvc.exe" --> c:\program files\Kodak\AiO\center\KodakSvc.exe [?]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [5/14/2009 11:41 AM 475520]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [12/2/2008 12:07 PM 10752]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2010 8:59 AM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/12/2011 1:11 AM 39984]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [7/7/2008 1:23 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [5/9/2008 12:08 PM 174336]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\bin\ONRSD.EXE [10/19/2000 12:55 PM 411244]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 8:03 PM 32408]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
S4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [7/8/2010 4:43 PM 229376]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 12:59]
.
2011-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 12:59]
.
2011-06-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
2009-07-10 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: adp.com
Trusted Zone: centra.com
Trusted Zone: dhl-usa.com
Trusted Zone: learn.com
Trusted Zone: microsoft.com
Trusted Zone: virtela.net
Trusted Zone: windowsupdate.com
TCP: DhcpNameServer = 97.64.209.36 97.64.168.13
TCP: Interfaces\{BD21A35D-410C-445D-8CDC-301D6B859268}: DhcpNameServer = 97.64.209.36 97.64.168.13
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {68132570-CED6-11D5-91AE-000039F5040E} - hxxp://www.employeeedge.com/NAVUPDPRJ.CAB
DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} - file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{BE61E684-882B-DAF4-9C2B-6E858EB6E708} - c:\windows\system32\mciqtz3232.dll
MSConfigStartUp-TomTomHOME - c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-25 18:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(988)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1600)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\kbdbu32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\notes\ntmulti.exe
c:\program files\Visioneer\OneTouch 4.0\OtService.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\windows\system32\rpcnet.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2011-06-25 19:03:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-25 23:03
.
Pre-Run: 97,130,287,104 bytes free
Post-Run: 97,163,976,704 bytes free
.
Current=5 Default=5 Failed=4 LastKnownGood=2 Sets=1,2,3,4,5
- - End Of File - - E9F9B960F6D3E12902B1554E6D9B9B8C

#9
ph1290
    Member
  • Topic Starter
  • Member
  • 58 posts
Here is the TDSSKiller log


2011/06/25 19:08:54.0812 3560 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
2011/06/25 19:08:55.0453 3560 ================================================================================
2011/06/25 19:08:55.0453 3560 SystemInfo:
2011/06/25 19:08:55.0453 3560
2011/06/25 19:08:55.0453 3560 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/25 19:08:55.0453 3560 Product type: Workstation
2011/06/25 19:08:55.0453 3560 ComputerName: 7-51896
2011/06/25 19:08:55.0453 3560 UserName: harrisap
2011/06/25 19:08:55.0468 3560 Windows directory: C:\WINDOWS
2011/06/25 19:08:55.0468 3560 System windows directory: C:\WINDOWS
2011/06/25 19:08:55.0468 3560 Processor architecture: Intel x86
2011/06/25 19:08:55.0468 3560 Number of processors: 2
2011/06/25 19:08:55.0468 3560 Page size: 0x1000
2011/06/25 19:08:55.0468 3560 Boot type: Normal boot
2011/06/25 19:08:55.0468 3560 ================================================================================
2011/06/25 19:08:57.0125 3560 Initialize success
2011/06/25 19:09:03.0171 1344 ================================================================================
2011/06/25 19:09:03.0171 1344 Scan started
2011/06/25 19:09:03.0171 1344 Mode: Manual;
2011/06/25 19:09:03.0171 1344 ================================================================================
2011/06/25 19:09:03.0937 1344 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/06/25 19:09:03.0984 1344 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/06/25 19:09:04.0062 1344 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/06/25 19:09:04.0156 1344 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/06/25 19:09:04.0406 1344 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/06/25 19:09:04.0546 1344 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/06/25 19:09:04.0593 1344 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/06/25 19:09:04.0796 1344 ati2mtag (1e980a3848067cc5f5d2212f7f7510d8) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/06/25 19:09:04.0984 1344 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/06/25 19:09:05.0062 1344 ATSwpWDF (a9f9d1d24441889beb1aa2b917457e23) C:\WINDOWS\system32\Drivers\ATSwpWDF.sys
2011/06/25 19:09:05.0234 1344 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/06/25 19:09:05.0296 1344 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/06/25 19:09:05.0390 1344 BTWUSB (d5af663711660d32ec230c6aaf7b6b83) C:\WINDOWS\system32\Drivers\btwusb.sys
2011/06/25 19:09:05.0468 1344 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/06/25 19:09:05.0671 1344 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/06/25 19:09:05.0750 1344 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/06/25 19:09:05.0796 1344 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/06/25 19:09:05.0859 1344 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/06/25 19:09:05.0968 1344 CnxtHdAudService (74d5c90052e936622e077d94121ec2c9) C:\WINDOWS\system32\drivers\CHDAU32.sys
2011/06/25 19:09:06.0125 1344 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/06/25 19:09:06.0296 1344 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/06/25 19:09:06.0421 1344 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/06/25 19:09:06.0578 1344 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
2011/06/25 19:09:06.0625 1344 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/06/25 19:09:06.0671 1344 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/06/25 19:09:06.0718 1344 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/06/25 19:09:06.0765 1344 E1000 (4beb6f44b0dc94af9fb20e97ab7ad47c) C:\WINDOWS\system32\DRIVERS\e1000325.sys
2011/06/25 19:09:06.0906 1344 e1yexpress (6a738bee58ff3d2f237157082e799de8) C:\WINDOWS\system32\DRIVERS\e1y5132.sys
2011/06/25 19:09:07.0078 1344 eeCtrl (5461f01b7def17dc90d90b029f874c3b) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/06/25 19:09:07.0109 1344 EraserUtilRebootDrv (17fcc372d03ba39f3aee85198c0ec594) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/06/25 19:09:07.0187 1344 f5ipfw (655b4da37044be6f58cd700426b2e242) C:\WINDOWS\system32\drivers\urfltw2k.sys
2011/06/25 19:09:07.0312 1344 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/06/25 19:09:07.0375 1344 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/06/25 19:09:07.0421 1344 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/06/25 19:09:07.0484 1344 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/06/25 19:09:07.0546 1344 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/06/25 19:09:07.0671 1344 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/06/25 19:09:07.0703 1344 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/06/25 19:09:07.0765 1344 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/06/25 19:09:07.0812 1344 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/06/25 19:09:07.0875 1344 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/06/25 19:09:08.0031 1344 HECI (2df64415a28ce036ac6acec7645a996f) C:\WINDOWS\system32\DRIVERS\HECI.sys
2011/06/25 19:09:08.0093 1344 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/06/25 19:09:08.0218 1344 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/06/25 19:09:08.0250 1344 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/06/25 19:09:08.0312 1344 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/06/25 19:09:08.0453 1344 HSFHWAZL (03a51d7d5666df3d4331581b3a3109dc) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/06/25 19:09:08.0531 1344 HSF_DPV (d92272a376bba4a0ed61f92280d71a10) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/06/25 19:09:08.0703 1344 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/06/25 19:09:08.0828 1344 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/06/25 19:09:08.0906 1344 iastor (baabb0301949774a66b955c65319635a) C:\WINDOWS\system32\Drivers\iaStor.sys
2011/06/25 19:09:08.0953 1344 IBMPMDRV (6207f110f2530f187bf876012ebec664) C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
2011/06/25 19:09:09.0000 1344 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/06/25 19:09:09.0062 1344 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/06/25 19:09:09.0093 1344 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/06/25 19:09:09.0234 1344 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/06/25 19:09:09.0281 1344 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/06/25 19:09:09.0312 1344 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/06/25 19:09:09.0343 1344 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/06/25 19:09:09.0453 1344 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/06/25 19:09:09.0484 1344 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/06/25 19:09:09.0546 1344 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/06/25 19:09:09.0562 1344 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/06/25 19:09:09.0593 1344 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/06/25 19:09:09.0625 1344 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/06/25 19:09:09.0718 1344 MBAMSwissArmy (b309912717c29fc67e1ba4730a82b6dd) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/06/25 19:09:09.0843 1344 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/06/25 19:09:09.0906 1344 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/06/25 19:09:09.0968 1344 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/06/25 19:09:10.0000 1344 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/06/25 19:09:10.0062 1344 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/06/25 19:09:10.0187 1344 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/06/25 19:09:10.0218 1344 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/06/25 19:09:10.0296 1344 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/06/25 19:09:10.0437 1344 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/06/25 19:09:10.0500 1344 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/06/25 19:09:10.0546 1344 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/06/25 19:09:10.0593 1344 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/06/25 19:09:10.0671 1344 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/06/25 19:09:10.0828 1344 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/06/25 19:09:11.0031 1344 NAVENG (920d9701bba90dbb7ccfd3536ea4d6f9) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110624.002\naveng.sys
2011/06/25 19:09:11.0125 1344 NAVEX15 (31b1a9b53c3319b97f7874347cd992d2) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110624.002\navex15.sys
2011/06/25 19:09:11.0296 1344 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/06/25 19:09:11.0359 1344 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/06/25 19:09:11.0390 1344 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/06/25 19:09:11.0421 1344 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/06/25 19:09:11.0468 1344 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/06/25 19:09:11.0500 1344 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/06/25 19:09:11.0640 1344 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/06/25 19:09:11.0890 1344 NETw5x32 (cfe1981a47a2f7650a1ef8917dc4d1c3) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
2011/06/25 19:09:12.0109 1344 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/06/25 19:09:12.0156 1344 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/06/25 19:09:12.0187 1344 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/06/25 19:09:12.0328 1344 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/06/25 19:09:12.0390 1344 NWADI (0973c0c696780161f4526586d5eac422) C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
2011/06/25 19:09:12.0453 1344 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/06/25 19:09:12.0531 1344 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/06/25 19:09:12.0578 1344 NWUSBCDFIL (1fde5b2d61d97d803594df4b3bc28c4b) C:\WINDOWS\system32\DRIVERS\NwUsbCdFil.sys
2011/06/25 19:09:12.0703 1344 NWUSBModem (65b471bb7e57c416a1e685ec07d4abfa) C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys
2011/06/25 19:09:12.0781 1344 NWUSBPort (65b471bb7e57c416a1e685ec07d4abfa) C:\WINDOWS\system32\DRIVERS\nwusbser.sys
2011/06/25 19:09:12.0843 1344 NWUSBPort2 (65b471bb7e57c416a1e685ec07d4abfa) C:\WINDOWS\system32\DRIVERS\nwusbser2.sys
2011/06/25 19:09:12.0906 1344 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/06/25 19:09:13.0062 1344 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/06/25 19:09:13.0093 1344 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/06/25 19:09:13.0156 1344 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/06/25 19:09:13.0187 1344 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/06/25 19:09:13.0250 1344 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/06/25 19:09:13.0281 1344 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/06/25 19:09:13.0437 1344 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/06/25 19:09:13.0531 1344 prepdrvr (f6c80bd6f2a5c1ccc1c2519f02d99bf2) C:\WINDOWS\system32\CCM\prepdrv.sys
2011/06/25 19:09:13.0656 1344 psadd (651d3abc1d82d61b6cfb40cb947b3db3) C:\WINDOWS\system32\DRIVERS\psadd.sys
2011/06/25 19:09:13.0703 1344 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/06/25 19:09:13.0750 1344 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/06/25 19:09:13.0812 1344 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/06/25 19:09:13.0937 1344 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/06/25 19:09:14.0078 1344 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/06/25 19:09:14.0093 1344 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/06/25 19:09:14.0109 1344 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/06/25 19:09:14.0140 1344 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/06/25 19:09:14.0171 1344 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/06/25 19:09:14.0187 1344 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/06/25 19:09:14.0234 1344 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/06/25 19:09:14.0265 1344 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/06/25 19:09:14.0375 1344 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/06/25 19:09:14.0390 1344 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/06/25 19:09:14.0453 1344 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys
2011/06/25 19:09:14.0468 1344 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
2011/06/25 19:09:14.0625 1344 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/06/25 19:09:14.0734 1344 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/06/25 19:09:14.0750 1344 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/06/25 19:09:14.0796 1344 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/06/25 19:09:14.0953 1344 SMSIVZAM5 (1e715247efffdda938c085913045d599) C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS
2011/06/25 19:09:15.0125 1344 SPBBCDrv (60053e9c1fc4f6887c296c19cb825244) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2011/06/25 19:09:15.0265 1344 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/06/25 19:09:15.0296 1344 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/06/25 19:09:15.0343 1344 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/06/25 19:09:15.0421 1344 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/06/25 19:09:15.0453 1344 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/06/25 19:09:15.0578 1344 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/06/25 19:09:15.0687 1344 SymEvent (49b20b430a4f219173f823536944474a) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/06/25 19:09:15.0750 1344 SYMREDRV (e919f0922248a826964428f479a3dc24) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2011/06/25 19:09:15.0796 1344 SYMTDI (c177d5a655af572c456ec977582b9bc0) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2011/06/25 19:09:15.0890 1344 SynTP (820d28f30ac01ce86860a35dcc7bfaab) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/06/25 19:09:16.0031 1344 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/06/25 19:09:16.0109 1344 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/06/25 19:09:16.0171 1344 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/06/25 19:09:16.0203 1344 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/06/25 19:09:16.0328 1344 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/06/25 19:09:16.0468 1344 tpm (3724dff72b0f5307cf761cc91c2bb9f7) C:\WINDOWS\system32\DRIVERS\tpm.sys
2011/06/25 19:09:16.0515 1344 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/06/25 19:09:16.0593 1344 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/06/25 19:09:16.0640 1344 urvpndrv (b023b2516339f6a8d054b69f6b996364) C:\WINDOWS\system32\DRIVERS\covpndrv.sys
2011/06/25 19:09:16.0750 1344 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/06/25 19:09:16.0796 1344 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/06/25 19:09:16.0828 1344 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/06/25 19:09:16.0890 1344 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/06/25 19:09:16.0953 1344 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/06/25 19:09:17.0062 1344 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/06/25 19:09:17.0093 1344 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/06/25 19:09:17.0125 1344 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/06/25 19:09:17.0187 1344 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/06/25 19:09:17.0281 1344 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/06/25 19:09:17.0421 1344 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/06/25 19:09:17.0500 1344 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/06/25 19:09:17.0640 1344 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/06/25 19:09:17.0734 1344 winachsf (ed10a3d367dd5596506022d5e2a3cba0) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/06/25 19:09:17.0921 1344 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/06/25 19:09:17.0984 1344 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/06/25 19:09:18.0046 1344 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/06/25 19:09:18.0125 1344 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/06/25 19:09:18.0234 1344 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/06/25 19:09:18.0312 1344 MBR (0x1B8) (ece27f86ac86c571e8b0daab133195cc) \Device\Harddisk0\DR0
2011/06/25 19:09:18.0468 1344 ================================================================================
2011/06/25 19:09:18.0468 1344 Scan finished
2011/06/25 19:09:18.0468 1344 ================================================================================
2011/06/25 19:09:18.0500 0736 Detected object count: 0
2011/06/25 19:09:18.0500 0736 Actual detected object count: 0
2011/06/25 19:09:59.0984 2208 Deinitialize success

#10
maliprog
Trusted Helper, Malware Removal
Hi ph1290,

Nice! I think we did it! What problems do you have now?

#11
ph1290
Member, Topic Starter
Had an issue connecting to my wireless which seemed unusual, but not sure if it was related. I ran MBAM and it found about 10 items (I will include the log); my wireless seems okay now. I did have an internet shortcut on my desktop that had been working fine. Now I am told that the computer can't find it; however, if I click on it in my favorites list it will connect. I deleted the old shortcuts and added a new shortcut, but still can't access it through the shortcut. Not sure if it is virus related, but it is something I noticed.

Here is the MBAM log

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6949

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/27/2011 3:49:33 PM
mbam-log-2011-06-27 (15-49-33).txt

Scan type: Quick scan
Objects scanned: 215680
Time elapsed: 9 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANMANSERVER32 (Trojan.Tracur) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\localservice\application data\020000004280165e1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000004280165e1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000004280165e1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000004280165e1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000004280165e1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000004280165e1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000004280165e1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000004280165e1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

#12
maliprog
Trusted Helper, Malware Removal
Hi ph1290,

I don't think it's malware related. Sometimes the system does these things. Let's do one more scan.

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan.
On the first tab select all elements down to Computer and then select start scan.
Confirm deletion of all infections AVP finds.
Once it has finished, select report and post that.

Do not close AVPTool or it will self-uninstall; if it does uninstall, then just rerun the setup file on your desktop.

#13
ph1290
Member, Topic Starter
Here is a partial log.

Popups from the program noted finding viruses, and at one point it rebooted to delete, then started running again. The attached report is for those items removed. The program continued to run, finding mainly additional examples of Trojan-Dropper.Win32.Agent.eytf in different locations. When it finished, the report screen froze and I could not copy from it, nor did it produce a new .txt file.

As an FYI, just before starting this I did get 1 redirect, but didn't see another one on several tries.


Autoscan: stopped 14 minutes ago (events: 3, objects: 163, time: 00:05:07)
6/28/2011 7:07:57 AM Task started
6/28/2011 7:11:53 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\win87em32.exe
6/28/2011 7:13:04 AM Task stopped
Disinfect active threats: completed 5 minutes ago (events: 30, objects: 4481, time: 00:09:36)
6/28/2011 7:13:04 AM Task started
6/28/2011 7:13:05 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\win87em32.exe
6/28/2011 7:13:35 AM Will be deleted on system restart: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\win87em32.exe
6/28/2011 7:14:21 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\win87em32.exe
6/28/2011 7:15:24 AM Will be deleted on system restart: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\win87em32.exe
6/28/2011 7:15:25 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\kbdbu32.exe
6/28/2011 7:15:34 AM Will be deleted on system restart: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\kbdbu32.exe
6/28/2011 7:15:34 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\dpnmodem32.exe
6/28/2011 7:15:54 AM Will be deleted on system restart: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\dpnmodem32.exe
6/28/2011 7:15:57 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\mqrtdep32.exe
6/28/2011 7:16:15 AM Will be deleted on system restart: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\mqrtdep32.exe
6/28/2011 7:16:16 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\loadperf32.exe
6/28/2011 7:16:44 AM Will be deleted on system restart: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\loadperf32.exe
6/28/2011 7:16:44 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\mciqtz323232.exe
6/28/2011 7:17:04 AM Will be deleted on system restart: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\mciqtz323232.exe
6/28/2011 7:17:04 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\wifeman32.exe
6/28/2011 7:17:30 AM Will be deleted on system restart: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\wifeman32.exe
6/28/2011 7:17:31 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\mciole3232.exe
6/28/2011 7:17:57 AM Will be deleted on system restart: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\mciole3232.exe
6/28/2011 7:17:58 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\atioglx232.exe
6/28/2011 7:18:20 AM Will be deleted on system restart: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\atioglx232.exe
6/28/2011 7:18:21 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\ir41_qc32.exe
6/28/2011 7:18:42 AM Will be deleted on system restart: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\ir41_qc32.exe
6/28/2011 7:21:00 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\ipxwan32.exe
6/28/2011 7:21:23 AM Cannot be deleted: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\ipxwan32.exe Object is locked
6/28/2011 7:21:23 AM Will be deleted on system restart: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\ipxwan32.exe
6/28/2011 7:21:24 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\kbdcz132.exe
6/28/2011 7:21:47 AM Cannot be deleted: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\kbdcz132.exe Object is locked
6/28/2011 7:21:47 AM Will be deleted on system restart: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\kbdcz132.exe
6/28/2011 7:22:40 AM Task completed
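The AVPTool report above is a flat event list, so one file shows up several times (Detected, Cannot be deleted, Will be deleted on system restart), and the names listed all resemble legitimate Windows component names with a "32" suffix added, which is worth noting when reading such a report. As an added example that is not part of the original thread, nor of AVPTool itself, the following Python collapses a report in that format per path and produces the one list a responder needs after the reboot: which deferred deletions to confirm are actually gone. The sample report is constructed from the format shown in the post, the event names are the ones present in the posted log, and the `Deleted` event and the `KNOWN_REASONS` tuple are assumptions extended from it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the AVPTool report format in the post above:
# "<date> <time> <AM/PM> <event>: <threat> <path> [<reason>]".
SAMPLE_REPORT = r"""
6/28/2011 7:13:04 AM Task started
6/28/2011 7:13:05 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\win87em32.exe
6/28/2011 7:13:35 AM Will be deleted on system restart: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\win87em32.exe
6/28/2011 7:21:00 AM Detected: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\ipxwan32.exe
6/28/2011 7:21:23 AM Cannot be deleted: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\ipxwan32.exe Object is locked
6/28/2011 7:21:23 AM Will be deleted on system restart: Trojan-Dropper.Win32.Agent.eytf C:\WINDOWS\system32\ipxwan32.exe
6/28/2011 7:22:40 AM Task completed
"""

# Event names: Detected / Cannot be deleted / Will be deleted on system restart
# appear in the posted log; "Deleted" is an assumed variant for a direct removal.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<event>Detected|Will be deleted on system restart|Cannot be deleted|Deleted): "
    r"(?P<threat>\S+) (?P<rest>.+)$"
)
# Trailing reason phrases; only "Object is locked" occurs in the posted log (assumed list).
KNOWN_REASONS = ("Object is locked",)


@dataclass
class Event:
    ts: str
    event: str
    threat: str
    path: str
    reason: Optional[str] = None


def parse_report(text: str) -> list:
    """Turn report lines into Event records; lines without an object (Task started/stopped) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest, reason = m.group("rest"), None
        # Paths may contain spaces, so split the reason off by known phrase rather than by token.
        for phrase in KNOWN_REASONS:
            if rest.endswith(" " + phrase):
                rest, reason = rest[: -len(phrase) - 1], phrase
                break
        events.append(Event(m.group("ts"), m.group("event"), m.group("threat"), rest, reason))
    return events


def summarize(events: list) -> dict:
    """Collapse events per path (case-insensitive key): last status, lock seen, reboot-deferred deletion."""
    summary = {}
    for e in events:
        rec = summary.setdefault(
            e.path.lower(),
            {"path": e.path, "threat": e.threat, "status": None, "locked": False, "pending_reboot": False},
        )
        if e.event == "Detected":
            rec["status"] = "detected"
        elif e.event == "Cannot be deleted":
            rec["locked"] = True            # in-use object: removal had to be deferred
        elif e.event == "Will be deleted on system restart":
            rec["pending_reboot"] = True
            rec["status"] = "pending_reboot"
        elif e.event == "Deleted":
            rec["status"] = "deleted"
    return summary


def post_reboot_checklist(summary: dict) -> list:
    """Paths whose deletion was deferred to the reboot: verify each is gone afterwards."""
    return sorted(r["path"] for r in summary.values() if r["pending_reboot"])


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    for p in post_reboot_checklist(s):
        print("verify removed after reboot:", p, "(locked at scan time)" if s[p.lower()]["locked"] else "")
```

The checklist is the point: a report that ends in "Will be deleted on system restart" has not yet removed anything, so the confirmation step belongs after the reboot, not after the scan.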

#14
maliprog
Trusted Helper, Malware Removal
Hi ph1290,

Just as I thought... I think we did it this time, but please test your system for one day and let me know if you get redirected.

#15
ph1290
Member, Topic Starter
Will do.