Attempted to remove virus, symptoms remain. OTL log included.


#1 bdjsb7 (Member, 25 posts)

Background:
A friend was using my PC while I was away. I received a call telling me it looked like I had a virus. She clicked through to scan it, and it was now asking to be purchased/authorized. I immediately knew what this meant, fearing the worst.
I had her shut down the PC, but it was too late.

Upon opening a web browser (I use Firefox, but also have IE installed; I installed Chrome after the fact due to redirects), a box would pop up asking me to purchase a fake malware program, etc.

I used Malwarebytes, CCleaner and a couple of rootkit detectors (AVG and one I cannot remember).
Malwarebytes found 7 items. I do not remember what they were, other than them having the 'backdoor' classification. May have been WinAV or something similar. Malwarebytes cleaned/deleted all malicious content, but when the machine rebooted, my McAfee virus scan would not work (I cannot enable the on-access scan), the browsers redirect Google results, and if I stay connected to the internet, subsequent Malwarebytes scans detect more bad items.

To add insult to injury, most rootkit removers I've tried and HiJackThis will begin scanning, but will simply disappear and stop working without any sort of error. OTL seems to work fine (thankfully!!) and I'm glad there is a forum that prefers that tool instead. I posted about this on another forum, but I didn't get much help after saying HiJackThis wouldn't run.

I'm more than a week into trying to fix this on my own. I'm an IT professional, but haven't had to clean an infected machine in years, so my tactics are all out of date. Please forgive my ignorance as we go forward if I have some dumb questions :)

Without further ado, here is the OTL log:


OTL logfile created on: 9/7/2011 10:16:06 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Documents and Settings\Justin\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.73 Mb Total Physical Memory | 409.12 Mb Available Physical Memory | 40.00% Memory free
2.41 Gb Paging File | 1.90 Gb Available in Paging File | 79.14% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 21.48 Gb Free Space | 19.22% Space Free | Partition Type: NTFS
Drive E: | 1.86 Gb Total Space | 1.86 Gb Free Space | 99.83% Space Free | Partition Type: FAT
Drive K: | 232.88 Gb Total Space | 53.94 Gb Free Space | 23.16% Space Free | Partition Type: NTFS

Computer Name: BDJSB7X | User Name: Justin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\128095406:1365990904.exe
PRC - [2011/09/07 22:12:22 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Justin\My Documents\Downloads\OTL.exe
PRC - [2011/08/30 03:50:36 | 001,017,912 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Justin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2011/04/12 16:40:58 | 000,660,848 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
PRC - [2010/12/10 08:29:00 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2010/09/17 21:14:22 | 000,460,144 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2009/04/29 20:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\shstat.exe
PRC - [2009/04/29 20:07:00 | 000,070,216 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2009/04/29 20:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\vstskmgr.exe
PRC - [2009/04/29 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\engineserver.exe
PRC - [2009/01/16 16:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/01/16 16:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/01/16 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/01/16 16:00:00 | 000,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/06/30 10:49:08 | 000,770,100 | ---- | M] () -- C:\Program Files\Ahead\InCD\incdsrv.exe


========== Modules (No Company Name) ==========

MOD - [2011/08/30 03:50:34 | 000,400,440 | ---- | M] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\Google\Chrome\Application\13.0.782.218\ppgooglenaclpluginchrome.dll
MOD - [2011/08/30 03:50:33 | 004,118,072 | ---- | M] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\Google\Chrome\Application\13.0.782.218\pdf.dll
MOD - [2011/08/30 03:49:29 | 000,300,088 | ---- | M] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\Google\Chrome\Application\13.0.782.218\Locales\en-US.dll
MOD - [2011/08/30 03:49:01 | 000,104,520 | ---- | M] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\Google\Chrome\Application\13.0.782.218\avutil-50.dll
MOD - [2011/08/30 03:49:00 | 000,203,848 | ---- | M] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\Google\Chrome\Application\13.0.782.218\avformat-52.dll
MOD - [2011/08/30 03:48:58 | 001,846,344 | ---- | M] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\Google\Chrome\Application\13.0.782.218\avcodec-52.dll
MOD - [2011/08/30 01:50:36 | 006,338,720 | ---- | M] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\Google\Chrome\Application\13.0.782.218\gcswf32.dll
MOD - [2010/09/17 21:14:22 | 000,460,144 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
MOD - [2010/09/17 21:13:36 | 002,826,240 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\Core.dll
MOD - [2010/09/17 21:07:18 | 000,733,184 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\qca2.dll
MOD - [2010/08/15 18:08:44 | 000,094,208 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll
MOD - [2010/08/03 16:47:12 | 008,351,744 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\QtGui4.dll
MOD - [2010/08/03 16:47:12 | 002,244,608 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\QtCore4.dll
MOD - [2010/08/03 16:47:12 | 000,978,944 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\QtNetwork4.dll
MOD - [2010/08/03 16:47:12 | 000,364,544 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\QtXml4.dll
MOD - [2010/08/03 16:47:12 | 000,204,800 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\QtSql4.dll
MOD - [2009/09/04 23:15:06 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2009/01/16 16:00:00 | 000,057,344 | ---- | M] () -- C:\Program Files\McAfee\Common Framework\boost_thread-vc71-mt-1_32.dll
MOD - [2008/06/20 13:41:10 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2006/10/22 13:22:00 | 000,212,992 | ---- | M] () -- C:\WINDOWS\system32\nvapi.dll
MOD - [2006/05/14 00:23:40 | 000,138,752 | ---- | M] () -- C:\Program Files\7-Zip\7-zip.dll
MOD - [2005/08/22 15:38:16 | 003,264,512 | ---- | M] () -- C:\Program Files\McAfee\Common Framework\cryptocme2.dll
MOD - [2004/06/20 19:17:22 | 000,121,344 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2003/06/30 10:49:08 | 000,770,100 | ---- | M] () -- C:\Program Files\Ahead\InCD\incdsrv.exe
MOD - [2003/06/30 10:48:22 | 000,364,593 | ---- | M] () -- C:\Program Files\Ahead\InCD\incdunt.dll
MOD - [2000/05/17 15:04:54 | 000,026,624 | ---- | M] () -- C:\WINDOWS\system32\PRTmate.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/04/12 16:40:58 | 000,660,848 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
SRV - [2010/12/10 08:29:00 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2010/09/17 21:14:22 | 000,460,144 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2009/04/29 20:07:00 | 000,144,888 | ---- | M] () [Unknown | Stopped] -- C:\Program Files\McAfee\VirusScan\mcshield.exe -- (McShield)
SRV - [2009/04/29 20:07:00 | 000,070,216 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2009/04/29 20:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan\vstskmgr.exe -- (McTaskManager)
SRV - [2009/04/29 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan\engineserver.exe -- (McAfeeEngineService)
SRV - [2009/01/16 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2003/06/30 10:49:08 | 000,770,100 | ---- | M] () [Auto | Running] -- C:\Program Files\Ahead\InCD\incdsrv.exe -- (InCDsrv)


========== Driver Services (SafeList) ==========

DRV - [2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/04/12 16:10:02 | 000,026,624 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dsNcAdpt.sys -- (dsNcAdpt)
DRV - [2009/04/29 20:07:00 | 000,342,128 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/04/29 20:07:00 | 000,091,640 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/04/29 20:07:00 | 000,075,704 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2009/04/29 20:07:00 | 000,065,224 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2009/04/29 20:07:00 | 000,063,696 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/04/29 20:07:00 | 000,043,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/07/09 06:05:48 | 000,009,200 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2008/07/09 06:05:48 | 000,009,072 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2008/04/04 14:49:04 | 000,136,832 | ---- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SaiH8000.sys -- (SaiH8000)
DRV - [2007/12/11 14:42:22 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2007/01/31 09:33:46 | 000,005,632 | ---- | M] (GRISOFT, s.r.o.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\avgarkt.sys -- (AVG Anti-Rootkit)
DRV - [2007/01/18 08:00:28 | 000,003,968 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AvgArCln.sys -- (AvgArCln)
DRV - [2005/10/15 21:15:41 | 000,027,171 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2005/10/08 18:22:38 | 000,071,512 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\toywdm.sys -- (JL2005)
DRV - [2005/09/26 01:08:10 | 000,125,568 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avcgbdr.sys -- (avcgbdr)
DRV - [2005/07/28 04:28:10 | 000,019,712 | ---- | M] (Adaptec, Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avcgbfl.sys -- (avcgbfl)
DRV - [2005/04/24 22:43:58 | 000,013,225 | ---- | M] (Razer (Asia-Pacific) Pte Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Razerlow.sys -- (Razerlow)
DRV - [2004/10/08 07:59:12 | 000,326,656 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Camdrl.sys -- (CamDrL) Logitech QuickCam Pro 3000(CamDrl)
DRV - [2004/10/08 07:57:50 | 000,022,016 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2004/08/06 02:26:00 | 000,016,880 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctpdusb.sys -- (Jukebox3)
DRV - [2004/07/17 05:24:20 | 000,028,352 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k)
DRV - [2004/04/07 15:11:00 | 000,038,860 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2004/04/07 15:11:00 | 000,019,908 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2003/06/30 10:51:24 | 000,028,208 | ---- | M] (Ahead Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\incdpass.sys -- (InCDPass)
DRV - [2003/06/30 10:51:00 | 000,086,496 | ---- | M] () [File_System | Disabled | Running] -- C:\WINDOWS\System32\drivers\incdfs.sys -- (InCDfs)
DRV - [2003/01/27 16:37:38 | 000,286,512 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2003/01/21 05:38:12 | 000,139,968 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HAP16V2K.SYS -- (hap16v2k)
DRV - [2003/01/07 05:03:42 | 000,822,416 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2003/01/06 03:24:12 | 000,012,160 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctgame.sys -- (ctgame)
DRV - [2003/01/06 03:05:14 | 000,184,656 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2002/12/19 02:06:02 | 000,116,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2002/12/19 02:05:52 | 000,135,248 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTSFM2K.SYS -- (ctsfm2k)
DRV - [2002/12/19 02:05:32 | 000,006,144 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTPRXY2K.SYS -- (ctprxy2k)
DRV - [2002/12/19 02:05:12 | 000,497,376 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2002/12/19 02:03:42 | 000,135,040 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTAC32K.SYS -- (ctac32k)
DRV - [2002/11/12 06:38:38 | 000,016,432 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\PFMODNT.SYS -- (PfModNT)
DRV - [2001/08/23 15:00:00 | 000,022,400 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)
DRV - [2001/08/17 12:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)
DRV - [2000/12/12 15:45:52 | 000,008,679 | ---- | M] ( ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SCI0PL.SYS -- (PLSCSI)
DRV - [2000/12/12 15:41:54 | 000,021,510 | ---- | M] ( ) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\SCI1PL.SYS -- (USBAtapi2000)
DRV - [2000/04/18 00:53:50 | 000,112,624 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dvc325.sys -- (DCamUSBLTN)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.3: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Justin\Application Data\Move Networks\plugins\npqmp071500000347.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2571: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2629: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1739: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Program Files\Google\Update\1.2.183.23\npGoogleOneClick8.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1: C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll (Yahoo! Inc.)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Documents and Settings\Justin\Application Data\Facebook\npfbplugin_1_0_3.dll ( )
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Justin\Application Data\Move Networks\plugins\npqmp071500000347.dll (Move Networks)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Justin\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Justin\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2010/03/04 19:37:33 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/31 00:11:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/08/17 21:24:45 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Documents and Settings\Justin\Application Data\Move Networks [2009/05/18 17:27:26 | 000,000,000 | ---D | M]

[2011/01/18 12:37:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Justin\Application Data\Mozilla\Extensions
[2011/01/18 12:37:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Justin\Application Data\Mozilla\Extensions\[email protected]
[2011/08/28 23:53:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\o26fuz9n.default\extensions
[2009/08/07 21:25:47 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\o26fuz9n.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/08/09 19:53:24 | 000,000,000 | ---D | M] (Vuze Remote Toolbar) -- C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\o26fuz9n.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
[2011/08/31 02:31:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/03/30 20:58:33 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2005/09/15 18:26:00 | 000,044,153 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\inspector.dll
[2009/04/29 20:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll
[2011/03/30 20:57:05 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2005/05/28 17:15:00 | 000,110,592 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npmozax.dll
[2006/02/02 15:56:00 | 000,225,280 | ---- | M] (Virtools SA) -- C:\Program Files\mozilla firefox\plugins\npvirtools.dll

O1 HOSTS File: ([2010/04/26 20:38:29 | 000,392,034 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123haustiereundmehr.com
O1 - Hosts: 13565 more lines...
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (PaltalkWebLogin) - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll (AVM Software Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Vuze Remote Toolbar) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan\SHSTAT.EXE (McAfee, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O9 - Extra Button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\paltalk.exe (AVM Software Inc.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra Button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YPager.exe (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YPager.exe (Yahoo! Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - File not found
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKLM\..Trusted Domains: frame.crazywinnings.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range1 ([*] in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([windowsupdate] http in Trusted sites)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Reg Error: Key error.)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://a1540.g.akama...meInstaller.exe (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1159395208484 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://download.game...aploader_v5.cab (PopCapLoader Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/...SetupClient.cab (JuniperSetupClientControl Class)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4E5FB9FD-EF7B-49B1-BEC9-50AF68A889E3}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/06/03 16:07:01 | 000,002,247 | ---- | M] () - C:\AutoAssault.log -- [ NTFS ]
O33 - MountPoints2\{01d6c352-7c9b-11df-be02-0007e95e8e19}\Shell\AutoRun\command - "" = E:\Setup_FlipShare.exe
O33 - MountPoints2\{01d6c352-7c9b-11df-be02-0007e95e8e19}\Shell\Setup FlipShare\command - "" = E:\Setup_FlipShare.exe
O33 - MountPoints2\{1a22907b-2aa2-11e0-bf6a-0007e95e8e19}\Shell - "" = AutoRun
O33 - MountPoints2\{1a22907b-2aa2-11e0-bf6a-0007e95e8e19}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1a22907b-2aa2-11e0-bf6a-0007e95e8e19}\Shell\AutoRun\command - "" = F:\LaunchU3.exe
O33 - MountPoints2\{69c6f11e-231f-11e0-bf5d-0007e95e8e19}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe
O33 - MountPoints2\{c1634335-3396-11de-9223-0007e95e8e19}\Shell - "" = AutoRun
O33 - MountPoints2\{c1634335-3396-11de-9223-0007e95e8e19}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c1634335-3396-11de-9223-0007e95e8e19}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{f343b9fa-038e-11e0-bf22-0007e95e8e19}\Shell\AutoRun\command - "" = E:\io3yalc.exe
O33 - MountPoints2\{f343b9fa-038e-11e0-bf22-0007e95e8e19}\Shell\open\Command - "" = E:\io3yalc.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/06 19:20:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Justin\Start Menu\Programs\HiJackThis
[2011/09/06 07:14:53 | 000,075,704 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeapfk.sys
[2011/09/06 07:14:53 | 000,065,224 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2011/09/06 07:14:53 | 000,043,288 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2011/09/06 07:14:52 | 000,342,128 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2011/09/06 07:14:52 | 000,091,640 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2011/09/06 07:14:52 | 000,063,696 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdik.sys
[2011/09/06 07:14:51 | 000,070,216 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe
[2011/09/06 07:14:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/09/06 07:13:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2011/09/06 07:06:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG Anti-Rootkit Free
[2011/09/06 07:06:30 | 000,003,968 | ---- | C] (GRISOFT, s.r.o.) -- C:\WINDOWS\System32\drivers\AvgArCln.sys
[2011/09/06 07:06:26 | 000,000,000 | ---D | C] -- C:\Program Files\GRISOFT
[2011/09/01 18:36:23 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Justin\Recent
[2011/09/01 07:50:32 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/09/01 07:50:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/01 07:50:25 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/09/01 07:50:25 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/09/01 07:46:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Justin\Desktop\Current pass
[2011/08/31 21:12:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Justin\Desktop\TMRBLog
[2011/08/31 21:12:00 | 000,205,072 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/08/31 21:12:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Justin\Desktop\log
[2011/08/31 21:11:59 | 000,065,808 | ---- | C] (trend_company_name) -- C:\WINDOWS\System32\drivers\tmrkb.sys
[2011/08/31 20:56:11 | 002,002,320 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Justin\Desktop\HousecallLauncher.exe
[2011/08/31 20:39:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Justin\Start Menu\Programs\Google Chrome
[2011/08/31 02:09:01 | 122,890,824 | ---- | C] (McAfee, Inc.) -- C:\Documents and Settings\Justin\Desktop\sdat.exe
[2011/08/27 19:29:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Justin\Desktop\Jaggery and Fox
[2011/08/26 10:48:07 | 000,000,000 | ---D | C] -- C:\iPod Photo Cache
[2003/09/03 18:26:18 | 000,021,510 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\SCI1PL.SYS
[2003/09/03 18:26:18 | 000,008,679 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\SCI0PL.SYS
[2003/08/26 18:43:04 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[56 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]
[20 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1913 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/07 22:13:16 | 000,000,632 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\Shortcut to OTL.exe.lnk
[2011/09/07 22:00:22 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/07 22:00:05 | 000,087,446 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/09/07 22:00:03 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/09/07 22:00:01 | 000,000,000 | ---- | M] () -- C:\WINDOWS\128095406
[2011/09/07 22:00:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/07 21:59:58 | 1072,484,352 | -HS- | M] () -- C:\hiberfil.sys
[2011/09/07 21:12:40 | 000,030,180 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000003-00000000-00000002-00001102-00000004-10071102}.rfx
[2011/09/07 21:12:40 | 000,030,180 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000003-00000000-00000002-00001102-00000004-10071102}.rfx
[2011/09/07 21:12:40 | 000,030,168 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000003-00000000-00000002-00001102-00000004-10071102}.rfx
[2011/09/07 21:12:40 | 000,030,168 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000003-00000000-00000002-00001102-00000004-10071102}.rfx
[2011/09/07 21:12:40 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2011/09/07 21:12:40 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2011/09/07 21:12:40 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000003-00000000-00000002-00001102-00000004-10071102}.dat
[2011/09/07 21:12:40 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000003-00000000-00000002-00001102-00000004-10071102}.dat
[2011/09/06 19:20:56 | 000,001,986 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\HiJackThis.lnk
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At92.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At68.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At188.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At164.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At140.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At116.job
[2011/09/06 18:46:17 | 000,043,408 | -HS- | M] () -- C:\WINDOWS\System32\c_65712.nl_
[2011/09/06 18:43:17 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-854245398-725345543-1003UA.job
[2011/09/06 18:42:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/09/06 10:37:52 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\HijackThis.msi
[2011/09/06 07:06:31 | 000,000,828 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Anti-Rootkit Free.lnk
[2011/09/01 07:50:32 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/31 21:11:59 | 000,065,808 | ---- | M] (trend_company_name) -- C:\WINDOWS\System32\drivers\tmrkb.sys
[2011/08/31 21:11:58 | 000,205,072 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/08/31 21:03:25 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2011/08/31 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At94.job
[2011/08/31 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At70.job
[2011/08/31 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2011/08/31 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At190.job
[2011/08/31 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At166.job
[2011/08/31 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At142.job
[2011/08/31 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At118.job
[2011/08/31 20:57:50 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\housecall.guid.cache
[2011/08/31 20:56:15 | 002,002,320 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Justin\Desktop\HousecallLauncher.exe
[2011/08/31 20:43:00 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-854245398-725345543-1003Core.job
[2011/08/31 20:39:20 | 000,002,293 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\Google Chrome.lnk
[2011/08/31 20:39:20 | 000,002,271 | ---- | M] () -- C:\Documents and Settings\Justin\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/08/31 02:12:51 | 122,890,824 | ---- | M] (McAfee, Inc.) -- C:\Documents and Settings\Justin\Desktop\sdat.exe
[2011/08/31 02:11:46 | 090,266,112 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\vscan87.exe
[2011/08/31 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At99.job
[2011/08/31 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At75.job
[2011/08/31 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At51.job
[2011/08/31 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2011/08/31 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At171.job
[2011/08/31 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At147.job
[2011/08/31 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At123.job
[2011/08/31 00:23:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At97.job
[2011/08/31 00:22:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At169.job
[2011/08/30 11:00:30 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At84.job
[2011/08/30 11:00:30 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At60.job
[2011/08/30 11:00:30 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2011/08/30 11:00:30 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At180.job
[2011/08/30 11:00:30 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At156.job
[2011/08/30 11:00:30 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At132.job
[2011/08/30 11:00:30 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At108.job
[2011/08/30 10:59:56 | 004,194,304 | ---- | M] () -- C:\WINDOWS\System32\srlaetav.dll
[2011/08/30 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At83.job
[2011/08/30 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At59.job
[2011/08/30 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2011/08/30 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At179.job
[2011/08/30 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At155.job
[2011/08/30 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At131.job
[2011/08/30 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At107.job
[2011/08/30 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At80.job
[2011/08/30 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At56.job
[2011/08/30 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2011/08/30 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At176.job
[2011/08/30 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At152.job
[2011/08/30 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At128.job
[2011/08/30 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At104.job
[2011/08/30 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At79.job
[2011/08/30 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At55.job
[2011/08/30 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2011/08/30 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At175.job
[2011/08/30 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At151.job
[2011/08/30 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At127.job
[2011/08/30 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At103.job
[2011/08/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At78.job
[2011/08/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At54.job
[2011/08/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2011/08/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At174.job
[2011/08/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At150.job
[2011/08/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At126.job
[2011/08/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At102.job
[2011/08/30 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At77.job
[2011/08/30 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At53.job
[2011/08/30 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2011/08/30 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At173.job
[2011/08/30 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At149.job
[2011/08/30 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At125.job
[2011/08/30 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At101.job
[2011/08/30 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At76.job
[2011/08/30 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At52.job
[2011/08/30 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2011/08/30 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At172.job
[2011/08/30 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At148.job
[2011/08/30 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At124.job
[2011/08/30 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At100.job
[2011/08/30 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At98.job
[2011/08/30 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At74.job
[2011/08/30 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At50.job
[2011/08/30 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2011/08/30 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At170.job
[2011/08/30 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At146.job
[2011/08/30 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At122.job
[2011/08/30 00:58:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At73.job
[2011/08/30 00:54:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2011/08/30 00:48:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At121.job
[2011/08/30 00:45:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At49.job
[2011/08/30 00:45:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At145.job
[2011/08/29 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At96.job
[2011/08/29 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At72.job
[2011/08/29 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2011/08/29 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At192.job
[2011/08/29 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At168.job
[2011/08/29 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At144.job
[2011/08/29 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At120.job
[2011/08/29 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At95.job
[2011/08/29 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At71.job
[2011/08/29 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2011/08/29 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At191.job
[2011/08/29 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At167.job
[2011/08/29 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At143.job
[2011/08/29 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At119.job
[2011/08/29 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At93.job
[2011/08/29 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At69.job
[2011/08/29 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2011/08/29 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At189.job
[2011/08/29 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At165.job
[2011/08/29 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At141.job
[2011/08/29 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At117.job
[2011/08/29 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At91.job
[2011/08/29 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At67.job
[2011/08/29 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2011/08/29 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At187.job
[2011/08/29 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At163.job
[2011/08/29 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At139.job
[2011/08/29 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At115.job
[2011/08/29 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At90.job
[2011/08/29 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At66.job
[2011/08/29 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2011/08/29 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At186.job
[2011/08/29 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At162.job
[2011/08/29 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At138.job
[2011/08/29 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At114.job
[2011/08/29 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At89.job
[2011/08/29 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At65.job
[2011/08/29 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2011/08/29 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At185.job
[2011/08/29 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At161.job
[2011/08/29 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At137.job
[2011/08/29 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At113.job
[2011/08/29 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At88.job
[2011/08/29 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At64.job
[2011/08/29 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2011/08/29 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At184.job
[2011/08/29 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At160.job
[2011/08/29 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At136.job
[2011/08/29 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At112.job
[2011/08/29 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At87.job
[2011/08/29 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At63.job
[2011/08/29 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2011/08/29 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At183.job
[2011/08/29 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At159.job
[2011/08/29 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At135.job
[2011/08/29 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At111.job
[2011/08/29 13:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At86.job
[2011/08/29 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At62.job
[2011/08/29 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2011/08/29 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At182.job
[2011/08/29 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At158.job
[2011/08/29 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At134.job
[2011/08/29 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At110.job
[2011/08/29 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At85.job
[2011/08/29 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At61.job
[2011/08/29 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2011/08/29 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At181.job
[2011/08/29 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At157.job
[2011/08/29 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At133.job
[2011/08/29 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At109.job
[2011/08/29 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At82.job
[2011/08/29 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At58.job
[2011/08/29 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2011/08/29 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At178.job
[2011/08/29 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At154.job
[2011/08/29 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At130.job
[2011/08/29 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At106.job
[2011/08/29 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At81.job
[2011/08/29 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At57.job
[2011/08/29 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2011/08/29 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At177.job
[2011/08/29 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At153.job
[2011/08/29 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At129.job
[2011/08/29 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At105.job
[2011/08/28 10:06:22 | 000,049,664 | ---- | M] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/28 10:06:14 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/08/12 12:32:00 | 008,570,384 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\RootkitBuster.exe
[20 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1913 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/07 22:13:16 | 000,000,632 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\Shortcut to OTL.exe.lnk
[2011/09/07 21:06:40 | 1072,484,352 | -HS- | C] () -- C:\hiberfil.sys
[2011/09/06 19:20:56 | 000,001,986 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\HiJackThis.lnk
[2011/09/06 07:06:31 | 000,000,828 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Anti-Rootkit Free.lnk
[2011/09/01 07:50:32 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/31 21:11:52 | 008,570,384 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\RootkitBuster.exe
[2011/08/31 20:57:50 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\housecall.guid.cache
[2011/08/31 20:48:38 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\HijackThis.msi
[2011/08/31 20:39:20 | 000,002,293 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\Google Chrome.lnk
[2011/08/31 20:39:20 | 000,002,271 | ---- | C] () -- C:\Documents and Settings\Justin\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/08/31 20:38:15 | 000,000,982 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-854245398-725345543-1003UA.job
[2011/08/31 20:38:15 | 000,000,930 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-854245398-725345543-1003Core.job
[2011/08/31 02:08:34 | 090,266,112 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\vscan87.exe
[2011/08/30 20:30:05 | 000,043,408 | -HS- | C] () -- C:\WINDOWS\System32\c_65712.nl_
[2011/08/30 10:59:56 | 004,194,304 | ---- | C] () -- C:\WINDOWS\System32\srlaetav.dll
[2011/08/30 10:59:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\128095406
[2011/02/18 06:54:29 | 000,000,185 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/16 19:51:00 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\O6UB3GR1.dat
[2010/04/26 18:38:22 | 000,001,172 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\0jf5835bS5a
[2010/04/26 18:38:22 | 000,001,172 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0jf5835bS5a
[2010/04/24 13:12:22 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/23 19:17:00 | 000,005,532 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\L055Jl5Jk1DTE
[2010/04/23 19:16:59 | 000,005,532 | -HS- | C] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\L055Jl5Jk1DTE
[2010/01/31 14:02:57 | 000,063,900 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/08/18 14:34:50 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\Justin\Application Data\mcs.rma
[2009/08/18 14:34:50 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Justin\Application Data\D031BF
[2009/08/09 10:58:42 | 000,000,943 | ---- | C] () -- C:\WINDOWS\TATCALL.INI
[2009/08/09 10:58:42 | 000,000,020 | ---- | C] () -- C:\WINDOWS\TATVER.INI
[2009/08/09 10:58:41 | 000,000,260 | ---- | C] () -- C:\WINDOWS\TATUNINS.INI
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/06/01 20:12:11 | 000,147,456 | ---- | C] () -- C:\Documents and Settings\Justin\Application Data\JuniperSetup.exe
[2009/06/01 20:12:10 | 000,001,697 | ---- | C] () -- C:\Documents and Settings\Justin\Application Data\Juniper Network Connect 6.3.0.ini
[2009/05/05 12:08:06 | 000,000,119 | -H-- | C] () -- C:\WINDOWS\popcreg.dat
[2009/05/04 18:49:55 | 000,000,043 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2008/11/16 21:05:00 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/13 20:27:35 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/11/13 20:27:35 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/11/13 20:27:35 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/11/13 20:27:35 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/11/13 20:27:35 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/11/13 20:27:35 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/10/19 09:53:40 | 000,000,060 | ---- | C] () -- C:\WINDOWS\game.ini
[2008/07/25 00:39:42 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2008/07/15 19:29:28 | 000,000,000 | ---- | C] () -- C:\Program Files\temp01
[2008/04/04 14:49:04 | 001,282,048 | ---- | C] () -- C:\WINDOWS\System32\SaiC8000.Dll
[2008/04/04 14:49:04 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\SaiC8000_0C.dll
[2008/04/04 14:49:04 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\SaiC8000_10.dll
[2008/04/04 14:49:04 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\SaiC8000_0A.dll
[2008/04/04 14:49:04 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\SaiC8000_07.dll
[2008/04/04 14:49:04 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\SaiC8000_09.dll
[2008/04/04 14:49:04 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\SaiC8000_0402.dll
[2008/04/04 14:49:04 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\SaiC8000_11.dll
[2008/02/19 02:33:34 | 000,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2007/10/15 21:05:47 | 000,000,056 | ---- | C] () -- C:\WINDOWS\kgt2k.INI
[2007/03/03 07:12:44 | 000,000,473 | ---- | C] () -- C:\WINDOWS\vsp.ini
[2007/02/14 21:46:25 | 000,000,123 | ---- | C] () -- C:\WINDOWS\win96.INI
[2007/02/14 19:17:46 | 000,000,065 | ---- | C] () -- C:\WINDOWS\namedts.INI
[2007/01/30 20:31:46 | 000,002,795 | ---- | C] () -- C:\WINDOWS\EaseAudioConverter.ini
[2007/01/24 19:21:32 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2007/01/22 21:01:28 | 000,003,885 | ---- | C] () -- C:\WINDOWS\SCWRITER.INI
[2006/09/17 01:37:30 | 000,080,384 | ---- | C] () -- C:\WINDOWS\gamedelete.exe
[2006/07/09 23:36:01 | 000,099,840 | ---- | C] () -- C:\WINDOWS\System32\UnCasino5.exe
[2006/04/14 11:37:26 | 000,000,032 | ---- | C] () -- C:\WINDOWS\aceg.ini
[2006/03/25 09:05:25 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2006/03/13 16:19:23 | 000,006,812 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2006/03/13 16:05:18 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\InstMed.exe
[2006/03/09 09:01:20 | 000,001,603 | ---- | C] () -- C:\WINDOWS\kd330lan.ini
[2006/03/09 09:01:20 | 000,001,403 | ---- | C] () -- C:\WINDOWS\Dvc325.ini
[2006/01/14 11:57:56 | 000,002,564 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/12/27 13:24:31 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/12/18 14:02:27 | 000,090,624 | ---- | C] () -- C:\WINDOWS\VSUNINST.EXE
[2005/10/16 20:23:27 | 000,096,768 | ---- | C] () -- C:\WINDOWS\System32\UnPoker.exe
[2005/07/08 14:26:09 | 000,000,032 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/06/21 23:57:21 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/06/03 09:21:42 | 001,456,640 | ---- | C] () -- C:\Program Files\Common Files\Auto Assault.msi
[2005/05/12 00:34:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/05/12 00:34:00 | 001,622,016 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2005/05/12 00:34:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/05/12 00:34:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2005/05/12 00:34:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/05/12 00:34:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/05/12 00:34:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/05/12 00:34:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2005/05/12 00:34:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2005/05/12 00:34:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005/04/13 19:11:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2005/04/13 19:11:23 | 000,099,965 | ---- | C] () -- C:\WINDOWS\UninstallFirefox.exe
[2005/04/13 19:11:11 | 000,006,400 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2005/03/28 22:13:30 | 000,000,003 | ---- | C] () -- C:\WINDOWS\sw_app.sys
[2005/03/28 22:13:30 | 000,000,003 | ---- | C] () -- C:\WINDOWS\approval.dat
[2005/03/28 22:13:03 | 000,000,003 | ---- | C] () -- C:\WINDOWS\sw_ver.dat
[2005/01/17 08:32:50 | 000,002,840 | ---- | C] () -- C:\WINDOWS\System32\vp.dat
[2005/01/17 08:32:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\vg.dat
[2005/01/17 08:32:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\v.dat
[2005/01/15 17:02:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\lqybd.dat
[2005/01/04 22:51:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\apiyi.exe
[2005/01/02 11:19:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\sysxq.exe
[2004/12/26 23:26:25 | 000,000,125 | ---- | C] () -- C:\WINDOWS\WinFrotz.INI
[2004/12/20 08:08:04 | 000,001,234 | ---- | C] () -- C:\WINDOWS\ARCHPR.INI
[2004/12/19 09:05:53 | 000,000,021 | ---- | C] () -- C:\WINDOWS\progman.ini
[2004/12/19 09:05:41 | 000,000,082 | ---- | C] () -- C:\WINDOWS\swcmpc.ini
[2004/12/18 10:33:28 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\KMVIDC32.DLL
[2004/11/19 00:37:34 | 000,000,292 | ---- | C] () -- C:\WINDOWS\vtmb.ini
[2004/11/18 23:12:27 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/09/26 09:19:27 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/24 08:34:26 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\fusioncache.dat
[2004/07/31 16:07:27 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/07/19 18:14:44 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\PdeSrvps.dll
[2004/07/19 18:14:42 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/05/23 19:52:44 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2004/04/21 23:37:39 | 000,000,167 | ---- | C] () -- C:\WINDOWS\Recorder.dat
[2004/03/13 10:00:02 | 000,087,040 | ---- | C] () -- C:\WINDOWS\UnGins.exe
[2004/03/12 18:17:59 | 000,000,103 | ---- | C] () -- C:\WINDOWS\BJ.INI
[2004/02/28 01:20:15 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2004/02/22 21:55:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MOTO.INI
[2004/02/21 10:13:04 | 000,000,017 | ---- | C] () -- C:\WINDOWS\BICYCLE.INI
[2004/02/21 10:11:50 | 000,000,332 | ---- | C] () -- C:\WINDOWS\BP.INI
[2004/02/21 10:05:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\BA.INI
[2003/09/25 06:46:39 | 000,000,070 | ---- | C] () -- C:\WINDOWS\nero.INI
[2003/09/13 07:38:51 | 000,220,160 | ---- | C] () -- C:\WINDOWS\PRINTERS.EXE
[2003/09/13 07:38:51 | 000,026,624 | ---- | C] () -- C:\WINDOWS\System32\PRTmate.dll
[2003/09/07 14:47:41 | 000,115,085 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2003/09/07 07:29:09 | 000,049,664 | ---- | C] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/09/06 11:47:13 | 000,000,083 | ---- | C] () -- C:\WINDOWS\wa.INI
[2003/09/06 10:38:51 | 000,000,761 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2003/09/06 08:52:49 | 000,001,645 | ---- | C] () -- C:\WINDOWS\yahtzee.ini
[2003/09/04 22:04:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2003/09/04 18:57:53 | 000,000,604 | ---- | C] () -- C:\WINDOWS\Sof2.INI
[2003/09/03 20:33:05 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2003/09/03 18:31:51 | 000,001,110 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2003/08/28 15:10:36 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/08/27 09:17:11 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2003/08/27 09:13:47 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2003/08/27 09:05:42 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2003/08/27 09:05:42 | 000,002,398 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/08/27 09:05:30 | 000,022,040 | ---- | C] () -- C:\WINDOWS\System32\_006671_.tmp.dll
[2003/08/27 09:05:29 | 000,444,286 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/08/27 09:05:29 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/08/27 09:05:29 | 000,072,440 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/08/27 09:05:29 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/08/27 09:05:28 | 000,004,742 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/08/27 09:05:27 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/08/27 09:05:27 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/08/27 09:05:25 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/08/27 09:05:25 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/08/27 09:05:24 | 000,249,270 | ---- | C] () -- C:\WINDOWS\System32\_006703_.tmp.dll
[2003/08/27 09:05:20 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/08/27 09:05:18 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/08/27 02:09:18 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/08/27 02:08:39 | 000,278,944 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/08/26 18:49:01 | 000,000,288 | ---- | C] () -- C:\WINDOWS\System32\DVCStateBkp-{00000003-00000000-00000002-00001102-00000004-10071102}.dat
[2003/08/26 18:49:01 | 000,000,288 | ---- | C] () -- C:\WINDOWS\System32\DVCState-{00000003-00000000-00000002-00001102-00000004-10071102}.dat
[2003/08/26 18:43:59 | 000,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2003/08/26 18:43:58 | 001,048,576 | ---- | C] () -- C:\WINDOWS\System32\SFMAN.DAT
[2003/08/26 18:43:17 | 000,066,980 | ---- | C] () -- C:\WINDOWS\System32\Emu10kx.ini
[2003/08/26 18:43:17 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2003/08/26 18:43:13 | 000,248,091 | ---- | C] () -- C:\WINDOWS\System32\ctsbas2w.dat
[2003/08/26 18:43:13 | 000,232,723 | ---- | C] () -- C:\WINDOWS\System32\ctstatic.dat
[2003/08/26 18:43:13 | 000,224,644 | ---- | C] () -- C:\WINDOWS\System32\CTSBASW.DAT
[2003/08/26 18:43:13 | 000,190,720 | ---- | C] () -- C:\WINDOWS\System32\ctdlang.dat
[2003/08/26 18:43:13 | 000,138,816 | ---- | C] () -- C:\WINDOWS\System32\ctbas2w.dat
[2003/08/26 18:43:13 | 000,110,820 | ---- | C] () -- C:\WINDOWS\System32\CTBASICW.DAT
[2003/08/26 18:43:13 | 000,053,674 | ---- | C] () -- C:\WINDOWS\System32\ctdaught.dat
[2003/08/26 18:43:08 | 000,184,320 | ---- | C] () -- C:\WINDOWS\PSCONV.EXE
[2003/08/26 18:43:08 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\KILLAPPS.EXE
[2003/08/26 18:43:08 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\REGPLIB.EXE
[2003/08/26 18:43:08 | 000,005,515 | ---- | C] () -- C:\WINDOWS\System32\ENSDEF.INI
[2003/08/26 18:43:08 | 000,000,180 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2003/08/26 18:42:56 | 000,000,184 | ---- | C] () -- C:\WINDOWS\System32\e000001.dat
[2003/08/26 18:42:45 | 000,831,600 | ---- | C] () -- C:\WINDOWS\System32\Ctaa1.dat
[2003/08/26 18:41:48 | 000,000,136 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2003/08/26 18:24:09 | 000,007,264 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2003/08/26 18:23:50 | 000,086,496 | ---- | C] () -- C:\WINDOWS\System32\drivers\incdfs.sys
[2003/08/19 16:22:19 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.DLL
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/07 00:19:16 | 000,454,656 | ---- | C] () -- C:\WINDOWS\System32\PaintX.dll
[2001/08/23 15:00:00 | 000,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
[2000/03/29 22:00:00 | 000,125,440 | ---- | C] () -- C:\WINDOWS\System32\UNZDLL.DLL
[1999/12/07 01:00:00 | 000,024,976 | ---- | C] () -- C:\WINDOWS\twain_16.dll
[1999/10/23 18:29:44 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\UNRAR.DLL
[1999/08/11 15:28:02 | 000,101,888 | ---- | C] () -- C:\WINDOWS\System32\LIBBZ2.DLL
[1999/05/21 21:10:00 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\ZIPDLL.DLL
[1999/01/27 14:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1998/01/28 00:06:04 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\UNACE.DLL
[1997/11/17 18:13:16 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[1997/06/13 08:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== LOP Check ==========

[2008/12/20 16:29:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\2DBoy
[2007/10/16 21:01:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Armagetron
[2009/04/02 22:06:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Comcast
[2010/05/04 22:35:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/06/20 14:39:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flip Video
[2008/07/15 19:48:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grey Alien Games
[2008/11/15 01:28:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InterVideo
[2010/04/25 10:30:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
[2005/12/22 20:10:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lionhead Studios
[2003/12/15 01:20:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN Messenger 6.1.0203
[2011/09/01 07:29:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2007/02/28 20:30:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2004/08/10 16:42:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2009/05/04 18:49:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2010/09/05 00:54:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\regid.1986-12.com.adobe
[2009/03/21 21:01:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2011/05/07 16:44:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/01/18 12:39:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2005/03/05 15:08:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/03/22 16:49:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2010/04/02 19:06:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/10/03 18:43:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2005/06/25 23:26:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\.bittorrent
[2006/10/26 21:18:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\Activision
[2004/10/27 00:45:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\Aim
[2005/10/03 06:59:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\Arctic
[2007/10/16 21:03:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\Armagetron
[2011/08/31 00:35:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\Azureus
[2009/09/22 21:35:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2007/12/17 21:01:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\CopyTrans
[2006/02/26 09:26:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\CrystalApp
[2006/02/26 09:26:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\CrystalSpace
[2010/06/24 22:22:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\Facebook
[2011/08/31 00:35:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\FileZilla
[2007/06/24 16:05:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\Flickr
[2006/03/13 16:06:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\FotoWire
[2008/10/19 09:36:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\gtk-2.0
[2003/08/26 18:32:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\InterTrust
[2008/11/13 20:28:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\Intervideo
[2010/04/25 10:31:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\Juniper Networks
[2004/12/12 02:42:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\Leadertech
[2005/12/22 20:34:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\Lionhead Studios
[2006/02/26 16:09:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\My Games
[2007/05/06 10:56:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\NCH Swift Sound
[2007/01/04 23:32:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\Paltalk
[2009/05/05 12:09:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\PopCapv1002
[2004/08/21 15:07:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\RhinoSoft.com
[2008/02/26 20:43:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\SecondLife
[2007/05/06 11:00:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\Softplicity
[2011/01/18 12:37:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\TomTom
[2007/10/16 22:00:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\uqm
[2011/08/30 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At100.job
[2011/08/30 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At101.job
[2011/08/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At102.job
[2011/08/30 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At103.job
[2011/08/30 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At104.job
[2011/08/29 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At105.job
[2011/08/29 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At106.job
[2011/08/30 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At107.job
[2011/08/30 11:00:30 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At108.job
[2011/08/29 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At109.job
[2011/08/29 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At110.job
[2011/08/29 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At111.job
[2011/08/29 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At112.job
[2011/08/29 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At113.job
[2011/08/29 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At114.job
[2011/08/29 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At115.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At116.job
[2011/08/29 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At117.job
[2011/08/31 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At118.job
[2011/08/29 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At119.job
[2011/08/29 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At120.job
[2011/08/30 00:48:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At121.job
[2011/08/30 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At122.job
[2011/08/31 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At123.job
[2011/08/30 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At124.job
[2011/08/30 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At125.job
[2011/08/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At126.job
[2011/08/30 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At127.job
[2011/08/30 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At128.job
[2011/08/29 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At129.job
[2011/08/29 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At130.job
[2011/08/30 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At131.job
[2011/08/30 11:00:30 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At132.job
[2011/08/29 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At133.job
[2011/08/29 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At134.job
[2011/08/29 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At135.job
[2011/08/29 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At136.job
[2011/08/29 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At137.job
[2011/08/29 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At138.job
[2011/08/29 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At139.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At140.job
[2011/08/29 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At141.job
[2011/08/31 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At142.job
[2011/08/29 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At143.job
[2011/08/29 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At144.job
[2011/08/30 00:45:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At145.job
[2011/08/30 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At146.job
[2011/08/31 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At147.job
[2011/08/30 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At148.job
[2011/08/30 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At149.job
[2011/08/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At150.job
[2011/08/30 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At151.job
[2011/08/30 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At152.job
[2011/08/29 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At153.job
[2011/08/29 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At154.job
[2011/08/30 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At155.job
[2011/08/30 11:00:30 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At156.job
[2011/08/29 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At157.job
[2011/08/29 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At158.job
[2011/08/29 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At159.job
[2011/08/29 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At160.job
[2011/08/29 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At161.job
[2011/08/29 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At162.job
[2011/08/29 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At163.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At164.job
[2011/08/29 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At165.job
[2011/08/31 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At166.job
[2011/08/29 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At167.job
[2011/08/29 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At168.job
[2011/08/31 00:22:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At169.job
[2011/08/30 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At170.job
[2011/08/31 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At171.job
[2011/08/30 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At172.job
[2011/08/30 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At173.job
[2011/08/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At174.job
[2011/08/30 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At175.job
[2011/08/30 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At176.job
[2011/08/29 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At177.job
[2011/08/29 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At178.job
[2011/08/30 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At179.job
[2011/08/30 11:00:30 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At180.job
[2011/08/29 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At181.job
[2011/08/29 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At182.job
[2011/08/29 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At183.job
[2011/08/29 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At184.job
[2011/08/29 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At185.job
[2011/08/29 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At186.job
[2011/08/29 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At187.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At188.job
[2011/08/29 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At189.job
[2011/08/31 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At190.job
[2011/08/29 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At191.job
[2011/08/29 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At192.job
[2011/08/30 00:54:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At25.job
[2011/08/30 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At26.job
[2011/08/31 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At27.job
[2011/08/30 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At28.job
[2011/08/30 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At29.job
[2011/08/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At30.job
[2011/08/30 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At31.job
[2011/08/30 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At32.job
[2011/08/29 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At33.job
[2011/08/29 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At34.job
[2011/08/30 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At35.job
[2011/08/30 11:00:30 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At36.job
[2011/08/29 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At37.job
[2011/08/29 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At38.job
[2011/08/29 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At39.job
[2011/08/29 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At40.job
[2011/08/29 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At41.job
[2011/08/29 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At42.job
[2011/08/29 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At43.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At44.job
[2011/08/29 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At45.job
[2011/08/31 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At46.job
[2011/08/29 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At47.job
[2011/08/29 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At48.job
[2011/08/30 00:45:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At49.job
[2011/08/30 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At50.job
[2011/08/31 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At51.job
[2011/08/30 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At52.job
[2011/08/30 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At53.job
[2011/08/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At54.job
[2011/08/30 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At55.job
[2011/08/30 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At56.job
[2011/08/29 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At57.job
[2011/08/29 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At58.job
[2011/08/30 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At59.job
[2011/08/30 11:00:30 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At60.job
[2011/08/29 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At61.job
[2011/08/29 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At62.job
[2011/08/29 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At63.job
[2011/08/29 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At64.job
[2011/08/29 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At65.job
[2011/08/29 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At66.job
[2011/08/29 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At67.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At68.job
[2011/08/29 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At69.job
[2011/08/31 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At70.job
[2011/08/29 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At71.job
[2011/08/29 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At72.job
[2011/08/30 00:58:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At73.job
[2011/08/30 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At74.job
[2011/08/31 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At75.job
[2011/08/30 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At76.job
[2011/08/30 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At77.job
[2011/08/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At78.job
[2011/08/30 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At79.job
[2011/08/30 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At80.job
[2011/08/29 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At81.job
[2011/08/29 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At82.job
[2011/08/30 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At83.job
[2011/08/30 11:00:30 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At84.job
[2011/08/29 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At85.job
[2011/08/29 13:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At86.job
[2011/08/29 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At87.job
[2011/08/29 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At88.job
[2011/08/29 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At89.job
[2011/08/29 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At90.job
[2011/08/29 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At91.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At92.job
[2011/08/29 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At93.job
[2011/08/31 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At94.job
[2011/08/29 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At95.job
[2011/08/29 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At96.job
[2011/08/31 00:23:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At97.job
[2011/08/30 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At98.job
[2011/08/31 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At99.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 816 bytes -> C:\WINDOWS\128095406:1365990904.exe
@Alternate Data Stream - 214 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:93F3E4C9
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:364682BC
@Alternate Data Stream - 11591 bytes -> C:\WINDOWS\uninst.exe:amfjyl

< End of report >


A huge THANK YOU to anyone who is willing to help me through this.
  • 0

#2
RKinner

    Malware Expert

  • Expert
  • 19,794 posts
  • MVP
Sounds like Zero Access rootkit which is relatively new but your OTL log also shows another infection that's been there for a long time.

You have something on the E:\ that's some kind of worm.
O33 - MountPoints2\{f343b9fa-038e-11e0-bf22-0007e95e8e19}\Shell\AutoRun\command - "" = E:\io3yalc.exe
O33 - MountPoints2\{f343b9fa-038e-11e0-bf22-0007e95e8e19}\Shell\open\Command - "" = E:\io3yalc.exe

Then you have the at*.job malware tasks. Like these:
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At92.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At68.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At188.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At164.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At140.job
[2011/09/06 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At116.job
(there are lots more)

Don't know what they are up to but I'm sure it's no good. Probably a good idea to turn off the task scheduler service. (Start, Run, services.msc, OK then find Task Scheduler and right click and Properties then change Startup Type to Disabled then Apply and Stop the service.) Then delete all of the at*.job files in c:\windows\tasks

Then the visible part of zero access:
[2011/08/30 10:59:56 | 004,194,304 | ---- | C] () -- C:\WINDOWS\System32\srlaetav.dll
[2011/08/30 10:59:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\128095406
(I would leave these two until after you run Combofix)

and then last year's infection (which probably started the at*.job business):

[2010/05/16 19:51:00 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\O6UB3GR1.dat
[2010/04/26 18:38:22 | 000,001,172 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\0jf5835bS5a
[2010/04/26 18:38:22 | 000,001,172 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0jf5835bS5a
[2010/04/23 19:17:00 | 000,005,532 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\L055Jl5Jk1DTE
[2010/04/23 19:16:59 | 000,005,532 | -HS- | C] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\L055Jl5Jk1DTE
(You can delete these if you want to)

You can try the zeroaccess removal tool:

http://anywhere.webr...izeroaccess.exe

Just download it, save it and run it. See if it works. I usually run it after Combofix and then it doesn't find anything so I want to give it a chance to prove itself.

Let's see what happens with Combofix:

ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt"; please copy and paste the contents in your next reply.


Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

change the a-v scan to None.
uncheck trace disk IO calls
Click the "Scan" button to start scan


On completion of the scan (Note if the Fix button is enabled and tell me) click save log, save it to your desktop and post in your next reply


AVP is also catching some ZA rootkits so let's try it too.
Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan.
On the first tab, select all elements down to Computer and then select Start scan.
Once it has finished, select Report and post that.


Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop

Now an analysis scan
Select the Manual Disinfection tab
Press the Gather System Information button
Once done, open the "last report saved" folder, then attach the zip file to your next post.
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

Ron
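Ron will read the Combofix.txt log by hand; as an added example that is not code from this thread or from ComboFix, here is a Python triage script for the Sigcheck and Files Created/Find3M sections of such a log (field layout inferred from the log posted later in this thread). It flags unverified system binaries whose MD5 differs from a verified copy of the same name, and files carrying the hidden+system attributes; the sample input is constructed from lines in that log, and reading the '[-]' tag as "not verified" is an assumption.

```python
"""Triage helper for a ComboFix log (added example; not code from the thread or ComboFix).

Field layout is inferred from the log lines quoted in this thread. Assumption: a
Sigcheck tag of '[-]' means ComboFix could not verify the file against a known-good
copy, and any other tag (such as '[7]') means it could.
"""
import ntpath
import re
from collections import defaultdict

# "[-] 2008-04-14 . <MD5> . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe"
SIGCHECK_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<ver>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)
# "2011-08-31 00:30 . 2011-09-08 11:36 50112 --sha-w- c:\windows\system32\c_65712.nl_"
# Same layout in the "Files Created" and "Find3M" sections; size is dashes for folders.
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$"
)

# Constructed sample: a few lines in the format of the log posted later in this thread.
SAMPLE_LOG = r"""
2011-09-01 11:50 . 2011-09-01 11:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-31 00:30 . 2011-09-08 11:36 50112 --sha-w- c:\windows\system32\c_65712.nl_
2011-08-26 14:48 . 2011-08-26 14:48 -------- d-----w- C:\iPod Photo Cache
[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\svchost.exe
"""


def parse_sigcheck(lines):
    """One dict per Sigcheck line; every other line is ignored."""
    entries = []
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["verified"] = entry["tag"] != "-"  # assumption, see module docstring
            entries.append(entry)
    return entries


def unverified_mismatches(entries):
    """(suspect_path, suspect_md5, reference_path, reference_md5) for each unverified
    file whose MD5 differs from a verified copy of the same file name, which is how a
    patched system binary shows up next to its ServicePackFiles copy."""
    by_name = defaultdict(list)
    for entry in entries:
        by_name[ntpath.basename(entry["path"]).lower()].append(entry)
    findings = []
    for group in by_name.values():
        references = [e for e in group if e["verified"]]
        for suspect in (e for e in group if not e["verified"]):
            for ref in references:
                if ref["md5"].lower() != suspect["md5"].lower():
                    findings.append((suspect["path"], suspect["md5"], ref["path"], ref["md5"]))
    return findings


def parse_created_files(lines):
    """One dict per line of the Files Created / Find3M sections."""
    entries = []
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["is_dir"] = entry["attrs"].startswith("d")
            entry["size"] = None if entry["size"].startswith("-") else int(entry["size"])
            entries.append(entry)
    return entries


def hidden_system_files(entries):
    """Paths carrying both the system (s) and hidden (h) attribute flags."""
    return [e["path"] for e in entries
            if not e["is_dir"] and "s" in e["attrs"] and "h" in e["attrs"]]


def triage(log_text):
    """Run both checks over the full text of a ComboFix log."""
    lines = log_text.splitlines()
    return {
        "mismatched_system_files": unverified_mismatches(parse_sigcheck(lines)),
        "hidden_system_files": hidden_system_files(parse_created_files(lines)),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

Feed it the whole Combofix.txt and both sections are picked out by their line shape, so no section headers need to be located first.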

#3 bdjsb7 (Member, Topic Starter, 25 posts)
Hi Ron, thanks for the prompt response.
I began going through the steps before I had to head in to work today. I ended up running into a snag, and I do not know how to proceed.


I deleted the files from last year's infection after turning off Task Scheduler and deleting all the at* jobs.

Next, I ran ZeroAccess. The rootkit was found and cleaned. It suggested I reboot to ensure that it was gone, but I immediately ran Combofix instead.

In preparing to run ComboFix, I checked my AV settings. McAfee VirusScan had already been disabled by the malware, so there was nothing for me to disable.

I downloaded a new version of ComboFix to the desktop and ran it.

While ComboFix was at the stage of extracting files, it shut down with no errors (disappeared! Like what happens when I run HijackThis).
I decided to reboot the machine and try again. When the OS loaded back up, the ComboFix icon showed a blank icon image. I was unable to run it (received an error).
(this also happens when running HiJackThis and a few other tools I had tried)
I am unable to delete this blank Combofix.exe, even in safe mode. It tells me Access is denied, and to make sure the disk is not full/write-protected.

I should mention that my E drive, which showed a worm, was a USB flash stick. I did not need it anymore, so I threw it away.

At that point, I had to leave for work, so I thought I would post this report. I do not know if I should run through the rest of the steps you listed, or if I should hold off until we can get ComboFix to run correctly.

Thanks, and I look forward to hearing back!
-Justin

#4 RKinner (Malware Expert, MVP, 19,794 posts)
I think you should have done the reboot before combofix. Reboots are required to get rid of files that are in use.

Turn off McAfee. Actually you might as well uninstall it and run the McAfee removal utility. One of the cute tricks of the ZA rootkit is to replace the anti-virus with itself:

Download the McAfee Removal tool
http://download.mcaf...atches/MCPR.exe
(If you think you might want to reinstall McAfee later then follow the instructions here to save your license info:
http://service.mcafe...spx?id=TS100507 )
Uninstall McAfee, run the McAfee uninstall tool, reboot.

The other cute trick is that it messes with the permissions on a program that attacks it. Right click on Combofix and select Properties then Security. Go in and take ownership of the file and then set the permissions so you have write permissions then it should let you delete it.


Rerun the ZA removal tool. Reboot when it tells you to.

Redownload Combofix but this time change the file name to george.exe and try it again.

Then reboot when it finishes and continue on with the other programs. Once you have gone through all of them, download the free version of Avast!
Download and Save the free Avast installer.
http://www.avast.com...ivirus-download

Install Avast. (Register when it asks you - they will try to talk you in to buying the full product but the free version is what we want.)

Once you have it installed and it has updated:

Click on the Avast ball. Then click on Scan Computer, then on Boot-Time Scan, then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?
I think on XP systems the log file can be found in text form in C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\boot.txt so copy and paste that into your next reply.

Ron

#5 bdjsb7 (Member, Topic Starter, 25 posts)
More snags... This time much more serious.

Uninstalled McAfee, ran ComboFix. iexplore crashed almost immediately, but ComboFix ran and found a rootkit. Wanted to reboot. It hung at "windows is shutting down" for over an hour, so I manually powered it off. Turned on. Scan started. During the scan, on phase 2, pev.3rd crashed with "encountered problem" pop-up. Not wanting to touch the mouse, I let it sit an hour. Nothing happened so I pressed "don't send", which closed the error box and made ComboFix resume.

ComboFix rebooted again and it hung once more. I manually shut down.
This time it finished and produced a log. I set it aside to post later.

Ran TDSSKiller. It finished and produced a log.

Ran aswMBR, but it disappeared/crashed before completion. Ran Kaspersky and it installed but then never ran (seemed to disappear too). I tried a second time and it failed, suggesting I restart. I did.

When the OS came back, the desktop showed a plain black background and only a white mouse cursor (which moves fine). I rebooted to the same result. Tried safe mode and got the same thing. Went back to normal start, same thing. Chose "last known good configuration" and got the same blank black screen. Keyboard shortcuts like Ctrl+Alt+Del do not work.

In this state, I am unable to post the logs I saved... Or do much else.
I'm extremely worried now. Any ideas?
Thanks!

#6 RKinner (Malware Expert, MVP, 19,794 posts)
Did you let Combofix install the Recovery Console? Did that part work before the scan started?

Can you boot into Safe Mode with Command Prompt? You will get a black screen with a prompt. Type

sfc /scannow

(space before the / . When that finishes, try)

taskmgr

(or)

explorer

(Do either of them come up?)

(You can try a system restore from here)

C:\windows\system32\restore\rstrui.exe

Ron

#7 bdjsb7 (Member, Topic Starter, 25 posts)
It occurs to me that ComboFix did not offer me the option to install the recovery console before the scan started. Maybe because Windows Explorer crashed when I started Combofix up?

Safe mode with command prompt brings me to the same blank desktop screen as normal Safe Mode. I've never seen that happen before.
I'm guessing this is a pretty bad sign...

#8 RKinner (Malware Expert, MVP, 19,794 posts)
Let's see if you can create and run the AVG Rescue disk:

http://www.geekstogo...ystem-tutorial/

Also create a Hiren's BOOTCD 14.1 http://www.hirensbootcd.org/download/

Ron

#9 bdjsb7 (Member, Topic Starter, 25 posts)
I created and ran AVG. It found some infections. I renamed them all.
After a reboot, it still gave me the black screen w/ pointer.

I am currently running Hiren's, and have used it to locate the combofix and TDSkiller logs.
Here they are below:

ComboFix 11-09-08.03 - Justin 09/08/2011 18:54:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.678 [GMT -4:00]
Running from: c:\documents and settings\Justin\Desktop\George.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Justin\Application Data\JuniperSetup.exe
c:\documents and settings\Justin\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Justin\Local Settings\Application Data\ApplicationHistory\AppPatcher.exe.bab90289.ini
c:\documents and settings\Justin\Local Settings\Application Data\ApplicationHistory\Bloodmasters.exe.6b80247a.ini
c:\documents and settings\Justin\Local Settings\Application Data\ApplicationHistory\BMLauncher.exe.33ae93ae.ini
c:\documents and settings\Justin\Local Settings\Application Data\ApplicationHistory\CityGameTracker.exe.8c1817dc.ini
c:\documents and settings\Justin\Local Settings\Application Data\ApplicationHistory\COH Demo Launcher.exe.e0592955.ini
c:\documents and settings\Justin\Local Settings\Application Data\ApplicationHistory\CoHCoVStatus.exe.a218dc87.ini
c:\documents and settings\Justin\Local Settings\Application Data\ApplicationHistory\DungeonEULADisplayer.exe.29f129ea.ini
c:\documents and settings\Justin\Local Settings\Application Data\ApplicationHistory\launcher.exe.20f9e861.ini
c:\documents and settings\Justin\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse
c:\documents and settings\Justin\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Justin\Local Settings\Application Data\ApplicationHistory\Raptor.exe.ce0c6485.ini
c:\documents and settings\Justin\WINDOWS
c:\program files\Internet Explorer\SETD0F.tmp
c:\program files\messenger\msmsgsin.exe
c:\windows\$NtUninstallKB62316$\2949437957
c:\windows\~
c:\windows\128095406
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\help\wmplayer.bak
c:\windows\system32\s.bat
c:\windows\twain_16.dll
c:\windows\$NtUninstallKB62316$ . . . . Failed to delete
.
Infected copy of c:\windows\system32\msiexec.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\msiexec.exe
.
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_ZESOFT
-------\Service_.i8042prt
-------\Service_Ias
.
.
((((((((((((((((((((((((( Files Created from 2011-08-09 to 2011-09-09 )))))))))))))))))))))))))))))))
.
.
2011-09-06 23:20 . 2011-09-06 23:20 388096 ----a-r- c:\documents and settings\Justin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-06 11:06 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2011-09-01 11:50 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-01 11:50 . 2011-09-01 11:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-01 11:50 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-01 01:12 . 2011-09-01 01:11 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-09-01 01:11 . 2011-09-01 01:11 65808 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-08-31 00:30 . 2011-09-08 11:36 50112 --sha-w- c:\windows\system32\c_65712.nl_
2011-08-26 14:48 . 2011-08-26 14:48 -------- d-----w- C:\iPod Photo Cache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-08 11:14 . 2010-09-05 05:17 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-06 22:45 . 2010-09-05 05:17 64896 ----a-w- c:\windows\system32\drivers\serial.sys
2011-09-06 22:45 . 2010-09-05 05:17 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-31 06:10 . 2010-11-18 23:47 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-08-31 05:49 . 2005-11-07 16:04 98304 ----a-w- c:\windows\DUMP8b96.tmp
2011-06-22 00:08 . 2011-05-16 05:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2005-04-25 18:20 . 2005-06-03 13:21 1456640 -c--a-w- c:\program files\Common Files\Auto Assault.msi
2005-09-15 22:26 . 2005-04-13 23:11 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
.
<pre>
c:\program files\Ahead\InCD\InCD .exe
</pre>
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
[7] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\svchost.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-01-17 14:54 175912 ----a-w- c:\program files\Vuze_Remote\prxtbVuz2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuz2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\SteamApps\\bdjsb7\\rag doll kung fu demo\\Rag_Doll_Kung_Fu_Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [12/10/2010 8:29 AM 92008]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [8/26/2003 6:43 PM 12160]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\drivers\dvc325.sys [3/9/2006 9:01 AM 112624]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S3 JL2005;JL2005A Camera;c:\windows\system32\drivers\toywdm.sys [10/8/2005 6:22 PM 71512]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/1/2011 7:50 AM 41272]
S3 pnicml;pnicml;\??\c:\docume~1\Justin\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\Justin\LOCALS~1\Temp\pnicml.sys [?]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [5/27/2006 2:09 AM 13225]
S3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [7/30/2004 10:25 AM 136832]
S4 gupdate1c96b3e6afb0570;Google Update Service (gupdate1c96b3e6afb0570);c:\program files\Google\Update\GoogleUpdate.exe [12/31/2008 7:53 AM 133104]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-31 11:53]
.
2011-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-31 11:53]
.
2011-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-854245398-725345543-1003Core.job
- c:\documents and settings\Justin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-01 00:38]
.
2011-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-854245398-725345543-1003UA.job
- c:\documents and settings\Justin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-01 00:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.comcast.net/
mSearch Bar =
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: frame.crazywinnings.com
TCP: DhcpNameServer = 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\o26fuz9n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59083&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - %profile%\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\Google\Google Gears\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Move Media Player: [email protected] - c:\documents and settings\Justin\Application Data\Move Networks
.
- - - - ORPHANS REMOVED - - - -
.
Notify-dimsntfy - (no file)
SafeBoot-67512449.sys
AddRemove-conduitEngine - c:\program files\ConduitEngine\ConduitEngineUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-08 21:01
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1757981266-854245398-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:96,0a,2c,f5,36,7c,56,a5,ba,24,8e,66,8f,90,0f,39,a7,bd,7e,18,8e,71,32,
02,9a,cc,e5,a3,43,30,ec,23,de,5b,c3,c2,13,99,57,72,52,64,d8,91,26,59,ec,92,\
"??"=hex:28,06,8e,81,36,da,59,86,31,0d,8d,c4,2c,3d,e1,63
.
[HKEY_USERS\S-1-5-21-1757981266-854245398-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:07,d3,0e,31,1d,b6,7e,ed,58,28,1e,35,ca,5c,0e,a5,24,7c,fd,54,dd,
72,f6,00,b2,de,54,41,de,07,7b,d7,86,ae,5a,e0,2a,2b,41,66,3a,e4,0d,18,70,ea,\
"rkeysecu"=hex:73,84,43,dc,82,74,62,f7,07,9c,00,1b,e4,6a,a6,3c
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3036)
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTIntrfc.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSHK.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSRES.DLL
c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXEV.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\ftpxext.dll
c:\program files\SmartFTP Client 2.0\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\PCHealth\HelpCtr\Binaries\HelpSvc.exe
.
**************************************************************************
.
Completion time: 2011-09-08 21:10:35 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-09 01:10
.
Pre-Run: 22,947,995,648 bytes free
Post-Run: 23,844,179,968 bytes free
.
- - End Of File - - E2816081333EC76C6A320C2B6889D928



2011/09/08 21:17:15.0265 0844 TDSS rootkit removing tool 2.5.20.0 Sep 7 2011 16:44:34
2011/09/08 21:17:15.0515 0844 ================================================================================
2011/09/08 21:17:15.0515 0844 SystemInfo:
2011/09/08 21:17:15.0515 0844
2011/09/08 21:17:15.0515 0844 OS Version: 5.1.2600 ServicePack: 2.0
2011/09/08 21:17:15.0515 0844 Product type: Workstation
2011/09/08 21:17:15.0515 0844 ComputerName: BDJSB7X
2011/09/08 21:17:15.0515 0844 UserName: Justin
2011/09/08 21:17:15.0515 0844 Windows directory: C:\WINDOWS
2011/09/08 21:17:15.0515 0844 System windows directory: C:\WINDOWS
2011/09/08 21:17:15.0515 0844 Processor architecture: Intel x86
2011/09/08 21:17:15.0515 0844 Number of processors: 2
2011/09/08 21:17:15.0515 0844 Page size: 0x1000
2011/09/08 21:17:15.0515 0844 Boot type: Normal boot
2011/09/08 21:17:15.0515 0844 ================================================================================
2011/09/08 21:17:16.0578 0844 Initialize success
2011/09/08 21:17:22.0812 0388 ================================================================================
2011/09/08 21:17:22.0812 0388 Scan started
2011/09/08 21:17:22.0812 0388 Mode: Manual;
2011/09/08 21:17:22.0812 0388 ================================================================================
2011/09/08 21:17:24.0937 0388 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/08 21:17:25.0000 0388 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/08 21:17:25.0140 0388 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2011/09/08 21:17:25.0187 0388 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2011/09/08 21:17:25.0250 0388 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/09/08 21:17:25.0593 0388 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/09/08 21:17:25.0812 0388 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/08 21:17:25.0875 0388 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/08 21:17:25.0968 0388 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/08 21:17:26.0078 0388 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/08 21:17:26.0140 0388 avcgbdr (de95593d8699d96beeb0ba2e6ecb8313) C:\WINDOWS\system32\drivers\avcgbdr.sys
2011/09/08 21:17:26.0203 0388 avcgbfl (187f906eb9f4d647ced63bf57bf96545) C:\WINDOWS\system32\Drivers\avcgbfl.sys
2011/09/08 21:17:26.0359 0388 AVG Anti-Rootkit (e8054a423e5d2bdae6062bab6da159c4) C:\WINDOWS\system32\DRIVERS\avgarkt.sys
2011/09/08 21:17:26.0671 0388 AvgArCln (ec08d1625f5c6cf2a57b79eb35186f8c) C:\WINDOWS\system32\DRIVERS\AvgArCln.sys
2011/09/08 21:17:27.0000 0388 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/08 21:17:27.0140 0388 Bridge (e4e6a0922e3d983728c9ad4e8d466954) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/09/08 21:17:27.0156 0388 BridgeMP (e4e6a0922e3d983728c9ad4e8d466954) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/09/08 21:17:27.0250 0388 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
2011/09/08 21:17:27.0343 0388 CamDrL (cba8bce5bf67a3c619d5ce540bed9cf7) C:\WINDOWS\system32\DRIVERS\Camdrl.sys
2011/09/08 21:17:27.0453 0388 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/08 21:17:27.0531 0388 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/09/08 21:17:27.0656 0388 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/08 21:17:27.0703 0388 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/08 21:17:27.0781 0388 Cdr4_xp (223dea13c9d064babc882b4727f6f905) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
2011/09/08 21:17:27.0843 0388 Cdralw2k (9e26599599d178e71afb5599e146031a) C:\WINDOWS\system32\drivers\Cdralw2k.sys
2011/09/08 21:17:27.0890 0388 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/08 21:17:28.0171 0388 ctac32k (96018877b005220f5778e5d03b40fd0e) C:\WINDOWS\system32\drivers\ctac32k.sys
2011/09/08 21:17:28.0234 0388 ctaud2k (77065de7508e6565bd650e9005e6dd2a) C:\WINDOWS\system32\drivers\ctaud2k.sys
2011/09/08 21:17:28.0343 0388 ctdvda2k (9ca38a4b791a75e6b10b362c5ca767f9) C:\WINDOWS\system32\drivers\ctdvda2k.sys
2011/09/08 21:17:28.0390 0388 ctgame (bfc40092329cf4ab838cc4a6f2fad659) C:\WINDOWS\system32\DRIVERS\ctgame.sys
2011/09/08 21:17:28.0453 0388 ctprxy2k (80094bf478c6c314c14187e3ef4d61e6) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2011/09/08 21:17:28.0531 0388 ctsfm2k (5a2a2c6a2676db21ab12146928dc2415) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2011/09/08 21:17:28.0703 0388 DCamUSBLTN (f4964fa3a9b607176e8fe50b33f5e429) C:\WINDOWS\system32\DRIVERS\dvc325.sys
2011/09/08 21:17:28.0812 0388 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/08 21:17:28.0937 0388 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/08 21:17:29.0031 0388 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/08 21:17:29.0109 0388 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/08 21:17:29.0171 0388 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/08 21:17:29.0281 0388 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/08 21:17:29.0343 0388 dsNcAdpt (b2c3f71b86e25c3df78339ddb40a7562) C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
2011/09/08 21:17:29.0453 0388 E1000 (2476936f4994e9084ccfe75ed4f6226a) C:\WINDOWS\system32\DRIVERS\e1000325.sys
2011/09/08 21:17:29.0578 0388 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
2011/09/08 21:17:29.0656 0388 emupia (63bc4e9f583439d81b33604f76385902) C:\WINDOWS\system32\drivers\emupia2k.sys
2011/09/08 21:17:29.0750 0388 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/08 21:17:29.0812 0388 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/08 21:17:29.0859 0388 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/08 21:17:29.0906 0388 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/09/08 21:17:30.0000 0388 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/09/08 21:17:30.0078 0388 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/08 21:17:30.0156 0388 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/08 21:17:30.0218 0388 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/09/08 21:17:30.0296 0388 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/08 21:17:30.0421 0388 ha10kx2k (b79f128a51d00eb111ff690830786b38) C:\WINDOWS\system32\drivers\ha10kx2k.sys
2011/09/08 21:17:30.0515 0388 hap16v2k (23f66d96371e17145116227bab799d8b) C:\WINDOWS\system32\drivers\hap16v2k.sys
2011/09/08 21:17:30.0625 0388 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/08 21:17:30.0734 0388 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/08 21:17:30.0921 0388 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/08 21:17:31.0000 0388 Imapi (9d0015f882d2162f26c6c1afcb4a3742) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/08 21:17:31.0000 0388 Imapi - detected Rootkit.Win32.ZAccess.e (0)
2011/09/08 21:17:31.0078 0388 InCDfs (194d7f492578b248e42b0baeeea3c093) C:\WINDOWS\system32\drivers\InCDfs.sys
2011/09/08 21:17:31.0140 0388 InCDPass (68af694a9b2991b276186306241a058a) C:\WINDOWS\system32\DRIVERS\InCDPass.sys
2011/09/08 21:17:31.0203 0388 InCDrec (a6a6da7ccd4a4d5bdd607d9e42425184) C:\WINDOWS\system32\drivers\InCDrec.sys
2011/09/08 21:17:31.0359 0388 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/08 21:17:31.0437 0388 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/09/08 21:17:31.0515 0388 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/08 21:17:31.0578 0388 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/08 21:17:31.0640 0388 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/08 21:17:31.0703 0388 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/08 21:17:31.0765 0388 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/08 21:17:31.0843 0388 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/08 21:17:31.0906 0388 Iviaspi (cd8abfff1387e0f42cf6c6d7cdc19f0d) C:\WINDOWS\system32\drivers\iviaspi.sys
2011/09/08 21:17:31.0984 0388 JL2005 (cb6c8b0bcc707f0dcb04ac5bbc126c22) C:\WINDOWS\system32\Drivers\toywdm.sys
2011/09/08 21:17:32.0062 0388 Jukebox3 (5115389d059e64556dc72d24e31d783a) C:\WINDOWS\system32\DRIVERS\ctpdusb.sys
2011/09/08 21:17:32.0125 0388 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/08 21:17:32.0187 0388 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/08 21:17:32.0250 0388 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/08 21:17:32.0312 0388 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/08 21:17:32.0468 0388 LVUSBSta (90259f3a20fbaec1a08d74ef5415b9d8) C:\WINDOWS\system32\drivers\lvusbsta.sys
2011/09/08 21:17:32.0546 0388 MBAMSwissArmy (b18225739ed9caa83ba2df966e9f43e8) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/09/08 21:17:32.0703 0388 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/08 21:17:32.0781 0388 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/08 21:17:32.0828 0388 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/08 21:17:32.0906 0388 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/08 21:17:32.0953 0388 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/08 21:17:33.0062 0388 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/08 21:17:33.0156 0388 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/08 21:17:33.0250 0388 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/08 21:17:33.0312 0388 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/08 21:17:33.0375 0388 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/08 21:17:33.0468 0388 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/08 21:17:33.0531 0388 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/08 21:17:33.0609 0388 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/09/08 21:17:33.0656 0388 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/08 21:17:33.0750 0388 MxlW2k (a1520761f42dbb06db7929d6fa9753ea) C:\WINDOWS\system32\drivers\MxlW2k.sys
2011/09/08 21:17:33.0812 0388 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/09/08 21:17:33.0875 0388 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/08 21:17:33.0937 0388 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/09/08 21:17:34.0000 0388 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/08 21:17:34.0046 0388 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/08 21:17:34.0109 0388 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/08 21:17:34.0171 0388 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/08 21:17:34.0218 0388 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/08 21:17:34.0265 0388 NetBT (69c84dfd9cc9ab979a5b7d3769596479) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/08 21:17:34.0281 0388 NetBT - detected Rootkit.Win32.ZAccess.e (0)
2011/09/08 21:17:34.0375 0388 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/09/08 21:17:34.0437 0388 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/08 21:17:34.0515 0388 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/08 21:17:34.0640 0388 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/08 21:17:34.0828 0388 nv (ba1b732c1a70cfea0c1b64f2850bf44f) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/09/08 21:17:35.0000 0388 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/08 21:17:35.0062 0388 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/08 21:17:35.0125 0388 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/09/08 21:17:35.0218 0388 ossrv (0304878cc20c34734c40092b277c6679) C:\WINDOWS\system32\drivers\ctoss2k.sys
2011/09/08 21:17:35.0296 0388 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/08 21:17:35.0343 0388 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/08 21:17:35.0421 0388 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/08 21:17:35.0484 0388 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/08 21:17:35.0640 0388 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/08 21:17:35.0703 0388 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/08 21:17:36.0109 0388 PfModNT (5c125deac835c9927f7ab3e8a270fde7) C:\WINDOWS\System32\PfModNT.sys
2011/09/08 21:17:36.0187 0388 PLSCSI (0876a00be67460b732ba57d1530fd1c9) C:\WINDOWS\system32\DRIVERS\sci0pl.sys
2011/09/08 21:17:36.0375 0388 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/08 21:17:36.0656 0388 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/09/08 21:17:36.0734 0388 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/08 21:17:36.0796 0388 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/08 21:17:36.0890 0388 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/09/08 21:17:37.0203 0388 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/08 21:17:37.0281 0388 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/08 21:17:37.0328 0388 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/08 21:17:37.0375 0388 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/08 21:17:37.0468 0388 Razerlow (116c340acf37602d12cac6de6b8107cd) C:\WINDOWS\system32\Drivers\Razerlow.sys
2011/09/08 21:17:37.0531 0388 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/08 21:17:37.0625 0388 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/08 21:17:37.0687 0388 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/08 21:17:37.0765 0388 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/08 21:17:37.0828 0388 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/08 21:17:37.0937 0388 SaiH8000 (34ea7d80b2e7899b99bd525428cdce94) C:\WINDOWS\system32\DRIVERS\SaiH8000.sys
2011/09/08 21:17:38.0015 0388 SbcpHid (30d94039a729571146eb9d736ec1aadd) C:\WINDOWS\system32\Drivers\SbcpHid.sys
2011/09/08 21:17:38.0093 0388 SCDEmu (85a26c37b91b1187550c99b046840691) C:\WINDOWS\system32\drivers\SCDEmu.sys
2011/09/08 21:17:38.0171 0388 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/08 21:17:38.0250 0388 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/08 21:17:38.0343 0388 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/08 21:17:38.0421 0388 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/09/08 21:17:38.0562 0388 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/09/08 21:17:38.0640 0388 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2011/09/08 21:17:38.0750 0388 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/08 21:17:38.0859 0388 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/08 21:17:38.0937 0388 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/08 21:17:39.0031 0388 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/09/08 21:17:39.0093 0388 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/08 21:17:39.0140 0388 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/08 21:17:39.0421 0388 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/08 21:17:39.0500 0388 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/08 21:17:39.0562 0388 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/08 21:17:39.0656 0388 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/08 21:17:39.0718 0388 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/08 21:17:39.0890 0388 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/08 21:17:40.0015 0388 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/08 21:17:40.0109 0388 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/09/08 21:17:40.0187 0388 USBAtapi2000 (59d65b6b73ad9f721f67f4e0d03b3bce) C:\WINDOWS\system32\DRIVERS\sci1pl.sys
2011/09/08 21:17:40.0250 0388 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/09/08 21:17:40.0328 0388 usbbus (3ebb87e9839606662e0c3b91b553dbf7) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
2011/09/08 21:17:40.0421 0388 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/08 21:17:40.0484 0388 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/08 21:17:40.0546 0388 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/08 21:17:40.0625 0388 USBModem (0351aca1b1cfb4918fb1cc9bebc8cc53) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
2011/09/08 21:17:40.0687 0388 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/08 21:17:40.0765 0388 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/08 21:17:40.0843 0388 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/08 21:17:40.0921 0388 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/09/08 21:17:41.0046 0388 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/08 21:17:41.0125 0388 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/08 21:17:41.0234 0388 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/08 21:17:41.0390 0388 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/09/08 21:17:41.0484 0388 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/09/08 21:17:41.0546 0388 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/09/08 21:17:41.0640 0388 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/08 21:17:41.0703 0388 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/08 21:17:41.0781 0388 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/08 21:17:41.0953 0388 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
2011/09/08 21:17:41.0968 0388 Boot (0x1200) (11475cfc8af3b302fd00d295b10ce791) \Device\Harddisk0\DR0\Partition0
2011/09/08 21:17:41.0984 0388 Boot (0x1200) (55406d226334540739eb01288cc06dcb) \Device\Harddisk1\DR1\Partition0
2011/09/08 21:17:42.0000 0388 ================================================================================
2011/09/08 21:17:42.0000 0388 Scan finished
2011/09/08 21:17:42.0000 0388 ================================================================================
2011/09/08 21:17:42.0015 4092 Detected object count: 2
2011/09/08 21:17:42.0015 4092 Actual detected object count: 2
2011/09/08 21:17:51.0703 4092 Imapi (9d0015f882d2162f26c6c1afcb4a3742) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/08 21:17:51.0703 4092 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\imapi.sys) error 1813
2011/09/08 21:17:52.0390 4092 Backup copy found, using it..
2011/09/08 21:17:52.0406 4092 C:\WINDOWS\system32\DRIVERS\imapi.sys - will be cured after reboot
2011/09/08 21:17:52.0406 4092 Rootkit.Win32.ZAccess.e(Imapi) - User select action: Cure
2011/09/08 21:17:52.0546 4092 NetBT (69c84dfd9cc9ab979a5b7d3769596479) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/08 21:17:52.0546 4092 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\netbt.sys) error 1813
2011/09/08 21:17:52.0890 4092 Backup copy found, using it..
2011/09/08 21:17:52.0906 4092 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured after reboot
2011/09/08 21:17:52.0906 4092 Rootkit.Win32.ZAccess.e(NetBT) - User select action: Cure
2011/09/08 21:17:58.0015 4044 Deinitialize success

#10
RKinner

    Malware Expert

  • Expert
  • 19,794 posts
  • MVP
Delete these files (if they still exist):

c:\windows\system32\diskchk.sys
c:\docume~1\Justin\LOCALS~1\Temp\pnicml.sys
c:\program files\Ahead\InCD\InCD .exe
(note the space between InCD and the .exe)

and this folder:

c:\windows\$NtUninstallKB62316$

Verify that the following files are present:

c:\boot.ini
c:\Ntldr
c:\Ntdetect.com
c:\windows\system32\Ntoskrnl.exe
C:\windows\System32\Config\System
C:\windows\System32\Winlogon.exe
C:\windows\explorer.exe
C:\windows\system32\csrss.exe
C:\windows\system32\userint.exe
C:\windows\system32\user32.dll
C:\windows\system32\hal.dll
c:\windows\system32\svchost.exe
C:\WINDOWS\system32\DRIVERS\netbt.sys
C:\WINDOWS\system32\DRIVERS\imapi.sys
c:\windows\system32\msiexec.exe
c:\windows\system32\wuauclt.exe



Ron
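An added example serving the last two posts, not code from the thread, from Kaspersky's TDSSKiller or from any other tool: it pulls the detections (service name, the MD5 logged before the cure, path, chosen action) out of the TDSSKiller log bdjsb7 posted, and runs the "verify that the following files are present" step from this post. The post-cure check is my own reading of the log: TDSSKiller hashed each driver as it found it, so after the reboot the two cured files should no longer match those hashes if the backup copy was really written. SAMPLE_LOG is copied (abridged) from the posted log, CRITICAL_FILES is RKinner's list with the confirmed spelling userinit.exe, and the scratch directory that demo() hashes is constructed.

```python
r"""Triage of the TDSSKiller log above plus the file checks from this post.

Added example; not the thread's, Kaspersky's or any other tool's code.
SAMPLE_LOG is copied (abridged) from the posted log; demo() builds a
constructed scratch directory to hash.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

SAMPLE_LOG = r"""
2011/09/08 21:17:31.0000 0388 Imapi (9d0015f882d2162f26c6c1afcb4a3742) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/08 21:17:31.0000 0388 Imapi - detected Rootkit.Win32.ZAccess.e (0)
2011/09/08 21:17:31.0078 0388 InCDfs (194d7f492578b248e42b0baeeea3c093) C:\WINDOWS\system32\drivers\InCDfs.sys
2011/09/08 21:17:34.0265 0388 NetBT (69c84dfd9cc9ab979a5b7d3769596479) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/08 21:17:34.0281 0388 NetBT - detected Rootkit.Win32.ZAccess.e (0)
2011/09/08 21:17:41.0781 0388 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/08 21:17:52.0406 4092 Rootkit.Win32.ZAccess.e(Imapi) - User select action: Cure
2011/09/08 21:17:52.0906 4092 Rootkit.Win32.ZAccess.e(NetBT) - User select action: Cure
"""

# RKinner's "verify present" list (the thread's "userint.exe" was a typo).
CRITICAL_FILES = ["C:\\" + p for p in (
    r"boot.ini", r"ntldr", r"ntdetect.com", r"windows\system32\ntoskrnl.exe",
    r"windows\system32\config\system", r"windows\system32\winlogon.exe",
    r"windows\explorer.exe", r"windows\system32\csrss.exe",
    r"windows\system32\userinit.exe", r"windows\system32\user32.dll",
    r"windows\system32\hal.dll", r"windows\system32\svchost.exe",
    r"windows\system32\drivers\netbt.sys", r"windows\system32\drivers\imapi.sys",
    r"windows\system32\msiexec.exe", r"windows\system32\wuauclt.exe")]

# Line shapes seen in the log: "<date> <time> <tid> <body>", where body is an object
# line "<name> (<md5>) <path>", a verdict line "<name> - detected <verdict> (n)" or
# an action line "<verdict>(<name>) - User select action: <action>".
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} \d{4} (?P<body>.*)$")
OBJECT_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(r"^(?P<name>.+?) - detected (?P<verdict>\S+) \(\d+\)$")
ACTION_RE = re.compile(r"^(?P<verdict>\S+)\((?P<name>.+?)\) - User select action: (?P<action>\w+)$")


@dataclass
class Detection:
    name: str      # service/driver name as TDSSKiller reports it
    verdict: str   # e.g. Rootkit.Win32.ZAccess.e
    md5: str       # hash of the file as found, i.e. before any cure
    path: str
    action: str = "none"


def parse_tdsskiller(text):
    """One Detection per flagged object, in log order. Object lines precede the
    '- detected' line that names them; action lines follow the scan summary."""
    objects, detections = {}, {}
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        body = line.group("body")
        hit = DETECT_RE.match(body)
        if hit:
            obj = objects.get(hit.group("name"), {"md5": "", "path": ""})
            detections[hit.group("name")] = Detection(
                hit.group("name"), hit.group("verdict"), obj["md5"], obj["path"])
            continue
        act = ACTION_RE.match(body)
        if act and act.group("name") in detections:
            detections[act.group("name")].action = act.group("action")
            continue
        obj = OBJECT_RE.match(body)
        if obj:
            objects[obj.group("name")] = {"md5": obj.group("md5"), "path": obj.group("path")}
    return list(detections.values())


def md5_of(path):
    """MD5 only because that is what TDSSKiller logs; no security claim."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def missing_files(paths):
    """The 'verify that the following files are present' step: returns the absent ones."""
    return [p for p in paths if not os.path.isfile(p)]


def cure_status(detections, resolve=lambda p: p):
    """Re-hash every object marked Cure after the reboot. 'changed': no longer matches
    the pre-cure hash; 'unchanged': the cure did not take; 'missing': file is gone.
    `resolve` maps the logged Windows path to the path to open (identity on the
    machine itself, something else when the volume is mounted elsewhere)."""
    status = {}
    for det in detections:
        if det.action.lower() != "cure":
            continue
        local = resolve(det.path)
        if not os.path.isfile(local):
            status[det.name] = "missing"
        elif md5_of(local) == det.md5:
            status[det.name] = "unchanged"
        else:
            status[det.name] = "changed"
    return status


def demo():
    """Constructed scratch tree: imapi.sys rewritten with stand-in bytes, netbt.sys absent."""
    scratch = tempfile.mkdtemp(prefix="tdss-")
    with open(os.path.join(scratch, "imapi.sys"), "wb") as fh:
        fh.write(b"constructed stand-in for a restored driver")

    def resolve(win):  # last path component of the logged Windows path, in the scratch dir
        return os.path.join(scratch, win.rsplit("\\", 1)[-1].lower())
    return cure_status(parse_tdsskiller(SAMPLE_LOG), resolve)


if __name__ == "__main__":
    for det in parse_tdsskiller(SAMPLE_LOG):
        print(f"{det.name:6} {det.verdict} action={det.action} md5={det.md5} {det.path}")
    print("missing:", missing_files(CRITICAL_FILES))
    print("post-cure (demo tree):", demo())
```

On the infected machine itself `cure_status(parse_tdsskiller(open(log).read()))` with the default `resolve` does the real check; `missing_files(CRITICAL_FILES)` is the same list RKinner asks for, with an empty result meaning everything is present.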


#11
bdjsb7

    Member

  • Topic Starter
  • Member
  • 25 posts
Only InCD .exe was present, so I deleted it.

All files you listed are present and accounted for except there was no userint.exe. Hoping that was just a typo, as there IS a userinit.exe.

#12
bdjsb7

    Member

  • Topic Starter
  • Member
  • 25 posts
Oh! I forgot to mention: the NT Uninstall folder did not seem to fully delete. After I deleted it, the folder still appeared in Explorer, but showed it empty and told me it didn't exist when I tried to open it.

#13
RKinner

    Malware Expert

  • Expert
  • 19,794 posts
  • MVP
It was a typo, sorry.

ZA is a nasty bug that is still evolving. I'm wondering how it holds on to the folder. Can you go into Command Prompt? (Start, All Programs, Accessories, Command Prompt) or just boot into DOS with Hiren.

Type each line with an Enter at the end:

C:

(to switch to the C: drive)

cd  \windows

(to move to the C:\windows folder)

attrib  -r  -h  -s  $NtUninstallKB62316$

(remove any attributes from the folder)

cd  $NtUninstallKB62316$

(Try to move to the folder)

attrib  -r  -h  -s  *.*

attrib  -r  -h  -s  *

(removing any attributes from all files)
dir  /a

(looking for files.  If it doesn't say: 0 files 0 bytes then)

del  *.*

del  *

(try to remove any files)  

cd  \windows

(go back to \windows)

rmdir  $NtUninstallKB62316$

(try to remove the folder)




(I use two spaces in the code box so you can be sure to see where one space goes)



This bug has been known to create its own hidden partition. Hiren's also has some partition management programs. See if you can figure out how to use one of the tools like Partition Wizard Home Edition 6.0 to see if there are any hidden partitions or even hidden drives. Don't automatically delete them as they may be benign depending on who makes your PC.

Also we can try backing up the mbr and replacing it with a standard XP MBR and see if that helps. Hiren's has a section
MBR (Master Boot Record) Tools

MBRWizard 3.0.73 looks like it should work. Try to access it from the MiniXP.

MBRWiz /list
(should show disk and partition details)

MBRWiz /save=\oldmbr.dat

(should save the old mbr)

MBRWiz /repair=1

(should replace it with a standard XP MBR)



Also what does c:\boot.ini say. You should be able to open it in notepad.

Can you access the C:\System Volume Information folder? Is there anything in it?


Can you run OTL from the MiniXP on Hiren's. Not sure what we will see but worth a shot.

Ron

#14
bdjsb7

    Member

  • Topic Starter
  • Member
  • 25 posts
Using the command prompt, I removed attributes to $NtUninstallKB62316$
When I try to move to the folder, I get "The file cannot be accessed by the system"
I skipped down to rmdir, and it tells me the directory is not empty.

Partition Wizard 6 shows only my C and D partitions. They look right.

I'm not sure if I was using the MBR Wizard the right way, but I did get the /list command to work (it too showed only the C and D partitions).
When typing MBRWiz /save=\oldmbr.dat, I get the message "Error 105: invalid or incomplete switch: /save=\oldmbr.dat"

Because I could not back up, I did not attempt the repair.


Here is the boot.ini:

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Attached is a screenshot of the System Volume Information folder.

I tried opening OTL from miniXP, and nothing happened.

Attached: SysVolInfo.jpg


#15
RKinner

    Malware Expert

  • Expert
  • 19,794 posts
  • MVP
I would be happier if the stupid folder would go away. Did you try it from the MiniXP command prompt or from the DOS that comes with Hiren's? The DOS should be more powerful.

I was just guessing at the format for the MBRWiz before. I found an example page:
http://mbrwizard.com/examples.php#save

See if that works for you.

Then the reference page is here: http://mbrwizard.com/reference.php


Judging by the contents of your System Volume Information folder you have some System Restore points we could use. There is a method of doing a System Restore manually:

First back up the existing registry files:
(From a Command Prompt)
c:
md \windows\tmp
(folder may already exist)
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak

Now open one of the RP3xx folders (seen in the screenshot you just posted). Make sure it has dates from before the problem started.

Open one of these folders to locate a Snapshot subfolder. The following path is an example of a folder path to the Snapshot folder:
C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP1\Snapshot
From the Snapshot folder, copy the following files to the C:\Windows\Tmp folder:

_REGISTRY_USER_.DEFAULT
_REGISTRY_MACHINE_SECURITY
_REGISTRY_MACHINE_SOFTWARE
_REGISTRY_MACHINE_SYSTEM
_REGISTRY_MACHINE_SAM

Rename the files in the C:\Windows\Tmp folder as follows:

Rename _REGISTRY_USER_.DEFAULT to DEFAULT
Rename _REGISTRY_MACHINE_SECURITY to SECURITY
Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE
Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM
Rename _REGISTRY_MACHINE_SAM to SAM

del c:\windows\system32\config\sam

del c:\windows\system32\config\security

del c:\windows\system32\config\software

del c:\windows\system32\config\default

del c:\windows\system32\config\system

copy c:\windows\tmp\software c:\windows\system32\config\software

copy c:\windows\tmp\system c:\windows\system32\config\system

copy c:\windows\tmp\sam c:\windows\system32\config\sam

copy c:\windows\tmp\security c:\windows\system32\config\security

copy c:\windows\tmp\default c:\windows\system32\config\default

exit

The system should restart. Remove the CD and see if it will work now.

(The above comes from http://support.microsoft.com/kb/307545 but I extracted the parts that I think you need. I'm assuming that the MiniXP is able to open the RP3xx folders. This is just going to restore the registry. If it's a file that is the problem then it won't help.)

Ron
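The manual System Restore RKinner describes, as an added Python script that is not the thread's, KB307545's or Microsoft's code. It performs the same steps (back up the live hives to windows\tmp, pick a restore point from before the problem, copy the five snapshot files in under their normal names) against a Windows tree passed as `windows_dir`, so it could be pointed at the offline volume from a rescue boot rather than typed into the command prompt. The selection rule, newest RPnnn folder modified before a cutoff time that actually contains all five hives, is my reading of "make sure it has dates from before the problem started". `demo()` exercises it on a constructed tree in a temporary directory where RP1 predates the cutoff and RP2 does not.

```python
r"""Manual System Restore of the registry hives, scripted.

Added example, not from the thread, KB307545 or any Microsoft tool. Works on
the Windows tree at `windows_dir` (e.g. X:\WINDOWS on a mounted offline
volume); demo() runs it on a constructed tree under a temp directory.
"""
import os
import shutil
import tempfile
import time

# Snapshot file name -> hive file name under system32\config (the KB307545 renames).
HIVE_MAP = {
    "_REGISTRY_USER_.DEFAULT": "default",
    "_REGISTRY_MACHINE_SECURITY": "security",
    "_REGISTRY_MACHINE_SOFTWARE": "software",
    "_REGISTRY_MACHINE_SYSTEM": "system",
    "_REGISTRY_MACHINE_SAM": "sam",
}


def backup_hives(windows_dir):
    """The first block of RKinner's commands: copy each live hive to tmp/<hive>.bak."""
    config = os.path.join(windows_dir, "system32", "config")
    tmp = os.path.join(windows_dir, "tmp")
    os.makedirs(tmp, exist_ok=True)          # "folder may already exist"
    backups = []
    for hive in HIVE_MAP.values():
        dst = os.path.join(tmp, hive + ".bak")
        shutil.copy2(os.path.join(config, hive), dst)
        backups.append(dst)
    return backups


def choose_restore_point(sysvol_dir, before):
    """Newest RPnnn/Snapshot folder whose RPnnn directory was modified before
    `before` (epoch seconds) and which holds all five hives; None if there is none."""
    best = None
    for restore_root in os.listdir(sysvol_dir):          # _restore{GUID} folders
        root = os.path.join(sysvol_dir, restore_root)
        if not os.path.isdir(root):
            continue
        for rp in os.listdir(root):
            snap = os.path.join(root, rp, "Snapshot")
            if not rp.startswith("RP") or not os.path.isdir(snap):
                continue
            mtime = os.path.getmtime(os.path.join(root, rp))
            if mtime >= before:
                continue                                  # too recent: may already be infected
            if not all(os.path.isfile(os.path.join(snap, f)) for f in HIVE_MAP):
                continue                                  # incomplete snapshot
            if best is None or mtime > best[0]:
                best = (mtime, snap)
    return None if best is None else best[1]


def restore_hives(windows_dir, snapshot_dir):
    """Copy the snapshot hives to tmp under their real names, delete the live
    hives and copy the staged ones into system32/config (the del/copy lines)."""
    config = os.path.join(windows_dir, "system32", "config")
    tmp = os.path.join(windows_dir, "tmp")
    os.makedirs(tmp, exist_ok=True)
    restored = []
    for snap_name, hive in HIVE_MAP.items():
        staged = os.path.join(tmp, hive)
        shutil.copy2(os.path.join(snapshot_dir, snap_name), staged)   # copy + rename
        target = os.path.join(config, hive)
        if os.path.exists(target):
            os.remove(target)
        shutil.copy2(staged, target)
        restored.append(target)
    return restored


def demo():
    """Constructed tree: RP1 is three days old, RP2 one hour old, cutoff one day ago."""
    base = tempfile.mkdtemp(prefix="xp-")
    windows = os.path.join(base, "WINDOWS")
    config = os.path.join(windows, "system32", "config")
    sysvol = os.path.join(base, "System Volume Information",
                          "_restore{00000000-0000-0000-0000-000000000000}")
    os.makedirs(config)
    for hive in HIVE_MAP.values():
        with open(os.path.join(config, hive), "wb") as fh:
            fh.write(b"live-" + hive.encode())
    now = time.time()
    for rp, age, tag in (("RP1", 3 * 86400, b"old-"), ("RP2", 3600, b"new-")):
        snap = os.path.join(sysvol, rp, "Snapshot")
        os.makedirs(snap)
        for snap_name in HIVE_MAP:
            with open(os.path.join(snap, snap_name), "wb") as fh:
                fh.write(tag + snap_name.encode())
        os.utime(os.path.join(sysvol, rp), (now - age, now - age))
    backup_hives(windows)
    snap = choose_restore_point(os.path.dirname(sysvol), now - 86400)
    restore_hives(windows, snap)
    with open(os.path.join(config, "system"), "rb") as fh:
        system = fh.read()
    with open(os.path.join(windows, "tmp", "system.bak"), "rb") as fh:
        system_backup = fh.read()
    return {"chosen": os.path.basename(os.path.dirname(snap)),
            "system": system, "system_backup": system_backup}


if __name__ == "__main__":
    print(demo())
```

As RKinner notes, this only swaps the registry hives; a patched driver file such as the ones TDSSKiller cured is untouched by it, and the .bak copies in tmp are what you copy back if the restored hives do not boot.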





