Another Win32/Zbot.G infection

Inactive
By Drena Designs
Feb 23, 2011
Topic Status:
Not open for further replies.
  1. Hi all, I hope you can help me.

    My friend has asked me to try to fix his laptop, which seems to have the Win32/Zbot.G virus, or so AVG says. As with the other examples I've read up on, IE won't load and AVG doesn't work properly. At first I tried Malwarebytes, which got rid of a lot of stuff, but this didn't fix it.

    I then read some threads here, uninstalled AVG, ran RKill and ComboFix and... the problems still remain. I attempted to reinstall AVG to see if it worked, but it took an age and I cancelled, assuming I may need to do something with ComboFix again.

    I will attempt to get onto the internet on the laptop (via Windows Explorer, which still seems to let me) and post the logs from both ComboFix and Malware Bytes for you next.
  2. Drena Designs

    Drena Designs Newcomer, in training Topic Starter Posts: 25

    ComboFix 11-02-23.02 - Swifter 23/02/2011 20:28:41.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.502.242 [GMT 0:00]
    Running from: c:\documents and settings\Swifter\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Swifter\Application Data\inst.exe
    C:\ksdfghk.Bin
    c:\ksdfghk.bin\config.bin
    c:\ksdfghk.bin\ksdfghk.Bin.exe
    c:\windows\system32\f3PSSavr.scr

    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MYWEBSEARCHSERVICE
    -------\Legacy_USNJSVC
    -------\Service_usnjsvc


    ((((((((((((((((((((((((( Files Created from 2011-01-23 to 2011-02-23 )))))))))))))))))))))))))))))))
    .

    2011-02-23 20:13 . 2011-02-23 20:15 -------- d-----r- C:\32788R22FWJFW
    2011-02-23 19:17 . 2011-02-23 19:17 -------- d-----w- c:\documents and settings\Swifter\Application Data\Malwarebytes
    2011-02-23 18:53 . 2011-02-23 18:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2011-02-23 18:53 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-23 18:53 . 2011-02-23 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-02-23 18:53 . 2011-02-23 18:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-23 18:53 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-18 20:04 . 2011-02-18 21:18 152051 ----a-w- c:\windows\Explorermgr.exe
    2011-02-18 12:04 . 2011-02-18 12:04 -------- d-----w- c:\documents and settings\Swifter\Application Data\AVG10
    2011-02-18 12:02 . 2011-02-18 12:02 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-02-18 11:57 . 2011-02-23 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2011-02-18 11:15 . 2011-02-23 20:43 -------- d-----w- c:\program files\ayirbhrn
    2011-02-18 11:15 . 2011-02-18 11:15 -------- d-----w- c:\documents and settings\Swifter\cs
    2011-02-13 20:39 . 2011-02-18 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-02-09 13:32 . 2006-12-15 03:09 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
    2011-02-07 21:44 . 2011-02-08 19:16 -------- d-----w- c:\documents and settings\Swifter\Local Settings\Application Data\AskToolbar
    2011-02-07 21:27 . 2011-02-17 12:31 -------- d-----w- c:\documents and settings\Swifter\Application Data\FrostWire
    2011-02-07 21:27 . 2011-02-18 11:15 -------- d-----w- c:\program files\Ask.com
    2011-02-07 21:26 . 2011-02-18 12:18 -------- d-----w- c:\program files\FrostWire
    2011-02-07 21:10 . 2011-02-18 15:46 -------- d-----w- c:\program files\Blinkx
    2011-01-28 21:40 . 2011-01-28 21:40 -------- d-----w- c:\windows\system32\wbem\Repository

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-26 08:22 . 2010-11-26 08:22 458752 ----a-w- c:\windows\system32\ssblinkx.scr
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-09-28 22:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-13 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-13 126976]
    "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 205169]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 561568]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 950798]
    "basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ayirbhrn\ifahlkbe.exe"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SoundMAX"=c:\program files\Analog Devices\SoundMAX\Smax4.exe /tray
    "SoundMAXPnP"=c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe
    "AGRSMMSG"=AGRSMMSG.exe
    "Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "17166:TCP"= 17166:TCP:BitComet 17166 TCP
    "17166:UDP"= 17166:UDP:BitComet 17166 UDP
    "22136:TCP"= 22136:TCP:BitComet 22136 TCP
    "22136:UDP"= 22136:UDP:BitComet 22136 UDP

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [07/08/2007 22:40 685816]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2011-02-18 c:\windows\Tasks\Epson Printer Software Downloader.job
    - c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-05-26 11:43]

    2011-02-18 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-09-28 22:44]

    2011-02-23 c:\windows\Tasks\User_Feed_Synchronization-{6C5A829B-00FC-4AB1-BEFD-3BE4BA8BD8C6}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    TCP: {060000B6-B48C-4731-86DC-5733EA900558} = 192.168.0.1
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKCU-Run-ksdfghk.Bin.exe - c:\ksdfghk.bin\ksdfghk.Bin.exe
    HKLM-Run-Apoint - c:\program files\Apoint2K\Apoint.exe
    HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
    HKLM-Run-LVCOMS - c:\program files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    ShellExecuteHooks-{56F9679E-7826-4C84-81F3-532071A8BCC5} - (no file)
    MSConfigStartUp-LogitechGalleryRepair - c:\program files\Logitech\ImageStudio\ISStart.exe
    MSConfigStartUp-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
    MSConfigStartUp-Sony Ericsson PC Suite - c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
    AddRemove-InstallShield_{612DC38A-B36A-4699-88EB-12C7394DE2FC} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-23 20:48
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwQueryDirectoryFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????0?4?5?0??????? ???B???????????????B? ??????

    scanning hidden files ...


    c:\documents and settings\Swifter\Start Menu\Programs\Startup\ifahlkbe.exe 152051 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST9402113A rev.3.02 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82826EC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x81dd1872; SUB DWORD [EBP-0x4], 0x81dd112e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x82B0D9C0]
    3 CLASSPNP[0xF8513FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000077[0x82B54D80]
    5 ACPI[0xF82A8620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82B6A4C8]
    [0x827E9B10] -> IRP_MJ_CREATE -> 0x82826EC5
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST9402113A______________________________3.02____#5&170c2549&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x82826AEA
    user & kernel MBR OK
    sectors 78140158 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(848)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(908)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(3140)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Internet Explorer\IEXPLORE.EXE
    c:\program files\Internet Explorer\IEXPLORE.EXE
    c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
    c:\program files\Kontiki\KService.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\windows\system32\rundll32.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-02-23 21:01:03 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-23 21:00

    Pre-Run: 21,641,289,728 bytes free
    Post-Run: 22,287,347,712 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - ABA0B8ECB6EEB059321002918077CED6
  3. Drena Designs


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5855

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    23/02/2011 21:14:57
    mbam-log-2011-02-23 (21-14-57).txt

    Scan type: Quick scan
    Objects scanned: 151216
    Time elapsed: 7 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  4. Drena Designs


    Just a quick update. I rebooted the machine and the Internet Connection (Wireless) went down. I couldn't disable/re-enable and it wouldn't search for any networks.

    I also got the following messages...

    apdproxy.exe - Unable to Locate Component
    This application has failed to start because apdboot.dll was not found. Re-installing the application may fix this problem.

    Quick Launch Buttons
    The following file EABINST.DLL is missing or corrupted. Re-install Quick Launch Buttons.

    Rebooted again and the wireless seems to be working again. I've just run GMER, having read the 8-step guide in this forum (sorry I didn't do this first). Log below.
  5. Drena Designs


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-23 21:59:24
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST9402113A rev.3.02
    Running: wvwx6fpx.exe; Driver: C:\DOCUME~1\Swifter\LOCALS~1\Temp\uxldypod.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sectors 78139904 (+255): rootkit-like behavior;

    ---- System - GMER 1.0.15 ----

    SSDT sptd.sys ZwEnumerateKey [0xF82CFFB2]
    SSDT sptd.sys ZwEnumerateValueKey [0xF82D0340]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82836AEA
    Device \Driver\atapi \Device\Ide\IdePort0 [F8226B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 82836AEA
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F8226B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \FileSystem\Ntfs \Ntfs 82BD91E8
    Device \FileSystem\Fastfat \Fat 81FC21E8

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

    Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST9402113A______________________________3.02____#5&170c2549&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----
  6. Drena Designs


    Finally, DDS logs...


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Swifter at 22:08:52.51 on 23/02/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.502.190 [GMT 0:00]

    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\WINDOWS\system32\svchost.exe -k bthsvcs
    C:\Program Files\Kontiki\KService.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\Documents and Settings\Swifter\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = <local>
    uURLSearchHooks: H - No File
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\ayirbhrn\ifahlkbe.exe,
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - No File
    BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
    BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - Google Toolbar Notifier BHO
    BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - No File
    TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
    TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
    TB: {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - No File
    TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
    mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
    mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_11\bin\jusched.exe"
    mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WMEtNQy1FOVZVVy1FVzBWQS1VVTNYTC1GRVc5Ny0wVTZF"&"inst=NzYtNzEzNDM1MDc0LVQxLVU4NSsxLUJBKzEtS1YzKzctWEwrMS1VQ0FMTCsxLVVDQUxMMisyLVRCOCsyLUZMKzgtRjhNOUErMy1GOE0xMUMrMS1VUEcrMjAxMQ"&"prod=90"&"ver=10.0.1204
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    TCP: {060000B6-B48C-4731-86DC-5733EA900558} = 192.168.0.1
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2011-02-23 21:57:30 152051 ----a-w- c:\windows\system32\taskmgrmgr.exe
    2011-02-23 20:19:26 -------- d-sha-r- C:\cmdcons
    2011-02-23 20:16:14 98816 ----a-w- c:\windows\sed.exe
    2011-02-23 20:16:14 89088 ----a-w- c:\windows\MBR.exe
    2011-02-23 20:16:14 256512 ----a-w- c:\windows\PEV.exe
    2011-02-23 20:16:14 161792 ----a-w- c:\windows\SWREG.exe
    2011-02-23 19:17:27 -------- d-----w- c:\docume~1\swifter\applic~1\Malwarebytes
    2011-02-23 18:53:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-23 18:53:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-02-23 18:53:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-23 18:53:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-18 20:04:49 152051 ----a-w- c:\windows\Explorermgr.exe
    2011-02-18 12:04:33 -------- d-----w- c:\docume~1\swifter\applic~1\AVG10
    2011-02-18 12:02:13 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2011-02-18 11:57:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2011-02-18 11:15:51 -------- d-----w- c:\program files\ayirbhrn
    2011-02-18 11:15:44 -------- d-----w- c:\documents and settings\swifter\cs
    2011-02-13 20:39:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2011-02-09 13:32:34 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
    2011-02-07 21:44:58 -------- d-----w- c:\docume~1\swifter\locals~1\applic~1\AskToolbar
    2011-02-07 21:27:56 -------- d-----w- c:\docume~1\swifter\applic~1\FrostWire
    2011-02-07 21:27:05 -------- d-----w- c:\program files\Ask.com
    2011-02-07 21:26:13 -------- d-----w- c:\program files\FrostWire
    2011-02-07 21:10:19 -------- d-----w- c:\program files\Blinkx
    2011-01-28 21:40:56 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-01-28 21:40:56 -------- d-----w- c:\windows\system32\wbem\Repository

    ==================== Find3M ====================

    2010-11-26 08:22:28 458752 ----a-w- c:\windows\system32\ssblinkx.scr

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST9402113A rev.3.02 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8284DEC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x81dd1872; SUB DWORD [EBP-0x4], 0x81dd112e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x82B555E0]
    3 CLASSPNP[0xF84F4FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000076[0x82B6B4A0]
    5 ACPI[0xF8289620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82B55B58]
    [0x82B288D0] -> IRP_MJ_CREATE -> 0x8284DEC5
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST9402113A______________________________3.02____#5&170c2549&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8284DAEA
    user & kernel MBR OK
    sectors 78140158 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 22:11:03.42 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 25/02/2006 20:37:25
    System Uptime: 23/02/2011 22:01:32 (0 hours ago)

    Motherboard: Hewlett-Packard | | 308C
    Processor: Intel(R) Celeron(R) M processor 1.50GHz | U1 | 1496/400mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 37 GiB total, 22.779 GiB free.
    D: is CDROM ()
    E: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP175: 23/02/2011 20:16:52 - ComboFix created restore point
    RP176: 23/02/2011 21:31:10 - Installed AVG 2011
    RP177: 23/02/2011 21:46:14 - Installed AVG 2011
    RP178: 23/02/2011 21:47:48 - Removed AVG 2011

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.3
    Adobe® Photoshop® Album Starter Edition 3.2
    Agere Systems AC'97 Modem
    ALPS Touch Pad Driver
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    BBC iPlayer Download Manager
    blinkx beat
    Broadcom 802.11 Wireless LAN Adapter
    CCleaner (remove only)
    Critical Update for Windows Media Player 11 (KB959772)
    Drive Manager
    Epson Easy Photo Print 2
    Epson Event Manager
    Epson Printer Software Downloader
    EPSON Scan
    Epson Stylus SX110_TX110 Manual
    EPSON SX110 Series Printer Uninstall
    EPSON Web-To-Page
    FrostWire 4.21.3
    Google Toolbar for Internet Explorer
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Help and Support
    HP Software Update
    HP Update
    HP Wireless Assistant 1.01 A3
    HpSdpAppCoreApp
    Intel(R) Graphics Media Accelerator Driver for Mobile
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    Malwarebytes' Anti-Malware
    Media Library Management Wizard
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional with FrontPage
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MpcStar 4.9
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    neroxml
    Quick Launch Buttons 5.20 H1
    REALTEK Gigabit and Fast Ethernet NIC Driver
    SAGEM F@st 800-840
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Serif WebPlus SE
    Sonic Audio Module
    Sonic Copy Module
    Sonic Data Module
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic Update Manager
    SoundMAX
    TIxx21
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC_MergeModuleToMSI
    WebFldrs XP
    Windows Desktop Search
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live installer
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    23/02/2011 21:55:08, error: Service Control Manager [7022] - The Windows Image Acquisition (WIA) service hung on starting.
    23/02/2011 21:53:42, error: Service Control Manager [7000] - The Wireless Zero Configuration service failed to start due to the following error: The I/O operation has been aborted because of either a thread exit or an application request.
    23/02/2011 21:53:42, error: Service Control Manager [7000] - The Task Scheduler service failed to start due to the following error: The service has not been started.
    23/02/2011 19:53:03, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eabfiltr Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip Tcpip6
    23/02/2011 19:44:18, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {943B6A75-BB5E-41A7-A6D3-A1A5E892B33B}
    23/02/2011 19:19:11, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
    23/02/2011 19:16:12, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    23/02/2011 18:13:41, error: Service Control Manager [7000] - The EPSON V3 Service4(01) service failed to start due to the following error: The system cannot find the file specified.
    19/02/2011 16:24:30, error: Service Control Manager [7000] - The hpqwmiex service failed to start due to the following error: Access is denied.
    19/02/2011 16:24:30, error: Service Control Manager [7000] - The EPSON V5 Service4(01) service failed to start due to the following error: The system cannot find the file specified.
    19/02/2011 16:22:57, error: Dhcp [1002] - The IP address lease 10.0.0.4 for the Network Card with network address 0014A527FC9D has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    18/02/2011 21:07:15, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    18/02/2011 21:03:51, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 eabfiltr Fips intelppm
    18/02/2011 20:54:52, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
    18/02/2011 20:54:52, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    18/02/2011 20:54:52, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "-Service" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    18/02/2011 20:40:10, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    18/02/2011 20:38:10, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    18/02/2011 20:37:50, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    18/02/2011 20:17:27, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
    18/02/2011 20:17:27, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    18/02/2011 20:15:09, error: Service Control Manager [7000] - The EPSON V5 Service4(01) service failed to start due to the following error: Access is denied.
    18/02/2011 20:15:09, error: Service Control Manager [7000] - The EPSON V3 Service4(01) service failed to start due to the following error: Access is denied.
    18/02/2011 20:02:05, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
    18/02/2011 20:01:39, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    18/02/2011 20:00:59, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix eabfiltr Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip Tcpip6
    18/02/2011 20:00:59, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    18/02/2011 20:00:59, error: Service Control Manager [7001] - The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    18/02/2011 20:00:59, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    18/02/2011 20:00:59, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    18/02/2011 20:00:59, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    18/02/2011 20:00:59, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    18/02/2011 20:00:39, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    18/02/2011 20:00:16, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    18/02/2011 15:58:22, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\vgx\vgx.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.
    18/02/2011 15:24:42, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    18/02/2011 14:04:02, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows nt\accessories\wordpad.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5584.
    18/02/2011 14:03:53, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\wmplayer.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5145.
    18/02/2011 14:03:52, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\wmpband.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5145.
    18/02/2011 14:03:39, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\setup_wm.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5146.
    18/02/2011 14:03:38, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\mpvis.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5145.
    18/02/2011 14:03:25, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\migrate.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 10.0.0.3646.
    18/02/2011 13:40:03, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\movie maker\moviemk.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2.1.4027.0.
    18/02/2011 13:28:27, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\iedw.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 7.0.5730.11.
    18/02/2011 13:28:22, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\hmmapi.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.
    18/02/2011 13:18:32, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\msadc\msadce.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3002.0.
    18/02/2011 12:46:19, error: Service Control Manager [7000] - The HP WMI Interface service failed to start due to the following error: The system cannot find the file specified.
    18/02/2011 12:46:18, error: DCOM [10005] - DCOM got error "%2" attempting to start the service hpqwmi with arguments "-Service" in order to run the server: {7DC5B2D7-CACC-47F2-836E-4DF85F026072}
    18/02/2011 12:45:33, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
    18/02/2011 12:24:26, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\msoe.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5931.
    18/02/2011 12:24:21, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\triedit\triedit.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.1.0.9246.
    18/02/2011 12:19:13, error: Service Control Manager [7022] - The AVGIDSAgent service hung on starting.
    18/02/2011 10:39:37, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\urlmon.dll. Reference error message: Error Message is unavailable .
    18/02/2011 10:39:34, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\WININET.dll. Reference error message: Error Message is unavailable .
    18/02/2011 10:39:30, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\urlmon.dll. Reference error message: The operation completed successfully. .
    17/02/2011 13:42:34, error: Print [19] - Sharing printer failed + 1722, Printer Microsoft XPS Document Writer share name Printer.
    17/02/2011 13:40:35, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    17/02/2011 13:13:17, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\outlook express\msoe.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5931, the version of the system file is 6.0.2900.5931.
    17/02/2011 13:08:06, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\movie maker\moviemk.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 2.1.4027.0, the version of the system file is 2.1.4027.0.
    17/02/2011 12:59:34, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\iedw.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 7.0.5730.11, the version of the system file is 7.0.5730.11.
    17/02/2011 12:59:34, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\hmmapi.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 8.0.6001.18702, the version of the system file is 8.0.6001.18702.
    17/02/2011 12:52:15, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\common files\system\msadc\msadce.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 2.81.3002.0, the version of the system file is 2.81.3002.0.
    17/02/2011 12:50:16, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\vgx\vgx.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 8.0.6001.18702, the version of the system file is 8.0.6001.18702.
    17/02/2011 12:50:15, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\triedit\triedit.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.1.0.9246, the version of the system file is 6.1.0.9246.
    17/02/2011 12:29:50, error: Service Control Manager [7000] - The HP WMI Interface service failed to start due to the following error: Access is denied.
    17/02/2011 12:29:50, error: DCOM [10005] - DCOM got error "%5" attempting to start the service hpqwmi with arguments "-Service" in order to run the server: {7DC5B2D7-CACC-47F2-836E-4DF85F026072}
    17/02/2011 12:29:31, error: Service Control Manager [7022] - The KService service hung on starting.
    17/02/2011 12:27:56, error: Service Control Manager [7000] - The General Purpose USB Driver (adildr.sys) service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    17/02/2011 12:27:35, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    17/02/2011 12:27:34, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

    ==== End Of File ===========================
  7. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================================================

    We have a rootkit there.
    BTW, it's never a good idea to run Combofix on your own.

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  8. Drena Designs

    Drena Designs Newcomer, in training Topic Starter Posts: 25

    Thanks for the assistance Broni. I'll take your advice regarding ComboFix.

    Here's the TDSSKiller log...

    2011/02/23 22:55:31.0859 3228 TDSS rootkit removing tool 2.4.18.0 Feb 21 2011 11:08:08
    2011/02/23 22:55:32.0890 3228 ================================================================================
    2011/02/23 22:55:32.0890 3228 SystemInfo:
    2011/02/23 22:55:32.0890 3228
    2011/02/23 22:55:32.0890 3228 OS Version: 5.1.2600 ServicePack: 3.0
    2011/02/23 22:55:32.0890 3228 Product type: Workstation
    2011/02/23 22:55:32.0890 3228 ComputerName: JULIANS
    2011/02/23 22:55:32.0890 3228 UserName: Swifter
    2011/02/23 22:55:32.0890 3228 Windows directory: C:\WINDOWS
    2011/02/23 22:55:32.0890 3228 System windows directory: C:\WINDOWS
    2011/02/23 22:55:32.0890 3228 Processor architecture: Intel x86
    2011/02/23 22:55:32.0890 3228 Number of processors: 1
    2011/02/23 22:55:32.0890 3228 Page size: 0x1000
    2011/02/23 22:55:32.0890 3228 Boot type: Normal boot
    2011/02/23 22:55:32.0890 3228 ================================================================================
    2011/02/23 22:55:33.0234 3228 Initialize success
    2011/02/23 22:55:38.0828 3716 ================================================================================
    2011/02/23 22:55:38.0828 3716 Scan started
    2011/02/23 22:55:38.0828 3716 Mode: Manual;
    2011/02/23 22:55:38.0828 3716 ================================================================================
    2011/02/23 22:55:40.0406 3716 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/02/23 22:55:40.0546 3716 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2011/02/23 22:55:40.0687 3716 ADILOADER (6278ab04aae16c1438f3c4d34706c3b7) C:\WINDOWS\system32\Drivers\adildr.sys
    2011/02/23 22:55:40.0843 3716 adiusbaw (88fa846846e5080fa2d2fbec1ef2aeaa) C:\WINDOWS\system32\DRIVERS\adiusbaw.sys
    2011/02/23 22:55:41.0171 3716 aeaudio (f13d8e7e1faa31019c25eb17b5fb2662) C:\WINDOWS\system32\drivers\aeaudio.sys
    2011/02/23 22:55:41.0312 3716 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/02/23 22:55:41.0593 3716 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/02/23 22:55:41.0890 3716 AgereSoftModem (029e01cb2938bec5af31bf47b6af0159) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
    2011/02/23 22:55:42.0781 3716 ApfiltrService (285b803bfa147716b6fe7545586450cd) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
    2011/02/23 22:55:43.0515 3716 Aspi32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\Aspi32.sys
    2011/02/23 22:55:43.0687 3716 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/02/23 22:55:43.0828 3716 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/02/23 22:55:44.0171 3716 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/02/23 22:55:44.0328 3716 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/02/23 22:55:44.0500 3716 BCM43XX (e7debb46b9ef1f28932e533be4a3d1a9) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
    2011/02/23 22:55:44.0671 3716 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/02/23 22:55:44.0921 3716 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
    2011/02/23 22:55:45.0078 3716 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys
    2011/02/23 22:55:45.0234 3716 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
    2011/02/23 22:55:45.0390 3716 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
    2011/02/23 22:55:45.0562 3716 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
    2011/02/23 22:55:45.0718 3716 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/02/23 22:55:45.0859 3716 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/02/23 22:55:46.0125 3716 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/02/23 22:55:46.0343 3716 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/02/23 22:55:46.0625 3716 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/02/23 22:55:46.0906 3716 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/02/23 22:55:47.0156 3716 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/02/23 22:55:47.0609 3716 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/02/23 22:55:47.0796 3716 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/02/23 22:55:48.0015 3716 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/02/23 22:55:48.0156 3716 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/02/23 22:55:48.0468 3716 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/02/23 22:55:48.0750 3716 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/02/23 22:55:48.0890 3716 eabfiltr (c6aca0190ee7b614673ee0c91863b1eb) C:\WINDOWS\system32\drivers\EABFiltr.sys
    2011/02/23 22:55:49.0015 3716 eabusb (da1011db09ad641de40cd5cca70c0c43) C:\WINDOWS\system32\drivers\eabusb.sys
    2011/02/23 22:55:49.0187 3716 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/02/23 22:55:49.0343 3716 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2011/02/23 22:55:49.0578 3716 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/02/23 22:55:49.0718 3716 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/02/23 22:55:49.0921 3716 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/02/23 22:55:50.0093 3716 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/02/23 22:55:50.0203 3716 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/02/23 22:55:50.0328 3716 GEARAspiWDM (ab8a6a87d9d7255c3884d5b9541a6e80) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2011/02/23 22:55:50.0468 3716 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/02/23 22:55:50.0687 3716 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/02/23 22:55:50.0968 3716 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/02/23 22:55:51.0296 3716 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/02/23 22:55:51.0468 3716 ialm (f159a2aaf79d8fe6c7a77a8b3de92581) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    2011/02/23 22:55:51.0718 3716 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/02/23 22:55:51.0953 3716 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/02/23 22:55:52.0093 3716 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/02/23 22:55:52.0234 3716 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/02/23 22:55:52.0390 3716 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/02/23 22:55:52.0531 3716 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/02/23 22:55:52.0703 3716 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/02/23 22:55:52.0859 3716 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/02/23 22:55:53.0046 3716 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/02/23 22:55:53.0203 3716 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/02/23 22:55:53.0359 3716 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/02/23 22:55:53.0562 3716 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/02/23 22:55:53.0796 3716 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/02/23 22:55:54.0390 3716 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/02/23 22:55:54.0562 3716 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/02/23 22:55:54.0765 3716 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/02/23 22:55:54.0921 3716 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/02/23 22:55:55.0078 3716 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/02/23 22:55:55.0312 3716 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/02/23 22:55:55.0593 3716 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/02/23 22:55:55.0843 3716 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/02/23 22:55:55.0968 3716 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/02/23 22:55:56.0109 3716 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/02/23 22:55:56.0250 3716 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/02/23 22:55:56.0390 3716 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/02/23 22:55:56.0531 3716 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/02/23 22:55:56.0718 3716 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/02/23 22:55:56.0875 3716 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/02/23 22:55:57.0046 3716 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/02/23 22:55:57.0203 3716 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/02/23 22:55:57.0375 3716 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/02/23 22:55:57.0515 3716 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/02/23 22:55:57.0656 3716 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/02/23 22:55:57.0796 3716 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/02/23 22:55:57.0937 3716 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/02/23 22:55:58.0109 3716 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/02/23 22:55:58.0312 3716 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/02/23 22:55:58.0500 3716 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/02/23 22:55:58.0734 3716 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/02/23 22:55:58.0890 3716 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/02/23 22:55:59.0015 3716 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/02/23 22:55:59.0187 3716 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2011/02/23 22:55:59.0343 3716 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/02/23 22:55:59.0468 3716 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/02/23 22:55:59.0625 3716 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/02/23 22:55:59.0859 3716 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
    2011/02/23 22:55:59.0984 3716 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2011/02/23 22:56:00.0937 3716 PhilCam8116 (a3a4d50051ddbcf390e5918c43c167ef) C:\WINDOWS\system32\DRIVERS\CamDrL21.sys
    2011/02/23 22:56:01.0093 3716 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/02/23 22:56:01.0234 3716 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/02/23 22:56:01.0375 3716 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/02/23 22:56:01.0515 3716 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/02/23 22:56:02.0156 3716 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/02/23 22:56:02.0312 3716 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/02/23 22:56:02.0468 3716 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/02/23 22:56:02.0609 3716 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/02/23 22:56:02.0734 3716 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/02/23 22:56:02.0890 3716 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/02/23 22:56:03.0046 3716 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/02/23 22:56:03.0218 3716 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/02/23 22:56:03.0359 3716 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
    2011/02/23 22:56:03.0562 3716 RTL8023xp (1e7978c5e355407efdfc7b7328ef13e7) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
    2011/02/23 22:56:03.0718 3716 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
    2011/02/23 22:56:03.0859 3716 s117bus (1f561844318914e7eb6e54673a4cc54c) C:\WINDOWS\system32\DRIVERS\s117bus.sys
    2011/02/23 22:56:04.0015 3716 s117mdfl (ba93eec3cdf6a63b77ae66221aa4f902) C:\WINDOWS\system32\DRIVERS\s117mdfl.sys
    2011/02/23 22:56:04.0171 3716 s117mdm (cba12fd8a8ee5b5cdfbbae2381cd6703) C:\WINDOWS\system32\DRIVERS\s117mdm.sys
    2011/02/23 22:56:04.0343 3716 s117mgmt (bd6483e64b1da17e812b34bcdefd9459) C:\WINDOWS\system32\DRIVERS\s117mgmt.sys
    2011/02/23 22:56:04.0500 3716 s117nd5 (c7ca36c3054b4cd47a1f6611b046e2f9) C:\WINDOWS\system32\DRIVERS\s117nd5.sys
    2011/02/23 22:56:04.0671 3716 s117obex (e290b3a6b58fb72ca97dd48d64e4fc1c) C:\WINDOWS\system32\DRIVERS\s117obex.sys
    2011/02/23 22:56:04.0843 3716 s117unic (5c4d1ba23c7511ac880e8ba7baa80dba) C:\WINDOWS\system32\DRIVERS\s117unic.sys
    2011/02/23 22:56:05.0031 3716 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/02/23 22:56:05.0218 3716 senfilt (9a4c4a4b191200f12085d188be70e4e3) C:\WINDOWS\system32\drivers\senfilt.sys
    2011/02/23 22:56:05.0468 3716 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2011/02/23 22:56:05.0640 3716 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/02/23 22:56:05.0937 3716 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/02/23 22:56:06.0125 3716 smwdm (014ab093e6452ea88031bb6e22919bb5) C:\WINDOWS\system32\drivers\smwdm.sys
    2011/02/23 22:56:06.0453 3716 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/02/23 22:56:06.0718 3716 sptd (d390675b8ce45e5fb359338e5e649329) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/02/23 22:56:06.0718 3716 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d390675b8ce45e5fb359338e5e649329
    2011/02/23 22:56:06.0734 3716 sptd - detected Locked file (1)
    2011/02/23 22:56:06.0875 3716 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/02/23 22:56:07.0078 3716 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/02/23 22:56:07.0281 3716 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/02/23 22:56:07.0453 3716 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/02/23 22:56:07.0578 3716 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/02/23 22:56:08.0203 3716 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/02/23 22:56:08.0484 3716 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/02/23 22:56:08.0656 3716 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
    2011/02/23 22:56:08.0796 3716 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/02/23 22:56:09.0000 3716 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/02/23 22:56:09.0140 3716 TermDD (d51e6f456701cb24e7d35e55f38175a4) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/02/23 22:56:09.0140 3716 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: d51e6f456701cb24e7d35e55f38175a4, Fake md5: 88155247177638048422893737429d9e
    2011/02/23 22:56:09.0156 3716 TermDD - detected Rootkit.Win32.TDSS.tdl3 (0)
    2011/02/23 22:56:09.0421 3716 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
    2011/02/23 22:56:09.0562 3716 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/02/23 22:56:09.0843 3716 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/02/23 22:56:10.0031 3716 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    2011/02/23 22:56:10.0187 3716 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/02/23 22:56:10.0328 3716 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/02/23 22:56:10.0500 3716 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/02/23 22:56:10.0640 3716 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/02/23 22:56:10.0781 3716 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/02/23 22:56:10.0953 3716 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/02/23 22:56:11.0093 3716 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/02/23 22:56:11.0250 3716 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/02/23 22:56:11.0500 3716 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/02/23 22:56:11.0687 3716 w800bus (731ee7f3e635ee060ede1bb26c90d231) C:\WINDOWS\system32\DRIVERS\w800bus.sys
    2011/02/23 22:56:11.0828 3716 w800mdfl (ea5fd1aa88ea436bc6218282507ef450) C:\WINDOWS\system32\DRIVERS\w800mdfl.sys
    2011/02/23 22:56:11.0953 3716 w800mdm (806eced80c80ee07dd32ff720ca9d8d6) C:\WINDOWS\system32\DRIVERS\w800mdm.sys
    2011/02/23 22:56:12.0093 3716 w800mgmt (b420b0023f068cbf00e1b9591bed1437) C:\WINDOWS\system32\DRIVERS\w800mgmt.sys
    2011/02/23 22:56:12.0250 3716 w800obex (dcd2be4ebb36cfac0fe9094d5aa2c618) C:\WINDOWS\system32\DRIVERS\w800obex.sys
    2011/02/23 22:56:12.0390 3716 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/02/23 22:56:12.0625 3716 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/02/23 22:56:12.0859 3716 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2011/02/23 22:56:13.0015 3716 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
    2011/02/23 22:56:13.0187 3716 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/02/23 22:56:13.0359 3716 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/02/23 22:56:13.0515 3716 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/02/23 22:56:13.0968 3716 ================================================================================
    2011/02/23 22:56:13.0968 3716 Scan finished
    2011/02/23 22:56:13.0968 3716 ================================================================================
    2011/02/23 22:56:14.0000 1328 Detected object count: 2
    2011/02/23 22:56:31.0515 1328 Locked file(sptd) - User select action: Skip
    2011/02/23 22:56:31.0625 1328 TermDD (d51e6f456701cb24e7d35e55f38175a4) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/02/23 22:56:31.0625 1328 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: d51e6f456701cb24e7d35e55f38175a4, Fake md5: 88155247177638048422893737429d9e
    2011/02/23 22:56:34.0484 1328 Backup copy found, using it..
    2011/02/23 22:56:34.0484 1328 C:\WINDOWS\system32\DRIVERS\termdd.sys - will be cured after reboot
    2011/02/23 22:56:34.0484 1328 Rootkit.Win32.TDSS.tdl3(TermDD) - User select action: Cure
    2011/02/23 22:56:43.0031 2144 Deinitialize success
  9. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    Well done :)

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
  10. Drena Designs

    Drena Designs Newcomer, in training Topic Starter Posts: 25

    RkU Version: 3.8.388.590, Type LE (SR2)
    ==============================================
    OS Name: Windows XP
    Version 5.1.2600 (Service Pack 3)
    Number of processors #1
    ==============================================
    >Drivers
    ==============================================
    0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2066816 bytes (Microsoft Corporation, NT Kernel & System)
    0x804D7000 PnpManager 2066816 bytes
    0x804D7000 RAW 2066816 bytes
    0x804D7000 WMIxWDM 2066816 bytes
    0xBF800000 Win32k 1851392 bytes
    0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0xF74A7000 C:\WINDOWS\system32\DRIVERS\AGRSM.sys 1069056 bytes (Agere Systems, SoftModem Device Driver)
    0xF82B7000 PCI_NTPNP0952 958464 bytes
    0xF82B7000 sptd.sys 958464 bytes
    0xBF068000 C:\WINDOWS\System32\ialmdd5.DLL 847872 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
    0xF7756000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 778240 bytes (Intel Corporation, Intel Graphics Miniport Driver)
    0xF8122000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
    0xAA47D000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0xF75AC000 C:\WINDOWS\system32\drivers\senfilt.sys 385024 bytes (Sensaura, Sensaura WDM 3D Audio Driver)
    0xF7407000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
    0xF76C3000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 372736 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
    0xAA59A000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
    0xA9CB0000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
    0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
    0xA9679000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0xF7671000 C:\WINDOWS\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
    0xAA562000 C:\WINDOWS\system32\DRIVERS\tcpip6.sys 229376 bytes (Microsoft Corporation, IPv6 driver)
    0xF8271000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
    0xA9EAA000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
    0xF80F5000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
    0xA903D000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
    0xAA4ED000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0xBF03F000 C:\WINDOWS\System32\ialmdev5.DLL 167936 bytes (Intel Corporation, Component GHAL Driver)
    0xAA53A000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
    0xAA457000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
    0xAA34F000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
    0xF764D000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0xF771E000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0xF762A000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
    0xAA518000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0x806D0000 ACPI_HAL 131840 bytes
    0x806D0000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0xF760A000 C:\WINDOWS\system32\drivers\aeaudio.sys 131072 bytes (Andrea Electronics Corporation, Andrea Audio Noise Cancellation Driver)
    0xF81EB000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0xF8223000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
    0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 126976 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
    0xF8242000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
    0xF748D000 C:\WINDOWS\system32\DRIVERS\Apfiltr.sys 106496 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
    0xF80DB000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
    0xF820B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
    0xAA337000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
    0xF829F000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
    0xF81C2000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0xF7476000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0xA9D55000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
    0xF7742000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
    0xAA5F3000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
    0xF81AF000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
    0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
    0xF83A1000 klmdb.sys 73728 bytes
    0xF76B1000 C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys 73728 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
    0xF81D9000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
    0xF8260000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0xF7465000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
    0xF8564000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0xF8514000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
    0xF8574000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
    0xAA383000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
    0xF8634000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
    0xF84F4000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
    0xF8544000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
    0xF8584000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0xF84D4000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0xF85A4000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0xF8654000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
    0xF8554000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
    0xF84C4000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
    0xF8594000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0xF84B4000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
    0xF85D4000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
    0xF85C4000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
    0xF84E4000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
    0xF8534000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
    0xF8664000 C:\WINDOWS\system32\drivers\ip6fw.sys 36864 bytes (Microsoft Corporation, IPv6 Windows Firewall Driver)
    0xF85B4000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
    0xF8644000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
    0xA93A0000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
    0xF8504000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
    0xF8674000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0xF882C000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
    0xF88B4000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
    0xF8824000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0xF8734000 C:\WINDOWS\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0xF8884000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
    0xF8834000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
    0xF883C000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
    0xF881C000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
    0xF88A4000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0xF88AC000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
    0xF873C000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
    0xF884C000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
    0xF8854000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
    0xF8844000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
    0xF878C000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
    0xA9FC7000 C:\WINDOWS\System32\Drivers\Aspi32.SYS 16384 bytes (Adaptec, ASPI for WIN32 Kernel Driver)
    0xF88CC000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
    0xF808E000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
    0xF806E000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
    0xAA2AB000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
    0xF88D0000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
    0xF88C4000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
    0xF88C8000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
    0xAA653000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
    0xF8086000 C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys 12288 bytes (GEAR Software Inc., CD DVD Filter)
    0xF807E000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0xF8984000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
    0xF809E000 C:\WINDOWS\system32\DRIVERS\tunmp.sys 12288 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
    0xF809A000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
    0xF89F2000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
    0xF8A2C000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
    0xF89FC000 C:\WINDOWS\system32\drivers\EABFiltr.sys 8192 bytes (Hewlett-Packard Development Company, L.P., QLB PS/2 Keyboard filter driver)
    0xF89F0000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
    0xF89B8000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
    0xF89B4000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
    0xF89F4000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
    0xF89F6000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
    0xF89D4000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0xF89E2000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    0xF89B6000 C:\WINDOWS\System32\Drivers\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0xF8BBF000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
    0xF8BBA000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
    0xF8B1D000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
    0xF8A7D000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
    0x82B6D1E8 unknown_irp_handler 3608 bytes
    0x8289B1E8 unknown_irp_handler 3608 bytes
    0x824C61E8 unknown_irp_handler 3608 bytes
    0x82A171E8 unknown_irp_handler 3608 bytes
    0x82BDB1E8 unknown_irp_handler 3608 bytes
    0x824EA1E8 unknown_irp_handler 3608 bytes
    0x82A001E8 unknown_irp_handler 3608 bytes
    0x824CE1E8 unknown_irp_handler 3608 bytes
    0x8246C790 unknown_irp_handler 2160 bytes
    ==============================================
    >Stealth
    ==============================================
    WARNING: Virus alike driver modification [k600cm95.sys]
    WARNING: Virus alike driver modification [w800cm95.sys]
    WARNING: Virus alike driver modification [v800cm95.sys]
    WARNING: Virus alike driver modification [k750cm95.sys]
    WARNING: Virus alike driver modification [z800cm95.sys]
    WARNING: Virus alike driver modification [acpiec.sys]
    WARNING: Virus alike driver modification [cpqdap01.sys]
    WARNING: Virus alike driver modification [nikedrv.sys]
    WARNING: Virus alike driver modification [rio8drv.sys]
    WARNING: Virus alike driver modification [riodrv.sys]
    WARNING: Virus alike driver modification [ws2ifsl.sys]
    WARNING: Virus alike driver modification [LVUSBSta.sys]
    WARNING: Virus alike driver modification [fsvga.sys]
    WARNING: Virus alike driver modification [mouhid.sys]
    WARNING: Virus alike driver modification [s117cmnt.sys]
    WARNING: Virus alike driver modification [s117whnt.sys]
    WARNING: Virus alike driver modification [nwlnkflt.sys]
    WARNING: Virus alike driver modification [ftdisk.sys]
    WARNING: Virus alike driver modification [adiusbaw.sys]
    WARNING: Virus alike driver modification [cbidf2k.sys]
    WARNING: Virus alike driver modification [smclib.sys]
    WARNING: Virus alike driver modification [RTL8139.sys]
    WARNING: Virus alike driver modification [tsbvcap.sys]
    WARNING: Virus alike driver modification [cinemst2.sys]
    WARNING: Virus alike driver modification [atmepvc.sys]
    WARNING: Virus alike driver modification [nwlnkfwd.sys]
    WARNING: Virus alike driver modification [ipfltdrv.sys]
    WARNING: Virus alike driver modification [rawwan.sys]
    WARNING: Virus alike driver modification [atmuni.sys]
    WARNING: Virus alike driver modification [pxhelp20.sys]
    WARNING: Virus alike driver modification [CamDrL21.sys]
    WARNING: Virus alike driver modification [wpdusb.sys]
    WARNING: Virus alike driver modification [tosdvd.sys]
    WARNING: Virus alike driver modification [k600bus.sys]
    WARNING: Virus alike driver modification [v800bus.sys]
    WARNING: Virus alike driver modification [k750bus.sys]
    WARNING: Virus alike driver modification [z800bus.sys]
    WARNING: Virus alike driver modification [nwlnkspx.sys]
    WARNING: Virus alike driver modification [k600whnt.sys]
    WARNING: Virus alike driver modification [k750whnt.sys]
    WARNING: Virus alike driver modification [w800whnt.sys]
    WARNING: Virus alike driver modification [z800whnt.sys]
    WARNING: Virus alike driver modification [EabUsb.sys]
    WARNING: Virus alike driver modification [v800whnt.sys]
    WARNING: Virus alike driver modification [vdmindvd.sys]
    WARNING: Virus alike driver modification [dmload.sys]
    WARNING: Virus alike driver modification [rootmdm.sys]
    WARNING: Virus alike driver modification [k600mdfl.sys]
    WARNING: Virus alike driver modification [k600cmnt.sys]
    WARNING: Virus alike driver modification [w800cmnt.sys]
    WARNING: Virus alike driver modification [k750cmnt.sys]
    WARNING: Virus alike driver modification [v800cmnt.sys]
    WARNING: Virus alike driver modification [z800cmnt.sys]
    WARNING: Virus alike driver modification [v800mdfl.sys]
    WARNING: File locked for read access [C:\WINDOWS\system32\drivers\sptd.sys]
    WARNING: Virus alike driver modification [nwlnknb.sys]
    WARNING: Virus alike driver modification [k750mdfl.sys]
    WARNING: Virus alike driver modification [z800mdfl.sys]
    WARNING: Virus alike driver modification [k750wh95.sys]
    WARNING: Virus alike driver modification [z800wh95.sys]
    WARNING: Virus alike driver modification [k600wh95.sys]
    WARNING: Virus alike driver modification [w800wh95.sys]
    WARNING: Virus alike driver modification [v800wh95.sys]
    WARNING: Virus alike driver modification [parvdm.sys]
    WARNING: Virus alike driver modification [v800obex.sys]
    WARNING: Virus alike driver modification [mcd.sys]
    WARNING: Virus alike driver modification [k600obex.sys]
    WARNING: Virus alike driver modification [WudfPf.sys]
    WARNING: Virus alike driver modification [v800mgmt.sys]
    WARNING: Virus alike driver modification [k600mgmt.sys]
    WARNING: Virus alike driver modification [k750obex.sys]
    WARNING: Virus alike driver modification [z800obex.sys]
    WARNING: Virus alike driver modification [k750mgmt.sys]
    WARNING: Virus alike driver modification [z800mgmt.sys]
    WARNING: Virus alike driver modification [WudfRd.sys]
    WARNING: Virus alike driver modification [v800mdm.sys]
    WARNING: Virus alike driver modification [k600mdm.sys]
    WARNING: Virus alike driver modification [k750mdm.sys]
    WARNING: Virus alike driver modification [z800mdm.sys]
  11. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  12. Drena Designs

    Drena Designs Newcomer, in training Topic Starter Posts: 25

    As soon as this finished, a Windows Security Alert popup appeared asking whether I wished to keep blocking Internet Explorer or not. I haven't answered yet. What should I answer at this stage?





    ComboFix 11-02-23.05 - Swifter 23/02/2011 23:23:32.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.502.204 [GMT 0:00]
    Running from: c:\documents and settings\Swifter\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    /wow section - STAGE 25
    The system cannot find the path specified.
    @DO was unexpected at this time.


    ((((((((((((((((((((((((( Files Created from 2011-01-23 to 2011-02-23 )))))))))))))))))))))))))))))))
    .

    2011-02-23 22:59 . 2011-02-23 22:59 -------- d-----w- c:\windows\LastGood
    2011-02-23 21:57 . 2011-02-23 21:57 152051 ----a-w- c:\windows\system32\taskmgrmgr.exe
    2011-02-23 19:17 . 2011-02-23 19:17 -------- d-----w- c:\documents and settings\Swifter\Application Data\Malwarebytes
    2011-02-23 18:53 . 2011-02-23 18:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2011-02-23 18:53 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-23 18:53 . 2011-02-23 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-02-23 18:53 . 2011-02-23 18:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-23 18:53 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-18 20:04 . 2011-02-18 21:18 152051 ----a-w- c:\windows\Explorermgr.exe
    2011-02-18 12:04 . 2011-02-18 12:04 -------- d-----w- c:\documents and settings\Swifter\Application Data\AVG10
    2011-02-18 12:02 . 2011-02-18 12:02 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-02-18 11:57 . 2011-02-23 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2011-02-18 11:15 . 2011-02-23 20:43 -------- d-----w- c:\program files\ayirbhrn
    2011-02-18 11:15 . 2011-02-18 11:15 -------- d-----w- c:\documents and settings\Swifter\cs
    2011-02-13 20:39 . 2011-02-18 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-02-09 13:32 . 2006-12-15 03:09 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
    2011-02-07 21:44 . 2011-02-08 19:16 -------- d-----w- c:\documents and settings\Swifter\Local Settings\Application Data\AskToolbar
    2011-02-07 21:27 . 2011-02-17 12:31 -------- d-----w- c:\documents and settings\Swifter\Application Data\FrostWire
    2011-02-07 21:27 . 2011-02-18 11:15 -------- d-----w- c:\program files\Ask.com
    2011-02-07 21:26 . 2011-02-18 12:18 -------- d-----w- c:\program files\FrostWire
    2011-02-07 21:10 . 2011-02-18 15:46 -------- d-----w- c:\program files\Blinkx
    2011-01-28 21:40 . 2011-01-28 21:40 -------- d-----w- c:\windows\system32\wbem\Repository

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-23 22:57 . 2006-02-25 20:29 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
    2010-11-26 08:22 . 2010-11-26 08:22 458752 ----a-w- c:\windows\system32\ssblinkx.scr
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-09-28 22:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-13 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-13 126976]
    "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 205169]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 561568]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 950798]
    "basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SoundMAX"=c:\program files\Analog Devices\SoundMAX\Smax4.exe /tray
    "SoundMAXPnP"=c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe
    "AGRSMMSG"=AGRSMMSG.exe
    "Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "17166:TCP"= 17166:TCP:BitComet 17166 TCP
    "17166:UDP"= 17166:UDP:BitComet 17166 UDP
    "22136:TCP"= 22136:TCP:BitComet 22136 TCP
    "22136:UDP"= 22136:UDP:BitComet 22136 UDP

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [07/08/2007 22:40 685816]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - KLMDB
    *NewlyCreated* - NORMANDY
    *Deregistered* - klmdb
    *Deregistered* - Normandy
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2011-02-18 c:\windows\Tasks\Epson Printer Software Downloader.job
    - c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-05-26 11:43]

    2011-02-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-09-28 22:44]

    2011-02-23 c:\windows\Tasks\User_Feed_Synchronization-{6C5A829B-00FC-4AB1-BEFD-3BE4BA8BD8C6}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    TCP: {060000B6-B48C-4731-86DC-5733EA900558} = 192.168.0.1
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-klmdb.sys



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-23 23:29
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwQueryDirectoryFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????0?4?5?0??????? ???B???????????????B? ??????

    scanning hidden files ...


    c:\documents and settings\Swifter\Start Menu\Programs\Startup\ifahlkbe.exe 152051 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1444)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-02-23 23:34:39
    ComboFix-quarantined-files.txt 2011-02-23 23:34
    ComboFix2.txt 2011-02-23 21:01

    Pre-Run: 23,541,362,688 bytes free
    Post-Run: 23,576,473,600 bytes free

    - - End Of File - - FAD7E1021B2310F6DF157E5D98930628
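    The log above shows the pattern worth learning from this infection: taskmgrmgr.exe, Explorermgr.exe and the hidden Startup-folder file ifahlkbe.exe are all exactly 152051 bytes, i.e. one dropper written out under several names, two of them borrowing the name of a well-known Windows binary. The script below is an added example (not part of this thread and not ComboFix or catchme code) that parses lines in the "Files Created" format ComboFix prints and the "hidden files" line catchme prints, then reports same-size executable clusters, system-binary lookalikes and executables in a Startup folder. The sample log is constructed from the lines posted above, and the SYSTEM_STEMS list is an assumption chosen for this example.

```python
"""Flag Zbot-style same-size droppers in ComboFix / catchme output.

Added example for this thread (not the forum's or ComboFix's own code).
It parses the 'Files Created' lines ComboFix prints and the 'hidden files'
line catchme prints, then reports executables that share one byte size
under different names, names that borrow a well-known Windows binary's
name, and executables sitting in a Startup folder.
"""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed sample, copied in the shape of the log lines in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-01-23 to 2011-02-23 )))))))))))))))))))))))))))))))
2011-02-23 21:57 . 2011-02-23 21:57 152051 ----a-w- c:\windows\system32\taskmgrmgr.exe
2011-02-23 18:53 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-18 20:04 . 2011-02-18 21:18 152051 ----a-w- c:\windows\Explorermgr.exe
2011-02-18 11:15 . 2011-02-23 20:43 -------- d-----w- c:\program files\ayirbhrn
2011-02-09 13:32 . 2006-12-15 03:09 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2010-11-26 08:22 . 2010-11-26 08:22 458752 ----a-w- c:\windows\system32\ssblinkx.scr
scanning hidden files ...
c:\documents and settings\Swifter\Start Menu\Programs\Startup\ifahlkbe.exe 152051 bytes executable
"""

# ComboFix: "<created> . <modified> <size|--------> <attrs> <path>"
COMBOFIX_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# catchme: "<path> <size> bytes executable"
CATCHME_RE = re.compile(r"^(?P<path>.+?) (?P<size>\d+) bytes executable$")

EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".sys", ".cpl", ".com")
# Assumption for this example: binaries whose names a dropper may borrow
# (the thread shows taskmgrmgr.exe, Explorermgr.exe, notepadmgr.exe).
SYSTEM_STEMS = {"taskmgr", "explorer", "notepad", "regedit", "msconfig", "winlogon"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


class FileEntry(NamedTuple):
    path: str            # lower-cased Windows path
    size: Optional[int]  # None for directories
    is_dir: bool
    source: str          # "combofix" or "catchme"


def parse_log(text: str) -> List[FileEntry]:
    """Extract file entries from a pasted ComboFix/catchme log; other lines are ignored."""
    entries: List[FileEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = COMBOFIX_RE.match(line)
        if m:
            is_dir = m.group("attrs").startswith("d")
            size = None if is_dir else int(m.group("size"))
            entries.append(FileEntry(m.group("path").lower(), size, is_dir, "combofix"))
            continue
        m = CATCHME_RE.match(line)
        if m:
            entries.append(FileEntry(m.group("path").lower(), int(m.group("size")), False, "catchme"))
    return entries


def size_clusters(entries: List[FileEntry], min_members: int = 2) -> Dict[int, List[str]]:
    """Group executables by exact byte size; a dropper copied under several names shows up here."""
    by_size: Dict[int, List[str]] = defaultdict(list)
    for e in entries:
        if e.is_dir or e.size is None or not e.path.endswith(EXECUTABLE_EXT):
            continue
        if e.path not in by_size[e.size]:
            by_size[e.size].append(e.path)
    return {s: paths for s, paths in by_size.items() if len(paths) >= min_members}


def mimics_system_binary(path: str) -> bool:
    """True for names like explorermgr.exe: a known binary's name with extra characters appended."""
    stem, ext = ntpath.splitext(ntpath.basename(path.lower()))
    if ext != ".exe":
        return False
    return any(stem.startswith(s) and stem != s for s in SYSTEM_STEMS)


def assess(text: str) -> List[str]:
    """Return human-readable findings for a pasted log, clusters first."""
    entries = parse_log(text)
    findings: List[str] = []
    for size, paths in sorted(size_clusters(entries).items()):
        findings.append(f"{len(paths)} executables share size {size}: " + ", ".join(paths))
    for e in entries:
        if mimics_system_binary(e.path):
            findings.append(f"system-binary lookalike: {e.path}")
        if STARTUP_MARKER in e.path and e.path.endswith(EXECUTABLE_EXT):
            hidden = " (hidden from the API, per catchme)" if e.source == "catchme" else ""
            findings.append(f"executable in Startup folder{hidden}: {e.path}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG):
        print(finding)
```

    Run it against a pasted ComboFix.txt and the cluster report alone would have pointed at all three 152051-byte copies, including the one later found hidden in the Startup folder, before any of them was named in a fix script. Matching on exact size is a cheap first pass only: once one copy is quarantined, hash it so the remaining copies can be matched even if the dropper pads or re-packs them.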
  13. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    Uninstall Ask Toolbar, which is known foistware.

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\Swifter\Start Menu\Programs\Startup\ifahlkbe.exe
    
    Folder::
    c:\program files\ayirbhrn
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (if it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  14. Drena Designs

    Drena Designs Newcomer, in training Topic Starter Posts: 25

    ComboFix 11-02-23.05 - Swifter 24/02/2011 0:04.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.502.117 [GMT 0:00]
    Running from: c:\documents and settings\Swifter\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Swifter\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\documents and settings\Swifter\Start Menu\Programs\Startup\ifahlkbe.exe"
    .
    /wow section - STAGE 25
    The system cannot find the path specified.
    grep: temp2401: No such file or directory
    @DO was unexpected at this time.


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Swifter\Start Menu\Programs\Startup\ifahlkbe.exe

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-24 to 2011-02-24 )))))))))))))))))))))))))))))))
    .

    2011-02-24 00:01 . 2011-02-24 00:01 152051 ----a-w- c:\windows\system32\notepadmgr.exe
    2011-02-23 22:59 . 2011-02-23 22:59 -------- d-----w- c:\windows\LastGood
    2011-02-23 21:57 . 2011-02-23 21:57 152051 ----a-w- c:\windows\system32\taskmgrmgr.exe
    2011-02-23 19:17 . 2011-02-23 19:17 -------- d-----w- c:\documents and settings\Swifter\Application Data\Malwarebytes
    2011-02-23 18:53 . 2011-02-23 18:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2011-02-23 18:53 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-23 18:53 . 2011-02-23 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-02-23 18:53 . 2011-02-23 18:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-23 18:53 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-18 20:04 . 2011-02-23 23:35 152051 ----a-w- c:\windows\Explorermgr.exe
    2011-02-18 12:04 . 2011-02-18 12:04 -------- d-----w- c:\documents and settings\Swifter\Application Data\AVG10
    2011-02-18 12:02 . 2011-02-18 12:02 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-02-18 11:57 . 2011-02-23 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2011-02-18 11:15 . 2011-02-24 00:12 -------- d-----w- c:\program files\ayirbhrn
    2011-02-18 11:15 . 2011-02-18 11:15 -------- d-----w- c:\documents and settings\Swifter\cs
    2011-02-13 20:39 . 2011-02-18 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-02-09 13:32 . 2006-12-15 03:09 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
    2011-02-07 21:27 . 2011-02-17 12:31 -------- d-----w- c:\documents and settings\Swifter\Application Data\FrostWire
    2011-02-07 21:26 . 2011-02-18 12:18 -------- d-----w- c:\program files\FrostWire
    2011-02-07 21:10 . 2011-02-18 15:46 -------- d-----w- c:\program files\Blinkx
    2011-01-28 21:40 . 2011-01-28 21:40 -------- d-----w- c:\windows\system32\wbem\Repository

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-23 22:57 . 2006-02-25 20:29 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
    2010-11-26 08:22 . 2010-11-26 08:22 458752 ----a-w- c:\windows\system32\ssblinkx.scr
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-02-23_23.29.30 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-09-09 15:26 . 2008-04-14 00:12 57344 c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcirt.dll
    + 2006-02-25 20:21 . 2004-08-04 12:00 54784 c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcirt.dll
    + 2006-02-25 20:21 . 2004-08-04 12:00 50688 c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcirt.dll
    + 2006-12-02 00:46 . 2006-12-02 00:46 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
    + 2006-12-02 00:08 . 2006-12-02 00:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
    + 2006-12-02 00:08 . 2006-12-02 00:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
    + 2006-12-02 00:08 . 2006-12-02 00:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
    + 2006-12-02 00:08 . 2006-12-02 00:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
    + 2006-12-02 00:08 . 2006-12-02 00:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
    + 2006-12-02 00:08 . 2006-12-02 00:08 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
  15. Drena Designs

    Drena Designs Newcomer, in training Topic Starter Posts: 25

    There are thousands of lines in between the above post and this final bit. If you need the whole lot, let me know.

    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-13 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-13 126976]
    "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 205169]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 561568]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 950798]
    "basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ayirbhrn\ifahlkbe.exe"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SoundMAX"=c:\program files\Analog Devices\SoundMAX\Smax4.exe /tray
    "SoundMAXPnP"=c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe
    "AGRSMMSG"=AGRSMMSG.exe
    "Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "17166:TCP"= 17166:TCP:BitComet 17166 TCP
    "17166:UDP"= 17166:UDP:BitComet 17166 UDP
    "22136:TCP"= 22136:TCP:BitComet 22136 TCP
    "22136:UDP"= 22136:UDP:BitComet 22136 UDP

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [07/08/2007 22:40 685816]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - KLMDB
    *NewlyCreated* - NORMANDY
    *Deregistered* - klmdb
    *Deregistered* - Normandy
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2011-02-18 c:\windows\Tasks\Epson Printer Software Downloader.job
    - c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-05-26 11:43]

    2011-02-23 c:\windows\Tasks\User_Feed_Synchronization-{6C5A829B-00FC-4AB1-BEFD-3BE4BA8BD8C6}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    TCP: {060000B6-B48C-4731-86DC-5733EA900558} = 192.168.0.1
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-24 00:12
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwQueryDirectoryFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????0?4?5?0??????? ???B???????????????B? ??????

    scanning hidden files ...


    c:\documents and settings\Swifter\Start Menu\Programs\Startup\ifahlkbe.exe 152051 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-02-24 00:16:37
    ComboFix-quarantined-files.txt 2011-02-24 00:16
    ComboFix2.txt 2011-02-23 23:34
    ComboFix3.txt 2011-02-23 21:01

    Pre-Run: 23,556,993,024 bytes free
    Post-Run: 23,368,884,224 bytes free

    - - End Of File - - 1F3538B7813E6F623E1EBFC5907AD5F9
  16. Drena Designs

    Drena Designs Newcomer, in training Topic Starter Posts: 25

    I'm off to bed now but will be back on tomorrow evening. Thanks for all your help so far Broni. Hopefully I can get this finished tomorrow!
  17. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    No problem :)

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\Swifter\Start Menu\Programs\Startup\ifahlkbe.exe
    
    DDS::
    uInternet Settings,ProxyOverride = <local>
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
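    As an added example (not part of this thread, and not ComboFix's own code), here is a small Python checker that parses the "Reg Loading Points" section of a ComboFix log and flags the two loading points the CFScript above resets: extra programs appended to Winlogon's Userinit value, and AntiVirusOverride set to 1 in the Security Center key. The two log snippets embedded in it are constructed to mirror the values in this thread's log.

```python
import re

# Constructed sample in the format ComboFix's "Reg Loading Points" section
# uses (REGEDIT4 header, single backslashes); values mirror this thread's log.
INFECTED_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ayirbhrn\ifahlkbe.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

# Constructed clean counterpart: Userinit holds only the genuine binary
# (the trailing comma is the Windows default) and the override is off.
CLEAN_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"""

WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
SECCENTER_KEY = r"hkey_local_machine\software\microsoft\security center"


def parse_reg_points(text):
    """Parse a REGEDIT4-style dump into {key_path_lower: {value_name_lower: raw_value}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            # Either "Name"="string value" or "Name"=dword:00000001
            name, _, value = line.partition("=")
            keys[current][name.strip('"').lower()] = value.strip().strip('"')
    return keys


def userinit_extras(value):
    """Return the comma-separated Userinit entries that are not the genuine
    userinit.exe under system32. Winlogon runs every entry in the list, so an
    appended path is the persistence point seen in this thread's log."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries
            if not e.lower().endswith(r"\system32\userinit.exe")]


def dword(value):
    """Convert 'dword:00000001' to an int, or None if the value is not a DWORD."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", value)
    return int(m.group(1), 16) if m else None


def audit_reg_points(text):
    """Return human-readable findings for the two loading points the CFScript resets."""
    keys = parse_reg_points(text)
    findings = []
    userinit = keys.get(WINLOGON_KEY, {}).get("userinit")
    if userinit is not None:
        for extra in userinit_extras(userinit):
            findings.append(f"Userinit launches extra program: {extra}")
    override = keys.get(SECCENTER_KEY, {}).get("antivirusoverride")
    if override is not None and dword(override) == 1:
        findings.append("AntiVirusOverride=1: Security Center AV monitoring silenced")
    return findings


if __name__ == "__main__":
    for label, log in (("infected", INFECTED_LOG), ("clean", CLEAN_LOG)):
        print(label, audit_reg_points(log) or ["no findings"])
```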
  18. Drena Designs

    Drena Designs Newcomer, in training Topic Starter Posts: 25

    FYI, the Windows Security Alert popup is still appearing, asking whether I want to continue to block IE.

    Here's the ComboFix log...


    ComboFix 11-02-24.01 - Swifter 24/02/2011 18:18:16.4.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.502.202 [GMT 0:00]
    Running from: c:\documents and settings\Swifter\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Swifter\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\documents and settings\Swifter\Start Menu\Programs\Startup\ifahlkbe.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Swifter\Start Menu\Programs\Startup\ifahlkbe.exe

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-24 to 2011-02-24 )))))))))))))))))))))))))))))))
    .

    2011-02-24 00:01 . 2011-02-24 00:01 152051 ----a-w- c:\windows\system32\notepadmgr.exe
    2011-02-23 21:57 . 2011-02-23 21:57 152051 ----a-w- c:\windows\system32\taskmgrmgr.exe
    2011-02-23 19:17 . 2011-02-23 19:17 -------- d-----w- c:\documents and settings\Swifter\Application Data\Malwarebytes
    2011-02-23 18:53 . 2011-02-23 18:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2011-02-23 18:53 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-23 18:53 . 2011-02-23 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-02-23 18:53 . 2011-02-23 18:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-23 18:53 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-18 20:04 . 2011-02-23 23:35 152051 ----a-w- c:\windows\Explorermgr.exe
    2011-02-18 12:04 . 2011-02-18 12:04 -------- d-----w- c:\documents and settings\Swifter\Application Data\AVG10
    2011-02-18 12:02 . 2011-02-18 12:02 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-02-18 11:57 . 2011-02-23 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2011-02-18 11:15 . 2011-02-24 00:12 -------- d-----w- c:\program files\ayirbhrn
    2011-02-18 11:15 . 2011-02-18 11:15 -------- d-----w- c:\documents and settings\Swifter\cs
    2011-02-13 20:39 . 2011-02-18 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-02-09 13:32 . 2006-12-15 03:09 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
    2011-02-07 21:27 . 2011-02-17 12:31 -------- d-----w- c:\documents and settings\Swifter\Application Data\FrostWire
    2011-02-07 21:26 . 2011-02-18 12:18 -------- d-----w- c:\program files\FrostWire
    2011-02-07 21:10 . 2011-02-18 15:46 -------- d-----w- c:\program files\Blinkx
    2011-01-28 21:40 . 2011-01-28 21:40 -------- d-----w- c:\windows\system32\wbem\Repository

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-23 22:57 . 2006-02-25 20:29 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
    .

    ((((((((((((((((((((((((((((( SnapShot_2011-02-24_00.12.53 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-02-24 18:08 . 2011-02-24 18:08 16384 c:\windows\Temp\Perflib_Perfdata_274.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-13 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-13 126976]
    "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 205169]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 561568]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 950798]
    "basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SoundMAX"=c:\program files\Analog Devices\SoundMAX\Smax4.exe /tray
    "SoundMAXPnP"=c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe
    "AGRSMMSG"=AGRSMMSG.exe
    "Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "17166:TCP"= 17166:TCP:BitComet 17166 TCP
    "17166:UDP"= 17166:UDP:BitComet 17166 UDP
    "22136:TCP"= 22136:TCP:BitComet 22136 TCP
    "22136:UDP"= 22136:UDP:BitComet 22136 UDP

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [07/08/2007 22:40 685816]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2011-02-18 c:\windows\Tasks\Epson Printer Software Downloader.job
    - c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-05-26 11:43]

    2011-02-24 c:\windows\Tasks\User_Feed_Synchronization-{6C5A829B-00FC-4AB1-BEFD-3BE4BA8BD8C6}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    TCP: {060000B6-B48C-4731-86DC-5733EA900558} = 192.168.0.1
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-24 18:24
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwQueryDirectoryFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????0?4?5?0??????? ???B???????????????B? ??????

    scanning hidden files ...


    c:\documents and settings\Swifter\Start Menu\Programs\Startup\ifahlkbe.exe 152051 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-02-24 18:29:04
    ComboFix-quarantined-files.txt 2011-02-24 18:28
    ComboFix2.txt 2011-02-24 00:16
    ComboFix3.txt 2011-02-23 23:34
    ComboFix4.txt 2011-02-23 21:01

    Pre-Run: 22,735,364,096 bytes free
    Post-Run: 22,751,215,616 bytes free

    - - End Of File - - 93226A96CA3CD3B1C74B7F307A1CB3F4
  19. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    Looks good now...

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  20. Drena Designs

    Drena Designs Newcomer, in training Topic Starter Posts: 25

    I'll run this now. There still seem to be several problems. If I connect a USB pen to it, it instantly adds a 'RECYCLER' folder and 4x shortcut files, which seem to be part of a trojan. Random shortcuts also appear on the desktop and the error messages for Quick Launch buttons continue to appear every time I boot it up.

    I'll run the program now and paste the logs in a minute.
  21. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    Do not connect any external devices for now.
  22. Drena Designs

    Drena Designs Newcomer, in training Topic Starter Posts: 25

    OTL TEXT:

    OTL logfile created on: 24/02/2011 23:26:08 - Run 1
    OTL by OldTimer - Version 3.2.21.0 Folder = C:\Documents and Settings\Swifter\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    502.00 Mb Total Physical Memory | 189.00 Mb Available Physical Memory | 38.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 79.00% Paging File free
    Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.25 Gb Total Space | 20.64 Gb Free Space | 55.41% Space Free | Partition Type: NTFS
    Drive E: | 959.13 Mb Total Space | 958.84 Mb Free Space | 99.97% Space Free | Partition Type: FAT

    Computer Name: JULIANS | User Name: Swifter | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/02/24 23:20:18 | 000,577,024 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Swifter\Desktop\OTL.exe
    PRC - [2009/04/07 09:13:10 | 000,673,616 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\Event Manager\EEventManager.exe
    PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2008/02/27 16:56:54 | 003,072,184 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe
    PRC - [2007/10/09 16:21:06 | 000,169,328 | ---- | M] (Maxtor Corporation) -- C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    PRC - [2007/10/09 16:21:02 | 000,124,280 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    PRC - [2006/12/15 03:23:27 | 000,075,520 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    PRC - [2006/04/18 08:32:00 | 000,561,568 | ---- | M] (Hewlett-Packard ) -- C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/02/24 23:20:18 | 000,577,024 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Swifter\Desktop\OTL.exe
    MOD - [2005/11/30 15:31:34 | 000,438,801 | ---- | M] (Hewlett-Packard ) -- C:\Program Files\HPQ\Quick Launch Buttons\cpqinfo.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- -- (IDriverT)
    SRV - File not found [On_Demand | Stopped] -- -- (hpqwmi)
    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - File not found [On_Demand | Stopped] -- -- (gusvc)
    SRV - File not found [Auto | Stopped] -- -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)
    SRV - File not found [Auto | Stopped] -- -- (EPSON_EB_RPCV4_01) EPSON V5 Service4(01)
    SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
    SRV - [2008/02/27 16:56:54 | 003,072,184 | ---- | M] (Kontiki Inc.) [Auto | Running] -- C:\Program Files\Kontiki\KService.exe -- (KService)
    SRV - [2007/10/25 14:27:54 | 000,421,255 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
    SRV - [2007/10/09 16:21:02 | 000,124,280 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe -- (Basics Service)


    ========== Driver Services (SafeList) ==========

    DRV - [2010/02/11 12:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
    DRV - [2008/04/13 18:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
    DRV - [2007/08/07 22:40:10 | 000,685,816 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
    DRV - [2007/06/25 09:43:38 | 000,098,344 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s117obex.sys -- (s117obex)
    DRV - [2007/06/25 09:43:36 | 000,108,456 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s117mdm.sys -- (s117mdm)
    DRV - [2007/06/25 09:43:36 | 000,100,264 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s117mgmt.sys -- (s117mgmt) Sony Ericsson Device 117 USB WMC Device Management Drivers (WDM)
    DRV - [2007/06/25 09:43:36 | 000,098,856 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s117unic.sys -- (s117unic) Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (WDM)
    DRV - [2007/06/25 09:43:36 | 000,022,952 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s117nd5.sys -- (s117nd5) Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (NDIS)
    DRV - [2007/06/25 09:43:26 | 000,014,888 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s117mdfl.sys -- (s117mdfl)
    DRV - [2007/06/25 09:43:22 | 000,082,984 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s117bus.sys -- (s117bus) Sony Ericsson Device 117 driver (WDM)
    DRV - [2005/11/16 13:12:46 | 001,066,278 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
    DRV - [2005/05/24 14:01:16 | 000,077,040 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w800obex.sys -- (w800obex)
    DRV - [2005/05/24 14:00:56 | 000,079,216 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w800mgmt.sys -- (w800mgmt)
    DRV - [2005/05/24 14:00:46 | 000,087,424 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w800mdm.sys -- (w800mdm)
    DRV - [2005/05/24 14:00:44 | 000,006,096 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w800mdfl.sys -- (w800mdfl)
    DRV - [2005/05/24 14:00:37 | 000,052,384 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w800bus.sys -- (w800bus) Sony Ericsson W800 driver (WDM)
    DRV - [2005/05/05 10:04:08 | 000,007,936 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
    DRV - [2005/05/05 10:04:04 | 000,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
    DRV - [2005/03/10 09:41:52 | 000,371,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
    DRV - [2005/01/31 17:23:08 | 000,109,319 | R--- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
    DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
    DRV - [2004/06/28 10:35:24 | 000,069,760 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
    DRV - [2004/04/26 09:49:56 | 000,381,056 | R--- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
    DRV - [2003/07/17 16:48:44 | 000,046,167 | ---- | M] (Analog Deivces) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\adildr.sys -- (ADILOADER) General Purpose USB Driver (adildr.sys)
    DRV - [2003/03/27 13:38:44 | 000,127,145 | ---- | M] (Analog Devices Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\adiusbaw.sys -- (adiusbaw)
    DRV - [2002/07/17 07:53:02 | 000,016,877 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\ASPI32.SYS -- (Aspi32)
    DRV - [2002/06/10 14:16:34 | 000,371,766 | ---- | M] (Philips Semiconductors) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CamDrL21.sys -- (PhilCam8116) Logitech QuickCam Pro 3000(PID_08B0)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-507921405-1659004503-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\S-1-5-21-507921405-1659004503-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    IE - HKU\S-1-5-21-507921405-1659004503-839522115-1004\..\URLSearchHook: - Reg Error: Key error. File not found
    IE - HKU\S-1-5-21-507921405-1659004503-839522115-1004\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-21-507921405-1659004503-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT1640187&SearchSource=3&q="
    FF - prefs.js..browser.startup.homepage: "http://www.google.com"
    FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429
    FF - prefs.js..extensions.enabledItems: m3ffxtbr@mywebsearch.com:1.1
    FF - prefs.js..extensions.enabledItems: {7c5c0f58-e061-457d-9033-77307f5ed00c}:1.5.45.0
    FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
    FF - prefs.js..keyword.URL: "http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRfox000&fl=0&ptb=kTH8wFRKbs5AqNC5cxm5Ow&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor="

    FF - HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\firefox\

    [2009/07/26 16:16:36 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Swifter\Application Data\Mozilla\Extensions
    [2008/06/19 13:36:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Swifter\Application Data\Mozilla\Extensions\home2@tomtom.com
    [2009/07/26 16:16:36 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Swifter\Application Data\Mozilla\Extensions\mozswing@mozswing.org
    [2011/01/28 17:34:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Swifter\Application Data\Mozilla\Firefox\Profiles\9g4z1utt.default\extensions
    [2010/07/21 21:11:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Swifter\Application Data\Mozilla\Firefox\Profiles\9g4z1utt.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/07/21 21:11:23 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Swifter\Application Data\Mozilla\Firefox\Profiles\9g4z1utt.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    [2010/07/21 21:11:39 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Swifter\Application Data\Mozilla\Firefox\Profiles\9g4z1utt.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    [2008/09/14 21:58:54 | 000,000,000 | ---D | M] (TorrentMan Toolbar) -- C:\Documents and Settings\Swifter\Application Data\Mozilla\Firefox\Profiles\9g4z1utt.default\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}
    [2009/12/17 20:39:09 | 000,009,941 | ---- | M] () -- C:\Documents and Settings\Swifter\Application Data\Mozilla\Firefox\Profiles\9g4z1utt.default\searchplugins\mywebsearch.xml
    [2011/01/29 09:32:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2008/06/12 11:30:37 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    [2008/06/04 16:38:46 | 000,000,000 | ---D | M] (TorrentMan Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}
    File not found (No name found) -- C:\PROGRAM FILES\AVG\AVG8\FIREFOX
    File not found (No name found) -- C:\PROGRAM FILES\MYWEBSEARCH\BAR\FIREFOX
    [2008/02/27 16:57:38 | 000,262,513 | ---- | M] (British Broadcasting Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npBBCPlugin.dll
    [2008/01/23 06:20:30 | 000,647,576 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll

    O1 HOSTS File: ([2011/02/24 18:23:59 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (dsWebAllowBHO Class) - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll (Microsoft Corporation)
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
    O2 - BHO: (no name) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - No CLSID value found.
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
    O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No CLSID value found.
    O3 - HKU\S-1-5-21-507921405-1659004503-839522115-1004\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-507921405-1659004503-839522115-1004\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-507921405-1659004503-839522115-1004\..\Toolbar\WebBrowser: (no name) - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - No CLSID value found.
    O3 - HKU\S-1-5-21-507921405-1659004503-839522115-1004\..\Toolbar\WebBrowser: (no name) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No CLSID value found.
    O3 - HKU\S-1-5-21-507921405-1659004503-839522115-1004\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [basicsmssmenu] C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe (Maxtor Corporation)
    O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
    O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
    O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
    O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
    O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
    O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe (Sun Microsystems, Inc.)
    O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-507921405-1659004503-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-507921405-1659004503-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-507921405-1659004503-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-507921405-1659004503-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\NPJPI150_11.dll (Sun Microsystems, Inc.)
    O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
    O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - Reg Error: Key error. File not found
    O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Program Files\ayirbhrn\ifahlkbe.exe) - C:\Program Files\ayirbhrn\ifahlkbe.exe File not found
    O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
    O24 - Desktop Components:0 () - file:///C:/DOCUME~1/Swifter/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg
    O24 - Desktop Components:1 (My Current Home Page) - About:Home
    O24 - Desktop WallPaper: C:\Documents and Settings\Swifter\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Swifter\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/02/25 20:34:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2011/02/24 23:20:48 | 000,013,534 | RHS- | M] () - E:\autorun.inf -- [ FAT ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - File not found
    O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKU\S-1-5-21-507921405-1659004503-839522115-1004\...com [@ = ComFile] -- Reg Error: Key error. File not found

    NetSvcs: AppMgmt - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.at3 - C:\WINDOWS\System32\atrac3.acm ()
    Drivers32: msacm.divxa32 - C:\WINDOWS\System32\DivXa32.acm (Hacked With Joy !)
    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.imc - C:\WINDOWS\System32\IMC32.ACM (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\System32\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
    Drivers32: msacm.lhacm - C:\WINDOWS\System32\lhacm.acm (Microsoft Corporation)
    Drivers32: msacm.pcdv - C:\WINDOWS\System32\pcdv.acm (Canopus Co., Ltd.)
    Drivers32: msacm.qmpeg - C:\WINDOWS\System32\qmpeg.acm (QDesign Corporation)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: msacm.vorbis - C:\WINDOWS\System32\vorbis.acm (HMS http://hp.vector.co.jp/authors/VA012897/)
    Drivers32: msacm.voxacm160 - C:\WINDOWS\System32\vct3216.acm (Voxware, Inc.)
    Drivers32: msacm.wrpr - C:\WINDOWS\System32\AVIWRAP.DLL ()
    Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.3ivx - C:\WINDOWS\System32\3ivxVfWCodec.dll (3ivx.com)
    Drivers32: vidc.aasc - C:\WINDOWS\System32\AASC32.DLL (Autodesk, Inc.)
    Drivers32: vidc.advs - C:\WINDOWS\System32\Dvc.dll (Adaptec)
    Drivers32: vidc.aflc - C:\WINDOWS\System32\FLCCODEC32.DLL (Autodesk, Inc.)
    Drivers32: vidc.afli - C:\WINDOWS\System32\FLCCODEC32.DLL (Autodesk, Inc.)
    Drivers32: vidc.ap41 - C:\WINDOWS\System32\DivXc32f.dll (Hacked with Joy !)
    Drivers32: vidc.asv1 - C:\WINDOWS\System32\ASUSASV1.DLL ()
    Drivers32: vidc.asv2 - C:\WINDOWS\System32\ASUSASV2.dll ()
    Drivers32: vidc.avrn - C:\WINDOWS\System32\AvidAVICodec.dll (Avid Technology, Inc)
    Drivers32: vidc.bt20 - C:\WINDOWS\System32\BTVVC32.DRV (Brooktree Corporation)
    Drivers32: vidc.cdvc - C:\WINDOWS\System32\CSCCDVC.DLL (Canopus Co., Ltd.)
    Drivers32: vidc.cscd - C:\WINDOWS\System32\camcodec.dll (RenderSoft Software.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Compression Technologies, Inc.)
    Drivers32: vidc.dcmj - C:\WINDOWS\System32\mcmjpg32.dll (MainConcept)
    Drivers32: vidc.ddvc - C:\WINDOWS\System32\CSCdvsd.DLL (Canopus Co., Ltd.)
    Drivers32: vidc.div3 - C:\WINDOWS\System32\DivXc32.dll (Hacked with Joy !)
    Drivers32: vidc.div4 - C:\WINDOWS\System32\DivXc32f.dll (Hacked with Joy !)
    Drivers32: vidc.dmb1 - C:\WINDOWS\System32\M3JPEG32.DLL (Morgan Multimedia)
    Drivers32: vidc.dps0 - C:\WINDOWS\System32\DpsAviCC.dll (Digital Processing Systems Inc.)
    Drivers32: vidc.dv25 - C:\WINDOWS\System32\DigiVCap.dll (Matrox Electronic Systems)
    Drivers32: vidc.dv50 - C:\WINDOWS\System32\DigiVCap.dll (Matrox Electronic Systems)
    Drivers32: vidc.dvsd - C:\WINDOWS\System32\MCDVD_32.DLL (MainConcept)
    Drivers32: vidc.dvx4 - C:\WINDOWS\System32\divx4.dll (DivXNetworks, Inc.)
    Drivers32: vidc.em2v - C:\WINDOWS\System32\ETXCodec.dll (Etymonix Inc.)
    Drivers32: VIDC.FFDS - ff_vfw.dll File not found
    Drivers32: vidc.fljp - C:\WINDOWS\System32\MMTVMJ.dll (Morgan Multimedia)
    Drivers32: vidc.frwd - C:\WINDOWS\System32\frwd.dll (Darim Vision Co.)
    Drivers32: vidc.frwt - C:\WINDOWS\System32\frwt.dll (Darim Vision Co.)
    Drivers32: vidc.frwu - C:\WINDOWS\System32\frwu.dll (Darim Vision Co.)
    Drivers32: vidc.glzw - C:\WINDOWS\System32\Glzw.dll (Gabest)
    Drivers32: vidc.gpeg - C:\WINDOWS\System32\Gpeg.dll (Gabest)
    Drivers32: vidc.hfyu - C:\WINDOWS\System32\huffyuv.dll (Disappearing Inc.)
    Drivers32: vidc.i263 - C:\WINDOWS\System32\i263_32.drv (Intel Corporation)
    Drivers32: vidc.ipdv - C:\WINDOWS\System32\idvcodec.dll (Matsushita Electric Industrial Co., Ltd. I-O DATA DEVICE,INC.)
    Drivers32: vidc.ir21 - C:\WINDOWS\System32\IR21_R.DLL ()
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.dll (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\Ir50_32.dll (Intel Corporation)
    Drivers32: vidc.lead - C:\WINDOWS\System32\LCodcCMP.dll (LEAD Technologies, Inc.)
    Drivers32: vidc.miro - C:\WINDOWS\System32\mirodv2avi.dll (Pinnacle Systems)
    Drivers32: vidc.mj2c - C:\WINDOWS\System32\M3JP2K32.dll (Morgan Multimedia)
    Drivers32: vidc.mjpa - C:\WINDOWS\System32\rtmjpgcdc.dll (Pinnacle Systems)
    Drivers32: vidc.mjpg - C:\WINDOWS\System32\M3JPEG32.DLL (Morgan Multimedia)
    Drivers32: vidc.mjpx - C:\WINDOWS\System32\pvmjpg21.dll (Pegasus Imaging Corporation)
    Drivers32: vidc.mkvc - C:\WINDOWS\System32\KMVIDC32.DLL ()
    Drivers32: vidc.mmes - C:\WINDOWS\System32\DigiVCap.dll (Matrox Electronic Systems)
    Drivers32: vidc.mmjp - C:\WINDOWS\System32\DigiVCap.dll (Matrox Electronic Systems)
    Drivers32: vidc.mp42 - C:\WINDOWS\System32\mpg4c32.dll ()
    Drivers32: vidc.mp43 - C:\WINDOWS\System32\mpg4c32.dll ()
    Drivers32: vidc.mpg4 - C:\WINDOWS\System32\mpg4c32.dll ()
    Drivers32: vidc.msmc - C:\WINDOWS\System32\DigiVCap.dll (Matrox Electronic Systems)
    Drivers32: VIDC.mszh - C:\WINDOWS\System32\AVIMSZH.DLL ()
    Drivers32: vidc.mwv1 - C:\WINDOWS\System32\ICMW_32.DLL (Aware Inc.)
    Drivers32: vidc.mxmc - MimicICM.DLL File not found
    Drivers32: vidc.nt00 - C:\WINDOWS\System32\NTCodec.dll (NewTek, Inc)
    Drivers32: vidc.pdvc - C:\WINDOWS\System32\idvcodec.dll (Matsushita Electric Industrial Co., Ltd. I-O DATA DEVICE,INC.)
    Drivers32: vidc.pim1 - C:\WINDOWS\System32\pclepim1.dll (Pinnacle Systems)
    Drivers32: vidc.pimj - C:\WINDOWS\System32\pvljpg20.dll (Pegasus Imaging Corporation)
    Drivers32: vidc.pvw2 - C:\WINDOWS\System32\pvwv220.dll (Pegasus Imaging Corporation)
    Drivers32: vidc.rmp4 - C:\WINDOWS\System32\rmp4.dll ()
    Drivers32: vidc.rt21 - C:\WINDOWS\System32\IR21_R.DLL ()
    Drivers32: vidc.rud0 - C:\WINDOWS\System32\Rududu.dll (nico)
    Drivers32: vidc.s422 - C:\WINDOWS\System32\TEKYUV.DLL ()
    Drivers32: vidc.sjpg - C:\WINDOWS\System32\pmjpeg32.dll (White Pine Software and Paradigm Matrix)
    Drivers32: vidc.sony - C:\WINDOWS\System32\sonydv.dll (Sony Corporation)
    Drivers32: vidc.tscc - C:\Program Files\MpcStar\Codecs\tscc\tsccvid.dll (TechSmith Corporation)
    Drivers32: vidc.tvmj - C:\WINDOWS\System32\MMTVMJ.dll (Morgan Multimedia)
    Drivers32: vidc.vcr1 - C:\WINDOWS\System32\ATIVCR1.DLL (ATI Technologies, Inc.)
    Drivers32: vidc.vcr2 - C:\WINDOWS\System32\ativcr2.dll (ATI Technologies, Inc.)
    Drivers32: vidc.vifp - C:\WINDOWS\System32\VFCodec.dll ()
    Drivers32: vidc.vixl - C:\WINDOWS\System32\MIROXL32.DLL (Pinnacle Systems)
    Drivers32: vidc.vp31 - C:\WINDOWS\System32\vp31vfw.dll (On2.com)
    Drivers32: vidc.vssv - C:\WINDOWS\System32\vsscodec.dll (Vanguard Software Solutions, Inc.)
    Drivers32: vidc.wnv1 - C:\WINDOWS\System32\WNVPLAY1.DLL (Winnov)
    Drivers32: vidc.wrpr - C:\WINDOWS\System32\AVIWRAP.DLL ()
    Drivers32: vidc.y41p - C:\WINDOWS\System32\BTVVC32.DRV (Brooktree Corporation)
    Drivers32: vidc.zlib - C:\WINDOWS\System32\AVIZLIB.DLL ()

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (68412030092050432)

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/02/24 23:20:22 | 000,577,024 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Swifter\Desktop\OTL.exe
    [2011/02/23 22:55:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Swifter\Desktop\tdsskiller
    [2011/02/23 21:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG 2011
    [2011/02/23 20:19:26 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/02/23 20:16:14 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/02/23 20:16:14 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/02/23 20:16:14 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/02/23 20:16:13 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/02/23 20:14:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/02/23 19:40:59 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/02/23 19:17:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Swifter\Application Data\Malwarebytes
    [2011/02/23 18:53:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/02/23 18:53:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/02/23 18:53:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2011/02/23 18:53:10 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/02/23 18:53:10 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/02/18 21:04:18 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Swifter\Recent
    [2011/02/18 12:04:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Swifter\Application Data\AVG10
    [2011/02/18 12:02:13 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2011/02/18 11:57:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
    [2011/02/18 11:15:51 | 000,000,000 | ---D | C] -- C:\Program Files\ayirbhrn
    [2011/02/18 11:15:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Swifter\cs
    [2011/02/18 11:15:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Swifter\Start Menu\Programs\blinkx beat
    [2011/02/13 20:39:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2011/02/07 21:28:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Swifter\My Documents\FrostWire
    [2011/02/07 21:27:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Swifter\Application Data\FrostWire
    [2011/02/07 21:27:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Swifter\Start Menu\Programs\FrostWire
    [2011/02/07 21:26:13 | 000,000,000 | ---D | C] -- C:\Program Files\FrostWire
    [2011/02/07 21:25:23 | 008,310,726 | ---- | C] (FrostWire Team) -- C:\Documents and Settings\Swifter\My Documents\frostwire-4.21.3.windows.exe
    [2011/02/07 21:10:19 | 000,000,000 | ---D | C] -- C:\Program Files\Blinkx
    [2011/01/26 18:32:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Swifter\Start Menu\Programs\Rave
    [2007/06/21 17:09:24 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Swifter\Application Data\pcouffin.sys
    [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/02/24 23:20:18 | 000,577,024 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Swifter\Desktop\OTL.exe
    [2011/02/24 23:19:52 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/02/24 23:19:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/02/24 18:37:39 | 000,152,051 | ---- | M] () -- C:\WINDOWS\System32\notepadmgr.exe
    [2011/02/24 18:23:59 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/02/24 18:14:39 | 004,274,341 | R--- | M] () -- C:\Documents and Settings\Swifter\Desktop\ComboFix.exe
    [2011/02/24 18:11:49 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{6C5A829B-00FC-4AB1-BEFD-3BE4BA8BD8C6}.job
    [2011/02/23 23:35:52 | 000,152,051 | ---- | M] () -- C:\WINDOWS\Explorermgr.exe
    [2011/02/23 23:07:04 | 000,288,709 | ---- | M] () -- C:\Documents and Settings\Swifter\Desktop\RKUnhookerLE.EXE
    [2011/02/23 22:45:50 | 001,257,772 | ---- | M] () -- C:\Documents and Settings\Swifter\Desktop\tdsskiller.zip
    [2011/02/23 22:35:06 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/02/23 22:28:17 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Swifter\Desktop\Shortcut (2) to Internet Explorer.lnk
    [2011/02/23 21:57:30 | 000,152,051 | ---- | M] () -- C:\WINDOWS\System32\taskmgrmgr.exe
    [2011/02/23 21:56:38 | 000,779,142 | ---- | M] () -- C:\Documents and Settings\Swifter\Desktop\dds.scr
    [2011/02/23 21:55:08 | 000,451,463 | ---- | M] () -- C:\Documents and Settings\Swifter\Desktop\wvwx6fpx.exe
    [2011/02/23 21:36:12 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Swifter\Desktop\Shortcut to Internet Explorer.lnk
    [2011/02/23 20:19:37 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2011/02/23 19:32:30 | 000,721,324 | ---- | M] () -- C:\Documents and Settings\Swifter\Desktop\rkill.com
    [2011/02/23 18:53:19 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/02/18 12:37:19 | 000,000,244 | ---- | M] () -- C:\WINDOWS\tasks\Epson Printer Software Downloader.job
    [2011/02/18 12:29:34 | 000,003,231 | ---- | M] () -- C:\Documents and Settings\Swifter\Local Settings\Application Data\gumlc.dat
    [2011/02/15 20:35:19 | 000,000,435 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
    [2011/02/15 09:38:00 | 000,444,844 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/02/15 09:38:00 | 000,072,488 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/02/07 21:25:21 | 008,310,726 | ---- | M] (FrostWire Team) -- C:\Documents and Settings\Swifter\My Documents\frostwire-4.21.3.windows.exe
    [2011/02/07 21:12:10 | 000,208,464 | ---- | M] () -- C:\Documents and Settings\Swifter\My Documents\LimeWireSetup.exe
    [2011/02/07 17:28:53 | 001,166,454 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\untitled.bmp
    [2011/01/31 11:25:20 | 000,021,504 | ---- | M] () -- C:\Documents and Settings\Swifter\My Documents\RECEIPT for sandra.doc
    [2011/01/31 11:19:19 | 000,022,016 | ---- | M] () -- C:\Documents and Settings\Swifter\My Documents\RECEIPT for us.doc
    [2011/01/31 10:41:08 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Swifter\My Documents\MONDAY GROUP 1 TRAINEES.doc
    [2011/01/31 10:33:17 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Swifter\My Documents\MONDAY GROUP 2 TRAINEES.doc
    [2011/01/31 09:57:39 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Swifter\Desktop\Microsoft Word.lnk
    [2011/01/31 09:56:41 | 000,424,448 | ---- | M] () -- C:\Documents and Settings\Swifter\My Documents\invoice for us.doc
    [2011/01/28 21:53:40 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Swifter\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Outlook.lnk
    [2011/01/26 22:01:28 | 154,871,128 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Swifter\Desktop\avg_free_x86_all_2011_1204a3402.exe
    [2011/01/26 12:37:10 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Swifter\My Documents\FOOTBALL KITS ordered.doc
    [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/02/24 00:01:12 | 000,152,051 | ---- | C] () -- C:\WINDOWS\System32\notepadmgr.exe
    [2011/02/23 23:08:26 | 000,288,709 | ---- | C] () -- C:\Documents and Settings\Swifter\Desktop\RKUnhookerLE.EXE
    [2011/02/23 22:46:29 | 001,257,772 | ---- | C] () -- C:\Documents and Settings\Swifter\Desktop\tdsskiller.zip
    [2011/02/23 22:28:17 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Swifter\Desktop\Shortcut (2) to Internet Explorer.lnk
    [2011/02/23 21:58:16 | 000,779,142 | ---- | C] () -- C:\Documents and Settings\Swifter\Desktop\dds.scr
    [2011/02/23 21:58:09 | 000,451,463 | ---- | C] () -- C:\Documents and Settings\Swifter\Desktop\wvwx6fpx.exe
    [2011/02/23 21:57:30 | 000,152,051 | ---- | C] () -- C:\WINDOWS\System32\taskmgrmgr.exe
    [2011/02/23 21:36:12 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Swifter\Desktop\Shortcut to Internet Explorer.lnk
    [2011/02/23 21:21:27 | 154,871,128 | ---- | C] () -- C:\Documents and Settings\Swifter\Desktop\avg_free_x86_all_2011_1204a3402.exe
    [2011/02/23 20:19:36 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2011/02/23 20:19:29 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/02/23 20:16:14 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/02/23 20:16:14 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/02/23 20:16:14 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/02/23 20:16:14 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/02/23 20:16:14 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/02/23 20:09:32 | 004,274,341 | R--- | C] () -- C:\Documents and Settings\Swifter\Desktop\ComboFix.exe
    [2011/02/23 20:06:42 | 000,721,324 | ---- | C] () -- C:\Documents and Settings\Swifter\Desktop\rkill.com
    [2011/02/23 19:26:14 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/02/23 18:53:19 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/02/18 20:04:49 | 000,152,051 | ---- | C] () -- C:\WINDOWS\Explorermgr.exe
    [2011/02/16 21:55:51 | 000,081,437 | ---- | C] () -- C:\Documents and Settings\Swifter\xrrwsxvt.log
    [2011/02/16 21:55:51 | 000,000,806 | ---- | C] () -- C:\Documents and Settings\Swifter\vybagyrq.log
    [2011/02/16 21:55:50 | 000,003,907 | ---- | C] () -- C:\Documents and Settings\Swifter\cgkmxhsr.log
    [2011/02/16 21:55:18 | 000,000,024 | ---- | C] () -- C:\Documents and Settings\Swifter\jgdymjga.log
    [2011/02/15 20:48:57 | 052,408,320 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\site1.wpp
    [2011/02/13 20:39:39 | 000,003,510 | ---- | C] () -- C:\Documents and Settings\Swifter\commonpriv.log
    [2011/02/13 20:39:38 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Swifter\commonpriv.log.lock
    [2011/02/07 21:12:08 | 000,208,464 | ---- | C] () -- C:\Documents and Settings\Swifter\My Documents\LimeWireSetup.exe
    [2011/02/07 17:28:53 | 001,166,454 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\untitled.bmp
    [2011/01/31 11:25:20 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Swifter\My Documents\RECEIPT for sandra.doc
    [2011/01/31 11:19:18 | 000,022,016 | ---- | C] () -- C:\Documents and Settings\Swifter\My Documents\RECEIPT for us.doc
    [2011/01/31 09:56:39 | 000,424,448 | ---- | C] () -- C:\Documents and Settings\Swifter\My Documents\invoice for us.doc
    [2011/01/30 21:47:30 | 000,003,231 | ---- | C] () -- C:\Documents and Settings\Swifter\Local Settings\Application Data\gumlc.dat
    [2011/01/28 21:53:40 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Swifter\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Outlook.lnk
    [2011/01/26 13:04:16 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Swifter\My Documents\MONDAY GROUP 2 TRAINEES.doc
    [2011/01/26 12:58:09 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Swifter\My Documents\MONDAY GROUP 1 TRAINEES.doc
    [2011/01/26 12:37:10 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Swifter\My Documents\FOOTBALL KITS ordered.doc
    [2011/01/24 23:48:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI
    [2011/01/22 12:29:13 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
    [2008/06/12 00:58:43 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2008/06/10 19:04:13 | 000,040,372 | ---- | C] () -- C:\Documents and Settings\Swifter\Local Settings\Application Data\FASTWiz.log
    [2008/05/26 16:02:50 | 000,000,048 | ---- | C] () -- C:\WINDOWS\WININIT.INI
    [2008/03/01 12:19:00 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Swifter\Application Data\ezpinst.exe
    [2008/01/02 13:29:05 | 000,001,111 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
    [2007/08/07 22:40:08 | 000,685,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
    [2007/06/21 17:09:36 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Swifter\Application Data\pcouffin.log
    [2007/06/21 17:09:24 | 000,007,824 | ---- | C] () -- C:\Documents and Settings\Swifter\Application Data\pcouffin.cat
    [2007/06/21 17:09:24 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Swifter\Application Data\pcouffin.inf
    [2007/01/27 19:52:25 | 000,000,241 | ---- | C] () -- C:\WINDOWS\QSync.INI
    [2007/01/27 19:50:55 | 000,005,187 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
    [2007/01/27 19:50:51 | 000,000,536 | ---- | C] () -- C:\WINDOWS\_delis32.ini
    [2006/05/13 09:32:15 | 000,011,264 | R--- | C] () -- C:\WINDOWS\System32\TEKYUV.DLL
    [2006/05/13 09:32:14 | 000,266,240 | R--- | C] () -- C:\WINDOWS\System32\rmp4.dll
    [2006/05/13 09:32:14 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\dsrmp4.dll
    [2006/05/13 09:32:13 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\mpegdecoder.dll
    [2006/05/13 09:32:12 | 000,023,552 | R--- | C] () -- C:\WINDOWS\System32\pdi.dll
    [2006/05/13 09:32:11 | 000,921,600 | R--- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
    [2006/05/13 09:32:11 | 000,237,568 | R--- | C] () -- C:\WINDOWS\System32\OggDS.dll
    [2006/05/13 09:32:11 | 000,188,416 | R--- | C] () -- C:\WINDOWS\System32\vorbis.dll
    [2006/05/13 09:32:11 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\ogg.dll
    [2006/05/13 09:32:11 | 000,000,702 | R--- | C] () -- C:\WINDOWS\MMTVMJ.INI
    [2006/05/13 09:32:10 | 000,000,761 | R--- | C] () -- C:\WINDOWS\M3JP2K.INI
    [2006/05/13 09:32:09 | 000,000,714 | R--- | C] () -- C:\WINDOWS\m3jpeg.ini
    [2006/05/13 09:32:05 | 000,413,760 | R--- | C] () -- C:\WINDOWS\System32\mpg4c32.dll
    [2006/05/13 09:32:01 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
    [2006/05/13 09:32:00 | 000,077,664 | R--- | C] () -- C:\WINDOWS\System32\IR21_R.DLL
    [2006/05/13 09:32:00 | 000,056,832 | R--- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
    [2006/05/13 09:31:59 | 000,152,064 | R--- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2006/05/13 09:31:54 | 000,092,672 | R--- | C] () -- C:\WINDOWS\System32\ASUSASV2.dll
    [2006/05/13 09:31:54 | 000,071,680 | R--- | C] () -- C:\WINDOWS\System32\ASUSASV1.DLL
    [2006/05/13 09:31:54 | 000,066,560 | R--- | C] () -- C:\WINDOWS\System32\atiyuv12.dll
    [2006/05/13 09:31:53 | 000,507,904 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll
    [2006/05/13 09:31:52 | 000,482,816 | R--- | C] () -- C:\WINDOWS\System32\VFCodec.dll
    [2006/05/13 09:31:52 | 000,047,104 | R--- | C] () -- C:\WINDOWS\System32\KMVIDC32.DLL
    [2006/05/13 09:31:52 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AVIWRAP.DLL
    [2006/05/13 09:31:46 | 000,114,688 | R--- | C] () -- C:\WINDOWS\System32\AVIZLIB.DLL
    [2006/05/13 09:31:46 | 000,069,632 | R--- | C] () -- C:\WINDOWS\System32\AVIMSZH.DLL
    [2006/05/13 09:31:39 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
    [2006/05/13 09:31:39 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\libfaad.dll
    [2006/04/25 13:24:42 | 000,000,163 | ---- | C] () -- C:\WINDOWS\DVDFabGold.INI
    [2006/04/17 11:52:26 | 000,000,030 | ---- | C] () -- C:\WINDOWS\gnucleus.INI
    [2006/03/22 21:46:10 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
    [2006/03/12 15:06:09 | 000,373,248 | ---- | C] () -- C:\WINDOWS\EyeCand3.INI
    [2006/03/09 21:14:47 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Swifter\Local Settings\Application Data\fusioncache.dat
    [2006/02/28 20:23:06 | 000,163,840 | ---- | C] () -- C:\Documents and Settings\Swifter\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2006/02/28 19:07:16 | 000,000,952 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
    [2006/02/28 13:37:22 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2006/02/27 18:48:18 | 000,000,154 | ---- | C] () -- C:\WINDOWS\adidsl.ini
    [2006/02/27 18:48:18 | 000,000,021 | ---- | C] () -- C:\WINDOWS\Fast800.ini
    [2006/02/27 18:48:09 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\coclassfast.dll
    [2006/02/27 18:48:09 | 000,046,892 | ---- | C] () -- C:\WINDOWS\System32\adadix16.dll
    [2006/02/25 21:57:24 | 000,015,669 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
    [2006/02/25 20:44:28 | 000,000,936 | ---- | C] () -- C:\WINDOWS\adiras.ini
    [2006/02/25 20:24:16 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2005/08/03 12:33:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

    ========== LOP Check ==========
  23. Drena Designs

    continued......

    [2011/02/23 21:46:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
    [2011/02/18 11:15:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
    [2011/02/18 12:02:13 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2008/03/07 21:33:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Documents
    [2008/02/04 13:20:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eBay
    [2011/01/22 12:44:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
    [2008/09/06 14:23:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
    [2011/02/24 23:31:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kontiki
    [2011/02/18 11:52:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2006/02/28 16:19:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
    [2008/03/07 11:26:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
    [2008/02/07 20:47:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony
    [2011/02/13 20:38:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2008/06/21 00:11:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
    [2008/06/19 02:17:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
    [2011/01/22 12:36:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
    [2007/06/22 08:01:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
    [2007/02/24 12:22:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WholeSecurity
    [2008/10/23 18:18:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    [2011/02/18 12:04:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\AVG10
    [2011/02/07 22:09:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\CometPlayer
    [2008/02/04 13:20:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\eBay
    [2011/01/23 09:59:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\Epson
    [2011/02/17 12:31:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\FrostWire
    [2008/09/06 14:24:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\Grisoft
    [2006/02/25 22:53:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\Leadertech
    [2009/11/28 18:40:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\LimeWire
    [2006/03/04 19:03:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\MSNInstaller
    [2011/02/04 09:38:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\Ninu
    [2011/02/03 20:02:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\Qoircy
    [2008/10/12 19:17:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\Serif
    [2007/04/12 17:13:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\SignupShield
    [2008/08/29 12:32:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\Sony
    [2010/11/14 22:21:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\TigerPlayer
    [2008/06/19 13:36:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\TomTom
    [2008/06/19 02:17:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\TuneUp Software
    [2008/03/01 12:19:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\Vso
    [2007/06/20 10:49:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\WholeSecurity
    [2006/03/09 21:17:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Swifter\Application Data\Windows Desktop Search
    [2011/02/18 12:37:19 | 000,000,244 | ---- | M] () -- C:\WINDOWS\Tasks\Epson Printer Software Downloader.job
    [2011/02/24 18:11:49 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{6C5A829B-00FC-4AB1-BEFD-3BE4BA8BD8C6}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2008/06/19 21:33:11 | 000,000,000 | ---- | M] () -- C:\700.log
    [2006/02/25 21:49:54 | 000,020,372 | ---- | M] () -- C:\adobelog.txt
    [2006/02/25 20:34:39 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2006/02/25 20:28:14 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2011/02/23 20:19:37 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2006/02/25 22:11:35 | 000,000,090 | ---- | M] () -- C:\chpst.log
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/02/24 18:29:05 | 000,010,152 | ---- | M] () -- C:\ComboFix.txt
    [2006/02/25 20:34:39 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2006/02/25 22:10:26 | 003,223,204 | ---- | M] () -- C:\DNSP1.LOG
    [2008/06/04 20:57:56 | 000,033,666 | ---- | M] () -- C:\dvdfabexpress_burn.log
    [2008/03/24 21:31:00 | 000,009,371 | ---- | M] () -- C:\dvdfab_burn.log
    [2007/01/31 17:44:55 | 000,001,096 | ---- | M] () -- C:\hdd.log
    [2006/02/25 21:57:24 | 000,000,171 | ---- | M] () -- C:\HSC.log
    [2008/06/26 17:46:44 | 000,000,132 | ---- | M] () -- C:\ICSYSINF.log
    [2007/05/14 21:29:18 | 000,000,374 | ---- | M] () -- C:\INSTALL.LOG
    [2006/02/25 20:34:39 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2006/09/08 10:08:50 | 000,000,985 | -H-- | M] () -- C:\IPH.PH
    [2007/01/27 19:47:53 | 000,000,183 | ---- | M] () -- C:\LogiSetup.log
    [2006/02/25 22:15:16 | 000,000,161 | ---- | M] () -- C:\mscuxp.log
    [2006/02/25 20:34:39 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2004/08/04 12:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/09/09 15:45:51 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2011/02/24 23:19:23 | 792,723,456 | -HS- | M] () -- C:\pagefile.sys
    [2011/02/23 20:08:06 | 000,000,408 | ---- | M] () -- C:\rkill.log
    [2006/02/25 22:15:11 | 000,000,196 | ---- | M] () -- C:\sedinst2.log
    [2006/02/25 22:07:20 | 000,000,171 | ---- | M] () -- C:\setup.log
    [2008/05/01 12:01:14 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
    [2008/05/01 12:01:14 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
    [2006/02/25 22:06:50 | 000,020,958 | ---- | M] () -- C:\sunjava.log
    [2011/02/23 22:56:43 | 000,045,132 | ---- | M] () -- C:\TDSSKiller.2.4.18.0_23.02.2011_22.55.31_log.txt
    [2006/02/25 21:47:24 | 000,000,032 | ---- | M] () -- C:\ticrdbus.log
    [2008/06/05 18:47:21 | 000,000,146 | ---- | M] () -- C:\YServer.txt

    < %systemroot%\Fonts\*.com >
    [2006/04/18 14:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 13:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 14:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 13:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/02/25 20:34:02 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 12:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2007/04/09 12:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 10:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >
    [2008/07/22 14:54:29 | 000,001,586 | -H-- | M] () -- C:\Documents and Settings\Swifter\Application Data\Microsoft\LastFlashConfig.WFC

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2006/02/25 20:20:00 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2006/02/25 20:20:00 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2006/02/25 20:20:00 | 000,880,640 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2008/09/09 15:54:23 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >
    [2008/02/28 13:01:24 | 000,774,144 | ---- | M] () -- C:\WINDOWS\system32\NEROINSTAEC43759.DB
    [1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2006/02/25 20:42:37 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Swifter\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2006/02/25 20:42:36 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Swifter\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2011/01/26 22:01:28 | 154,871,128 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Swifter\Desktop\avg_free_x86_all_2011_1204a3402.exe
    [2011/02/24 18:14:39 | 004,274,341 | R--- | M] () -- C:\Documents and Settings\Swifter\Desktop\ComboFix.exe
    [2010/11/09 11:47:20 | 021,499,328 | ---- | M] () -- C:\Documents and Settings\Swifter\Desktop\mpcstar_4.9_setup.exe
    [2011/02/24 23:20:18 | 000,577,024 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Swifter\Desktop\OTL.exe
    [2011/02/23 23:07:04 | 000,288,709 | ---- | M] () -- C:\Documents and Settings\Swifter\Desktop\RKUnhookerLE.EXE
    [2011/02/18 21:17:28 | 012,390,344 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Swifter\Desktop\windows-kb890830-v3.16.exe
    [2011/02/23 21:55:08 | 000,451,463 | ---- | M] () -- C:\Documents and Settings\Swifter\Desktop\wvwx6fpx.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >
    [2010/07/15 19:11:10 | 044,089,904 | ---- | M] () -- C:\Documents and Settings\Swifter\My Documents\avira_antivir_personal_en.exe
    [2011/02/07 21:25:21 | 008,310,726 | ---- | M] (FrostWire Team) -- C:\Documents and Settings\Swifter\My Documents\frostwire-4.21.3.windows.exe
    [2011/02/07 21:12:10 | 000,208,464 | ---- | M] () -- C:\Documents and Settings\Swifter\My Documents\LimeWireSetup.exe

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2006/02/25 20:42:36 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Swifter\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2009/06/29 18:05:07 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\Swifter\Cookies\desktop.ini
    [2011/02/24 23:19:48 | 000,032,768 | -HS- | M] () -- C:\Documents and Settings\Swifter\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 21:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/14 00:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2007/04/02 18:07:22 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/04/13 17:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/14 00:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2007/04/02 18:07:23 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2007/04/02 18:07:23 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2007/04/02 18:07:24 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2007/04/02 18:07:27 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2007/04/02 18:04:01 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >
    [2002/07/17 15:22:34 | 000,004,672 | ---- | M] (Adaptec) -- C:\WINDOWS\system\WOWPOST.EXE

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:41FA22AC

    < End of report >
  24. Drena Designs

    EXTRAS TEXT

    OTL Extras logfile created on: 24/02/2011 23:26:08 - Run 1
    OTL by OldTimer - Version 3.2.21.0 Folder = C:\Documents and Settings\Swifter\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    502.00 Mb Total Physical Memory | 189.00 Mb Available Physical Memory | 38.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 79.00% Paging File free
    Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.25 Gb Total Space | 20.64 Gb Free Space | 55.41% Space Free | Partition Type: NTFS
    Drive E: | 959.13 Mb Total Space | 958.84 Mb Free Space | 99.97% Space Free | Partition Type: FAT

    Computer Name: JULIANS | User Name: Swifter | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    [HKEY_USERS\S-1-5-21-507921405-1659004503-839522115-1004\SOFTWARE\Classes\<extension>]
    .bat [@ = batfile] -- Reg Error: Key error. File not found
    .cmd [@ = cmdfile] -- Reg Error: Key error. File not found
    .com [@ = ComFile] -- Reg Error: Key error. File not found
    .hta [@ = htafile] -- Reg Error: Key error. File not found
    .url [@ = InternetShortcut] -- Reg Error: Key error. File not found
    .vbs [@ = VBSFile] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "FirewallOverride" = 0
    "AntiVirusOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "17166:TCP" = 17166:TCP:*:Enabled:BitComet 17166 TCP
    "17166:UDP" = 17166:UDP:*:Enabled:BitComet 17166 UDP
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "22136:TCP" = 22136:TCP:*:Enabled:BitComet 22136 TCP
    "22136:UDP" = 22136:UDP:*:Enabled:BitComet 22136 UDP
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
    "C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)
    "C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
    "C:\Program Files\Kontiki\KService.exe" = C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service -- (Kontiki Inc.)
    "C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
    "C:\Program Files\Epson Software\Event Manager\EEventManager.exe" = C:\Program Files\Epson Software\Event Manager\EEventManager.exe:*:Enabled:EEventManager Application -- (SEIKO EPSON CORPORATION)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
    "{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
    "{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
    "{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 1.01 A3
    "{48B0F38D-1913-44F3-99AA-D4C55A2B038E}" = Drive Manager
    "{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = Epson Event Manager
    "{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}" = SAGEM F@st 800-840
    "{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
    "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
    "{612DC38A-B36A-4699-88EB-12C7394DE2FC}" = TIxx21
    "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{6A5FE305-1147-400D-9795-8B80E693476A}" = Serif WebPlus SE
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}" = EPSON Web-To-Page
    "{87C2248A-C7DD-49ED-9BCD-B312A9D0819E}" = Epson Easy Photo Print 2
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver for Mobile
    "{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
    "{900A92BA-19EF-4A34-86CF-7B6C85BDD971}" = VC_MergeModuleToMSI
    "{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
    "{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
    "{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
    "{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}" = Apple Mobile Device Support
    "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
    "{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
    "{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
    "{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module
    "{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
    "{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
    "{B6A98E5F-D6A7-46FB-9E9D-1F7BF4434001}" = Epson Printer Software Downloader
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CEB326EC-8F40-47B2-BA22-BB092565D66F}" = Quick Launch Buttons 5.20 H1
    "{D466F3D9-510C-4729-B7D4-2E70490E4CDF}" = BBC iPlayer Download Manager
    "{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
    "{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}" = iTunes
    "{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
    "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
    "Agere Systems Soft Modem" = Agere Systems AC'97 Modem
    "Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
    "CCleaner" = CCleaner (remove only)
    "Epson Printer Software Downloader" = Epson Printer Software Downloader
    "EPSON Scanner" = EPSON Scan
    "Epson Stylus SX110_TX110 User’s Guide" = Epson Stylus SX110_TX110 Manual
    "EPSON SX110 Series" = EPSON SX110 Series Printer Uninstall
    "FrostWire" = FrostWire 4.21.3
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{48B0F38D-1913-44F3-99AA-D4C55A2B038E}" = Drive Manager
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "MpcStar" = MpcStar 4.9
    "mplibwiz.inf" = Media Library Management Wizard
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "WIC" = Windows Imaging Component
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinRAR archiver" = WinRAR archiver
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-507921405-1659004503-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "blinkx beat" = blinkx beat

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 08/07/2010 07:32:16 | Computer Name = DIAMOND | Source = Application Error | ID = 1000
    Description = Faulting application KService.exe, version 5.12.707.160, faulting
    module KService.exe, version 5.12.707.160, fault address 0x0021215a.

    Error - 09/07/2010 04:17:45 | Computer Name = DIAMOND | Source = Application Error | ID = 1000
    Description = Faulting application firefox.exe, version 1.9.0.3725, faulting module
    unknown, version 0.0.0.0, fault address 0x000028d6.

    Error - 09/07/2010 08:59:41 | Computer Name = DIAMOND | Source = Application Error | ID = 1000
    Description = Faulting application KService.exe, version 5.12.707.160, faulting
    module KService.exe, version 5.12.707.160, fault address 0x0021215a.

    Error - 09/07/2010 11:11:31 | Computer Name = DIAMOND | Source = Application Hang | ID = 1002
    Description = Hanging application firefox.exe, version 1.9.0.3725, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 10/07/2010 10:31:33 | Computer Name = DIAMOND | Source = Application Error | ID = 1000
    Description = Faulting application KService.exe, version 5.12.707.160, faulting
    module KService.exe, version 5.12.707.160, fault address 0x0021215a.

    Error - 11/07/2010 15:14:16 | Computer Name = DIAMOND | Source = Application Error | ID = 1000
    Description = Faulting application firefox.exe, version 1.9.0.3725, faulting module
    unknown, version 0.0.0.0, fault address 0x000028d6.

    Error - 11/07/2010 15:34:51 | Computer Name = DIAMOND | Source = Application Error | ID = 1000
    Description = Faulting application KService.exe, version 5.12.707.160, faulting
    module KService.exe, version 5.12.707.160, fault address 0x0021215a.

    Error - 12/07/2010 12:39:32 | Computer Name = DIAMOND | Source = Application Error | ID = 1000
    Description = Faulting application KService.exe, version 5.12.707.160, faulting
    module KService.exe, version 5.12.707.160, fault address 0x0021215a.

    Error - 13/07/2010 11:33:03 | Computer Name = DIAMOND | Source = Application Error | ID = 1000
    Description = Faulting application KService.exe, version 5.12.707.160, faulting
    module KService.exe, version 5.12.707.160, fault address 0x0021215a.

    Error - 14/07/2010 12:30:50 | Computer Name = DIAMOND | Source = Application Error | ID = 1000
    Description = Faulting application KService.exe, version 5.12.707.160, faulting
    module KService.exe, version 5.12.707.160, fault address 0x0021215a.

    [ System Events ]
    Error - 24/02/2011 14:08:40 | Computer Name = JULIANS | Source = Service Control Manager | ID = 7000
    Description = The General Purpose USB Driver (adildr.sys) service failed to start
    due to the following error: %%1058

    Error - 24/02/2011 14:08:40 | Computer Name = JULIANS | Source = Service Control Manager | ID = 7000
    Description = The EPSON V5 Service4(01) service failed to start due to the following
    error: %%2

    Error - 24/02/2011 14:08:40 | Computer Name = JULIANS | Source = Service Control Manager | ID = 7000
    Description = The EPSON V3 Service4(01) service failed to start due to the following
    error: %%2

    Error - 24/02/2011 17:32:36 | Computer Name = JULIANS | Source = Service Control Manager | ID = 7000
    Description = The General Purpose USB Driver (adildr.sys) service failed to start
    due to the following error: %%1058

    Error - 24/02/2011 17:32:36 | Computer Name = JULIANS | Source = Service Control Manager | ID = 7000
    Description = The EPSON V5 Service4(01) service failed to start due to the following
    error: %%2

    Error - 24/02/2011 17:32:36 | Computer Name = JULIANS | Source = Service Control Manager | ID = 7000
    Description = The EPSON V3 Service4(01) service failed to start due to the following
    error: %%2

    Error - 24/02/2011 19:19:42 | Computer Name = JULIANS | Source = Service Control Manager | ID = 7000
    Description = The General Purpose USB Driver (adildr.sys) service failed to start
    due to the following error: %%1058

    Error - 24/02/2011 19:19:42 | Computer Name = JULIANS | Source = Service Control Manager | ID = 7000
    Description = The EPSON V5 Service4(01) service failed to start due to the following
    error: %%2

    Error - 24/02/2011 19:19:42 | Computer Name = JULIANS | Source = Service Control Manager | ID = 7000
    Description = The EPSON V3 Service4(01) service failed to start due to the following
    error: %%2

    Error - 24/02/2011 19:24:11 | Computer Name = JULIANS | Source = BROWSER | ID = 8032
    Description = The browser service has failed to retrieve the backup list too many
    times on transport \Device\NetBT_Tcpip_{C60218AD-0F74-447E-9F78-A047BF2017ED}. The
    backup browser is stopping.


    < End of report >
  25. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    You need to reinstall AVG.

    ==========================================================================

Unless you willingly installed Kontiki Player....
Go to Start>Control Panel>Add\Remove ("Programs and Features" in Vista), and uninstall Sky Anytime (if present).
    Download, and run KClean.exe: http://static.sky.com/kclean/KClean.exe to remove Kontiki from your computer.
    NOTE: Kontiki is a known resource hog.

    ======================================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKU\S-1-5-21-507921405-1659004503-839522115-1004\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
      FF - prefs.js..browser.search.defaultenginename: "Web Search"
      FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT1640187&SearchSource=3&q="
      FF - prefs.js..extensions.enabledItems: m3ffxtbr@mywebsearch.com:1.1
      FF - prefs.js..keyword.URL: "http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRfox000&fl=0&ptb=kTH8wFRKbs5AqNC5cxm5Ow&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor="
      FF - HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\firefox\
      [2009/12/17 20:39:09 | 000,009,941 | ---- | M] () -- C:\Documents and Settings\Swifter\Application Data\Mozilla\Firefox\Profiles\9g4z1utt.default\searchplugins\mywebsearch.xml
      File not found (No name found) -- C:\PROGRAM FILES\MYWEBSEARCH\BAR\FIREFOX
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
      O2 - BHO: (no name) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - No CLSID value found.
      O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
      O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
      O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No CLSID value found.
      O3 - HKU\S-1-5-21-507921405-1659004503-839522115-1004\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O3 - HKU\S-1-5-21-507921405-1659004503-839522115-1004\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
      O3 - HKU\S-1-5-21-507921405-1659004503-839522115-1004\..\Toolbar\WebBrowser: (no name) - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - No CLSID value found.
      O3 - HKU\S-1-5-21-507921405-1659004503-839522115-1004\..\Toolbar\WebBrowser: (no name) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No CLSID value found.
      O3 - HKU\S-1-5-21-507921405-1659004503-839522115-1004\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
      O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
      O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
      O20 - HKLM Winlogon: UserInit - (C:\Program Files\ayirbhrn\ifahlkbe.exe) - C:\Program Files\ayirbhrn\ifahlkbe.exe File not found
      O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - Reg Error: Key error. File not found
      O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
      O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
      [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [2011/02/16 21:55:51 | 000,081,437 | ---- | C] () -- C:\Documents and Settings\Swifter\xrrwsxvt.log
      [2011/02/16 21:55:51 | 000,000,806 | ---- | C] () -- C:\Documents and Settings\Swifter\vybagyrq.log
      [2011/02/16 21:55:50 | 000,003,907 | ---- | C] () -- C:\Documents and Settings\Swifter\cgkmxhsr.log
      [2011/02/16 21:55:18 | 000,000,024 | ---- | C] () -- C:\Documents and Settings\Swifter\jgdymjga.log
      @Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:41FA22AC
      
      
      :Files
      C:\Program Files\MyWebSearch
      
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
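Added example, not part of the thread and not code from OTL, ComboFix or AVG. The O20 line in the fix script above shows the persistence mechanism behind this infection: the trojan appends its own executable to the comma-separated Winlogon Userinit value, so Windows launches it at every logon right after the real userinit.exe. The Python below parses such a value and flags every entry that is not the stock %SystemRoot%\system32\userinit.exe. The registry key and value name are the real ones; the system root default (C:\WINDOWS), the `read_live_userinit` helper and the sample values are assumptions for the example, with the hijacked sample reusing the path quoted in the fix script and the other samples constructed.

```python
"""Audit the Winlogon Userinit value for appended or replaced executables.

Added example, not code from the thread or from OTL/ComboFix. Sample values
are constructed; only the stock %SystemRoot%\\system32\\userinit.exe is
assumed to be legitimate.
"""
import ntpath
import re
import sys

# Real registry location of the value, under HKEY_LOCAL_MACHINE.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_VALUE = "Userinit"
LEGIT_BASENAME = "userinit.exe"


def parse_userinit(value):
    """Split the comma-separated Userinit value into trimmed, non-empty entries.

    Windows runs every entry in turn at logon, which is why an appended path
    keeps the malware alive across reboots while userinit.exe itself still
    runs normally and the user sees nothing unusual.
    """
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def classify(value, system_root=r"C:\WINDOWS"):
    """Return (entry, verdict) pairs; verdict is "ok" or "suspicious".

    Only the stock userinit.exe in <system_root>\\system32 is "ok". Anything
    else (another directory, a renamed binary, or an extra executable
    appended after the legitimate one) is flagged for manual review.
    """
    expected = ntpath.normcase(ntpath.join(system_root, "system32", LEGIT_BASENAME))
    results = []
    for entry in parse_userinit(value):
        # Some systems store the variable form; expand it ourselves so the
        # check also works when run from a non-Windows analysis box. A lambda
        # replacement avoids re.sub treating the backslashes as escapes.
        resolved = re.sub(r"%systemroot%", lambda m: system_root, entry,
                          flags=re.IGNORECASE)
        # normcase lowercases and normalises slashes on any host OS.
        resolved = ntpath.normcase(resolved)
        results.append((entry, "ok" if resolved == expected else "suspicious"))
    return results


def audit(value, system_root=r"C:\WINDOWS"):
    """True only if the value holds exactly one entry and it is the stock binary."""
    verdicts = classify(value, system_root)
    return len(verdicts) == 1 and verdicts[0][1] == "ok"


def read_live_userinit():
    """Read the real value on a Windows host (assumed helper); None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, WINLOGON_VALUE)
    return value


# Constructed samples. HIJACKED reuses the path from the O20 line in the fix
# script; the others are made up for illustration.
CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
VARIABLE_FORM = r"%SystemRoot%\system32\userinit.exe,"
HIJACKED = r"C:\WINDOWS\system32\userinit.exe,C:\Program Files\ayirbhrn\ifahlkbe.exe,"
WRONG_DIR = r"C:\WINDOWS\userinit.exe,"


if __name__ == "__main__":
    samples = [("clean", CLEAN), ("variable form", VARIABLE_FORM),
               ("hijacked", HIJACKED), ("wrong directory", WRONG_DIR),
               ("live registry", read_live_userinit())]
    for label, val in samples:
        if val is None:
            continue
        print(f"{label:16} clean={audit(val)!s:5} {classify(val)}")
```

A "suspicious" verdict means verify, not delete: a few legitimate management agents do register their own Userinit entries, so check the flagged file's publisher and location before restoring the value to the stock single entry.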