TechSpot

I can't get rid of this registry file

By sirnick
Apr 4, 2011
  1. I have an old computer that I have been trying to clean up. I've got it running smooth, but there is this one file that is ANNOYING. I run msconfig and UNcheck it, but when I reboot it rechecks itself. It has turned off regedit, so I used a cmd prompt to turn it back on. And when I go into regedit and manually find and delete the string, I will reboot, open regedit only to find the string is back and NOT GONE. Any help would be awesome.

    EDIT: I just noticed the 8-step removal thread, checking that now, sorry for newbness.

    EDIT(2): OK, I have reviewed the 8-step removal thread and downloaded all the programs listed. To ensure safeness I tested the process out on my current computer and everything ran and scanned perfectly. So I saved all the programs (Avira, TFC, MBAM, GMER, DDS) to a flash drive and started the process on the computer with this "Problem." TFC ran great and did everything it was supposed to. I installed MBAM and it seemed to install, but when I tried to Launch and Update, no window popped up indicating that it was updating. So I hit ctrl+shift+esc and check the processes; I see mbam.exe in the processes but I can't see it on my screen. So I end the process and double-click the shortcut on my desktop. Still nothing; I check the processes again and there it is, mbam.exe running, but I still cannot see it. Also, I downloaded Chrome and Opera to this computer and it WILL NOT let me install either program. Chrome gets an error message before it can even install any files, and Opera gets to the point where a shortcut is created but then an error window pops up saying "can't create shortcut to desktop", and upon clicking OK on that window, it removes the shortcut and all the files dealing with Opera. This is strange to me, but I would love to figure this out. I will now just install Avira and see if it sees anything, and I will keep this post updated.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
    Complete as many steps as you can.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. sirnick

    sirnick TS Rookie Topic Starter Posts: 20

    OK, I can't run MBAM at all on that comp, so I will just skip that step. Post with logs will be here soon.
     
  4. Broni


    OK....................
     
  5. sirnick


    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-04-05 00:14:03
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400JB-00JJA0 rev.05.01C05
    Running: 9996xb45.exe; Driver: C:\DOCUME~1\STATIO~1\LOCALS~1\Temp\pxlyypow.sys


    ---- System - GMER 1.0.15 ----

    SSDT F8A70136 ZwCreateKey
    SSDT F8A7012C ZwCreateThread
    SSDT F8A7013B ZwDeleteKey
    SSDT F8A70145 ZwDeleteValueKey
    SSDT F8A7014A ZwLoadKey
    SSDT F8A70118 ZwOpenProcess
    SSDT F8A7011D ZwOpenThread
    SSDT F8A70154 ZwReplaceKey
    SSDT F8A7014F ZwRestoreKey
    SSDT F8A70140 ZwSetValueKey

    Code E1795D70 ZwEnumerateKey
    Code E1795E50 ZwFlushInstructionCache
    Code F47EFEAB pIofCallDriver
    Code F47F0853 pIofCompleteRequest

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 5 Bytes JMP E1795D74
    PAGE ntoskrnl.exe!ZwFlushInstructionCache 80576A6A 5 Bytes JMP E1795E54

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[524] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 01551052 C:\WINDOWS\system32\msziptools.dll
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[524] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00F8000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[524] WS2_32.dll!send 71AB428A 5 Bytes JMP 00FA000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[524] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00F9000A
    .text C:\WINDOWS\Explorer.EXE[1300] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00E0000A
    .text C:\WINDOWS\Explorer.EXE[1300] WS2_32.dll!send 71AB428A 5 Bytes JMP 00E2000A
    .text C:\WINDOWS\Explorer.EXE[1300] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00E1000A

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)

    ---- Modules - GMER 1.0.15 ----

    Module \systemroot\system32\drivers\TDSSmqlt.sys (*** hidden *** ) F47EE000-F4800000 (73728 bytes)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:300] F47F0D66

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\drivers\TDSSmqlt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqn.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSlrvd.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrxr.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrtqp.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhyp.log
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkbi.log
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqn.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSlrvd.dat
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrxr.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrtqp.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhyp.log
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkbi.log
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@affid 11
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@subid v3020
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@control 0x09 0x19 0x1F 0x16 ...
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@prov 10010
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@googleadserver pagead2.googlesyndication.com
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@flagged 1

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\Station 1\Local Settings\Temp\TDSS7dce.tmp 102400 bytes executable
    File C:\Documents and Settings\Station 1\Local Settings\Temp\TDSS7e0c.tmp 616960 bytes executable
    File C:\WINDOWS\system32\drivers\TDSSmqlt.sys 60416 bytes executable <-- ROOTKIT !!!
    File C:\WINDOWS\system32\TDSShrxr.dll 29696 bytes executable
    File C:\WINDOWS\system32\TDSSkkbi.log 3139 bytes
    File C:\WINDOWS\system32\TDSSlrvd.dat 441 bytes
    File C:\WINDOWS\system32\TDSSlxwp.dll 2710 bytes
    File C:\WINDOWS\system32\TDSSoiqn.dll 35840 bytes executable
    File C:\WINDOWS\system32\TDSSrtqp.dll 31232 bytes executable
    File C:\WINDOWS\system32\TDSSxfum.dll 73728 bytes executable

    ---- EOF - GMER 1.0.15 ----

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/21/2005 7:35:07 PM
    System Uptime: 4/4/2011 11:08:08 PM (1 hours ago)
    .
    Motherboard: Dell Computer Corporation | | OptiPlex GX50
    Processor: Intel(R) Celeron(TM) CPU 1200MHz | Microprocessor | 1196/100mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 29.319 GiB free.
    D: is CDROM (CDFS)
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP575: 12/18/2008 5:31:24 PM - System Checkpoint
    RP576: 12/18/2008 5:31:24 PM - System Checkpoint
    RP577: 12/18/2008 5:31:24 PM - System Checkpoint
    RP578: 12/18/2008 5:31:24 PM - System Checkpoint
    RP579: 12/18/2008 5:31:24 PM - System Checkpoint
    RP580: 12/18/2008 5:31:25 PM - System Checkpoint
    RP581: 12/18/2008 5:31:25 PM - System Checkpoint
    RP582: 12/18/2008 5:31:25 PM - System Checkpoint
    RP583: 12/18/2008 5:31:25 PM - System Checkpoint
    RP584: 12/18/2008 5:31:25 PM - System Checkpoint
    RP585: 12/18/2008 5:31:25 PM - System Checkpoint
    RP586: 12/18/2008 5:31:25 PM - System Checkpoint
    RP587: 12/18/2008 5:31:26 PM - System Checkpoint
    RP588: 12/18/2008 5:31:26 PM - System Checkpoint
    RP589: 12/18/2008 5:31:26 PM - System Checkpoint
    RP590: 12/18/2008 5:31:26 PM - System Checkpoint
    RP591: 12/18/2008 5:31:26 PM - System Checkpoint
    RP592: 12/18/2008 5:31:26 PM - System Checkpoint
    RP593: 12/18/2008 5:31:26 PM - System Checkpoint
    RP594: 12/18/2008 5:31:27 PM - System Checkpoint
    RP595: 12/18/2008 5:31:27 PM - System Checkpoint
    RP596: 12/18/2008 5:31:27 PM - System Checkpoint
    RP597: 12/18/2008 5:31:27 PM - System Checkpoint
    RP598: 12/18/2008 5:31:27 PM - Software Distribution Service 3.0
    RP599: 12/18/2008 5:31:27 PM - Software Distribution Service 3.0
    RP600: 12/18/2008 5:31:27 PM - System Checkpoint
    RP601: 12/18/2008 5:31:28 PM - System Checkpoint
    RP602: 12/18/2008 5:31:28 PM - System Checkpoint
    RP603: 12/18/2008 5:31:28 PM - System Checkpoint
    RP604: 12/18/2008 5:31:28 PM - System Checkpoint
    RP605: 12/18/2008 5:31:28 PM - System Checkpoint
    RP606: 12/18/2008 5:31:29 PM - System Checkpoint
    RP607: 12/18/2008 5:31:29 PM - System Checkpoint
    RP608: 12/18/2008 5:31:29 PM - System Checkpoint
    RP609: 12/18/2008 5:31:29 PM - System Checkpoint
    RP610: 12/18/2008 5:31:29 PM - System Checkpoint
    RP611: 12/18/2008 5:31:30 PM - System Checkpoint
    RP612: 12/18/2008 5:31:30 PM - System Checkpoint
    RP613: 12/18/2008 5:31:30 PM - System Checkpoint
    RP614: 12/18/2008 5:31:30 PM - Software Distribution Service 3.0
    RP615: 12/18/2008 5:31:30 PM - System Checkpoint
    RP616: 12/18/2008 5:31:30 PM - System Checkpoint
    RP617: 12/18/2008 5:31:30 PM - System Checkpoint
    RP618: 12/18/2008 5:31:41 PM - Last known good configuration
    .
    ==== Installed Programs ======================
    .
    Adobe Download Manager 2.0 (Remove Only)
    Adobe Flash Player 9 ActiveX
    Adobe Reader 7.0.8
    Adobe® Photoshop® Album Starter Edition 3.0
    Advertisement Service
    AOL Coach Version 2.0(Build:20041026.5 en)
    AOL Deskbar
    AOL Toolbar 5.0
    AOL You've Got Pictures Screensaver
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    Avira AntiVir Personal - Free Antivirus
    CIF Dual-Mode Camera
    FrostWire 4.13.4
    Google Toolbar for Internet Explorer
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB952287)
    iTunes
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
    Malwarebytes' Anti-Malware
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Media Content
    Microsoft Office XP Small Business
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Nero PhotoShow Express
    Nero Suite
    QuickTime
    RealPlayer
    Rhapsody Player Engine
    Samsung Digimax 201
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Ulead Photo Explorer 8.0 SE Basic
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB946627)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955839)
    Viewpoint Media Player
    ViviCam Digital Camera Driver
    WebFldrs XP
    Windows Driver Package - Camera Maker (MR97310_USB_DUAL_CAMERA) Image 05/02/2006 2.0.1.0
    Windows Driver Package - MARS (mr97310c) Image 04/11/2005 2.0.0.0
    Windows Genuine Advantage v1.3.0254.0
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893086
    Windows XP Service Pack 2
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/4/2011 9:29:49 PM, error: Service Control Manager [7022] - The Avira AntiVir Guard service hung on starting.
    4/4/2011 6:37:44 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    4/4/2011 6:37:44 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\STATIO~1\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    4/4/2011 6:37:44 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    4/4/2011 6:36:03 PM, error: Print [19] - Sharing printer failed + 1722, Printer Lexmark Z53 Color Jetprinter (Copy 2) share name Printer.
    4/4/2011 11:11:39 PM, error: System Error [1003] - Error code 1000000a, parameter1 00000018, parameter2 00000002, parameter3 00000000, parameter4 8050af20.
    4/4/2011 11:05:35 PM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
    4/4/2011 11:04:48 PM, error: Service Control Manager [7034] - The Distributed Transaction Coordinator service terminated unexpectedly. It has done this 1 time(s).
    4/3/2011 8:17:06 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    4/3/2011 8:01:33 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file rcimlby.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.2180.
    4/3/2011 3:07:55 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
    4/3/2011 2:58:11 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    .
    ==== End Of File ===========================

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Station 1 at 0:15:46.07 on Tue 04/05/2011
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.67 [GMT -5:00]
    .
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
    C:\Documents and Settings\Station 1\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.aol.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
    uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
    mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
    BHO: {380973b6-8dbe-4f0d-bfa7-c48d7d3852a3} - c:\windows\system32\jelulede.dll
    BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\cbXPiGaB.dll
    BHO: c:\windows\system32\tyshb36rfjdf.dll: {d5bf49a2-94f1-42bd-f434-3604812c807d} - c:\windows\system32\tyshb36rfjdf.dll
    BHO: {f8420915-984a-4760-9cb5-c8f0d67957b9} - c:\windows\system32\nnnmkJdc.dll
    TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
    TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
    TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    mRun: [jiwewabaso] Rundll32.exe "c:\windows\system32\tumaveko.dll",s
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
    IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm565YYUS
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
    DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - hxxp://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Filter: text/html - {c0874b9f-6e9f-4500-afa3-6d555f6296b8} - c:\windows\system32\msziptools.dll
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Notify: cbXPiGaB - cbXPiGaB.dll
    AppInit_DLLs: c:\windows\system32\beyofaji.dll
    STS: c:\windows\system32\tyshb36rfjdf.dll: {d5bf49a2-94f1-42bd-f434-3604812c807d} - c:\windows\system32\tyshb36rfjdf.dll
    SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\cbXPiGaB.dll
    LSA: Authentication Packages = msv1_0 c:\windows\system32\nnnmkJdc
    LSA: Notification Packages = scecli c:\windows\system32\beyofaji.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-4 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-4 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-4 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-4 61960]
    .
    =============== Created Last 30 ================
    .
    2011-04-05 02:33:11 -------- d-----w- c:\windows\system32\NtmsData
    2011-04-04 23:43:14 -------- d-----w- c:\docume~1\statio~1\applic~1\Avira
    2011-04-04 23:39:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-04-04 23:38:52 -------- d-----w- c:\program files\Avira
    2011-04-04 23:38:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2011-04-04 21:44:23 -------- d-----w- c:\docume~1\statio~1\locals~1\applic~1\Opera
    2011-04-04 21:20:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-04 21:20:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-04-04 21:20:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-04 17:31:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-04 02:05:46 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-04-03 19:59:19 -------- d-----w- c:\windows\pss
    .
    ==================== Find3M ====================
    .
    2008-09-21 06:33:51 62628 --sha-w- c:\windows\system32\jelulede.dll
    2008-12-21 06:33:42 62628 --sha-w- c:\windows\system32\pujawewo.dll
    2008-09-21 06:33:51 62628 --sha-w- c:\windows\system32\tumaveko.dll
    .
    ============= FINISH: 0:18:40.06 ===============
     
  6. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  7. sirnick

    sirnick TS Rookie Topic Starter Posts: 20

    2011/04/06 16:56:26.0671 1912 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
    2011/04/06 16:56:27.0703 1912 ================================================================================
    2011/04/06 16:56:27.0703 1912 SystemInfo:
    2011/04/06 16:56:27.0703 1912
    2011/04/06 16:56:27.0703 1912 OS Version: 5.1.2600 ServicePack: 2.0
    2011/04/06 16:56:27.0703 1912 Product type: Workstation
    2011/04/06 16:56:27.0703 1912 ComputerName: STATION1
    2011/04/06 16:56:27.0703 1912 UserName: Station 1
    2011/04/06 16:56:27.0703 1912 Windows directory: C:\WINDOWS
    2011/04/06 16:56:27.0703 1912 System windows directory: C:\WINDOWS
    2011/04/06 16:56:27.0703 1912 Processor architecture: Intel x86
    2011/04/06 16:56:27.0703 1912 Number of processors: 1
    2011/04/06 16:56:27.0703 1912 Page size: 0x1000
    2011/04/06 16:56:27.0703 1912 Boot type: Normal boot
    2011/04/06 16:56:27.0703 1912 ================================================================================
    2011/04/06 16:56:29.0046 1912 Initialize success
    2011/04/06 16:56:33.0984 0632 ================================================================================
    2011/04/06 16:56:33.0984 0632 Scan started
    2011/04/06 16:56:33.0984 0632 Mode: Manual;
    2011/04/06 16:56:33.0984 0632 ================================================================================
    2011/04/06 16:57:09.0156 0632 Suspicious service (Hidden): TDSSserv.sys
    2011/04/06 16:57:09.0359 0632 TDSSserv.sys (9679cbb6fb2104010efb44910e08a563) C:\WINDOWS\system32\drivers\TDSSmqlt.sys
    2011/04/06 16:57:09.0375 0632 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\TDSSmqlt.sys. md5: 9679cbb6fb2104010efb44910e08a563
    2011/04/06 16:57:09.0375 0632 Suspicious file (Hidden): C:\WINDOWS\system32\drivers\TDSSmqlt.sys. md5: 9679cbb6fb2104010efb44910e08a563
    2011/04/06 16:57:09.0406 0632 TDSSserv.sys - detected Rootkit.Win32.TDSS.tdl2 (0)
    2011/04/06 16:57:15.0359 0632 ================================================================================
    2011/04/06 16:57:15.0359 0632 Scan finished
    2011/04/06 16:57:15.0359 0632 ================================================================================
    2011/04/06 16:57:15.0437 0264 Detected object count: 1
    2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\drivers\TDSSmqlt.sys - will be deleted after reboot
    2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSoiqn.dll - will be deleted after reboot
    2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSlrvd.dat - will be deleted after reboot
    2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSShrxr.dll - will be deleted after reboot
    2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSrtqp.dll - will be deleted after reboot
    2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSxfum.dll - will be deleted after reboot
    2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSlxwp.dll - will be deleted after reboot
    2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSnmxh.log - will be deleted after reboot
    2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSsihc.dll - will be deleted after reboot
    2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSrhyp.log - will be deleted after reboot
    2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSkkbi.log - will be deleted after reboot
    2011/04/06 16:57:29.0343 0264 HKLM\SYSTEM\ControlSet001\services\TDSSserv.sys - will be deleted after reboot
    2011/04/06 16:57:29.0359 0264 HKLM\SYSTEM\ControlSet003\services\TDSSserv.sys - will be deleted after reboot
    2011/04/06 16:57:29.0375 0264 C:\WINDOWS\system32\drivers\TDSSmqlt.sys - will be deleted after reboot
    2011/04/06 16:57:29.0375 0264 Rootkit.Win32.TDSS.tdl2(TDSSserv.sys) - User select action: Delete
    2011/04/06 17:02:18.0468 4076 Deinitialize success

    FYI it wouldn't let me put this program on the desktop, so I had to run it from a flash drive; it still seemed to work, though. Thanks
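As an added triage example (not the thread's own code and not Kaspersky's), here is a small parser for the TDSSKiller log format posted above: it skips the long driver enumeration and keeps only the suspicious objects, the detection, the on-disk file behind the detected service, the action chosen and the pending deletions. It runs on an excerpt of the log above, embedded inline so it works offline.

```python
"""Triage helper for TDSSKiller logs (added example; not Kaspersky's code and
not part of this thread). Reads the line format shown in the post above,
"YYYY/MM/DD HH:MM:SS.ffff PID message", and reduces a long scan log to what a
responder acts on."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")      # name (md5) path
SUSPICIOUS_RE = re.compile(
    r"^Suspicious (service|file) \((\w+)\): (.+?)(?:\. md5: ([0-9a-f]{32}))?$")
DETECTED_RE = re.compile(r"^(\S+) - detected (\S+) \(\d+\)$")
ACTION_RE = re.compile(r"^(\S+)\((\S+)\) - User select action: (\w+)$")
PENDING_RE = re.compile(r"^(.+) - will be deleted after reboot$")


@dataclass
class Triage:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    suspicious: List[Tuple[str, str, str, Optional[str]]] = field(default_factory=list)
    detections: Dict[str, str] = field(default_factory=dict)           # service -> threat
    actions: Dict[str, str] = field(default_factory=dict)              # service -> action
    pending_deletions: List[str] = field(default_factory=list)
    object_count: Optional[int] = None

    def detected_files(self) -> Dict[str, Tuple[str, str]]:
        """(md5, path) recorded by the enumeration for each detected service.
        A hidden service name and its on-disk file name can differ, as above."""
        return {svc: self.drivers[svc] for svc in self.detections if svc in self.drivers}


def parse_tdsskiller_log(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # banners, blank lines, SystemInfo block
        msg = m.group(3).strip()
        d = DRIVER_RE.match(msg)
        if d:
            t.drivers[d.group(1)] = (d.group(2), d.group(3))
            continue
        s = SUSPICIOUS_RE.match(msg)
        if s:
            t.suspicious.append(s.groups())   # (kind, reason, object, md5 or None)
            continue
        d = DETECTED_RE.match(msg)
        if d:
            t.detections[d.group(1)] = d.group(2)
            continue
        a = ACTION_RE.match(msg)
        if a:
            t.actions[a.group(2)] = a.group(3)
            continue
        p = PENDING_RE.match(msg)
        if p:
            if p.group(1) not in t.pending_deletions:   # the log repeats the driver path
                t.pending_deletions.append(p.group(1))
            continue
        if msg.startswith("Detected object count:"):
            t.object_count = int(msg.rsplit(":", 1)[1])
    return t


# Excerpt of the log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
2011/04/06 16:56:33.0984 0632 Scan started
2011/04/06 16:56:33.0984 0632 Mode: Manual;
2011/04/06 16:57:09.0109 0632 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/06 16:57:09.0156 0632 Suspicious service (Hidden): TDSSserv.sys
2011/04/06 16:57:09.0359 0632 TDSSserv.sys (9679cbb6fb2104010efb44910e08a563) C:\WINDOWS\system32\drivers\TDSSmqlt.sys
2011/04/06 16:57:09.0375 0632 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\TDSSmqlt.sys. md5: 9679cbb6fb2104010efb44910e08a563
2011/04/06 16:57:09.0375 0632 Suspicious file (Hidden): C:\WINDOWS\system32\drivers\TDSSmqlt.sys. md5: 9679cbb6fb2104010efb44910e08a563
2011/04/06 16:57:09.0406 0632 TDSSserv.sys - detected Rootkit.Win32.TDSS.tdl2 (0)
2011/04/06 16:57:09.0500 0632 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/06 16:57:15.0359 0632 Scan finished
2011/04/06 16:57:15.0437 0264 Detected object count: 1
2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\drivers\TDSSmqlt.sys - will be deleted after reboot
2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSoiqn.dll - will be deleted after reboot
2011/04/06 16:57:29.0343 0264 HKLM\SYSTEM\ControlSet001\services\TDSSserv.sys - will be deleted after reboot
2011/04/06 16:57:29.0375 0264 C:\WINDOWS\system32\drivers\TDSSmqlt.sys - will be deleted after reboot
2011/04/06 16:57:29.0375 0264 Rootkit.Win32.TDSS.tdl2(TDSSserv.sys) - User select action: Delete
"""

if __name__ == "__main__":
    t = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(t.drivers)} drivers enumerated, {t.object_count} object(s) detected")
    for svc, threat in t.detections.items():
        md5, path = t.detected_files()[svc]
        print(f"  {svc}: {threat} -> {path} (md5 {md5}), action={t.actions.get(svc)}")
    print("pending deletions:", *t.pending_deletions, sep="\n  ")
```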
     
  8. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Very well :)

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    =====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. sirnick

    sirnick TS Rookie Topic Starter Posts: 20

    Broni, once I ran TDSSKiller from the flash drive it made me restart, whereupon, when it had rebooted, the zip file TDSSKiller was on the desktop, where I had tried to put it the first time. Should I re-run TDSSKiller again and paste the log from that session, or just continue with your instructions? Thanks a lot.
     
  10. sirnick

    sirnick TS Rookie Topic Starter Posts: 20

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x0000001d

    Kernel Drivers (total 130):

    Processes (total 25):
    0 System Idle Process
    4 System
    336 C:\WINDOWS\system32\smss.exe
    404 csrss.exe
    428 C:\WINDOWS\system32\winlogon.exe
    576 C:\WINDOWS\system32\services.exe
    588 C:\WINDOWS\system32\lsass.exe
    744 C:\WINDOWS\system32\svchost.exe
    804 svchost.exe
    844 C:\WINDOWS\system32\svchost.exe
    936 svchost.exe
    992 svchost.exe
    1232 C:\WINDOWS\explorer.exe
    1248 C:\WINDOWS\system32\spoolsv.exe
    1332 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1448 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1696 C:\WINDOWS\system32\svchost.exe
    1792 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    1884 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    1892 C:\WINDOWS\system32\ctfmon.exe
    1912 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    528 alg.exe
    1012 C:\WINDOWS\system32\wscntfy.exe
    1864 C:\WINDOWS\system32\notepad.exe
    1684 C:\Documents and Settings\Station 1\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD400JB-00JJA0, Rev: 05.01C05

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!



    ComboFix 11-04-06.03 - Station 1 04/07/2011 8:20.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.92 [GMT -5:00]
    Running from: c:\documents and settings\Station 1\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\program files\Internet Explorer\msimg32.dll
    c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
    c:\windows\system32\cdJkmnnn.ini
    c:\windows\system32\cdJkmnnn.ini2
    c:\windows\system32\eponegef.ini
    c:\windows\system32\mcrh.tmp
    c:\windows\system32\prunnet.exe
    c:\windows\system32\xgtxfhdt.ini
    .
    ----- BITS: Possible infected sites -----
    .
    hxxp://childhe.com
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_TDSSSERV.SYS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-07 to 2011-04-07 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-05 02:33 . 2011-04-06 23:27 -------- d-----w- c:\windows\system32\NtmsData
    2011-04-04 23:43 . 2011-04-04 23:43 -------- d-----w- c:\documents and settings\Station 1\Application Data\Avira
    2011-04-04 23:39 . 2011-03-04 21:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-04-04 23:39 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-04-04 23:39 . 2011-03-04 19:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-04-04 23:39 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-04-04 23:38 . 2011-04-04 23:38 -------- d-----w- c:\program files\Avira
    2011-04-04 23:38 . 2011-04-04 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-04-04 21:44 . 2011-04-04 21:44 -------- d-----w- c:\documents and settings\Station 1\Local Settings\Application Data\Opera
    2011-04-04 21:20 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-04 21:20 . 2011-04-04 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-04-04 21:20 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-04 17:31 . 2011-04-04 21:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-04 02:05 . 2011-04-04 02:05 -------- d--h--w- c:\windows\system32\GroupPolicy
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-21 06:33 62628 --sha-w- c:\windows\system32\pujawewo.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-26 68856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5cde9214]
    2008-12-18 23:34 72704 ----a-w- c:\windows\system32\tdhfxtgx.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2005-06-07 05:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 05:56 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-01-15 09:22 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
    2005-02-26 00:28 212992 ----a-w- c:\progra~1\Nero\data\Xtras\mssysmgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-01-10 21:27 385024 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2007-09-25 07:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2008-01-26 01:52 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "MpfService"=3 (0x3)
    "McShield"=3 (0x3)
    "iPod Service"=3 (0x3)
    "InCDsrvR"=2 (0x2)
    "gusvc"=3 (0x3)
    "Apple Mobile Device"=2 (0x2)
    "aolavupd"=2 (0x2)
    "AOL TopSpeedMonitor"=2 (0x2)
    "AOL ACS"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/4/2011 6:39 PM 135336]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
    .
    2011-04-06 c:\windows\Tasks\tjikrmeg.job
    - c:\windows\system32\khfDvuTk.dll [2008-12-18 23:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.aol.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    Notify-cbXPiGaB - (no file)
    SafeBoot-klmdb.sys
    MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
    MSConfigStartUp-AOLSPScheduler - c:\program files\Common Files\AOL\1159402144\ee\services\safetyCore\ver2_5_4_1\AOLSP Scheduler.exe
    MSConfigStartUp-EmailScan - c:\program files\mcafee.com\antivirus\mcvsescn.exe
    MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1159402144\ee\AOLSoftware.exe
    MSConfigStartUp-jiwewabaso - c:\windows\system32\tumaveko.dll
    MSConfigStartUp-Jnskdfmf9eldfd - c:\docume~1\STATIO~1\LOCALS~1\Temp\csrssc.exe
    MSConfigStartUp-jsf8j34rgfght - c:\docume~1\STATIO~1\LOCALS~1\Temp\winloggn.exe
    MSConfigStartUp-MPFExe - c:\program files\mcafee.com\personal firewall\MPfTray.exe
    MSConfigStartUp-OASClnt - c:\program files\mcafee.com\antivirus\oasclnt.exe
    MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe
    MSConfigStartUp-sscRun - c:\program files\Common Files\AOL\1159402144\ee\SSCRun.exe
    MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
    MSConfigStartUp-Ulead AutoDetector - c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
    AddRemove-AdobeESD - c:\program files\Common Files\Adobe\ESD\uninst.exe
    AddRemove-AOL Deskbar - c:\program files\AOL Deskbar\UNWISE.EXE
    AddRemove-AOL Toolbar - c:\program files\AOL\AOL Toolbar 5.0\uninstall.exe
    AddRemove-AOL YGP Screensaver - c:\program files\Common Files\AOL\Screensaver\uninst_ygpss.exe
    AddRemove-AOLAntivirus - c:\program files\mcafee.com\antivirus\uninst.exe
    AddRemove-AolCoach2_en - c:\program files\Common Files\AolCoach\en_en\AolCInUn.exe
    AddRemove-FrostWire - c:\program files\FrostWire\Uninstall.exe
    AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
    AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
    AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe
    AddRemove-ViviCam Digital Camera Driver - c:\progra~1\VIVICA~1\UNWISE.EXE
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-07 08:29
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-04-07 08:34:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-04-07 13:34
    .
    Pre-Run: 31,424,389,120 bytes free
    Post-Run: 31,491,887,104 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - 713780643295A24A0EE0B3C2DE60BCD3
     
  11. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\pujawewo.dll
    c:\windows\system32\tdhfxtgx.dll
    c:\windows\Tasks\tjikrmeg.job
    c:\windows\system32\khfDvuTk.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5cde9214]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
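    The CFScript above is built by reading the autostart sections of the ComboFix log in the previous post and picking out the entries that do not belong. The script below is an added example, not ComboFix's or Broni's own tooling: it parses the 'Reg Loading Points' and 'Scheduled Tasks' sections of a ComboFix log (here a constructed excerpt assembled from this thread's own entries), flags entries by the traits visible in that log (a DLL launched directly, a bare hex key name, a generated-looking file name outside a vendor directory) and drafts a CFScript in the File:: / Registry:: form used in the thread. The heuristics are my assumptions, not ComboFix's logic, and they only cover autostart points, so a file such as pujawewo.dll from the Find3M section would still have to be added by hand.

```python
"""Autostart triage for a ComboFix log. Added example for this thread, not
ComboFix's or Broni's own code; heuristics only, every hit still needs review."""
import re
from dataclasses import dataclass, field
from typing import List
# Constructed sample in ComboFix's format, built from entries shown in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-26 68856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5cde9214]
2008-12-18 23:34 72704 ----a-w- c:\windows\system32\tdhfxtgx.dll
.
2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
.
2011-04-06 c:\windows\Tasks\tjikrmeg.job
- c:\windows\system32\khfDvuTk.dll [2008-12-18 23:26]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
FILE_LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (?P<path>.+)$")  # date time size attrs path
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>\S+\.job)$", re.IGNORECASE)
TASK_TARGET_RE = re.compile(r"^- (?P<path>.+?)(?: \[[^\]]*\])?$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)
VOWELS = set("aeiouy")


@dataclass
class AutostartEntry:
    source: str                # "run", "startupreg" or "task"
    name: str                  # Run value name, startupreg key name or .job file name
    path: str                  # file the entry launches
    reg_key: str = ""          # full key; removable with [-KEY] in a CFScript
    job_path: str = ""         # the .job file, for scheduled tasks
    reasons: List[str] = field(default_factory=list)


def parse_combofix_autostarts(text: str) -> List[AutostartEntry]:
    """Collect Run values, msconfig\\startupreg keys and scheduled-task entries."""
    entries, lines, i = [], [ln.strip() for ln in text.splitlines()], 0
    while i < len(lines):
        if (k := KEY_RE.match(lines[i])):
            key = k["key"]
            i += 1
            while i < len(lines) and lines[i] != ".":   # "." closes a ComboFix block
                if key.lower().endswith("\\run") and (m := RUN_VALUE_RE.match(lines[i])):
                    entries.append(AutostartEntry("run", m["name"], m["path"], reg_key=key))
                elif "\\msconfig\\startupreg\\" in key.lower() and (m := FILE_LINE_RE.match(lines[i])):
                    entries.append(AutostartEntry("startupreg", key.rsplit("\\", 1)[1], m["path"], reg_key=key))
                i += 1
            continue
        task = TASK_RE.match(lines[i])
        target = TASK_TARGET_RE.match(lines[i + 1]) if task and i + 1 < len(lines) else None
        if target:
            job = task["job"]
            entries.append(AutostartEntry("task", job.rsplit("\\", 1)[1], target["path"], job_path=job))
            i += 1
        i += 1
    return entries


def looks_random(stem: str) -> bool:
    """Eight or more letters with at most a quarter vowels (tjikrmeg, khfDvuTk); ctfmon is too short."""
    if len(stem) < 8 or not stem.isalpha():
        return False
    return sum(c.lower() in VOWELS for c in stem) / len(stem) <= 0.25


def triage(text: str) -> List[AutostartEntry]:
    """Return the entries that trip at least one heuristic, with the reasons filled in."""
    flagged = []
    for e in parse_combofix_autostarts(text):
        file_stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        name_stem = e.name.rsplit(".", 1)[0]
        vendor_dir = "\\program files\\" in e.path.lower() or "\\progra~1\\" in e.path.lower()
        if e.path.lower().endswith(".dll"):
            e.reasons.append("autostart launches a DLL directly")
        if HEX_NAME_RE.match(name_stem):
            e.reasons.append("entry name is a bare hex string")
        if not vendor_dir and (looks_random(file_stem) or looks_random(name_stem)):
            e.reasons.append("generated-looking name outside a vendor directory")
        if e.reasons:
            flagged.append(e)
    return flagged


def build_cfscript(flagged: List[AutostartEntry]) -> str:
    """Draft a CFScript in the File:: / Registry:: form used in the thread."""
    files, keys = [], []
    for e in flagged:
        files += [p for p in (e.path, e.job_path) if p and p not in files]
        if e.source == "startupreg" and e.reg_key not in keys:
            keys.append(e.reg_key)
    out = ["File::", *files]
    if keys:
        out += ["", "Registry::", *[f"[-{k}]" for k in keys]]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    print("\n".join(f"{e.name}: {'; '.join(e.reasons)}" for e in hits), build_cfscript(hits), sep="\n\n")
```

    On the sample, the drafted script lists tdhfxtgx.dll, khfDvuTk.dll and tjikrmeg.job under File:: and the startupreg\5cde9214 key under Registry::, matching the entries Broni picked from the log.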
     
  12. sirnick

    sirnick TS Rookie Topic Starter Posts: 20

    ComboFix 11-04-06.03 - Station 1 04/07/2011 23:33:36.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.121 [GMT -5:00]
    Running from: c:\documents and settings\Station 1\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Station 1\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    FILE ::
    "c:\windows\system32\khfDvuTk.dll"
    "c:\windows\system32\pujawewo.dll"
    "c:\windows\system32\tdhfxtgx.dll"
    "c:\windows\Tasks\tjikrmeg.job"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\khfDvuTk.dll
    c:\windows\system32\pujawewo.dll
    c:\windows\system32\tdhfxtgx.dll
    c:\windows\Tasks\tjikrmeg.job
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-08 to 2011-04-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-05 02:33 . 2011-04-06 23:27 -------- d-----w- c:\windows\system32\NtmsData
    2011-04-04 23:43 . 2011-04-04 23:43 -------- d-----w- c:\documents and settings\Station 1\Application Data\Avira
    2011-04-04 23:39 . 2011-03-04 21:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-04-04 23:39 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-04-04 23:39 . 2011-03-04 19:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-04-04 23:39 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-04-04 23:38 . 2011-04-04 23:38 -------- d-----w- c:\program files\Avira
    2011-04-04 23:38 . 2011-04-04 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-04-04 21:44 . 2011-04-04 21:44 -------- d-----w- c:\documents and settings\Station 1\Local Settings\Application Data\Opera
    2011-04-04 21:20 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-04 21:20 . 2011-04-04 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-04-04 21:20 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-04 17:31 . 2011-04-04 21:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-04 02:05 . 2011-04-04 02:05 -------- d--h--w- c:\windows\system32\GroupPolicy
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-26 68856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2005-06-07 05:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 05:56 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-01-15 09:22 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
    2005-02-26 00:28 212992 ----a-w- c:\progra~1\Nero\data\Xtras\mssysmgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-01-10 21:27 385024 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2007-09-25 07:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2008-01-26 01:52 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "MpfService"=3 (0x3)
    "McShield"=3 (0x3)
    "iPod Service"=3 (0x3)
    "InCDsrvR"=2 (0x2)
    "gusvc"=3 (0x3)
    "Apple Mobile Device"=2 (0x2)
    "aolavupd"=2 (0x2)
    "AOL TopSpeedMonitor"=2 (0x2)
    "AOL ACS"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/4/2011 6:39 PM 135336]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.aol.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-07 23:42
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-04-07 23:47:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-04-08 04:47
    ComboFix2.txt 2011-04-07 13:34
    .
    Pre-Run: 31,495,360,512 bytes free
    Post-Run: 31,486,717,952 bytes free
    .
    - - End Of File - - 20DBD59A281F67F6195F8157F23D09CB

    EDIT: ComboFix also wanted me to connect the PC to the internet so it could submit some malware files for further analysis, so I let it.
     
  13. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Good :)

    How is the computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  14. sirnick

    sirnick TS Rookie Topic Starter Posts: 20

    OTL logfile created on: 4/8/2011 12:37:57 AM - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Station 1\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    254.00 Mb Total Physical Memory | 131.00 Mb Available Physical Memory | 52.00% Memory free
    625.00 Mb Paging File | 396.00 Mb Available in Paging File | 63.00% Paging File free
    Paging file location(s): C:\pagefile.sys 384 768 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.27 Gb Total Space | 29.33 Gb Free Space | 78.69% Space Free | Partition Type: NTFS
    Drive D: | 131.98 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    Drive E: | 1.86 Gb Total Space | 1.63 Gb Free Space | 87.60% Space Free | Partition Type: FAT

    Computer Name: STATION1 | User Name: Station 1 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/04/08 00:26:38 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\OTL.exe
    PRC - [2011/03/04 14:37:00 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
    PRC - [2011/03/04 14:36:52 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    PRC - [2011/03/04 14:36:51 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/04/08 00:26:38 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\OTL.exe
    MOD - [2006/08/25 10:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- -- (Apple Mobile Device)
    SRV - File not found [Disabled | Stopped] -- -- (AOL TopSpeedMonitor)
    SRV - [2011/03/04 14:37:00 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2011/03/04 14:36:52 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2005/07/08 10:24:46 | 000,871,424 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrvR) InCD Helper (read only)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/03/04 16:11:12 | 000,137,656 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
    DRV - [2011/03/04 14:37:13 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
    DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
    DRV - [2010/06/17 14:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2006/05/02 13:38:42 | 000,110,720 | ---- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mr97310c.sys -- (MR97310_USB_DUAL_CAMERA)
    DRV - [2005/07/08 18:17:54 | 000,099,584 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\System32\drivers\InCDfs.sys -- (InCDfs)
    DRV - [2005/07/08 18:17:36 | 000,029,696 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
    DRV - [2005/07/08 10:17:31 | 000,028,672 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\InCDrm.sys -- (incdrm)
    DRV - [2004/08/03 22:29:50 | 000,019,455 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wvchntxx.sys -- (iAimFP4)
    DRV - [2004/08/03 22:29:48 | 000,012,063 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wsiintxx.sys -- (iAimFP3)
    DRV - [2004/08/03 22:29:46 | 000,025,471 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv10nt.sys -- (iAimTV5)
    DRV - [2004/08/03 22:29:46 | 000,023,615 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wch7xxnt.sys -- (iAimTV4)
    DRV - [2004/08/03 22:29:46 | 000,022,271 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv06nt.sys -- (iAimTV6)
    DRV - [2004/08/03 22:29:44 | 000,033,599 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv04nt.sys -- (iAimTV3)
    DRV - [2004/08/03 22:29:44 | 000,019,551 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv02nt.sys -- (iAimTV1)
    DRV - [2004/08/03 22:29:42 | 000,029,311 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv01nt.sys -- (iAimTV0)
    DRV - [2004/08/03 22:29:42 | 000,011,871 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv09nt.sys -- (iAimFP7)
    DRV - [2004/08/03 22:29:40 | 000,011,807 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv07nt.sys -- (iAimFP5)
    DRV - [2004/08/03 22:29:40 | 000,011,295 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv08nt.sys -- (iAimFP6)
    DRV - [2004/08/03 22:29:38 | 000,161,020 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
    DRV - [2004/08/03 22:29:38 | 000,012,415 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv01nt.sys -- (iAimFP0)
    DRV - [2004/08/03 22:29:38 | 000,012,127 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv02nt.sys -- (iAimFP1)
    DRV - [2004/08/03 22:29:38 | 000,011,775 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv05nt.sys -- (iAimFP2)
    DRV - [2001/08/17 08:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_V124.sys -- (V124)
    DRV - [2001/08/17 08:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_TONE.sys -- (Tones)
    DRV - [2001/08/17 08:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
    DRV - [2001/08/17 08:28:10 | 000,073,279 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_SPKP.sys -- (SpeakerPhone)
    DRV - [2001/08/17 08:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_SAMP.sys -- (Rksample)
    DRV - [2001/08/17 08:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_K56K.sys -- (K56)
    DRV - [2001/08/17 08:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FALL.sys -- (Fallback)
    DRV - [2001/08/17 08:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FAXX.sys -- (SoftFax)
    DRV - [2001/08/17 08:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FSKS.sys -- (Fsks)
    DRV - [2001/08/17 08:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_BSC2.sys -- (basic2)
    DRV - [2001/08/17 07:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKLM\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - File not found


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
    IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/
    IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - File not found
    IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2007/12/30 21:30:20 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2011/04/07 23:41:56 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
    O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - File not found
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - File not found
    O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\ShellBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
    O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\ShellBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - File not found
    O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
    O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - File not found
    O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\WebBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - File not found
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
    O9 - Extra Button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - File not found
    O15 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..Trusted Domains: ([]msn in My Computer)
    O15 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
    O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} http://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab (UnagiAx Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Station 1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Station 1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2005/08/21 19:31:20 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16620634377289728)

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/04/08 00:36:02 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\OTL.exe
    [2011/04/07 23:49:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2011/04/07 08:18:48 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/04/07 08:16:16 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/04/07 08:16:16 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/04/07 08:16:16 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/04/07 08:16:16 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/04/07 08:16:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/04/07 08:15:28 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/04/04 21:33:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
    [2011/04/04 18:43:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Station 1\Application Data\Avira
    [2011/04/04 18:40:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
    [2011/04/04 18:39:16 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
    [2011/04/04 18:39:08 | 000,137,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2011/04/04 18:39:08 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
    [2011/04/04 18:39:07 | 000,061,960 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
    [2011/04/04 18:39:07 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
    [2011/04/04 18:38:52 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
    [2011/04/04 18:38:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
    [2011/04/04 16:44:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Station 1\Local Settings\Application Data\Opera
    [2011/04/04 16:44:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Station 1\Application Data\Opera
    [2011/04/04 16:40:56 | 007,469,592 | ---- | C] (Opera Software ASA) -- C:\Documents and Settings\Station 1\Desktop\Opera_1101_en_Setup.exe
    [2011/04/04 16:26:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Station 1\Application Data\Macromedia
    [2011/04/04 16:20:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/04/04 16:20:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/04/04 16:20:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2011/04/04 16:20:32 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/04/04 12:42:25 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Station 1\Desktop\mbam-setup-1.50.1.1100.exe
    [2011/04/04 12:31:49 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/04/04 12:21:18 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\TFC.exe
    [2011/04/03 21:05:46 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
    [2011/04/03 20:21:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Station 1\Application Data\Google
    [2011/04/03 20:21:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Station 1\Application Data\Microsoft
    [2011/04/03 14:59:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss

    ========== Files - Modified Within 30 Days ==========

    [2011/04/08 00:32:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/04/08 00:32:48 | 266,420,224 | -HS- | M] () -- C:\hiberfil.sys
    [2011/04/08 00:26:38 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\OTL.exe
    [2011/04/07 23:41:56 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/04/07 08:18:54 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2011/04/07 08:04:48 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Station 1\Desktop\MBRCheck.exe
    [2011/04/07 08:02:42 | 004,315,750 | R--- | M] () -- C:\Documents and Settings\Station 1\Desktop\ComboFix.exe
    [2011/04/06 18:10:36 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\rowirafe
    [2011/04/06 16:50:12 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/04/06 16:41:34 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Station 1\Desktop\tdsskiller.zip
    [2011/04/04 18:40:22 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2011/04/04 16:41:26 | 007,469,592 | ---- | M] (Opera Software ASA) -- C:\Documents and Settings\Station 1\Desktop\Opera_1101_en_Setup.exe
    [2011/04/04 16:20:38 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/04/04 13:26:28 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Station 1\Desktop\dds.scr
    [2011/04/04 13:22:06 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Station 1\Desktop\9996xb45.exe
    [2011/04/04 13:20:36 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Station 1\Desktop\mbam-setup-1.50.1.1100.exe
    [2011/04/04 13:19:06 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\TFC.exe
    [2011/04/03 21:28:41 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2011/04/03 15:00:10 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/04/03 15:00:10 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/04/03 14:58:41 | 000,119,712 | ---- | M] () -- C:\WINDOWS\System32\Status.MPF
    [2011/04/03 14:58:08 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn

    ========== Files Created - No Company Name ==========

    [2011/04/07 08:18:54 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2011/04/07 08:18:50 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/04/07 08:16:16 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/04/07 08:16:16 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/04/07 08:16:16 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/04/07 08:16:16 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/04/07 08:16:16 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/04/07 08:14:04 | 004,315,750 | R--- | C] () -- C:\Documents and Settings\Station 1\Desktop\ComboFix.exe
    [2011/04/07 08:12:29 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Station 1\Desktop\MBRCheck.exe
    [2011/04/06 16:54:47 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Station 1\Desktop\tdsskiller.zip
    [2011/04/05 00:14:45 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Station 1\Desktop\dds.scr
    [2011/04/04 23:13:23 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\Station 1\Desktop\9996xb45.exe
    [2011/04/04 18:40:22 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2011/04/04 16:20:38 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2008/12/21 01:34:56 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\amwwsbkb.dll
    [2008/12/18 18:34:33 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\xxywwTkI.dll
    [2008/12/18 18:34:32 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\qbsbhc.dll
    [2008/12/18 18:34:28 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\adonxpyk.dll
    [2008/01/18 15:47:38 | 000,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
    [2007/07/03 01:17:13 | 000,002,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
    [2007/05/27 18:49:01 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2006/11/22 02:53:15 | 000,000,028 | ---- | C] () -- C:\WINDOWS\atid.ini
    [2006/11/04 04:16:22 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\Station 1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2006/09/27 19:12:28 | 000,000,715 | ---- | C] () -- C:\WINDOWS\aolback.exe.lnk
    [2006/09/27 19:06:59 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2006/09/24 19:55:42 | 000,000,026 | ---- | C] () -- C:\WINDOWS\marscam.ini
    [2006/09/24 19:53:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PTWebCam.INI
    [2006/09/06 17:44:40 | 000,000,071 | ---- | C] () -- C:\WINDOWS\pex.INI
    [2006/09/06 17:37:36 | 000,000,151 | ---- | C] () -- C:\WINDOWS\Ulead32.ini
    [2006/09/06 17:32:35 | 000,104,593 | ---- | C] () -- C:\WINDOWS\System32\drivers\MPIXVID.SYS
    [2006/08/16 16:09:17 | 001,441,280 | ---- | C] () -- C:\WINDOWS\DelphiUninstall.exe
    [2005/08/21 20:04:21 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2005/08/21 19:40:27 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
    [2005/08/21 19:35:15 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2005/08/21 19:27:38 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2005/08/21 14:14:48 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2005/08/21 14:13:49 | 000,276,560 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2001/10/12 10:58:20 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\mr310exd.dll
    [2001/10/12 10:57:18 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\mr310exv.dll
    [2001/08/18 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2001/08/18 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2001/08/18 07:00:00 | 000,311,604 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2001/08/18 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2001/08/18 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2001/08/18 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2001/08/18 07:00:00 | 000,039,992 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2001/08/18 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2001/08/18 07:00:00 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2001/08/18 07:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2001/08/18 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2000/12/07 10:13:58 | 000,015,164 | ---- | C] () -- C:\WINDOWS\mr310twc.ini

    ========== LOP Check ==========

    [2006/09/06 17:37:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
    [2006/11/22 02:45:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2011/04/04 16:44:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Station 1\Application Data\Opera

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2005/08/21 19:31:20 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2011/04/03 21:28:41 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2011/04/07 08:18:54 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/04/07 23:47:50 | 000,007,597 | ---- | M] () -- C:\ComboFix.txt
    [2005/08/21 19:31:20 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2011/04/08 00:32:48 | 266,420,224 | -HS- | M] () -- C:\hiberfil.sys
    [2005/08/21 19:31:20 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2005/08/21 19:31:20 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2005/08/24 20:57:53 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2005/08/24 20:57:53 | 000,250,032 | RHS- | M] () -- C:\ntldr
    [2011/04/08 00:32:46 | 402,653,184 | -HS- | M] () -- C:\pagefile.sys
    [2006/09/27 17:28:40 | 000,000,058 | -H-- | M] () -- C:\T4Metrics.log
    [2011/04/06 17:02:18 | 000,047,104 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_06.04.2011_16.56.26_log.txt

    < %systemroot%\Fonts\*.com >

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2005/08/21 19:30:50 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2004/11/17 16:24:24 | 000,421,888 | ---- | M] () -- C:\WINDOWS\Nero PhotoShow.scr

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2005/08/21 14:12:59 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2005/08/21 14:12:59 | 000,630,784 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2005/08/21 14:12:59 | 000,385,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2005/08/24 21:03:24 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >

    < %USERPROFILE%\Desktop\*.exe >
    [2011/04/04 13:22:06 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Station 1\Desktop\9996xb45.exe
    [2011/04/04 16:28:59 | 000,568,696 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Station 1\Desktop\ChromeSetup.exe
    [2011/04/07 08:02:42 | 004,315,750 | R--- | M] () -- C:\Documents and Settings\Station 1\Desktop\ComboFix.exe
    [2011/04/04 13:20:36 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Station 1\Desktop\mbam-setup-1.50.1.1100.exe
    [2011/04/07 08:04:48 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Station 1\Desktop\MBRCheck.exe
    [2011/04/04 16:41:26 | 007,469,592 | ---- | M] (Opera Software ASA) -- C:\Documents and Settings\Station 1\Desktop\Opera_1101_en_Setup.exe
    [2011/04/08 00:26:38 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\OTL.exe
    [2011/04/04 13:19:06 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\TFC.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >
    [2007/10/09 09:42:05 | 000,012,106 | ---- | M] () -- C:\WINDOWS\mr310twc.src

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2005/08/24 21:11:26 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Station 1\Favorites\Desktop.ini
    [2007/05/09 10:49:34 | 000,001,288 | ---- | M] () -- C:\Documents and Settings\Station 1\Favorites\Microsoft bCentral.lnk

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/04/08 00:32:55 | 000,311,296 | ---- | M] () -- C:\Documents and Settings\Station 1\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2004/08/04 00:56:58 | 000,208,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2001/05/02 15:24:18 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\blogo.gif
    [2004/08/04 00:56:42 | 000,028,672 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/07/17 11:41:10 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2001/03/07 06:00:26 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2001/05/22 13:06:52 | 000,000,866 | ---- | M] () -- C:\Program Files\Messenger\mailtmpl.txt
    [2008/05/02 09:22:02 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2004/08/04 00:56:14 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2004/10/13 11:24:37 | 001,694,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2001/02/01 06:00:26 | 000,000,685 | ---- | M] () -- C:\Program Files\Messenger\msmsgs.exe.manifest
    [2001/08/01 21:58:12 | 000,016,415 | ---- | M] () -- C:\Program Files\Messenger\msmsgsin.exe
    [2004/07/17 11:41:10 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2004/07/17 11:41:10 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2004/07/17 11:41:10 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2000/12/05 13:10:32 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/07/17 11:41:06 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < End of report >
     
  15. sirnick

    sirnick TS Rookie Topic Starter Posts: 20

    OTL Extras logfile created on: 4/8/2011 12:37:57 AM - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Station 1\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    254.00 Mb Total Physical Memory | 131.00 Mb Available Physical Memory | 52.00% Memory free
    625.00 Mb Paging File | 396.00 Mb Available in Paging File | 63.00% Paging File free
    Paging file location(s): C:\pagefile.sys 384 768 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.27 Gb Total Space | 29.33 Gb Free Space | 78.69% Space Free | Partition Type: NTFS
    Drive D: | 131.98 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    Drive E: | 1.86 Gb Total Space | 1.63 Gb Free Space | 87.60% Space Free | Partition Type: FAT

    Computer Name: STATION1 | User Name: Station 1 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
    "{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
    "{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
    "{4D8E38A1-0932-11D7-8E11-0080C8274868}" = Samsung Digimax 201
    "{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
    "{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}" = QuickTime
    "{857343AD-9A00-4287-BF8B-F65C9633CA0C}" = CIF Dual-Mode Camera
    "{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
    "{91130409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Small Business
    "{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
    "{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
    "{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}" = iTunes
    "{D271DAE0-8D68-4C97-8356-A126D48A1D8C}" = Ulead Photo Explorer 8.0 SE Basic
    "{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}" = Apple Mobile Device Support
    "AskSBar Uninstall" = Ask Toolbar
    "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "mr97310c_79b33283ba293e6c94e125bce27e0ecded0a2591" = Windows Driver Package - Camera Maker (MR97310_USB_DUAL_CAMERA) Image 05/02/2006 2.0.1.0
    "mr97310c_e6b1f8ca93ed72ea043389d1fb2e937f663f6786" = Windows Driver Package - MARS (mr97310c) Image 04/11/2005 2.0.0.0
    "Nero PhotoShow Express" = Nero PhotoShow Express
    "NeroMultiInstaller!UninstallKey" = Nero Suite
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "ShockwaveFlash" = Adobe Flash Player 9 ActiveX
    "Windows XP Service Pack" = Windows XP Service Pack 2

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 4/4/2011 5:29:05 PM | Computer Name = STATION1 | Source = Application Error | ID = 1000
    Description = Faulting application googleupdate.exe, version 1.2.183.21, faulting
    module googleupdate.exe, version 1.2.183.21, fault address 0x000050de.

    Error - 4/4/2011 5:29:32 PM | Computer Name = STATION1 | Source = Application Error | ID = 1000
    Description = Faulting application googleupdate.exe, version 1.2.183.21, faulting
    module googleupdate.exe, version 1.2.183.21, fault address 0x000050de.

    Error - 4/4/2011 5:29:44 PM | Computer Name = STATION1 | Source = Application Error | ID = 1000
    Description = Faulting application googleupdate.exe, version 1.2.183.21, faulting
    module googleupdate.exe, version 1.2.183.21, fault address 0x000050de.

    Error - 4/4/2011 5:30:04 PM | Computer Name = STATION1 | Source = Application Error | ID = 1000
    Description = Faulting application googleupdate.exe, version 1.2.183.21, faulting
    module googleupdate.exe, version 1.2.183.21, fault address 0x000050de.

    Error - 4/4/2011 5:31:35 PM | Computer Name = STATION1 | Source = Application Error | ID = 1000
    Description = Faulting application googleupdate.exe, version 1.2.183.21, faulting
    module googleupdate.exe, version 1.2.183.21, fault address 0x000050de.

    Error - 4/4/2011 5:33:33 PM | Computer Name = STATION1 | Source = Application Error | ID = 1000
    Description = Faulting application googleupdate.exe, version 1.2.183.21, faulting
    module googleupdate.exe, version 1.2.183.21, fault address 0x000050de.

    Error - 4/4/2011 5:37:20 PM | Computer Name = STATION1 | Source = Application Error | ID = 1000
    Description = Faulting application googleupdate.exe, version 1.2.183.21, faulting
    module googleupdate.exe, version 1.2.183.21, fault address 0x000050de.

    [ System Events ]
    Error - 4/6/2011 5:52:40 PM | Computer Name = STATION1 | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
    Service service to connect.

    Error - 4/6/2011 5:52:40 PM | Computer Name = STATION1 | Source = Service Control Manager | ID = 7000
    Description = The Application Layer Gateway Service service failed to start due
    to the following error: %%1053

    Error - 4/6/2011 5:53:29 PM | Computer Name = STATION1 | Source = DCOM | ID = 10010
    Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
    with DCOM within the required timeout.

    Error - 4/6/2011 5:54:06 PM | Computer Name = STATION1 | Source = DCOM | ID = 10010
    Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
    with DCOM within the required timeout.

    Error - 4/6/2011 6:03:34 PM | Computer Name = STATION1 | Source = sr | ID = 1
    Description = The System Restore filter encountered the unexpected error '0xC0000001'
    while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
    the volume.

    Error - 4/6/2011 6:19:02 PM | Computer Name = STATION1 | Source = DCOM | ID = 10010
    Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
    with DCOM within the required timeout.

    Error - 4/6/2011 6:21:30 PM | Computer Name = STATION1 | Source = DCOM | ID = 10010
    Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
    with DCOM within the required timeout.

    Error - 4/6/2011 6:54:04 PM | Computer Name = STATION1 | Source = DCOM | ID = 10010
    Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
    with DCOM within the required timeout.

    Error - 4/6/2011 6:56:18 PM | Computer Name = STATION1 | Source = DCOM | ID = 10010
    Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
    with DCOM within the required timeout.

    Error - 4/6/2011 7:07:38 PM | Computer Name = STATION1 | Source = Service Control Manager | ID = 7034
    Description = The Distributed Transaction Coordinator service terminated unexpectedly.
    It has done this 1 time(s).


    < End of report >

    NOTE: While I was doing the OTL scan Avira was on and it detected 2 malware files. I disabled Avira and let OTL finish.
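The Extras log in this post records the settings that the later Security Check output complains about ("Windows Firewall Disabled!" corresponds to "EnableFirewall" = 0 under the StandardProfile key) together with the shell-spawning handlers that decide what really runs when an .exe, .bat or .scr is opened. The script below is an added example of reading such a log for those two things; it is not part of OTL and was not posted in this thread. It assumes the stock Windows XP handler values that this log shows (`"%1" %*` for batfile, cmdfile, comfile, exefile and piffile, `"%1" /S` for scrfile), and its sample input is a constructed, abridged log in the same layout.

```python
"""Triage an OTL 'Extras' log: disabled firewall profiles, port exceptions open to
any address, and shell-spawning handlers that differ from the stock XP values."""
import re
from typing import Dict, List

# Constructed sample in the layout of the OTL Extras log above (abridged).
SAMPLE_LOG = r"""
========== Shell Spawning ==========
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
exefile [open] -- "%1" %*
scrfile [open] -- "%1" /S
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"""

# Stock Windows XP handlers (assumed defaults); a healthy log shows exactly these.
DEFAULT_HANDLERS = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
}
SECTION_RE = re.compile(r"^=+ (.+?) =+$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')
HANDLER_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.*)$")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-blank lines under their '========== Name ==========' header."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_registry(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Turn '[HKEY...]' blocks with '"name" = value' lines into nested dicts."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
        elif current is not None:
            vm = VALUE_RE.match(line)
            if vm:
                keys[current][vm.group(1)] = vm.group(2)
    return keys


def check_shell_spawning(lines: List[str]) -> List[str]:
    """Any handler that differs from the stock value deserves a close look."""
    findings = []
    for line in lines:
        m = HANDLER_RE.match(line)
        if m:
            ftype, verb, cmd = m.groups()
            expected = DEFAULT_HANDLERS.get((ftype, verb))
            if expected is not None and cmd != expected:
                findings.append(f"{ftype} [{verb}] handler is {cmd!r}, expected {expected!r}")
    return findings


def check_firewall(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Report a disabled profile and any port exception whose scope is '*' (any address)."""
    findings = []
    for key, values in keys.items():
        parts = key.split("\\")
        if parts[-1] in ("DomainProfile", "StandardProfile") and values.get("EnableFirewall") == "0":
            findings.append(f"Windows Firewall disabled in {parts[-1]}")
        if parts[-2:] == ["GloballyOpenPorts", "List"]:
            for name, value in values.items():
                fields = value.split(":")  # port:proto:scope:state:description
                if len(fields) > 2 and fields[2] == "*":
                    findings.append(f"port {name} open to any address in {parts[-3]}")
    return findings


def triage(text: str) -> List[str]:
    sections = split_sections(text)
    findings = check_shell_spawning(sections.get("Shell Spawning", []))
    findings += check_firewall(parse_registry(sections.get("Firewall Settings", [])))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("WARNING:", finding)
```

On the sample it reports the two DomainProfile exceptions with a `*` scope (any source address, as opposed to LocalSubNet) and the disabled StandardProfile firewall; the handler check stays quiet because every handler matches its stock value, and it speaks up only when one has been changed.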
     
  16. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    You didn't say:
     
  17. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ===================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKLM\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - File not found
      IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - File not found
      O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - File not found
      O3 - HKLM\..\Toolbar: (Ask Toolbar) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - File not found
      O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\ShellBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - File not found
      O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - File not found
      O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\WebBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - File not found
      O9 - Extra Button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - File not found
      O15 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..Trusted Domains: ([]msn in My Computer)
      O15 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
      O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
      [2008/12/21 01:34:56 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\amwwsbkb.dll
      [2008/12/18 18:34:33 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\xxywwTkI.dll
      [2008/12/18 18:34:32 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\qbsbhc.dll
      [2008/12/18 18:34:28 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\adonxpyk.dll
      [2006/11/22 02:45:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =====================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  18. sirnick

    sirnick TS Rookie Topic Starter Posts: 20

    OTL---
    All processes killed
    Error: Unable to interpret <IE - HKLM\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - File not found> in the current context!
    Error: Unable to interpret <IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - File not found> in the current context!
    Error: Unable to interpret <O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - File not found> in the current context!
    Error: Unable to interpret <O3 - HKLM\..\Toolbar: (Ask Toolbar) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - File not found> in the current context!
    Error: Unable to interpret <O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\ShellBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - File not found> in the current context!
    Error: Unable to interpret <O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - File not found> in the current context!
    Error: Unable to interpret <O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\WebBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - File not found> in the current context!
    Error: Unable to interpret <O9 - Extra Button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - File not found> in the current context!
    Error: Unable to interpret <O15 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..Trusted Domains: ([]msn in My Computer)> in the current context!
    Error: Unable to interpret <O15 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)> in the current context!
    Error: Unable to interpret <O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)> in the current context!
    Error: Unable to interpret <[2008/12/21 01:34:56 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\amwwsbkb.dll> in the current context!
    Error: Unable to interpret <[2008/12/18 18:34:33 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\xxywwTkI.dll> in the current context!
    Error: Unable to interpret <[2008/12/18 18:34:32 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\qbsbhc.dll> in the current context!
    Error: Unable to interpret <[2008/12/18 18:34:28 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\adonxpyk.dll> in the current context!
    Error: Unable to interpret <[2006/11/22 02:45:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint> in the current context!
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Station 1
    ->Temp folder emptied: 10207916 bytes
    ->Temporary Internet Files folder emptied: 4473803 bytes
    ->Java cache emptied: 0 bytes
    ->Opera cache emptied: 240 bytes
    ->Flash cache emptied: 348 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 43172 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 14.00 mb


    [EMPTYFLASH]

    User: All Users
    ->Flash cache emptied: 0 bytes

    User: Default User

    User: LocalService

    User: NetworkService

    User: Station 1
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.22.3 log created on 04112011_074048

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...

    -----
    Checkup.txt

    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 2
    Out of date service pack!!
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    Avira AntiVir Personal - Free Antivirus
    Antivirus out of date! (On Access scanning disabled!)
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 24
    Java(TM) SE Runtime Environment 6 Update 1
    Java(TM) 6 Update 3
    Out of date Java installed!
    Adobe Flash Player 9 (Out of date Flash Player installed!)
    Adobe Reader 7.0.8
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    ``````````End of Log````````````

    -----
    ESETSCAN.txt

    C:\Qoobox\Quarantine\[4]-Submit_2011-04-07_23.33.20.zip multiple threats
    C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Win32/Toolbar.MyWebSearch application
    C:\Qoobox\Quarantine\C\WINDOWS\system32\cdJkmnnn.ini.vir Win32/Adware.Virtumonde.NEO application
    C:\Qoobox\Quarantine\C\WINDOWS\system32\cdJkmnnn.ini2.vir Win32/Adware.Virtumonde.NEO application
    C:\Qoobox\Quarantine\C\WINDOWS\system32\eponegef.ini.vir Win32/Adware.Virtumonde.NEO application
    C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir Win32/VB.NUC trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\xgtxfhdt.ini.vir Win32/Adware.Virtumonde.NEO application
    C:\System Volume Information\_restore{7D2E60AD-9DC1-453A-9A8E-DD4146391507}\RP619\A0119054.dll Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{7D2E60AD-9DC1-453A-9A8E-DD4146391507}\RP619\A0119055.ini Win32/Adware.Virtumonde.NEO application
    C:\System Volume Information\_restore{7D2E60AD-9DC1-453A-9A8E-DD4146391507}\RP619\A0119056.ini Win32/Adware.Virtumonde.NEO application
    C:\System Volume Information\_restore{7D2E60AD-9DC1-453A-9A8E-DD4146391507}\RP619\A0119057.exe Win32/VB.NUC trojan
    C:\System Volume Information\_restore{7D2E60AD-9DC1-453A-9A8E-DD4146391507}\RP619\A0119058.ini Win32/Adware.Virtumonde.NEO application
    C:\WINDOWS\system32\adonxpyk.dll a variant of Win32/Adware.Virtumonde.NEE application
    C:\WINDOWS\system32\amwwsbkb.dll a variant of Win32/Adware.Virtumonde.NEE application
    C:\WINDOWS\system32\pmnkLCRk.dll a variant of Win32/Adware.Virtumonde.NEI application
    C:\WINDOWS\system32\qbsbhc.dll a variant of Win32/Adware.Virtumonde.NEE application
    C:\WINDOWS\system32\xxywwTkI.dll Win32/Adware.Virtumonde application

    EDIT: Oh, you asked how the computer is doing. The computer is doing a little better. Still seems a little sick.
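The ESET results above mix three kinds of location: files already moved into ComboFix's quarantine under C:\Qoobox\Quarantine, copies captured in System Restore snapshots under System Volume Information\_restore, and DLLs still live in C:\WINDOWS\system32. Only the last group is still active on the machine and belongs in an OTL :Files fix; restore-point copies are dealt with by the [CLEARALLRESTOREPOINTS] step used in this thread. The script below is an added example and is not part of the thread, of ESET or of OTL: it sorts ESET lines by location and emits the :Files form of OTL fix shown here. The sample input is constructed from a subset of the paths above, and the two path prefixes it keys on are assumptions taken from those paths.

```python
"""Sort ESET Online Scanner results by where each file lives, so that an OTL
:Files fix only names files that are still active on the system."""
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in the format of the ESET log above (abridged).
SAMPLE_ESET = r"""
C:\Qoobox\Quarantine\[4]-Submit_2011-04-07_23.33.20.zip multiple threats
C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir Win32/VB.NUC trojan
C:\System Volume Information\_restore{7D2E60AD-9DC1-453A-9A8E-DD4146391507}\RP619\A0119057.exe Win32/VB.NUC trojan
C:\WINDOWS\system32\adonxpyk.dll a variant of Win32/Adware.Virtumonde.NEE application
C:\WINDOWS\system32\xxywwTkI.dll Win32/Adware.Virtumonde application
"""

QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"          # ComboFix quarantine (assumed prefix)
RESTORE_MARK = "\\system volume information\\_restore"  # System Restore snapshots


class Finding(NamedTuple):
    path: str
    threat: str
    location: str  # "quarantine", "restore_point" or "live"


def classify_path(path: str) -> str:
    low = path.lower()
    if low.startswith(QUARANTINE_PREFIX):
        return "quarantine"
    if RESTORE_MARK in low:
        return "restore_point"
    return "live"


def parse_eset_line(line: str) -> Optional[Finding]:
    """Split 'path threat-name category'. The path may contain spaces, so work from the right."""
    tokens = line.split()
    if len(tokens) < 3:
        return None
    if tokens[-2:] == ["multiple", "threats"]:  # archive verdict has no category token
        path = " ".join(tokens[:-2])
        return Finding(path, "multiple threats", classify_path(path))
    category, name, rest = tokens[-1], tokens[-2], tokens[:-2]
    if rest[-3:] == ["a", "variant", "of"]:
        name, rest = "a variant of " + name, rest[:-3]
        if rest and rest[-1] == "probably":
            name, rest = "probably " + name, rest[:-1]
    path = " ".join(rest)
    return Finding(path, f"{name} {category}", classify_path(path))


def classify_log(text: str) -> Dict[str, List[Finding]]:
    groups: Dict[str, List[Finding]] = {"quarantine": [], "restore_point": [], "live": []}
    for line in text.splitlines():
        finding = parse_eset_line(line.strip())
        if finding:
            groups[finding.location].append(finding)
    return groups


def otl_files_fix(paths: List[str]) -> str:
    """Build an OTL fix in the :Files form used in the thread. Restore-point copies are
    left to the separate [CLEARALLRESTOREPOINTS] step rather than listed here."""
    body = [":OTL", "", ":Files", *paths, "", ":Commands", "[purity]", "[emptytemp]", "[emptyflash]", "[Reboot]"]
    return "\n".join(body)


if __name__ == "__main__":
    groups = classify_log(SAMPLE_ESET)
    for location, findings in groups.items():
        for f in findings:
            print(f"{location:13} {f.path}  ({f.threat})")
    print(otl_files_fix([f.path for f in groups["live"]]))
```

Run on the sample, the quarantine and restore-point hits are separated out and only the two system32 DLLs end up in the generated :Files block, which is the same selection the fix posted later in this thread makes by hand.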
     
  19. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Why is Avira listed as outdated?
    Please, update it immediately.

    =======================================================================

    Uninstall:
    Java(TM) SE Runtime Environment 6 Update 1
    Java(TM) 6 Update 3


    =================================================================

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

    =====================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      C:\WINDOWS\system32\adonxpyk.dll 
      C:\WINDOWS\system32\amwwsbkb.dll 
      C:\WINDOWS\system32\pmnkLCRk.dll 
      C:\WINDOWS\system32\qbsbhc.dll 
      C:\WINDOWS\system32\xxywwTkI.dll
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ===================================================================

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current (including Service Pack 3 installation!)

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web Of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
     
  20. sirnick

    sirnick TS Rookie Topic Starter Posts: 20

    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\WINDOWS\system32\adonxpyk.dll moved successfully.
    C:\WINDOWS\system32\amwwsbkb.dll moved successfully.
    C:\WINDOWS\system32\pmnkLCRk.dll moved successfully.
    File\Folder C:\WINDOWS\system32\qbsbhc.dll not found.
    C:\WINDOWS\system32\xxywwTkI.dll moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Station 1
    ->Temp folder emptied: 99694 bytes
    ->Temporary Internet Files folder emptied: 7048305 bytes
    ->Java cache emptied: 0 bytes
    ->Opera cache emptied: 0 bytes
    ->Flash cache emptied: 348 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1267 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 7.00 mb


    [EMPTYFLASH]

    User: All Users
    ->Flash cache emptied: 0 bytes

    User: Default User

    User: LocalService

    User: NetworkService

    User: Station 1
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.22.3 log created on 04132011_124508

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...

    -------

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Station 1
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Opera cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 483 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users
    ->Flash cache emptied: 0 bytes

    User: Default User

    User: LocalService

    User: NetworkService

    User: Station 1
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.22.3 log created on 04132011_125044

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
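The OTL fix script posted above lists the DLLs to remove, and the log posted after it reports each one as "moved successfully" or "not found". The following is an added example, not code from the thread or from OTL, that parses both formats and flags any requested path the log never accounts for, which is the case where a re-scan would be warranted. Both input strings are constructed to mirror the thread, with one path deliberately left out of the log.

```python
import re

# Constructed :Files section modelled on the fix script posted in this thread.
FIX_SCRIPT = """:OTL
:Files
C:\\WINDOWS\\system32\\adonxpyk.dll
C:\\WINDOWS\\system32\\amwwsbkb.dll
C:\\WINDOWS\\system32\\pmnkLCRk.dll
C:\\WINDOWS\\system32\\qbsbhc.dll
C:\\WINDOWS\\system32\\xxywwTkI.dll
:Commands
[emptytemp]
[Reboot]
"""

# Constructed log excerpt; pmnkLCRk.dll is deliberately absent to show the gap check.
FIX_LOG = """========== FILES ==========
C:\\WINDOWS\\system32\\adonxpyk.dll moved successfully.
C:\\WINDOWS\\system32\\amwwsbkb.dll moved successfully.
File\\Folder C:\\WINDOWS\\system32\\qbsbhc.dll not found.
C:\\WINDOWS\\system32\\xxywwTkI.dll moved successfully.
========== COMMANDS ==========
"""

MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
NOT_FOUND_RE = re.compile(r"^File\\Folder (?P<path>.+?) not found\.$")

def files_in_fix_script(script: str) -> list:
    """Paths listed under :Files, up to the next ':' directive."""
    paths, in_files = [], False
    for line in (l.strip() for l in script.splitlines()):
        if line.startswith(":"):           # a new OTL section header
            in_files = line.lower() == ":files"
        elif line and in_files:
            paths.append(line)
    return paths

def parse_fix_log(log: str) -> dict:
    """Outcome per path in the FILES part of the log, keyed case-insensitively."""
    outcome = {}
    for line in (l.strip() for l in log.splitlines()):
        if m := MOVED_RE.match(line):
            outcome[m.group("path").lower()] = "moved"
        elif m := NOT_FOUND_RE.match(line):
            outcome[m.group("path").lower()] = "not found"
    return outcome

def reconcile(script: str, log: str) -> dict:
    """Every requested path -> 'moved', 'not found' or 'unaccounted'."""
    seen = parse_fix_log(log)   # Windows paths compare case-insensitively
    return {p: seen.get(p.lower(), "unaccounted") for p in files_in_fix_script(script)}
```

Any path reported as "unaccounted" did not appear in the FILES section of the log at all, which is different from OTL saying it was not found.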
     
  21. sirnick

    sirnick TS Rookie Topic Starter Posts: 20

    Computer is running much better Broni. Thank you so much :)
     
  22. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Yes!!
    Good luck and stay safe :)
     