Solved: I can't get rid of this registry file


sirnick

I have an old computer that I have been trying to clean up. I've got it running smoothly but there is this one file that is ANNOYING. I run msconfig and UNcheck it, but when I reboot it rechecks itself. It has turned off regedit, so I used a cmd prompt to turn it back on. And when I go into regedit and manually find and delete the string, I reboot, open regedit, only to find the string is back and NOT GONE. Any help would be awesome.

EDIT: I just noticed the 8-step removal thread, checking that now, sorry for newbness.

EDIT(2): Ok, I have reviewed the 8-step removal thread and downloaded all the programs listed. To ensure safeness I tested the process out on my current computer and everything ran and scanned perfectly. So I saved all the programs (Avira, TFC, MBAM, GMER, DDS) to a flash drive and started the process on the computer with this "problem." TFC ran great and did everything it was supposed to. I installed MBAM and it seemed to install, but when I tried to Launch and Update, no window popped up indicating that it was updating. So I hit ctrl+shift+esc and checked the processes; I see mbam.exe in the processes but I can't see it on my screen. So I end the process and double-click the shortcut on my desktop. Still nothing; I check the processes again and there it is, mbam.exe running, but I still cannot see it. Also, I downloaded Chrome and Opera to this computer and it WILL NOT let me install either program. Chrome gets an error message before it can even install any files, and Opera gets to the point where a shortcut is created, but then an error window pops up saying "can't create shortcut to desktop" and upon clicking OK on that window, it removes the shortcut and all the files dealing with Opera. This is strange to me, but I would love to figure this out. I will now just install Avira and see if it sees anything, and I will keep this post updated.
 
Welcome aboard


Please complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
Attached logs won't be reviewed.
Complete as many steps as you can.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
Ok, I can't run MBAM at all on that computer, so I will just skip that step. The post with logs will be here soon.
 
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-05 00:14:03
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400JB-00JJA0 rev.05.01C05
Running: 9996xb45.exe; Driver: C:\DOCUME~1\STATIO~1\LOCALS~1\Temp\pxlyypow.sys


---- System - GMER 1.0.15 ----

SSDT F8A70136 ZwCreateKey
SSDT F8A7012C ZwCreateThread
SSDT F8A7013B ZwDeleteKey
SSDT F8A70145 ZwDeleteValueKey
SSDT F8A7014A ZwLoadKey
SSDT F8A70118 ZwOpenProcess
SSDT F8A7011D ZwOpenThread
SSDT F8A70154 ZwReplaceKey
SSDT F8A7014F ZwRestoreKey
SSDT F8A70140 ZwSetValueKey

Code E1795D70 ZwEnumerateKey
Code E1795E50 ZwFlushInstructionCache
Code F47EFEAB pIofCallDriver
Code F47F0853 pIofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 5 Bytes JMP E1795D74
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80576A6A 5 Bytes JMP E1795E54

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[524] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 01551052 C:\WINDOWS\system32\msziptools.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[524] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00F8000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[524] WS2_32.dll!send 71AB428A 5 Bytes JMP 00FA000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[524] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00F9000A
.text C:\WINDOWS\Explorer.EXE[1300] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00E0000A
.text C:\WINDOWS\Explorer.EXE[1300] WS2_32.dll!send 71AB428A 5 Bytes JMP 00E2000A
.text C:\WINDOWS\Explorer.EXE[1300] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00E1000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\TDSSmqlt.sys (*** hidden *** ) F47EE000-F4800000 (73728 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:300] F47F0D66

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\TDSSmqlt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSlrvd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrxr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrtqp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhyp.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkbi.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSlrvd.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrxr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrtqp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhyp.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkbi.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@affid 11
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@subid v3020
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@control 0x09 0x19 0x1F 0x16 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@prov 10010
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@googleadserver pagead2.googlesyndication.com
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@flagged 1

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Station 1\Local Settings\Temp\TDSS7dce.tmp 102400 bytes executable
File C:\Documents and Settings\Station 1\Local Settings\Temp\TDSS7e0c.tmp 616960 bytes executable
File C:\WINDOWS\system32\drivers\TDSSmqlt.sys 60416 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\TDSShrxr.dll 29696 bytes executable
File C:\WINDOWS\system32\TDSSkkbi.log 3139 bytes
File C:\WINDOWS\system32\TDSSlrvd.dat 441 bytes
File C:\WINDOWS\system32\TDSSlxwp.dll 2710 bytes
File C:\WINDOWS\system32\TDSSoiqn.dll 35840 bytes executable
File C:\WINDOWS\system32\TDSSrtqp.dll 31232 bytes executable
File C:\WINDOWS\system32\TDSSxfum.dll 73728 bytes executable

---- EOF - GMER 1.0.15 ----

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/21/2005 7:35:07 PM
System Uptime: 4/4/2011 11:08:08 PM (1 hours ago)
.
Motherboard: Dell Computer Corporation | | OptiPlex GX50
Processor: Intel(R) Celeron(TM) CPU 1200MHz | Microprocessor | 1196/100mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 29.319 GiB free.
D: is CDROM (CDFS)
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP575: 12/18/2008 5:31:24 PM - System Checkpoint
RP576: 12/18/2008 5:31:24 PM - System Checkpoint
RP577: 12/18/2008 5:31:24 PM - System Checkpoint
RP578: 12/18/2008 5:31:24 PM - System Checkpoint
RP579: 12/18/2008 5:31:24 PM - System Checkpoint
RP580: 12/18/2008 5:31:25 PM - System Checkpoint
RP581: 12/18/2008 5:31:25 PM - System Checkpoint
RP582: 12/18/2008 5:31:25 PM - System Checkpoint
RP583: 12/18/2008 5:31:25 PM - System Checkpoint
RP584: 12/18/2008 5:31:25 PM - System Checkpoint
RP585: 12/18/2008 5:31:25 PM - System Checkpoint
RP586: 12/18/2008 5:31:25 PM - System Checkpoint
RP587: 12/18/2008 5:31:26 PM - System Checkpoint
RP588: 12/18/2008 5:31:26 PM - System Checkpoint
RP589: 12/18/2008 5:31:26 PM - System Checkpoint
RP590: 12/18/2008 5:31:26 PM - System Checkpoint
RP591: 12/18/2008 5:31:26 PM - System Checkpoint
RP592: 12/18/2008 5:31:26 PM - System Checkpoint
RP593: 12/18/2008 5:31:26 PM - System Checkpoint
RP594: 12/18/2008 5:31:27 PM - System Checkpoint
RP595: 12/18/2008 5:31:27 PM - System Checkpoint
RP596: 12/18/2008 5:31:27 PM - System Checkpoint
RP597: 12/18/2008 5:31:27 PM - System Checkpoint
RP598: 12/18/2008 5:31:27 PM - Software Distribution Service 3.0
RP599: 12/18/2008 5:31:27 PM - Software Distribution Service 3.0
RP600: 12/18/2008 5:31:27 PM - System Checkpoint
RP601: 12/18/2008 5:31:28 PM - System Checkpoint
RP602: 12/18/2008 5:31:28 PM - System Checkpoint
RP603: 12/18/2008 5:31:28 PM - System Checkpoint
RP604: 12/18/2008 5:31:28 PM - System Checkpoint
RP605: 12/18/2008 5:31:28 PM - System Checkpoint
RP606: 12/18/2008 5:31:29 PM - System Checkpoint
RP607: 12/18/2008 5:31:29 PM - System Checkpoint
RP608: 12/18/2008 5:31:29 PM - System Checkpoint
RP609: 12/18/2008 5:31:29 PM - System Checkpoint
RP610: 12/18/2008 5:31:29 PM - System Checkpoint
RP611: 12/18/2008 5:31:30 PM - System Checkpoint
RP612: 12/18/2008 5:31:30 PM - System Checkpoint
RP613: 12/18/2008 5:31:30 PM - System Checkpoint
RP614: 12/18/2008 5:31:30 PM - Software Distribution Service 3.0
RP615: 12/18/2008 5:31:30 PM - System Checkpoint
RP616: 12/18/2008 5:31:30 PM - System Checkpoint
RP617: 12/18/2008 5:31:30 PM - System Checkpoint
RP618: 12/18/2008 5:31:41 PM - Last known good configuration
.
==== Installed Programs ======================
.
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
Adobe® Photoshop® Album Starter Edition 3.0
Advertisement Service
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Deskbar
AOL Toolbar 5.0
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Avira AntiVir Personal - Free Antivirus
CIF Dual-Mode Camera
FrostWire 4.13.4
Google Toolbar for Internet Explorer
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
iTunes
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
Malwarebytes' Anti-Malware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero PhotoShow Express
Nero Suite
QuickTime
RealPlayer
Rhapsody Player Engine
Samsung Digimax 201
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Ulead Photo Explorer 8.0 SE Basic
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Viewpoint Media Player
ViviCam Digital Camera Driver
WebFldrs XP
Windows Driver Package - Camera Maker (MR97310_USB_DUAL_CAMERA) Image 05/02/2006 2.0.1.0
Windows Driver Package - MARS (mr97310c) Image 04/11/2005 2.0.0.0
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
.
==== Event Viewer Messages From Past Week ========
.
4/4/2011 9:29:49 PM, error: Service Control Manager [7022] - The Avira AntiVir Guard service hung on starting.
4/4/2011 6:37:44 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
4/4/2011 6:37:44 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\STATIO~1\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
4/4/2011 6:37:44 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
4/4/2011 6:36:03 PM, error: Print [19] - Sharing printer failed + 1722, Printer Lexmark Z53 Color Jetprinter (Copy 2) share name Printer.
4/4/2011 11:11:39 PM, error: System Error [1003] - Error code 1000000a, parameter1 00000018, parameter2 00000002, parameter3 00000000, parameter4 8050af20.
4/4/2011 11:05:35 PM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
4/4/2011 11:04:48 PM, error: Service Control Manager [7034] - The Distributed Transaction Coordinator service terminated unexpectedly. It has done this 1 time(s).
4/3/2011 8:17:06 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/3/2011 8:01:33 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file rcimlby.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.2180.
4/3/2011 3:07:55 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
4/3/2011 2:58:11 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
.
==== End Of File ===========================

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Station 1 at 0:15:46.07 on Tue 04/05/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.67 [GMT -5:00]
.
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
C:\Documents and Settings\Station 1\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: {380973b6-8dbe-4f0d-bfa7-c48d7d3852a3} - c:\windows\system32\jelulede.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\cbXPiGaB.dll
BHO: c:\windows\system32\tyshb36rfjdf.dll: {d5bf49a2-94f1-42bd-f434-3604812c807d} - c:\windows\system32\tyshb36rfjdf.dll
BHO: {f8420915-984a-4760-9cb5-c8f0d67957b9} - c:\windows\system32\nnnmkJdc.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [jiwewabaso] Rundll32.exe "c:\windows\system32\tumaveko.dll",s
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm565YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - hxxp://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: text/html - {c0874b9f-6e9f-4500-afa3-6d555f6296b8} - c:\windows\system32\msziptools.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: cbXPiGaB - cbXPiGaB.dll
AppInit_DLLs: c:\windows\system32\beyofaji.dll
STS: c:\windows\system32\tyshb36rfjdf.dll: {d5bf49a2-94f1-42bd-f434-3604812c807d} - c:\windows\system32\tyshb36rfjdf.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\cbXPiGaB.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\nnnmkJdc
LSA: Notification Packages = scecli c:\windows\system32\beyofaji.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-4 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-4 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-4 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-4 61960]
.
=============== Created Last 30 ================
.
2011-04-05 02:33:11 -------- d-----w- c:\windows\system32\NtmsData
2011-04-04 23:43:14 -------- d-----w- c:\docume~1\statio~1\applic~1\Avira
2011-04-04 23:39:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-04 23:38:52 -------- d-----w- c:\program files\Avira
2011-04-04 23:38:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-04-04 21:44:23 -------- d-----w- c:\docume~1\statio~1\locals~1\applic~1\Opera
2011-04-04 21:20:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-04 21:20:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-04 21:20:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-04 17:31:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-04 02:05:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-04-03 19:59:19 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
.
2008-09-21 06:33:51 62628 --sha-w- c:\windows\system32\jelulede.dll
2008-12-21 06:33:42 62628 --sha-w- c:\windows\system32\pujawewo.dll
2008-09-21 06:33:51 62628 --sha-w- c:\windows\system32\tumaveko.dll
.
============= FINISH: 0:18:40.06 ===============
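The GMER log above already explains the symptoms in the opening post: SSDT hooks on ZwCreateKey, ZwDeleteKey, ZwDeleteValueKey and ZwSetValueKey are a kernel rootkit's usual way of guarding its own service keys, which is why the value is back after every reboot; hooks on ZwOpenProcess and ZwOpenThread are typically aimed at security tools; and the hidden TDSSmqlt.sys module and TDSSserv.sys service are the TDSS markers that a dedicated TDSS remover targets. As an added example, not from this thread, from GMER's authors or from any removal tool, here is a small Python triage script that pulls those indicators out of a GMER 1.0.15 log. The embedded log is a constructed, trimmed excerpt modelled on the one posted above, and the line-format regexes are assumptions based on that layout.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed excerpt modelled on the GMER 1.0.15 log posted in
# this thread (addresses, pids and paths copied from it; sections shortened).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT F8A70136 ZwCreateKey
SSDT F8A7013B ZwDeleteKey
SSDT F8A70118 ZwOpenProcess

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[524] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00F8000A
.text C:\WINDOWS\Explorer.EXE[1300] WS2_32.dll!send 71AB428A 5 Bytes JMP 00E2000A

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\TDSSmqlt.sys (*** hidden *** ) F47EE000-F4800000 (73728 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\TDSSmqlt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\TDSSmqlt.sys 60416 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\TDSShrxr.dll 29696 bytes executable
"""

# Line layouts assumed from the GMER 1.0.15 output above.
SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
SSDT_RE = re.compile(r"^SSDT\s+[0-9A-F]+\s+(\w+)")
INLINE_RE = re.compile(
    r"^\.text\s+(.+?)\[(\d+)\]\s+([\w.]+!\w+)\s+[0-9A-F]+\s+\d+ Bytes JMP ([0-9A-F]+)")
REG_RE = re.compile(r"^Reg\s+(\S+)")

# Syscalls whose hooking points at self-protection of registry keys / processes.
REGISTRY_SYSCALLS = {"ZwCreateKey", "ZwDeleteKey", "ZwDeleteValueKey", "ZwSetValueKey",
                     "ZwRestoreKey", "ZwReplaceKey", "ZwLoadKey", "ZwEnumerateKey"}
PROCESS_SYSCALLS = {"ZwOpenProcess", "ZwOpenThread", "ZwCreateThread"}
NETWORK_APIS = {"WS2_32.dll!connect", "WS2_32.dll!send", "WS2_32.dll!recv",
                "WS2_32.dll!closesocket"}


@dataclass
class Findings:
    ssdt_hooks: list = field(default_factory=list)      # syscalls rerouted via the SSDT
    inline_hooks: list = field(default_factory=list)    # (process, pid, api, jmp target)
    hidden_objects: list = field(default_factory=list)  # (section, line) GMER flagged
    registry_keys: set = field(default_factory=set)     # key paths GMER listed as suspicious

    def registry_protection(self):
        """Hooked registry syscalls: how a rootkit keeps its service keys from being removed."""
        return sorted(h for h in self.ssdt_hooks if h in REGISTRY_SYSCALLS)

    def process_protection(self):
        """Hooked process/thread syscalls: typically used to interfere with security tools."""
        return sorted(h for h in self.ssdt_hooks if h in PROCESS_SYSCALLS)

    def network_hooks(self):
        """User-mode inline hooks on Winsock, i.e. traffic interception in those processes."""
        return [h for h in self.inline_hooks if h[2] in NETWORK_APIS]

    def verdict(self):
        reasons = []
        if self.hidden_objects:
            reasons.append(f"{len(self.hidden_objects)} hidden/rootkit-flagged objects")
        if self.registry_protection():
            reasons.append("registry syscalls hooked: " + ", ".join(self.registry_protection()))
        if self.process_protection():
            reasons.append("process/thread syscalls hooked: " + ", ".join(self.process_protection()))
        if self.network_hooks():
            procs = sorted({path.rsplit("\\", 1)[-1] for path, _, _, _ in self.network_hooks()})
            reasons.append("Winsock hooked in " + ", ".join(procs))
        if not reasons:
            return "no rootkit indicators"
        return "ROOTKIT LIKELY: " + "; ".join(reasons)


def parse_gmer(text: str) -> Findings:
    """Walk a GMER log section by section and collect the rootkit indicators."""
    findings = Findings()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m:
                findings.ssdt_hooks.append(m.group(1))
        elif section == "User code sections":
            m = INLINE_RE.match(line)
            if m:
                proc, pid, api, target = m.groups()
                findings.inline_hooks.append((proc, int(pid), api, target))
        elif section == "Registry":
            m = REG_RE.match(line)
            if m:
                findings.registry_keys.add(m.group(1).split("@", 1)[0])
        # GMER marks objects found by cross-view comparison but missing from the API view.
        if "*** hidden ***" in line or "ROOTKIT" in line:
            findings.hidden_objects.append((section, line))
    return findings


if __name__ == "__main__":
    result = parse_gmer(SAMPLE_LOG)
    print(result.verdict())
    for sec, text in result.hidden_objects:
        print(f"  [{sec}] {text}")
```

Run on the full log posted above, the script reports the same three kinds of evidence a human analyst reads off it (hidden kernel objects, hooked registry and process syscalls, Winsock hooks in IE and Explorer); the point of the verdict string is that any one of these justifies treating the machine as rootkit-infected and moving to a dedicated remover rather than deleting registry values by hand.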
 
Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
2011/04/06 16:56:26.0671 1912 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/06 16:56:27.0703 1912 ================================================================================
2011/04/06 16:56:27.0703 1912 SystemInfo:
2011/04/06 16:56:27.0703 1912
2011/04/06 16:56:27.0703 1912 OS Version: 5.1.2600 ServicePack: 2.0
2011/04/06 16:56:27.0703 1912 Product type: Workstation
2011/04/06 16:56:27.0703 1912 ComputerName: STATION1
2011/04/06 16:56:27.0703 1912 UserName: Station 1
2011/04/06 16:56:27.0703 1912 Windows directory: C:\WINDOWS
2011/04/06 16:56:27.0703 1912 System windows directory: C:\WINDOWS
2011/04/06 16:56:27.0703 1912 Processor architecture: Intel x86
2011/04/06 16:56:27.0703 1912 Number of processors: 1
2011/04/06 16:56:27.0703 1912 Page size: 0x1000
2011/04/06 16:56:27.0703 1912 Boot type: Normal boot
2011/04/06 16:56:27.0703 1912 ================================================================================
2011/04/06 16:56:29.0046 1912 Initialize success
2011/04/06 16:56:33.0984 0632 ================================================================================
2011/04/06 16:56:33.0984 0632 Scan started
2011/04/06 16:56:33.0984 0632 Mode: Manual;
2011/04/06 16:56:33.0984 0632 ================================================================================
2011/04/06 16:56:35.0015 0632 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2011/04/06 16:56:35.0203 0632 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/06 16:56:35.0343 0632 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/06 16:56:35.0625 0632 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2011/04/06 16:56:35.0890 0632 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2011/04/06 16:56:37.0171 0632 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/06 16:56:37.0328 0632 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/06 16:56:37.0578 0632 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/06 16:56:37.0734 0632 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/06 16:56:38.0078 0632 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/04/06 16:56:38.0406 0632 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/04/06 16:56:38.0875 0632 avipbb (5fedef54757b34fb611b9ec8fb399364) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/04/06 16:56:39.0125 0632 basic2 (1b9c81ab9a456eabd9f8335f04b5f495) C:\WINDOWS\system32\DRIVERS\HSF_BSC2.sys
2011/04/06 16:56:39.0343 0632 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/06 16:56:39.0609 0632 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/06 16:56:39.0781 0632 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/06 16:56:40.0031 0632 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/06 16:56:40.0218 0632 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/06 16:56:40.0437 0632 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/06 16:56:41.0343 0632 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/06 16:56:41.0578 0632 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/06 16:56:41.0812 0632 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/06 16:56:42.0000 0632 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/06 16:56:42.0171 0632 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/06 16:56:42.0515 0632 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/06 16:56:42.0640 0632 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
2011/04/06 16:56:42.0859 0632 Fallback (c823debe2548656549f84a875d65237b) C:\WINDOWS\system32\DRIVERS\HSF_FALL.sys
2011/04/06 16:56:42.0984 0632 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/06 16:56:43.0156 0632 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/04/06 16:56:43.0406 0632 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/06 16:56:43.0546 0632 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/04/06 16:56:43.0718 0632 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/04/06 16:56:43.0875 0632 Fsks (6483414841d4cab6c3b4db2ac6edd70b) C:\WINDOWS\system32\DRIVERS\HSF_FSKS.sys
2011/04/06 16:56:44.0015 0632 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/06 16:56:44.0218 0632 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/06 16:56:44.0421 0632 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/04/06 16:56:44.0765 0632 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/06 16:56:45.0203 0632 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/06 16:56:45.0765 0632 HSFHWBS2 (970178e8e003eb1481293830069624b9) C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys
2011/04/06 16:56:45.0937 0632 HSF_DP (ebb354438a4c5a3327fb97306260714a) C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys
2011/04/06 16:56:46.0250 0632 hsf_msft (74e379857d4c0dfb56de2d19b8f4c434) C:\WINDOWS\system32\DRIVERS\HSF_MSFT.sys
2011/04/06 16:56:46.0484 0632 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/06 16:56:47.0031 0632 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/06 16:56:47.0156 0632 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2011/04/06 16:56:47.0312 0632 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2011/04/06 16:56:47.0671 0632 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2011/04/06 16:56:47.0812 0632 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2011/04/06 16:56:47.0953 0632 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2011/04/06 16:56:48.0062 0632 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2011/04/06 16:56:48.0171 0632 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
2011/04/06 16:56:48.0265 0632 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
2011/04/06 16:56:48.0359 0632 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
2011/04/06 16:56:48.0593 0632 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2011/04/06 16:56:48.0734 0632 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2011/04/06 16:56:48.0953 0632 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2011/04/06 16:56:49.0046 0632 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2011/04/06 16:56:49.0187 0632 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
2011/04/06 16:56:49.0296 0632 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
2011/04/06 16:56:49.0406 0632 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/06 16:56:49.0750 0632 InCDfs (b87fc7c71632240dac8f4d20e9ce8377) C:\WINDOWS\system32\drivers\InCDfs.sys
2011/04/06 16:56:49.0859 0632 InCDPass (2e878405128ec98886eb9c2216ac7bd6) C:\WINDOWS\system32\DRIVERS\InCDPass.sys
2011/04/06 16:56:49.0968 0632 InCDrec (ddf078917a42f105385d7eb6debb3433) C:\WINDOWS\system32\drivers\InCDrec.sys
2011/04/06 16:56:50.0093 0632 incdrm (7f352360e947ad2cd4ba60de27b1a299) C:\WINDOWS\system32\drivers\incdrm.sys
2011/04/06 16:56:50.0421 0632 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/04/06 16:56:50.0562 0632 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/04/06 16:56:50.0937 0632 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/06 16:56:51.0171 0632 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/06 16:56:51.0296 0632 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/06 16:56:51.0406 0632 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/06 16:56:51.0531 0632 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/06 16:56:51.0718 0632 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/06 16:56:51.0953 0632 K56 (9c5e3fdbfcc30cf71a49ca178b9ad442) C:\WINDOWS\system32\DRIVERS\HSF_K56K.sys
2011/04/06 16:56:52.0109 0632 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/06 16:56:52.0265 0632 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/04/06 16:56:52.0484 0632 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/06 16:56:52.0781 0632 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/06 16:56:53.0140 0632 mdmxsdk (195741aee20369980796b557358cd774) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/04/06 16:56:53.0281 0632 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/06 16:56:53.0437 0632 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/06 16:56:53.0656 0632 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/04/06 16:56:53.0828 0632 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/06 16:56:53.0984 0632 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/06 16:56:54.0109 0632 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/06 16:56:54.0250 0632 MR97310_USB_DUAL_CAMERA (2d5990203cb98b7dfd13d73d71c48028) C:\WINDOWS\system32\DRIVERS\mr97310c.sys
2011/04/06 16:56:54.0703 0632 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/06 16:56:54.0921 0632 MRxSmb (6f2d483b97b395544e59749c47963c6a) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/06 16:56:55.0109 0632 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/06 16:56:55.0281 0632 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/06 16:56:55.0406 0632 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/06 16:56:55.0515 0632 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/06 16:56:55.0750 0632 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/06 16:56:55.0968 0632 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/04/06 16:56:56.0109 0632 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/06 16:56:56.0296 0632 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/04/06 16:56:57.0031 0632 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/06 16:56:57.0218 0632 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/04/06 16:56:57.0296 0632 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/06 16:56:57.0406 0632 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/06 16:56:57.0546 0632 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/06 16:56:57.0640 0632 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/06 16:56:57.0734 0632 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/06 16:56:57.0906 0632 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/06 16:56:58.0265 0632 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/06 16:56:58.0484 0632 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/06 16:56:58.0671 0632 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/06 16:56:58.0812 0632 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/06 16:56:59.0046 0632 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/06 16:56:59.0234 0632 P3 (3e16eff2a6fed2d8d7f5a66dfe65d183) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/04/06 16:56:59.0375 0632 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/04/06 16:56:59.0500 0632 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/06 16:56:59.0640 0632 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/06 16:56:59.0812 0632 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/06 16:57:00.0250 0632 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/06 16:57:01.0250 0632 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/06 16:57:01.0406 0632 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/04/06 16:57:01.0687 0632 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/06 16:57:01.0937 0632 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/06 16:57:02.0703 0632 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/06 16:57:02.0843 0632 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/06 16:57:02.0968 0632 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/06 16:57:03.0078 0632 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/06 16:57:03.0312 0632 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/06 16:57:03.0515 0632 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/06 16:57:03.0687 0632 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/06 16:57:03.0890 0632 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/06 16:57:04.0125 0632 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/06 16:57:04.0359 0632 Rksample (bb7549bd94d1aac3599c7606c50c48a0) C:\WINDOWS\system32\DRIVERS\HSF_SAMP.sys
2011/04/06 16:57:04.0734 0632 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/06 16:57:04.0937 0632 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/06 16:57:05.0109 0632 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/06 16:57:05.0265 0632 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/06 16:57:05.0578 0632 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/06 16:57:05.0718 0632 SoftFax (d9e8e0ce154a2f6430d9efabdf730867) C:\WINDOWS\system32\DRIVERS\HSF_FAXX.sys
2011/04/06 16:57:05.0968 0632 SpeakerPhone (6c843c43fd7f0b42cfe477ce88d0f9b3) C:\WINDOWS\system32\DRIVERS\HSF_SPKP.sys
2011/04/06 16:57:06.0140 0632 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/06 16:57:06.0578 0632 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/06 16:57:06.0937 0632 Srv (7a0111577d8046633d5162a3ce15e9e1) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/06 16:57:07.0312 0632 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/04/06 16:57:07.0515 0632 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/06 16:57:07.0812 0632 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/06 16:57:07.0937 0632 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/06 16:57:08.0687 0632 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/06 16:57:08.0953 0632 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/06 16:57:09.0109 0632 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/06 16:57:09.0156 0632 Suspicious service (Hidden): TDSSserv.sys
2011/04/06 16:57:09.0359 0632 TDSSserv.sys (9679cbb6fb2104010efb44910e08a563) C:\WINDOWS\system32\drivers\TDSSmqlt.sys
2011/04/06 16:57:09.0375 0632 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\TDSSmqlt.sys. md5: 9679cbb6fb2104010efb44910e08a563
2011/04/06 16:57:09.0375 0632 Suspicious file (Hidden): C:\WINDOWS\system32\drivers\TDSSmqlt.sys. md5: 9679cbb6fb2104010efb44910e08a563
2011/04/06 16:57:09.0406 0632 TDSSserv.sys - detected Rootkit.Win32.TDSS.tdl2 (0)
2011/04/06 16:57:09.0500 0632 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/06 16:57:09.0609 0632 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/06 16:57:09.0843 0632 Tones (8021a499db46b2961c285168671cb9af) C:\WINDOWS\system32\DRIVERS\HSF_TONE.sys
2011/04/06 16:57:10.0140 0632 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/06 16:57:10.0484 0632 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/06 16:57:10.0812 0632 USBAAPL (f340199e8cb097e1acd58a967c665919) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/04/06 16:57:11.0000 0632 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/06 16:57:11.0156 0632 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/06 16:57:11.0421 0632 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/06 16:57:11.0656 0632 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/06 16:57:11.0812 0632 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/06 16:57:12.0015 0632 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/06 16:57:12.0484 0632 V124 (269c0ade94b90029b12497747be408cb) C:\WINDOWS\system32\DRIVERS\HSF_V124.sys
2011/04/06 16:57:12.0859 0632 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/04/06 16:57:13.0171 0632 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/06 16:57:13.0484 0632 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/06 16:57:13.0843 0632 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/06 16:57:14.0203 0632 winachsf (1225ebea76aac3c84df6c54fe5e5d8be) C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys
2011/04/06 16:57:14.0671 0632 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/06 16:57:15.0359 0632 ================================================================================
2011/04/06 16:57:15.0359 0632 Scan finished
2011/04/06 16:57:15.0359 0632 ================================================================================
2011/04/06 16:57:15.0437 0264 Detected object count: 1
2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\drivers\TDSSmqlt.sys - will be deleted after reboot
2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSoiqn.dll - will be deleted after reboot
2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSlrvd.dat - will be deleted after reboot
2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSShrxr.dll - will be deleted after reboot
2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSrtqp.dll - will be deleted after reboot
2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSxfum.dll - will be deleted after reboot
2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSlxwp.dll - will be deleted after reboot
2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSnmxh.log - will be deleted after reboot
2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSsihc.dll - will be deleted after reboot
2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSrhyp.log - will be deleted after reboot
2011/04/06 16:57:29.0343 0264 C:\WINDOWS\system32\TDSSkkbi.log - will be deleted after reboot
2011/04/06 16:57:29.0343 0264 HKLM\SYSTEM\ControlSet001\services\TDSSserv.sys - will be deleted after reboot
2011/04/06 16:57:29.0359 0264 HKLM\SYSTEM\ControlSet003\services\TDSSserv.sys - will be deleted after reboot
2011/04/06 16:57:29.0375 0264 C:\WINDOWS\system32\drivers\TDSSmqlt.sys - will be deleted after reboot
2011/04/06 16:57:29.0375 0264 Rootkit.Win32.TDSS.tdl2(TDSSserv.sys) - User select action: Delete
2011/04/06 17:02:18.0468 4076 Deinitialize success

FYI, it wouldn't let me put this program on the desktop, so I had to run it from a flash drive; it still seemed to work, though. Thanks.
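The useful part of the TDSSKiller log above is the cluster of lines around TDSSserv.sys: a service the tool can enumerate but that is flagged Hidden, whose image file is both NoAccess and Hidden, whose image name (TDSSmqlt.sys) does not match the service name, and whose md5 is the same on the service line and the file lines. As an added example (not part of the thread and not TDSSKiller code), the Python below pulls that correlation out of a log in this layout and pairs it with the "will be deleted after reboot" list, so you can confirm the flagged image actually made it into the cleanup. The regexes are derived from the visible lines, and the sample is a constructed excerpt of the log above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the TDSSKiller layout: date time pid message.
SAMPLE_LOG = """\
2011/04/06 16:57:09.0109 0632 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\\WINDOWS\\system32\\drivers\\TDPIPE.sys
2011/04/06 16:57:09.0156 0632 Suspicious service (Hidden): TDSSserv.sys
2011/04/06 16:57:09.0359 0632 TDSSserv.sys (9679cbb6fb2104010efb44910e08a563) C:\\WINDOWS\\system32\\drivers\\TDSSmqlt.sys
2011/04/06 16:57:09.0375 0632 Suspicious file (NoAccess): C:\\WINDOWS\\system32\\drivers\\TDSSmqlt.sys. md5: 9679cbb6fb2104010efb44910e08a563
2011/04/06 16:57:09.0375 0632 Suspicious file (Hidden): C:\\WINDOWS\\system32\\drivers\\TDSSmqlt.sys. md5: 9679cbb6fb2104010efb44910e08a563
2011/04/06 16:57:09.0406 0632 TDSSserv.sys - detected Rootkit.Win32.TDSS.tdl2 (0)
2011/04/06 16:57:09.0500 0632 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\\WINDOWS\\system32\\drivers\\TDTCP.sys
2011/04/06 16:57:29.0343 0264 C:\\WINDOWS\\system32\\drivers\\TDSSmqlt.sys - will be deleted after reboot
2011/04/06 16:57:29.0343 0264 C:\\WINDOWS\\system32\\TDSSoiqn.dll - will be deleted after reboot
2011/04/06 16:57:29.0343 0264 HKLM\\SYSTEM\\ControlSet001\\services\\TDSSserv.sys - will be deleted after reboot
2011/04/06 16:57:29.0375 0264 Rootkit.Win32.TDSS.tdl2(TDSSserv.sys) - User select action: Delete
"""

PREFIX = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} \d{4} (.*)$")
SUSP_SERVICE = re.compile(r"^Suspicious service \((\w+)\): (\S+)$")
SUSP_FILE = re.compile(r"^Suspicious file \((\w+)\): (.+)\. md5: ([0-9a-f]{32})$")
DETECTED = re.compile(r"^(\S+) - detected (\S+) \(\d+\)$")
PENDING = re.compile(r"^(.+) - will be deleted after reboot$")
ACTION = re.compile(r"^([^(]+)\(([^)]+)\) - User select action: (\w+)$")
DRIVER = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")  # service (md5) image path


def parse_tdsskiller(text):
    """Correlate service, image-file and cleanup lines into one finding per service."""
    drivers, svc_flags, file_recs = {}, defaultdict(set), {}
    detections, actions, pending = {}, {}, []
    for line in text.splitlines():
        pm = PREFIX.match(line)
        if not pm:
            continue
        msg = pm.group(1)
        if m := SUSP_SERVICE.match(msg):
            svc_flags[m.group(2)].add(m.group(1))
        elif m := SUSP_FILE.match(msg):
            rec = file_recs.setdefault(m.group(2).lower(), {"flags": set(), "md5": m.group(3)})
            rec["flags"].add(m.group(1))
        elif m := DETECTED.match(msg):
            detections[m.group(1)] = m.group(2)
        elif m := PENDING.match(msg):
            pending.append(m.group(1))
        elif m := ACTION.match(msg):
            actions[m.group(2)] = m.group(3)
        elif m := DRIVER.match(msg):
            drivers[m.group(1)] = (m.group(2), m.group(3))

    pending_lower = {p.lower() for p in pending}
    findings = []
    for name in sorted(set(svc_flags) | set(detections)):
        md5, path = drivers.get(name, (None, None))
        rec = file_recs.get(path.lower(), {"flags": set(), "md5": None}) if path else {"flags": set(), "md5": None}
        findings.append({
            "service": name,
            "service_flags": sorted(svc_flags[name]),
            "image": path,
            "image_flags": sorted(rec["flags"]),
            # Same hash on the service line and on the file lines: both views saw one file.
            "md5_consistent": md5 is not None and md5 == rec["md5"],
            # Service name differing from the image's basename is itself a tell here.
            "name_mismatch": bool(path) and path.rsplit("\\", 1)[-1].lower() != name.lower(),
            "detection": detections.get(name),
            "action": actions.get(name),
            "scheduled_for_deletion": bool(path) and path.lower() in pending_lower,
        })
    return {"findings": findings, "pending": pending}


if __name__ == "__main__":
    report = parse_tdsskiller(SAMPLE_LOG)
    for f in report["findings"]:
        print(f)
    print(len(report["pending"]), "items queued for deletion at reboot")
```

A finding with `scheduled_for_deletion` False after the user chose Delete, or with `md5_consistent` False, is the case to re-run the scan after reboot and compare logs, which is exactly the question raised in the next reply.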
 
Very well :)

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Broni, once I ran TDSSKiller from the flash drive it made me restart, whereupon, when it had rebooted, the TDSSKiller zip file was on the desktop, where I had tried to put it the first time. Should I re-run TDSSKiller and paste the log from that session, or just continue with your instructions? Thanks a lot.
 
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 130):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EC000 \WINDOWS\system32\hal.dll
0xF9762000 \WINDOWS\system32\KDCOM.DLL
0xF9672000 \WINDOWS\system32\BOOTVID.dll
0xF9213000 ACPI.sys
0xF9764000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF9202000 pci.sys
0xF9262000 isapnp.sys
0xF9766000 intelide.sys
0xF94E2000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF9272000 MountMgr.sys
0xF91E3000 ftdisk.sys
0xF9768000 dmload.sys
0xF91BD000 dmio.sys
0xF94EA000 PartMgr.sys
0xF9282000 VolSnap.sys
0xF91A5000 atapi.sys
0xF9292000 disk.sys
0xF92A2000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF9185000 fltmgr.sys
0xF9173000 sr.sys
0xF915C000 KSecDD.sys
0xF90CF000 Ntfs.sys
0xF90A2000 NDIS.sys
0xF9087000 Mup.sys
0xF9442000 \SystemRoot\System32\DRIVERS\p3.sys
0xF9006000 \SystemRoot\System32\DRIVERS\i81xnt5.sys
0xF8FF2000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF8FBC000 \SystemRoot\System32\DRIVERS\HSFBS2S2.sys
0xF8F99000 \SystemRoot\System32\DRIVERS\ks.sys
0xF8E9A000 \SystemRoot\System32\DRIVERS\HSFDPSP2.sys
0xF8DF2000 \SystemRoot\System32\DRIVERS\HSFCXTS2.sys
0xF9582000 \SystemRoot\System32\Drivers\Modem.SYS
0xF8DE1000 \SystemRoot\System32\DRIVERS\el90xbc5.sys
0xF958A000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF9472000 \SystemRoot\System32\DRIVERS\serial.sys
0xF9716000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF8DCD000 \SystemRoot\System32\DRIVERS\parport.sys
0xF9482000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF9492000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF959A000 \SystemRoot\System32\Drivers\incdrm.SYS
0xF95A2000 \SystemRoot\System32\DRIVERS\InCDPass.sys
0xF95AA000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF95B2000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF8DAA000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF8D92000 \SystemRoot\system32\drivers\ac97intc.sys
0xF8D6E000 \SystemRoot\system32\drivers\portcls.sys
0xF94A2000 \SystemRoot\system32\drivers\drmk.sys
0xF9841000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF94B2000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF9726000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF8D13000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF94C2000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF94D2000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF95BA000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF8D02000 \SystemRoot\System32\DRIVERS\psched.sys
0xF92C2000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF95CA000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF95D2000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF8A33000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xF9302000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF95DA000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF95E2000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF977C000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF89DA000 \SystemRoot\System32\DRIVERS\update.sys
0xF973E000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF9312000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF9372000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF979A000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF971A000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF9622000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xF979C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8AA4000 \SystemRoot\System32\Drivers\Null.SYS
0xF979E000 \SystemRoot\System32\Drivers\Beep.SYS
0xF9632000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF963A000 \SystemRoot\System32\drivers\vga.sys
0xF97A0000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF97A2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF89CA000 \SystemRoot\System32\Drivers\InCDrec.SYS
0xF4800000 \SystemRoot\System32\Drivers\InCDfs.SYS
0xF9642000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF964A000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF89C6000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF47C5000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xF476D000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF4745000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF4723000 \SystemRoot\System32\drivers\afd.sys
0xF93C2000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF9652000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xF46F8000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xF4689000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF93F2000 \SystemRoot\System32\Drivers\Fips.SYS
0xF4668000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF4642000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xF97A6000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xF9422000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF9512000 \SystemRoot\System32\DRIVERS\usbccgp.sys
0xF902E000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF9452000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF9522000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF96F2000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF492E000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xF4602000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF97C0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF89CE000 \SystemRoot\System32\drivers\Dxapi.sys
0xF952A000 \SystemRoot\System32\watchdog.sys
0xBF9C3000 \SystemRoot\System32\drivers\dxg.sys
0xF98CA000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF9D5000 \SystemRoot\System32\i81xdnt5.dll
0xF48DA000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF4465000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xF447E000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xF4122000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF40F6000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF977A000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF40B9000 \SystemRoot\system32\drivers\wdmaud.sys
0xF43ED000 \SystemRoot\system32\drivers\sysaudio.sys
0xF3FFC000 \SystemRoot\System32\DRIVERS\HSF_FALL.sys
0xF3FDF000 \SystemRoot\System32\DRIVERS\HSF_FSKS.sys
0xF3F7F000 \SystemRoot\System32\DRIVERS\HSF_K56K.sys
0xF4159000 \SystemRoot\System32\DRIVERS\mdmxsdk.sys
0xF3E65000 \SystemRoot\System32\DRIVERS\srv.sys
0xF3E34000 \SystemRoot\System32\DRIVERS\HSF_FAXX.sys
0xF3E22000 \SystemRoot\System32\DRIVERS\HSF_SPKP.sys
0xF42A5000 \SystemRoot\System32\DRIVERS\HSF_TONE.sys
0xF3C8A000 \SystemRoot\System32\DRIVERS\HSF_V124.sys
0xF3A69000 \SystemRoot\System32\Drivers\HTTP.sys
0xF382A000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 25):
0 System Idle Process
4 System
336 C:\WINDOWS\system32\smss.exe
404 csrss.exe
428 C:\WINDOWS\system32\winlogon.exe
576 C:\WINDOWS\system32\services.exe
588 C:\WINDOWS\system32\lsass.exe
744 C:\WINDOWS\system32\svchost.exe
804 svchost.exe
844 C:\WINDOWS\system32\svchost.exe
936 svchost.exe
992 svchost.exe
1232 C:\WINDOWS\explorer.exe
1248 C:\WINDOWS\system32\spoolsv.exe
1332 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1448 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
1696 C:\WINDOWS\system32\svchost.exe
1792 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1884 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
1892 C:\WINDOWS\system32\ctfmon.exe
1912 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
528 alg.exe
1012 C:\WINDOWS\system32\wscntfy.exe
1864 C:\WINDOWS\system32\notepad.exe
1684 C:\Documents and Settings\Station 1\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD400JB-00JJA0, Rev: 05.01C05

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!



ComboFix 11-04-06.03 - Station 1 04/07/2011 8:20.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.92 [GMT -5:00]
Running from: c:\documents and settings\Station 1\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Internet Explorer\msimg32.dll
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\system32\cdJkmnnn.ini
c:\windows\system32\cdJkmnnn.ini2
c:\windows\system32\eponegef.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\prunnet.exe
c:\windows\system32\xgtxfhdt.ini
.
----- BITS: Possible infected sites -----
.
hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_TDSSSERV.SYS
.
.
((((((((((((((((((((((((( Files Created from 2011-03-07 to 2011-04-07 )))))))))))))))))))))))))))))))
.
.
2011-04-05 02:33 . 2011-04-06 23:27 -------- d-----w- c:\windows\system32\NtmsData
2011-04-04 23:43 . 2011-04-04 23:43 -------- d-----w- c:\documents and settings\Station 1\Application Data\Avira
2011-04-04 23:39 . 2011-03-04 21:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-04-04 23:39 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-04-04 23:39 . 2011-03-04 19:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-04 23:39 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-04-04 23:38 . 2011-04-04 23:38 -------- d-----w- c:\program files\Avira
2011-04-04 23:38 . 2011-04-04 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-04-04 21:44 . 2011-04-04 21:44 -------- d-----w- c:\documents and settings\Station 1\Local Settings\Application Data\Opera
2011-04-04 21:20 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-04 21:20 . 2011-04-04 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-04 21:20 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-04 17:31 . 2011-04-04 21:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-04 02:05 . 2011-04-04 02:05 -------- d--h--w- c:\windows\system32\GroupPolicy
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 06:33 62628 --sha-w- c:\windows\system32\pujawewo.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-26 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5cde9214]
2008-12-18 23:34 72704 ----a-w- c:\windows\system32\tdhfxtgx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 05:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:56 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-01-15 09:22 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2005-02-26 00:28 212992 ----a-w- c:\progra~1\Nero\data\Xtras\mssysmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-01-10 21:27 385024 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 07:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-01-26 01:52 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MpfService"=3 (0x3)
"McShield"=3 (0x3)
"iPod Service"=3 (0x3)
"InCDsrvR"=2 (0x2)
"gusvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"aolavupd"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/4/2011 6:39 PM 135336]
.
Contents of the 'Scheduled Tasks' folder
.
2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
.
2011-04-06 c:\windows\Tasks\tjikrmeg.job
- c:\windows\system32\khfDvuTk.dll [2008-12-18 23:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
Notify-cbXPiGaB - (no file)
SafeBoot-klmdb.sys
MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-AOLSPScheduler - c:\program files\Common Files\AOL\1159402144\ee\services\safetyCore\ver2_5_4_1\AOLSP Scheduler.exe
MSConfigStartUp-EmailScan - c:\program files\mcafee.com\antivirus\mcvsescn.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1159402144\ee\AOLSoftware.exe
MSConfigStartUp-jiwewabaso - c:\windows\system32\tumaveko.dll
MSConfigStartUp-Jnskdfmf9eldfd - c:\docume~1\STATIO~1\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-jsf8j34rgfght - c:\docume~1\STATIO~1\LOCALS~1\Temp\winloggn.exe
MSConfigStartUp-MPFExe - c:\program files\mcafee.com\personal firewall\MPfTray.exe
MSConfigStartUp-OASClnt - c:\program files\mcafee.com\antivirus\oasclnt.exe
MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe
MSConfigStartUp-sscRun - c:\program files\Common Files\AOL\1159402144\ee\SSCRun.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-Ulead AutoDetector - c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
AddRemove-AdobeESD - c:\program files\Common Files\Adobe\ESD\uninst.exe
AddRemove-AOL Deskbar - c:\program files\AOL Deskbar\UNWISE.EXE
AddRemove-AOL Toolbar - c:\program files\AOL\AOL Toolbar 5.0\uninstall.exe
AddRemove-AOL YGP Screensaver - c:\program files\Common Files\AOL\Screensaver\uninst_ygpss.exe
AddRemove-AOLAntivirus - c:\program files\mcafee.com\antivirus\uninst.exe
AddRemove-AolCoach2_en - c:\program files\Common Files\AolCoach\en_en\AolCInUn.exe
AddRemove-FrostWire - c:\program files\FrostWire\Uninstall.exe
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe
AddRemove-ViviCam Digital Camera Driver - c:\progra~1\VIVICA~1\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-07 08:29
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-04-07 08:34:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-07 13:34
.
Pre-Run: 31,424,389,120 bytes free
Post-Run: 31,491,887,104 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 713780643295A24A0EE0B3C2DE60BCD3
 
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\pujawewo.dll
c:\windows\system32\tdhfxtgx.dll
c:\windows\Tasks\tjikrmeg.job
c:\windows\system32\khfDvuTk.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5cde9214]


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
ComboFix 11-04-06.03 - Station 1 04/07/2011 23:33:36.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.121 [GMT -5:00]
Running from: c:\documents and settings\Station 1\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Station 1\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\windows\system32\khfDvuTk.dll"
"c:\windows\system32\pujawewo.dll"
"c:\windows\system32\tdhfxtgx.dll"
"c:\windows\Tasks\tjikrmeg.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\khfDvuTk.dll
c:\windows\system32\pujawewo.dll
c:\windows\system32\tdhfxtgx.dll
c:\windows\Tasks\tjikrmeg.job
.
.
((((((((((((((((((((((((( Files Created from 2011-03-08 to 2011-04-08 )))))))))))))))))))))))))))))))
.
.
2011-04-05 02:33 . 2011-04-06 23:27 -------- d-----w- c:\windows\system32\NtmsData
2011-04-04 23:43 . 2011-04-04 23:43 -------- d-----w- c:\documents and settings\Station 1\Application Data\Avira
2011-04-04 23:39 . 2011-03-04 21:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-04-04 23:39 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-04-04 23:39 . 2011-03-04 19:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-04 23:39 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-04-04 23:38 . 2011-04-04 23:38 -------- d-----w- c:\program files\Avira
2011-04-04 23:38 . 2011-04-04 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-04-04 21:44 . 2011-04-04 21:44 -------- d-----w- c:\documents and settings\Station 1\Local Settings\Application Data\Opera
2011-04-04 21:20 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-04 21:20 . 2011-04-04 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-04 21:20 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-04 17:31 . 2011-04-04 21:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-04 02:05 . 2011-04-04 02:05 -------- d--h--w- c:\windows\system32\GroupPolicy
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-26 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 05:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:56 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-01-15 09:22 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2005-02-26 00:28 212992 ----a-w- c:\progra~1\Nero\data\Xtras\mssysmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-01-10 21:27 385024 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 07:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-01-26 01:52 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MpfService"=3 (0x3)
"McShield"=3 (0x3)
"iPod Service"=3 (0x3)
"InCDsrvR"=2 (0x2)
"gusvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"aolavupd"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/4/2011 6:39 PM 135336]
.
Contents of the 'Scheduled Tasks' folder
.
2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-07 23:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-04-07 23:47:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-08 04:47
ComboFix2.txt 2011-04-07 13:34
.
Pre-Run: 31,495,360,512 bytes free
Post-Run: 31,486,717,952 bytes free
.
- - End Of File - - 20DBD59A281F67F6195F8157F23D09CB

EDIT: ComboFix also wanted me to connect the PC to the internet so it could submit some malware files for further analysis, so I let it.
 
Good :)

How is the computer doing?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
OTL logfile created on: 4/8/2011 12:37:57 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Station 1\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

254.00 Mb Total Physical Memory | 131.00 Mb Available Physical Memory | 52.00% Memory free
625.00 Mb Paging File | 396.00 Mb Available in Paging File | 63.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 29.33 Gb Free Space | 78.69% Space Free | Partition Type: NTFS
Drive D: | 131.98 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 1.86 Gb Total Space | 1.63 Gb Free Space | 87.60% Space Free | Partition Type: FAT

Computer Name: STATION1 | User Name: Station 1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/08 00:26:38 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\OTL.exe
PRC - [2011/03/04 14:37:00 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/03/04 14:36:52 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/03/04 14:36:51 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/04/08 00:26:38 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\OTL.exe
MOD - [2006/08/25 10:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (Apple Mobile Device)
SRV - File not found [Disabled | Stopped] -- -- (AOL TopSpeedMonitor)
SRV - [2011/03/04 14:37:00 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/03/04 14:36:52 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2005/07/08 10:24:46 | 000,871,424 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrvR) InCD Helper (read only)


========== Driver Services (SafeList) ==========

DRV - [2011/03/04 16:11:12 | 000,137,656 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/03/04 14:37:13 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/06/17 14:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2006/05/02 13:38:42 | 000,110,720 | ---- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mr97310c.sys -- (MR97310_USB_DUAL_CAMERA)
DRV - [2005/07/08 18:17:54 | 000,099,584 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\System32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2005/07/08 18:17:36 | 000,029,696 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2005/07/08 10:17:31 | 000,028,672 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\InCDrm.sys -- (incdrm)
DRV - [2004/08/03 22:29:50 | 000,019,455 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 22:29:48 | 000,012,063 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 22:29:46 | 000,025,471 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv10nt.sys -- (iAimTV5)
DRV - [2004/08/03 22:29:46 | 000,023,615 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 22:29:46 | 000,022,271 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv06nt.sys -- (iAimTV6)
DRV - [2004/08/03 22:29:44 | 000,033,599 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 22:29:44 | 000,019,551 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 22:29:42 | 000,029,311 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 22:29:42 | 000,011,871 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv09nt.sys -- (iAimFP7)
DRV - [2004/08/03 22:29:40 | 000,011,807 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv07nt.sys -- (iAimFP5)
DRV - [2004/08/03 22:29:40 | 000,011,295 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv08nt.sys -- (iAimFP6)
DRV - [2004/08/03 22:29:38 | 000,161,020 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 22:29:38 | 000,012,415 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 22:29:38 | 000,012,127 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 22:29:38 | 000,011,775 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv05nt.sys -- (iAimFP2)
DRV - [2001/08/17 08:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_V124.sys -- (V124)
DRV - [2001/08/17 08:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_TONE.sys -- (Tones)
DRV - [2001/08/17 08:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
DRV - [2001/08/17 08:28:10 | 000,073,279 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_SPKP.sys -- (SpeakerPhone)
DRV - [2001/08/17 08:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_SAMP.sys -- (Rksample)
DRV - [2001/08/17 08:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_K56K.sys -- (K56)
DRV - [2001/08/17 08:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FALL.sys -- (Fallback)
DRV - [2001/08/17 08:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FAXX.sys -- (SoftFax)
DRV - [2001/08/17 08:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FSKS.sys -- (Fsks)
DRV - [2001/08/17 08:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_BSC2.sys -- (basic2)
DRV - [2001/08/17 07:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - File not found


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/
IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - File not found
IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2007/12/30 21:30:20 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/04/07 23:41:56 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - File not found
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - File not found
O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\ShellBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\ShellBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - File not found
O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - File not found
O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\WebBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O9 - Extra Button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - File not found
O15 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} http://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab (UnagiAx Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Station 1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Station 1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/21 19:31:20 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16620634377289728)

========== Files/Folders - Created Within 30 Days ==========

[2011/04/08 00:36:02 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\OTL.exe
[2011/04/07 23:49:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/04/07 08:18:48 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/04/07 08:16:16 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/04/07 08:16:16 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/04/07 08:16:16 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/04/07 08:16:16 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/04/07 08:16:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/07 08:15:28 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/04 21:33:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2011/04/04 18:43:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Station 1\Application Data\Avira
[2011/04/04 18:40:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
[2011/04/04 18:39:16 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2011/04/04 18:39:08 | 000,137,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/04/04 18:39:08 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2011/04/04 18:39:07 | 000,061,960 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2011/04/04 18:39:07 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2011/04/04 18:38:52 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2011/04/04 18:38:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2011/04/04 16:44:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Station 1\Local Settings\Application Data\Opera
[2011/04/04 16:44:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Station 1\Application Data\Opera
[2011/04/04 16:40:56 | 007,469,592 | ---- | C] (Opera Software ASA) -- C:\Documents and Settings\Station 1\Desktop\Opera_1101_en_Setup.exe
[2011/04/04 16:26:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Station 1\Application Data\Macromedia
[2011/04/04 16:20:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/04 16:20:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/04 16:20:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/04 16:20:32 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/04 12:42:25 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Station 1\Desktop\mbam-setup-1.50.1.1100.exe
[2011/04/04 12:31:49 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/04 12:21:18 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\TFC.exe
[2011/04/03 21:05:46 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2011/04/03 20:21:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Station 1\Application Data\Google
[2011/04/03 20:21:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Station 1\Application Data\Microsoft
[2011/04/03 14:59:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss

========== Files - Modified Within 30 Days ==========

[2011/04/08 00:32:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/08 00:32:48 | 266,420,224 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/08 00:26:38 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\OTL.exe
[2011/04/07 23:41:56 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/04/07 08:18:54 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/04/07 08:04:48 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Station 1\Desktop\MBRCheck.exe
[2011/04/07 08:02:42 | 004,315,750 | R--- | M] () -- C:\Documents and Settings\Station 1\Desktop\ComboFix.exe
[2011/04/06 18:10:36 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\rowirafe
[2011/04/06 16:50:12 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/06 16:41:34 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Station 1\Desktop\tdsskiller.zip
[2011/04/04 18:40:22 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2011/04/04 16:41:26 | 007,469,592 | ---- | M] (Opera Software ASA) -- C:\Documents and Settings\Station 1\Desktop\Opera_1101_en_Setup.exe
[2011/04/04 16:20:38 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/04 13:26:28 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Station 1\Desktop\dds.scr
[2011/04/04 13:22:06 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Station 1\Desktop\9996xb45.exe
[2011/04/04 13:20:36 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Station 1\Desktop\mbam-setup-1.50.1.1100.exe
[2011/04/04 13:19:06 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\TFC.exe
[2011/04/03 21:28:41 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2011/04/03 15:00:10 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/03 15:00:10 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/03 14:58:41 | 000,119,712 | ---- | M] () -- C:\WINDOWS\System32\Status.MPF
[2011/04/03 14:58:08 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn

========== Files Created - No Company Name ==========

[2011/04/07 08:18:54 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/04/07 08:18:50 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/04/07 08:16:16 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/04/07 08:16:16 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/07 08:16:16 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/04/07 08:16:16 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/07 08:16:16 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/07 08:14:04 | 004,315,750 | R--- | C] () -- C:\Documents and Settings\Station 1\Desktop\ComboFix.exe
[2011/04/07 08:12:29 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Station 1\Desktop\MBRCheck.exe
[2011/04/06 16:54:47 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Station 1\Desktop\tdsskiller.zip
[2011/04/05 00:14:45 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Station 1\Desktop\dds.scr
[2011/04/04 23:13:23 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\Station 1\Desktop\9996xb45.exe
[2011/04/04 18:40:22 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2011/04/04 16:20:38 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/12/21 01:34:56 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\amwwsbkb.dll
[2008/12/18 18:34:33 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\xxywwTkI.dll
[2008/12/18 18:34:32 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\qbsbhc.dll
[2008/12/18 18:34:28 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\adonxpyk.dll
[2008/01/18 15:47:38 | 000,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/07/03 01:17:13 | 000,002,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/05/27 18:49:01 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/11/22 02:53:15 | 000,000,028 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/11/04 04:16:22 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\Station 1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/09/27 19:12:28 | 000,000,715 | ---- | C] () -- C:\WINDOWS\aolback.exe.lnk
[2006/09/27 19:06:59 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/09/24 19:55:42 | 000,000,026 | ---- | C] () -- C:\WINDOWS\marscam.ini
[2006/09/24 19:53:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PTWebCam.INI
[2006/09/06 17:44:40 | 000,000,071 | ---- | C] () -- C:\WINDOWS\pex.INI
[2006/09/06 17:37:36 | 000,000,151 | ---- | C] () -- C:\WINDOWS\Ulead32.ini
[2006/09/06 17:32:35 | 000,104,593 | ---- | C] () -- C:\WINDOWS\System32\drivers\MPIXVID.SYS
[2006/08/16 16:09:17 | 001,441,280 | ---- | C] () -- C:\WINDOWS\DelphiUninstall.exe
[2005/08/21 20:04:21 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/08/21 19:40:27 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2005/08/21 19:35:15 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/21 19:27:38 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/21 14:14:48 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/21 14:13:49 | 000,276,560 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2001/10/12 10:58:20 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\mr310exd.dll
[2001/10/12 10:57:18 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\mr310exv.dll
[2001/08/18 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/18 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/18 07:00:00 | 000,311,604 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/18 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/18 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/18 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/18 07:00:00 | 000,039,992 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/18 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/18 07:00:00 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/18 07:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/18 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2000/12/07 10:13:58 | 000,015,164 | ---- | C] () -- C:\WINDOWS\mr310twc.ini

========== LOP Check ==========

[2006/09/06 17:37:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2006/11/22 02:45:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2011/04/04 16:44:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Station 1\Application Data\Opera

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2005/08/21 19:31:20 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2011/04/03 21:28:41 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2011/04/07 08:18:54 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2011/04/07 23:47:50 | 000,007,597 | ---- | M] () -- C:\ComboFix.txt
[2005/08/21 19:31:20 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2011/04/08 00:32:48 | 266,420,224 | -HS- | M] () -- C:\hiberfil.sys
[2005/08/21 19:31:20 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2005/08/21 19:31:20 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2005/08/24 20:57:53 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2005/08/24 20:57:53 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2011/04/08 00:32:46 | 402,653,184 | -HS- | M] () -- C:\pagefile.sys
[2006/09/27 17:28:40 | 000,000,058 | -H-- | M] () -- C:\T4Metrics.log
[2011/04/06 17:02:18 | 000,047,104 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_06.04.2011_16.56.26_log.txt

< %systemroot%\Fonts\*.com >

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2005/08/21 19:30:50 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2004/11/17 16:24:24 | 000,421,888 | ---- | M] () -- C:\WINDOWS\Nero PhotoShow.scr

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2005/08/21 14:12:59 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/08/21 14:12:59 | 000,630,784 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/08/21 14:12:59 | 000,385,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2005/08/24 21:03:24 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >

< %USERPROFILE%\Desktop\*.exe >
[2011/04/04 13:22:06 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Station 1\Desktop\9996xb45.exe
[2011/04/04 16:28:59 | 000,568,696 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Station 1\Desktop\ChromeSetup.exe
[2011/04/07 08:02:42 | 004,315,750 | R--- | M] () -- C:\Documents and Settings\Station 1\Desktop\ComboFix.exe
[2011/04/04 13:20:36 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Station 1\Desktop\mbam-setup-1.50.1.1100.exe
[2011/04/07 08:04:48 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Station 1\Desktop\MBRCheck.exe
[2011/04/04 16:41:26 | 007,469,592 | ---- | M] (Opera Software ASA) -- C:\Documents and Settings\Station 1\Desktop\Opera_1101_en_Setup.exe
[2011/04/08 00:26:38 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\OTL.exe
[2011/04/04 13:19:06 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Station 1\Desktop\TFC.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >
[2007/10/09 09:42:05 | 000,012,106 | ---- | M] () -- C:\WINDOWS\mr310twc.src

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2005/08/24 21:11:26 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Station 1\Favorites\Desktop.ini
[2007/05/09 10:49:34 | 000,001,288 | ---- | M] () -- C:\Documents and Settings\Station 1\Favorites\Microsoft bCentral.lnk

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2011/04/08 00:32:55 | 000,311,296 | ---- | M] () -- C:\Documents and Settings\Station 1\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2004/08/04 00:56:58 | 000,208,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >
[2001/05/02 15:24:18 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\blogo.gif
[2004/08/04 00:56:42 | 000,028,672 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
[2004/07/17 11:41:10 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
[2001/03/07 06:00:26 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
[2001/05/22 13:06:52 | 000,000,866 | ---- | M] () -- C:\Program Files\Messenger\mailtmpl.txt
[2008/05/02 09:22:02 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
[2004/08/04 00:56:14 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
[2004/10/13 11:24:37 | 001,694,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
[2001/02/01 06:00:26 | 000,000,685 | ---- | M] () -- C:\Program Files\Messenger\msmsgs.exe.manifest
[2001/08/01 21:58:12 | 000,016,415 | ---- | M] () -- C:\Program Files\Messenger\msmsgsin.exe
[2004/07/17 11:41:10 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
[2004/07/17 11:41:10 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
[2004/07/17 11:41:10 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
[2000/12/05 13:10:32 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
[2004/07/17 11:41:06 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


< End of report >
 
OTL Extras logfile created on: 4/8/2011 12:37:57 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Station 1\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

254.00 Mb Total Physical Memory | 131.00 Mb Available Physical Memory | 52.00% Memory free
625.00 Mb Paging File | 396.00 Mb Available in Paging File | 63.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 29.33 Gb Free Space | 78.69% Space Free | Partition Type: NTFS
Drive D: | 131.98 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 1.86 Gb Total Space | 1.63 Gb Free Space | 87.60% Space Free | Partition Type: FAT

Computer Name: STATION1 | User Name: Station 1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{4D8E38A1-0932-11D7-8E11-0080C8274868}" = Samsung Digimax 201
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}" = QuickTime
"{857343AD-9A00-4287-BF8B-F65C9633CA0C}" = CIF Dual-Mode Camera
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{91130409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Small Business
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}" = iTunes
"{D271DAE0-8D68-4C97-8356-A126D48A1D8C}" = Ulead Photo Explorer 8.0 SE Basic
"{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}" = Apple Mobile Device Support
"AskSBar Uninstall" = Ask Toolbar
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"mr97310c_79b33283ba293e6c94e125bce27e0ecded0a2591" = Windows Driver Package - Camera Maker (MR97310_USB_DUAL_CAMERA) Image 05/02/2006 2.0.1.0
"mr97310c_e6b1f8ca93ed72ea043389d1fb2e937f663f6786" = Windows Driver Package - MARS (mr97310c) Image 04/11/2005 2.0.0.0
"Nero PhotoShow Express" = Nero PhotoShow Express
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Windows XP Service Pack" = Windows XP Service Pack 2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/4/2011 5:29:05 PM | Computer Name = STATION1 | Source = Application Error | ID = 1000
Description = Faulting application googleupdate.exe, version 1.2.183.21, faulting
module googleupdate.exe, version 1.2.183.21, fault address 0x000050de.

Error - 4/4/2011 5:29:32 PM | Computer Name = STATION1 | Source = Application Error | ID = 1000
Description = Faulting application googleupdate.exe, version 1.2.183.21, faulting
module googleupdate.exe, version 1.2.183.21, fault address 0x000050de.

Error - 4/4/2011 5:29:44 PM | Computer Name = STATION1 | Source = Application Error | ID = 1000
Description = Faulting application googleupdate.exe, version 1.2.183.21, faulting
module googleupdate.exe, version 1.2.183.21, fault address 0x000050de.

Error - 4/4/2011 5:30:04 PM | Computer Name = STATION1 | Source = Application Error | ID = 1000
Description = Faulting application googleupdate.exe, version 1.2.183.21, faulting
module googleupdate.exe, version 1.2.183.21, fault address 0x000050de.

Error - 4/4/2011 5:31:35 PM | Computer Name = STATION1 | Source = Application Error | ID = 1000
Description = Faulting application googleupdate.exe, version 1.2.183.21, faulting
module googleupdate.exe, version 1.2.183.21, fault address 0x000050de.

Error - 4/4/2011 5:33:33 PM | Computer Name = STATION1 | Source = Application Error | ID = 1000
Description = Faulting application googleupdate.exe, version 1.2.183.21, faulting
module googleupdate.exe, version 1.2.183.21, fault address 0x000050de.

Error - 4/4/2011 5:37:20 PM | Computer Name = STATION1 | Source = Application Error | ID = 1000
Description = Faulting application googleupdate.exe, version 1.2.183.21, faulting
module googleupdate.exe, version 1.2.183.21, fault address 0x000050de.

[ System Events ]
Error - 4/6/2011 5:52:40 PM | Computer Name = STATION1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 4/6/2011 5:52:40 PM | Computer Name = STATION1 | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 4/6/2011 5:53:29 PM | Computer Name = STATION1 | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 4/6/2011 5:54:06 PM | Computer Name = STATION1 | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 4/6/2011 6:03:34 PM | Computer Name = STATION1 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 4/6/2011 6:19:02 PM | Computer Name = STATION1 | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 4/6/2011 6:21:30 PM | Computer Name = STATION1 | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 4/6/2011 6:54:04 PM | Computer Name = STATION1 | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 4/6/2011 6:56:18 PM | Computer Name = STATION1 | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 4/6/2011 7:07:38 PM | Computer Name = STATION1 | Source = Service Control Manager | ID = 7034
Description = The Distributed Transaction Coordinator service terminated unexpectedly.
It has done this 1 time(s).


< End of report >

NOTE: While I was doing the OTL scan Avira was on and it detected 2 malware files. I disabled Avira and let OTL finish.
 
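Added example (editor's code, not part of the original thread and not part of OTL): a small parser for the "Firewall Settings" section of an OTL Extras log like the one posted above. It pulls out what a helper otherwise reads by eye: a profile whose EnableFirewall value is 0, and GloballyOpenPorts exceptions whose scope is `*` (any remote address) on the NetBIOS/SMB ports 137-139 and 445. The value layout `port:proto:scope:Enabled:name` is the Windows XP SP2 firewall registry format; the sample input reproduces the thread's own firewall lines (the forum rendered the `@` of `@xpsp2res.dll` as `:mad:`, so both spellings are accepted). Function and class names are mine.

```python
"""Audit Windows XP firewall settings as dumped in an OTL Extras log.

Values under ...\FirewallPolicy\<Profile>\GloballyOpenPorts\List look like
    "<port>:<proto>" = <port>:<proto>:<scope>:<Enabled|Disabled>:<display name>
where <scope> is '*' (any remote address) or 'LocalSubNet'.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: the firewall section of the OTL log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22005
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
"""

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\FirewallPolicy\\(\w+Profile)(\\GloballyOpenPorts\\List)?\]$")
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
PORT_RE = re.compile(r"^(\d+):(TCP|UDP):([^:]+):(Enabled|Disabled):(.*)$")

# Windows file-and-printer-sharing ports; exposing these to '*' is the classic mistake.
FILE_SHARING_PORTS = {(137, "UDP"), (138, "UDP"), (139, "TCP"), (445, "TCP")}


@dataclass
class Profile:
    name: str
    enable_firewall: Optional[int] = None  # None = value absent from the dump
    open_ports: List[Tuple[int, str, str, bool]] = field(default_factory=list)  # (port, proto, scope, enabled)


def parse_firewall_policy(text: str) -> Dict[str, Profile]:
    """Walk the registry-style dump and collect per-profile firewall state."""
    profiles: Dict[str, Profile] = {}
    current: Optional[Tuple[Profile, bool]] = None  # (profile, inside GloballyOpenPorts\List)
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            if m:
                prof = profiles.setdefault(m.group(1), Profile(m.group(1)))
                current = (prof, m.group(2) is not None)
            else:
                current = None  # some other key; ignore its values
            continue
        if current is None:
            continue
        m = VAL_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        prof, in_ports = current
        if in_ports:
            value = value.replace(":mad:", ":@")  # undo the forum's smiley substitution
            pm = PORT_RE.match(value)
            if pm:
                prof.open_ports.append((int(pm.group(1)), pm.group(2), pm.group(3), pm.group(4) == "Enabled"))
        elif name == "EnableFirewall":
            prof.enable_firewall = int(value)
    return profiles


def audit(profiles: Dict[str, Profile]) -> List[str]:
    """Return human-readable findings: disabled profiles and file-sharing ports open to everyone."""
    findings = []
    for prof in profiles.values():
        if prof.enable_firewall == 0:
            findings.append(f"{prof.name}: EnableFirewall=0, Windows Firewall is off for this profile")
        for port, proto, scope, enabled in prof.open_ports:
            if enabled and scope == "*" and (port, proto) in FILE_SHARING_PORTS:
                findings.append(f"{prof.name}: {port}/{proto} open to any remote address (scope '*')")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_firewall_policy(SAMPLE_LOG)):
        print(finding)
```

On the thread's log this reports the Standard profile as switched off (which Security Check later confirms as "Windows Firewall Disabled!") and the four Domain-profile file-sharing exceptions scoped to `*`; the Standard-profile exceptions are LocalSubNet and are not flagged.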
1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java versions and their remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

===================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    IE - HKLM\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - File not found
    IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - File not found
    O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - File not found
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - File not found
    O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\ShellBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - File not found
    O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - File not found
    O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\WebBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - File not found
    O9 - Extra Button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - File not found
    O15 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..Trusted Domains: ([]msn in My Computer)
    O15 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    [2008/12/21 01:34:56 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\amwwsbkb.dll
    [2008/12/18 18:34:33 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\xxywwTkI.dll
    [2008/12/18 18:34:32 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\qbsbhc.dll
    [2008/12/18 18:34:28 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\adonxpyk.dll
    [2006/11/22 02:45:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

=====================================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If ESET doesn't find any threats, it won't produce a log.
 
OTL---
All processes killed
Error: Unable to interpret <IE - HKLM\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - File not found> in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - File not found> in the current context!
Error: Unable to interpret <O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - File not found> in the current context!
Error: Unable to interpret <O3 - HKLM\..\Toolbar: (Ask Toolbar) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - File not found> in the current context!
Error: Unable to interpret <O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\ShellBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - File not found> in the current context!
Error: Unable to interpret <O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - File not found> in the current context!
Error: Unable to interpret <O3 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..\Toolbar\WebBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - File not found> in the current context!
Error: Unable to interpret <O9 - Extra Button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - File not found> in the current context!
Error: Unable to interpret <O15 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..Trusted Domains: ([]msn in My Computer)> in the current context!
Error: Unable to interpret <O15 - HKU\S-1-5-21-1123561945-115176313-682003330-1003\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)> in the current context!
Error: Unable to interpret <O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)> in the current context!
Error: Unable to interpret <[2008/12/21 01:34:56 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\amwwsbkb.dll> in the current context!
Error: Unable to interpret <[2008/12/18 18:34:33 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\xxywwTkI.dll> in the current context!
Error: Unable to interpret <[2008/12/18 18:34:32 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\qbsbhc.dll> in the current context!
Error: Unable to interpret <[2008/12/18 18:34:28 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\adonxpyk.dll> in the current context!
Error: Unable to interpret <[2006/11/22 02:45:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint> in the current context!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Station 1
->Temp folder emptied: 10207916 bytes
->Temporary Internet Files folder emptied: 4473803 bytes
->Java cache emptied: 0 bytes
->Opera cache emptied: 240 bytes
->Flash cache emptied: 348 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 43172 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 14.00 mb


[EMPTYFLASH]

User: All Users
->Flash cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService

User: Station 1
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04112011_074048

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

-----
Checkup.txt

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 2
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Avira AntiVir Personal - Free Antivirus
Antivirus out of date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 24
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 3
Out of date Java installed!
Adobe Flash Player 9 (Out of date Flash Player installed!)
Adobe Reader 7.0.8
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````

-----
ESETSCAN.txt

C:\Qoobox\Quarantine\[4]-Submit_2011-04-07_23.33.20.zip multiple threats
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\WINDOWS\system32\cdJkmnnn.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\cdJkmnnn.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\eponegef.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir Win32/VB.NUC trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\xgtxfhdt.ini.vir Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{7D2E60AD-9DC1-453A-9A8E-DD4146391507}\RP619\A0119054.dll Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7D2E60AD-9DC1-453A-9A8E-DD4146391507}\RP619\A0119055.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{7D2E60AD-9DC1-453A-9A8E-DD4146391507}\RP619\A0119056.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{7D2E60AD-9DC1-453A-9A8E-DD4146391507}\RP619\A0119057.exe Win32/VB.NUC trojan
C:\System Volume Information\_restore{7D2E60AD-9DC1-453A-9A8E-DD4146391507}\RP619\A0119058.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\adonxpyk.dll a variant of Win32/Adware.Virtumonde.NEE application
C:\WINDOWS\system32\amwwsbkb.dll a variant of Win32/Adware.Virtumonde.NEE application
C:\WINDOWS\system32\pmnkLCRk.dll a variant of Win32/Adware.Virtumonde.NEI application
C:\WINDOWS\system32\qbsbhc.dll a variant of Win32/Adware.Virtumonde.NEE application
C:\WINDOWS\system32\xxywwTkI.dll Win32/Adware.Virtumonde application

EDIT: Oh, you asked how the computer is doing. The computer is doing a little better. Still seems a little sick.
 
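Added example (editor's code, not from the thread, from OTL or from ESET): a triage pass over OTL file-list lines of the kind the helper copied into the first fix script above. OTL writes each file as `[timestamp | size | attributes | C or M] (company name) -- path`, and an empty `()` means the file has no company name in its version resource. The five DLLs ESET later identified as Virtumonde all sit in System32 with `()` and creation times a few days apart, so the code below parses the lines, keeps no-company DLLs under System32 and groups them into creation-time clusters. This is a review heuristic, not a detection signature; the sample input reuses the thread's own lines plus one constructed control line with a vendor name, and the names `parse_otl_files` and `suspicious_system32_dlls` are mine.

```python
"""Triage OTL file-list lines for DLLs dropped into System32 without version info.

An OTL file line looks like
    [2008/12/21 01:34:56 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\amwwsbkb.dll
fields: timestamp | size | attributes | C (created) or M (modified) ] (company) -- path
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Sample input: OTL lines from this thread, plus one constructed control line
# (the kernel32.dll entry) to show that files with a vendor name are ignored.
SAMPLE_OTL = r"""
[2008/12/21 01:34:56 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\amwwsbkb.dll
[2008/12/18 18:34:33 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\xxywwTkI.dll
[2008/12/18 18:34:32 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\qbsbhc.dll
[2008/12/18 18:34:28 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\adonxpyk.dll
[2006/11/22 02:45:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/04/14 05:42:00 | 000,989,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kernel32.dll
"""

# Company group is optional because directory entries carry no "(...)" field.
OTL_FILE_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([-\w]{4}) \| ([CM])\] "
    r"(?:\((.*?)\) )?-- (.+)$"
)


class OtlFile(NamedTuple):
    when: datetime
    size: int
    attrs: str      # e.g. '----' for a plain file, '---D' for a directory
    kind: str       # 'C' = creation time listed, 'M' = modification time listed
    company: str    # '' when OTL printed an empty '()' or no field at all
    path: str


def parse_otl_files(text: str) -> List[OtlFile]:
    """Parse every OTL file-list line in text; non-matching lines are skipped."""
    files = []
    for line in text.splitlines():
        m = OTL_FILE_RE.match(line.strip())
        if not m:
            continue
        when, size, attrs, kind, company, path = m.groups()
        files.append(OtlFile(
            datetime.strptime(when, "%Y/%m/%d %H:%M:%S"),
            int(size.replace(",", "")),
            attrs, kind, company or "", path.strip(),
        ))
    return files


def suspicious_system32_dlls(files: List[OtlFile],
                             window: timedelta = timedelta(days=7)) -> List[List[OtlFile]]:
    """Return DLLs under System32 with no company name, grouped into clusters
    whose creation times fall within `window` of the cluster's first file.
    Droppers tend to write their components within minutes or days of each other,
    so a tight cluster is worth a closer look; a lone hit may be benign."""
    hits = [f for f in files
            if f.kind == "C" and f.company == ""
            and f.path.lower().endswith(".dll")
            and "\\system32\\" in f.path.lower()]
    hits.sort(key=lambda f: f.when)
    clusters: List[List[OtlFile]] = []
    current: List[OtlFile] = []
    for f in hits:
        if current and f.when - current[0].when > window:
            clusters.append(current)
            current = []
        current.append(f)
    if current:
        clusters.append(current)
    return clusters


if __name__ == "__main__":
    for n, cluster in enumerate(suspicious_system32_dlls(parse_otl_files(SAMPLE_OTL)), 1):
        print(f"cluster {n}: {len(cluster)} no-company DLL(s) in System32")
        for f in cluster:
            print(f"  {f.when:%Y-%m-%d %H:%M:%S}  {f.size:>8}  {f.path}")
```

On the thread's lines this yields a single cluster of four DLLs created between 18 and 21 December 2008, the same four the helper listed for removal; the Viewpoint directory and the vendor-named control file drop out.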
Why is Avira listed as outdated?
Please, update it immediately.

=======================================================================

Uninstall:
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 3


=================================================================

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

=====================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\system32\adonxpyk.dll 
    C:\WINDOWS\system32\amwwsbkb.dll 
    C:\WINDOWS\system32\pmnkLCRk.dll 
    C:\WINDOWS\system32\qbsbhc.dll 
    C:\WINDOWS\system32\xxywwTkI.dll
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

===================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all the tools we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current (including Service Pack 3 installation!)

4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please, let me know, how your computer is doing.
 
All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\system32\adonxpyk.dll moved successfully.
C:\WINDOWS\system32\amwwsbkb.dll moved successfully.
C:\WINDOWS\system32\pmnkLCRk.dll moved successfully.
File\Folder C:\WINDOWS\system32\qbsbhc.dll not found.
C:\WINDOWS\system32\xxywwTkI.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Station 1
->Temp folder emptied: 99694 bytes
->Temporary Internet Files folder emptied: 7048305 bytes
->Java cache emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 348 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1267 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 7.00 mb


[EMPTYFLASH]

User: All Users
->Flash cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService

User: Station 1
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04132011_124508

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

-------

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Station 1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users
->Flash cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService

User: Station 1
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.22.3 log created on 04132011_125044

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 