[Solved] Infected with Backdoor.tidserv.l!inf. Am I clean?


Guanadon
Symantec Endpoint said it removed Backdoor.tidserv.l!inf. After that, this computer was still showing over 200 outbound connections while sitting idle on the SonicWALL active connections monitor. I have attached all the Preliminary Removal logs per the sticky. The computer has not been networked or used since the scans were run.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4954

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/26/2010 3:25:41 PM
mbam-log-2010-10-26 (15-25-41).txt

Scan type: Quick scan
Objects scanned: 244773
Time elapsed: 18 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\tvaughn\Application Data\SysWin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\tvaughn\Application Data\SysWin\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v4 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v4.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v5 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v5.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v6 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v6.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v7 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1110122941v7.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v0 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v0.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v1 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v1.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v2 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v2.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1110122941v3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v0 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v1 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v2 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v4 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v5 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v6 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1110122941v7 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sl700496165 (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\GnuHashes.ini (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-26 17:01:12
Windows 5.1.2600 Service Pack 3
Running: szubkk0t.exe; Driver: C:\DOCUME~1\ADMINI~1.PSI\LOCALS~1\Temp\fxloypod.sys


---- System - GMER 1.0.15 ----

SSDT 875D44A8 ZwAlertResumeThread
SSDT 8755C848 ZwAlertThread
SSDT 8708EAA0 ZwAllocateVirtualMemory
SSDT 875BE5D8 ZwConnectPort
SSDT 870E5AA0 ZwCreateMutant
SSDT 875B5A10 ZwCreateThread
SSDT 870B6BB0 ZwFreeVirtualMemory
SSDT 8765E5F0 ZwImpersonateAnonymousToken
SSDT 87622488 ZwImpersonateThread
SSDT 87565090 ZwMapViewOfSection
SSDT 87572478 ZwOpenEvent
SSDT 8759F330 ZwOpenProcessToken
SSDT 870E2B98 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF78346B0]
SSDT 87592B78 ZwResumeThread
SSDT 8759F4E0 ZwSetContextThread
SSDT 87094BD8 ZwSetInformationProcess
SSDT 870D0AE8 ZwSetInformationThread
SSDT 8754FAA0 ZwSuspendProcess
SSDT 875B2828 ZwSuspendThread
SSDT 8762C0B0 ZwTerminateProcess
SSDT 8759F518 ZwTerminateThread
SSDT 8759F368 ZwUnmapViewOfSection
SSDT 8708AAA0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 90 804E26EC 4 Bytes JMP 97778708
.text ntoskrnl.exe!_abnormal_termination + 214 804E2870 2 Bytes [78, 24] {JS 0x26}
.text ntoskrnl.exe!_abnormal_termination + 217 804E2873 1 Byte [87]
? suicp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3240] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10403687 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4040] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Scap.sys (Check Point Software Technologies)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Scap.sys (Check Point Software Technologies)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Scap.sys (Check Point Software Technologies)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp Scap.sys (Check Point Software Technologies)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

---- EOF - GMER 1.0.15 ----


DDS (Ver_10-10-21.02) - NTFSx86
Run by Administrator at 17:05:21.25 on Tue 10/26/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.644 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\INTERB~1\Bin\ibguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slClient.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\expsrv32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\OpenRsm\Agent\OrsmAgentService.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\devmgr32.exe
C:\PROGRA~1\INTERB~1\Bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\DesktopAuthority\ragui.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\administrator.psi\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: {0c518f64-a339-4980-96f6-7ac886e4b19f} - c:\windows\system32\atioglxx32.dll
BHO: {0e7fecb0-6bd6-4b2d-9094-1907ccf67fca} - c:\windows\system32\atioglxx32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: e8022bb2: {5a96e11c-cd93-0d21-c1ab-8b0383b8ad01} - c:\windows\system32\jsproxy32.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [CARPService] "carpserv.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Desktop Authority GUI] "c:\program files\desktopauthority\ragui.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [ControlCenter2.0] "c:\program files\oce\controlcenter2\brctrcen.exe" /autorun
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [XA5RJ9EADJ] c:\windows\temp\Twr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\dell\bluetooth software\BTTray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
Notify: ckpNotify - ckpNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.psi\applic~1\mozilla\firefox\profiles\t1lpe0bo.default\
FF - plugin: c:\documents and settings\tvaughn\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\tvaughn\application data\move networks\plugins\npqmp071505000011.dll

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2008-9-18 91136]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-17 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-17 108392]
R2 DAInfo;Desktop Authority Kernel Information Provider;c:\program files\desktopauthority\rainfo.sys [2006-12-19 6400]
R2 DAMaint;Desktop Authority Maintenance Service;c:\program files\desktopauthority\ramaint.exe [2006-12-19 49152]
R2 DesktopAuthority;Desktop Authority Service;c:\program files\desktopauthority\DesktopAuthority.exe [2006-12-19 1089536]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2006-8-3 190528]
R2 OrsmAgentServiceCom;OrsmAgentServiceCom;c:\program files\openrsm\agent\OrsmAgentService.exe [2007-4-24 1041920]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2010-7-27 17456]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slClient.exe [2005-12-19 527360]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-8-17 1775344]
R2 Symantec AntiVirus32;Symantec Endpoint Protection ;c:\windows\system32\expsrv32.exe [2010-10-20 1349120]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2010-7-27 670128]
R3 DAmirr;DAmirr;c:\windows\system32\drivers\DAmirr.sys [2006-12-19 2944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-18 102448]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2010-7-27 2041904]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101026.002\NAVENG.SYS [2010-10-26 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101026.002\NAVEX15.SYS [2010-10-26 1371184]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2006-8-3 18944]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\NgVpn.sys [2006-8-3 70144]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2008-9-18 23180]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-8-17 23888]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2006-8-3 15360]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2010-7-27 14924]

=============== Created Last 30 ================

2010-10-26 18:52:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 18:52:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-26 18:52:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-26 14:19:04 0 ---ha-w- c:\documents and settings\administrator.psi\ymmszlgrbn.tmp
2010-10-26 14:14:51 -------- d-----w- c:\program files\Magical Jelly Bean
2010-10-26 14:13:09 -------- d-----w- c:\docume~1\admini~1.psi\locals~1\applic~1\Mozilla
2010-10-20 19:16:44 174592 ----a-w- c:\windows\system32\jscript32.exe
2010-10-20 19:16:27 203776 --sh--w- c:\windows\system32\unrar.exe
2010-10-20 19:16:27 -------- d-----w- c:\windows\system32\709041280
2010-10-20 19:15:57 1349120 ----a-w- c:\windows\system32\devmgr32.exe
2010-10-20 19:15:55 250368 ----a-w- c:\windows\system32\jsproxy32.dll
2010-10-20 19:15:51 1349120 ----a-w- c:\windows\system32\expsrv32.exe
2010-10-20 19:15:48 370176 ----a-w- c:\windows\system32\atioglxx32.dll

==================== Find3M ====================

2010-08-18 16:49:46 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-17 20:22:18 107848 ----a-w- c:\windows\system32\SymVPN.dll
2010-08-17 20:22:16 89088 ----a-w- c:\windows\system32\atl71.dll
2010-08-17 20:22:16 625032 ----a-w- c:\windows\system32\SymNeti.dll
2010-08-17 20:22:16 49480 ----a-w- c:\windows\system32\FwsVpn.dll
2010-08-17 20:22:16 242056 ----a-w- c:\windows\system32\SymRedir.dll

============= FINISH: 17:05:41.65 ===============


DDS (Ver_10-10-21.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/27/2007 4:21:20 PM
System Uptime: 10/26/2010 3:27:16 PM (2 hours ago)

Motherboard: Dell Computer Corporation | | 0D2125
Processor: Intel(R) Pentium(R) M processor 1.80GHz | Microprocessor | 1798/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 56 GiB total, 30.415 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless WLAN 1450 Dual Band WLAN Mini-PCI Card
Device ID: PCI\VEN_14E4&DEV_4324&SUBSYS_00031028&REV_03\4&39A85202&0&18F0
Manufacturer: Broadcom
Name: Dell Wireless WLAN 1450 Dual Band WLAN Mini-PCI Card
PNP Device ID: PCI\VEN_14E4&DEV_4324&SUBSYS_00031028&REV_03\4&39A85202&0&18F0
Service: BCM43XX

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VPN-1 SecureClient Adapter
Device ID: ROOT\NET\0001
Manufacturer: Check Point
Name: VPN-1 SecureClient Adapter
PNP Device ID: ROOT\NET\0001
Service: OMVA

==== System Restore Points ===================


==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Aventail Connect
B57Inst
Bonjour
Broadcom Driver Installer
CCleaner (remove only)
Check Point VPN-1 SecureClient NG_AI_R56
Citrix Program Neighborhood ( Citrix ICA Client )
Compatibility Pack for the 2007 Office system
Conexant D480 MDC V.9x Modem
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Dell Bluetooth Software
Dell ResourceCD
Dell Wireless WLAN Utility
Easy CD Creator 5 Basic
eDrawings 2007
G.Neil Attendance Controller 7.0
G.Neil Confidential Employee Record 7.0
G.Neil Friendly Forms Builder 2.5
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB917821)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
IBM iSeries Access for Windows
Instant Interview
InterBase 6 Open Edition - 6.0.1.6
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
Java(TM) 6 Update 14
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
LimeWire 5.5.16
LiveUpdate 3.3 (Symantec Corporation)
Made2Manage
Made2Manage 5.50 SP1
Made2Manage 5.50 SP1 550.435.435 SP1
Made2Manage 550.413.413 GA
Made2Manage Bar Code Collection
Made2Manage Bar Code Collection 550.413.413 GA
Made2Manage Bar Code Posting
Made2Manage Bar Code Posting 550.413.413 GA
Magical Jelly Bean KeyFinder
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2000
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Windows Journal Viewer
MiniSoft
MostFun.com Games - Winemaker Extraordinaire (remove only)
Mozilla Firefox (3.6.11)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Multi-Function Suite
Nancy Drew: Ransom of the Seven Ships
OpenRSM-Agent
PaperPort
PowerDVD
QuickTime
Revo Uninstaller 1.89
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
SigmaTel AC97 Audio Drivers
SonicWALL Global VPN Client
Spelling Dictionaries Support For Adobe Reader 9
Symantec Endpoint Protection Client
Update for Windows Media Player 10 (KB912452)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
WebFldrs XP
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Hotfix - KB895181
Windows Media Player 10 Hotfix - KB888656
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Service Pack 3
Winemaker Extraordinaire
WinZip
XP TCP/IP Repair

==== End Of File ===========================
 
Welcome aboard


Read here: https://www.techspot.com/vb/topic154928.html
 
Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

==================================================================

Download MBRCheck to your desktop

Double-click MBRCheck.exe to run it (Vista and Windows 7 users, right-click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop.
Open this report and post its content in your next reply.
 
Here they are.
2010/10/29 07:08:58.0334 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49
2010/10/29 07:08:58.0334 ================================================================================
2010/10/29 07:08:58.0334 SystemInfo:
2010/10/29 07:08:58.0334
2010/10/29 07:08:58.0334 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/29 07:08:58.0334 Product type: Workstation
2010/10/29 07:08:58.0334 ComputerName: MWNLT006
2010/10/29 07:08:58.0334 UserName: tvaughn
2010/10/29 07:08:58.0344 Windows directory: C:\WINDOWS
2010/10/29 07:08:58.0344 System windows directory: C:\WINDOWS
2010/10/29 07:08:58.0344 Processor architecture: Intel x86
2010/10/29 07:08:58.0344 Number of processors: 1
2010/10/29 07:08:58.0344 Page size: 0x1000
2010/10/29 07:08:58.0344 Boot type: Normal boot
2010/10/29 07:08:58.0344 ================================================================================
2010/10/29 07:08:58.0624 Initialize success
2010/10/29 07:09:07.0947 ================================================================================
2010/10/29 07:09:07.0947 Scan started
2010/10/29 07:09:07.0947 Mode: Manual;
2010/10/29 07:09:07.0947 ================================================================================
2010/10/29 07:09:16.0810 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
2010/10/29 07:09:17.0010 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
2010/10/29 07:09:17.0211 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/29 07:09:17.0361 dvd_2K (677829f7010768eeeed8d0083e510dab) C:\WINDOWS\system32\drivers\dvd_2K.sys
2010/10/29 07:09:17.0792 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2010/10/29 07:09:17.0852 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2010/10/29 07:09:18.0032 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/29 07:09:18.0192 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/10/29 07:09:18.0302 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/29 07:09:18.0392 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/10/29 07:09:18.0563 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/29 07:09:18.0693 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/29 07:09:18.0773 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/29 07:09:19.0083 FW1 (7441f96680ac1fad27ae34ff8076d594) C:\WINDOWS\system32\DRIVERS\fw.sys
2010/10/29 07:09:19.0264 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/10/29 07:09:19.0384 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/29 07:09:19.0544 gv3 (01cdb5b4649fae249e787a83be22916a) C:\WINDOWS\system32\DRIVERS\gv3.sys
2010/10/29 07:09:19.0724 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\Drivers\hidusb.sys
2010/10/29 07:09:19.0885 HSFHWICH (140ba850417896b6b3322048de280368) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
2010/10/29 07:09:20.0055 HSF_DP (b2dfc168d6f7512faea085253c5a37ad) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2010/10/29 07:09:20.0225 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/29 07:09:20.0596 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\Drivers\i8042prt.sys
2010/10/29 07:09:20.0686 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/29 07:09:20.0886 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/10/29 07:09:20.0986 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/29 07:09:21.0196 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/29 07:09:21.0317 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/29 07:09:21.0467 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/29 07:09:21.0587 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/29 07:09:21.0737 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/29 07:09:21.0917 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/29 07:09:22.0038 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\Drivers\isapnp.sys
2010/10/29 07:09:22.0138 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/29 07:09:22.0208 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\Drivers\kbdhid.sys
2010/10/29 07:09:22.0328 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/29 07:09:22.0428 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/29 07:09:22.0699 MDC8021X (bee76ac58bb524523a84000ba8efe55a) C:\WINDOWS\system32\DRIVERS\mdc8021x.sys
2010/10/29 07:09:22.0809 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/10/29 07:09:22.0909 mmc_2K (9b90303a9c9405a6ce1466ff4aa20fdd) C:\WINDOWS\system32\drivers\mmc_2K.sys
2010/10/29 07:09:22.0999 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/29 07:09:23.0139 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/29 07:09:23.0340 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/29 07:09:23.0470 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/29 07:09:23.0560 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/29 07:09:23.0710 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/29 07:09:23.0850 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/29 07:09:24.0051 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/29 07:09:24.0161 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/29 07:09:24.0291 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/29 07:09:24.0411 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/29 07:09:24.0521 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/29 07:09:24.0621 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/10/29 07:09:24.0812 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/29 07:09:24.0912 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/10/29 07:09:25.0182 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101026.002\NAVENG.SYS
2010/10/29 07:09:25.0312 NAVEX15 (158676a5758c1fa519563b3e72fbf256) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101026.002\NAVEX15.SYS
2010/10/29 07:09:25.0523 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/29 07:09:25.0713 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/10/29 07:09:25.0813 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/29 07:09:25.0893 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/29 07:09:25.0983 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/29 07:09:26.0073 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/29 07:09:26.0284 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/29 07:09:26.0454 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/29 07:09:26.0634 NgFilter (38846eaad056068b691a6ee164c71b9e) C:\WINDOWS\system32\DRIVERS\ngfilter.sys
2010/10/29 07:09:26.0744 NgLog (683f480aca03141360ae848cb57cda04) C:\WINDOWS\system32\DRIVERS\nglog.sys
2010/10/29 07:09:26.0835 NgVpn (d0c0658c693d491c23adaf3d86e5b0f3) C:\WINDOWS\system32\DRIVERS\ngvpn.sys
2010/10/29 07:09:26.0965 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/29 07:09:27.0135 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/29 07:09:27.0355 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/29 07:09:27.0445 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/29 07:09:27.0576 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/29 07:09:27.0706 O2SCBUS (dd3764730845a74a7fc1021148803fdd) C:\WINDOWS\system32\DRIVERS\ozscr.sys
2010/10/29 07:09:27.0846 OMCI (1d98907d80461371437a7c898c58c8ae) C:\WINDOWS\system32\DRIVERS\omci.sys
2010/10/29 07:09:27.0996 OMVA (73c74eb8b231974b7a961fddd878ae01) C:\WINDOWS\system32\DRIVERS\OMVA.sys
2010/10/29 07:09:28.0227 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/29 07:09:28.0317 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/29 07:09:28.0447 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/29 07:09:28.0597 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\Drivers\pci.sys
2010/10/29 07:09:28.0807 pciide (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\Drivers\pciide.sys
2010/10/29 07:09:28.0968 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\Drivers\pcmcia.sys
2010/10/29 07:09:29.0639 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/29 07:09:29.0769 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/10/29 07:09:29.0869 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/29 07:09:29.0989 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/29 07:09:30.0079 pwd_2k (d8b90616a8bd53de281dbdb664c0984a) C:\WINDOWS\system32\drivers\pwd_2k.sys
2010/10/29 07:09:30.0700 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/29 07:09:30.0840 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/29 07:09:30.0981 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/29 07:09:31.0181 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/29 07:09:31.0311 RCFOX (5c72bbc9ca332847e0913168d917d2ee) C:\WINDOWS\system32\Drivers\RCFOX.sys
2010/10/29 07:09:31.0421 rcvpn (808b237c0b31327be1dbd72f14787f7e) C:\WINDOWS\system32\DRIVERS\rcvpn.sys
2010/10/29 07:09:31.0641 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/29 07:09:31.0772 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/29 07:09:31.0982 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/29 07:09:32.0092 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/29 07:09:32.0172 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/29 07:09:32.0272 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/10/29 07:09:32.0443 Scap (8c3d61bb8f35264e14fb76856fefad62) C:\WINDOWS\system32\DRIVERS\Scap.sys
2010/10/29 07:09:32.0653 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/29 07:09:32.0853 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/29 07:09:32.0973 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/29 07:09:33.0114 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2010/10/29 07:09:33.0344 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/10/29 07:09:33.0755 SPBBCDrv (e621bb5839cf45fa477f48092edd2b40) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2010/10/29 07:09:33.0925 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/29 07:09:34.0065 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/29 07:09:34.0185 SRTSP (2abf82c8452ab0b9ffc74a2d5da91989) C:\WINDOWS\system32\Drivers\SRTSP.SYS
2010/10/29 07:09:34.0325 SRTSPL (e2f9e5887bea5bd8784d337e06eda31b) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
2010/10/29 07:09:34.0456 SRTSPX (3b974c158fabd910186f98df8d3e23f3) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
2010/10/29 07:09:34.0666 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/29 07:09:34.0876 STAC97 (f2ca38990f140025b91ee7bbd315f44c) C:\WINDOWS\system32\drivers\STAC97.sys
2010/10/29 07:09:35.0016 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2010/10/29 07:09:35.0147 StreamDispatcher (81adff4dce596d5f1f4153c064a441fd) C:\WINDOWS\system32\DRIVERS\strmdisp.sys
2010/10/29 07:09:35.0277 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/10/29 07:09:35.0407 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/29 07:09:35.0717 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/29 07:09:36.0008 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2010/10/29 07:09:36.0148 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2010/10/29 07:09:36.0388 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2010/10/29 07:09:36.0759 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/29 07:09:36.0919 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/29 07:09:37.0039 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/29 07:09:37.0169 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/29 07:09:37.0330 Teefer2 (1de2e1357552a79f39bff003a11c533e) C:\WINDOWS\system32\DRIVERS\teefer2.sys
2010/10/29 07:09:37.0420 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/29 07:09:37.0680 UdfReadr_xp (4e75005b74be901c30f2636df40b0c15) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
2010/10/29 07:09:37.0790 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/29 07:09:38.0091 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/29 07:09:38.0231 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/29 07:09:38.0351 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\Drivers\usbehci.sys
2010/10/29 07:09:38.0431 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\Drivers\usbhub.sys
2010/10/29 07:09:38.0581 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/29 07:09:38.0732 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/29 07:09:38.0922 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/29 07:09:39.0022 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\Drivers\usbuhci.sys
2010/10/29 07:09:39.0152 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/29 07:09:39.0363 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/29 07:09:39.0593 VPN-1 (793b9aed2fc908fdfc93f0afa07f59cf) C:\WINDOWS\System32\drivers\vpn.sys
2010/10/29 07:09:39.0833 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/29 07:09:39.0983 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/29 07:09:40.0164 winachsf (2dc7c0b6175a0a8ed84a4f70199c93b5) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/10/29 07:09:40.0454 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/10/29 07:09:40.0654 WPS (c24cfb097547dd4dd9040ec9757f0dca) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2010/10/29 07:09:40.0735 WpsHelper (ff983a25ae6f7d3f87f26bf51f02a201) C:\WINDOWS\system32\drivers\WpsHelper.sys
2010/10/29 07:09:40.0845 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/10/29 07:09:41.0005 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/10/29 07:09:41.0155 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/10/29 07:09:41.0426 ================================================================================
2010/10/29 07:09:41.0426 Scan finished
2010/10/29 07:09:41.0426 ================================================================================
2010/10/29 07:11:06.0888 Deinitialize success


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000011c

Kernel Drivers (total 169):

Processes (total 53):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK6026GAX, Rev: PA202D

Size    Device Name          MBR Status
--------------------------------------------
55 GB   \\.\PhysicalDrive0   Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
 
Both logs look good :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double-click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt".
**Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
ComboFix 10-10-29.03 - Administrator 10/30/2010 6:18.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.556 [GMT -4:00]
Running from: c:\documents and settings\administrator.psi\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\709041280
c:\windows\system32\atioglxx32.dll
c:\windows\system32\unrar.exe

.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-30 )))))))))))))))))))))))))))))))
.

2010-10-29 11:03 . 2010-10-29 11:03 0 ----a-w- c:\windows\system32\5.tmp
2010-10-26 18:52 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 18:52 . 2010-10-26 18:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-26 18:52 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-26 14:19 . 2010-10-26 14:19 0 ---ha-w- c:\documents and settings\administrator.psi\ymmszlgrbn.tmp
2010-10-26 14:14 . 2010-10-26 14:14 -------- d-----w- c:\program files\Magical Jelly Bean
2010-10-26 14:13 . 2010-10-26 14:13 -------- d-----w- c:\documents and settings\administrator.psi\Local Settings\Application Data\Mozilla
2010-10-21 15:32 . 2010-10-21 15:32 0 ---ha-w- c:\documents and settings\tvaughn\ymmszlgrbn.tmp
2010-10-20 19:16 . 2010-10-20 19:16 174592 ----a-w- c:\windows\system32\jscript32.exe
2010-10-20 19:15 . 2010-10-20 19:15 1349120 ----a-w- c:\windows\system32\devmgr32.exe
2010-10-20 19:15 . 2010-10-20 19:15 250368 ----a-w- c:\windows\system32\jsproxy32.dll
2010-10-20 19:15 . 2010-10-20 19:15 1349120 ----a-w- c:\windows\system32\expsrv32.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-05 12:11 . 2010-08-17 20:22 167936 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2010-08-18 16:49 . 2010-08-18 16:49 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-18 16:49 . 2010-08-18 16:49 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-17 20:22 . 2010-08-17 20:22 107848 ----a-w- c:\windows\system32\SymVPN.dll
2010-08-17 20:22 . 2010-08-17 20:22 89088 ----a-w- c:\windows\system32\atl71.dll
2010-08-17 20:22 . 2010-08-17 20:22 625032 ----a-w- c:\windows\system32\SymNeti.dll
2010-08-17 20:22 . 2010-08-17 20:22 49480 ----a-w- c:\windows\system32\FwsVpn.dll
2010-08-17 20:22 . 2010-08-17 20:22 42312 ----a-w- c:\windows\system32\drivers\WPSDRVnt.sys
2010-08-17 20:22 . 2010-08-17 20:22 242056 ----a-w- c:\windows\system32\SymRedir.dll
2010-08-17 20:22 . 2010-08-17 20:22 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-08-17 20:22 . 2010-08-17 20:22 320560 ----a-w- c:\windows\system32\drivers\srtspl.sys
2010-08-17 20:22 . 2010-08-17 20:22 281648 ----a-w- c:\windows\system32\drivers\srtsp.sys
2010-08-17 20:21 . 2010-08-17 20:21 50064 ----a-w- c:\windows\system32\drivers\Teefer2.sys
2010-08-17 20:21 . 2010-08-17 20:21 39856 ----a-w- c:\windows\system32\drivers\symids.sys
2010-08-17 20:21 . 2010-08-17 20:21 38448 ----a-w- c:\windows\system32\drivers\symndisv.sys
2010-08-17 20:21 . 2010-08-17 20:21 35120 ----a-w- c:\windows\system32\drivers\symndis.sys
2010-08-17 20:21 . 2010-08-17 20:21 26416 ----a-w- c:\windows\system32\drivers\symredrv.sys
2010-08-17 20:21 . 2010-08-17 20:21 188080 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-08-17 20:21 . 2010-08-17 20:21 145968 ----a-w- c:\windows\system32\drivers\symfw.sys
2010-08-17 20:21 . 2010-08-17 20:21 12720 ----a-w- c:\windows\system32\drivers\symdns.sys
2010-08-17 20:21 . 2010-08-17 20:21 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A96E11C-CD93-0D21-C1AB-8B0383B8AD01}]
2010-10-20 19:15 250368 ----a-w- c:\windows\system32\jsproxy32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2002-10-17 4608]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]
"Desktop Authority GUI"="c:\program files\DesktopAuthority\ragui.exe" [2006-03-06 442368]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"ControlCenter2.0"="c:\program files\Oce\ControlCenter2\brctrcen.exe" [2006-06-22 1007616]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2005-10-19 20531]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-08-17 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-03-01 23:49 24672 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-04 19:18 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"c:\\WINDOWS\\system32\\expsrv32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [9/18/2008 3:39 PM 91136]
R2 DAInfo;Desktop Authority Kernel Information Provider;c:\program files\DesktopAuthority\rainfo.sys [12/19/2006 3:16 PM 6400]
R2 DAMaint;Desktop Authority Maintenance Service;c:\program files\DesktopAuthority\ramaint.exe [12/19/2006 3:16 PM 49152]
R2 DesktopAuthority;Desktop Authority Service;c:\program files\DesktopAuthority\DesktopAuthority.exe [12/19/2006 3:16 PM 1089536]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [8/3/2006 2:50 PM 190528]
R2 OrsmAgentServiceCom;OrsmAgentServiceCom;c:\program files\OpenRsm\Agent\OrsmAgentService.exe [4/24/2007 8:57 AM 1041920]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [7/27/2010 9:01 AM 17456]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slClient.exe [12/19/2005 2:49 PM 527360]
R2 Symantec AntiVirus32;Symantec Endpoint Protection ;c:\windows\system32\expsrv32.exe [10/20/2010 3:15 PM 1349120]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [7/27/2010 9:01 AM 670128]
R3 DAmirr;DAmirr;c:\windows\system32\drivers\DAmirr.sys [12/19/2006 3:16 PM 2944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/18/2010 1:13 PM 102448]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [7/27/2010 9:04 AM 2041904]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [8/3/2006 2:48 PM 18944]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\NgVpn.sys [8/3/2006 2:49 PM 70144]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [9/18/2008 3:38 PM 23180]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [8/17/2010 4:21 PM 23888]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [8/3/2006 2:49 PM 15360]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [7/27/2010 9:04 AM 14924]
.
Contents of the 'Scheduled Tasks' folder

2010-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2008-05-05 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-01-23 00:12]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\administrator.psi\Application Data\Mozilla\Firefox\Profiles\t1lpe0bo.default\
FF - plugin: c:\documents and settings\tvaughn\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\tvaughn\Application Data\Move Networks\plugins\npqmp071505000011.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{0628C7B2-A339-4980-96F6-7AC886E4B19f} - c:\windows\system32\atioglxx32.dll
BHO-{073FF658-6BD6-4B2D-9094-1907CCF67FCa} - c:\windows\system32\atioglxx32.dll
BHO-{0C518F64-A339-4980-96F6-7AC886E4B19f} - c:\windows\system32\atioglxx32.dll
BHO-{0E7FECB0-6BD6-4B2D-9094-1907CCF67FCa} - c:\windows\system32\atioglxx32.dll
SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-30 06:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-966400107-4207243982-2677830620-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,ce,b8,6a,4d,55,46,44,a5,97,78,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,ce,b8,6a,4d,55,46,44,a5,97,78,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,ce,b8,6a,4d,55,46,44,a5,97,78,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,ce,b8,6a,4d,55,46,44,a5,97,78,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,ce,b8,6a,4d,55,46,44,a5,97,78,\
.
Completion time: 2010-10-30 06:30:19
ComboFix-quarantined-files.txt 2010-10-30 10:30
ComboFix2.txt 2010-08-03 18:39

Pre-Run: 32,705,716,224 bytes free
Post-Run: 32,683,872,256 bytes free

- - End Of File - - EDFF15F65CA7CBA3FDE360ACAC234015

HERE IS THE LOG AND THANKS FOR THE HELP
 
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\5.tmp
c:\documents and settings\administrator.psi\ymmszlgrbn.tmp
c:\documents and settings\tvaughn\ymmszlgrbn.tmp
c:\windows\system32\jscript32.exe
c:\windows\system32\devmgr32.exe
c:\windows\system32\jsproxy32.dll
c:\windows\system32\expsrv32.exe


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A96E11C-CD93-0D21-C1AB-8B0383B8AD01}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
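As an added example (not from the thread and not ComboFix's own code), here is a Python script that re-derives from a ComboFix log the conditions the CFScript above corrects: the Windows Firewall turned off, Security Center monitoring of the AV suppressed, a system32 binary added to the firewall exception list, a service borrowing a security vendor's name while running from system32, a freshly created BHO DLL, and several same-size files dropped under system-sounding names. The sample log is constructed from lines quoted in this thread; the allow-list, the keyword list and the 30-day freshness window are assumptions.

```python
# Added example (not ComboFix's code): triage the 'Files Created' and 'Reg Loading
# Points' sections of a ComboFix log for the conditions the CFScript above corrects.
# SAMPLE_LOG is constructed from lines quoted in this thread; the allow-list and the
# keyword list are assumptions for the example, not published ComboFix logic.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-30 )))))))))))))))))))))))))))))))
2010-10-26 18:52 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 18:52 . 2010-10-26 18:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-20 19:16 . 2010-10-20 19:16 174592 ----a-w- c:\windows\system32\jscript32.exe
2010-10-20 19:15 . 2010-10-20 19:15 1349120 ----a-w- c:\windows\system32\devmgr32.exe
2010-10-20 19:15 . 2010-10-20 19:15 250368 ----a-w- c:\windows\system32\jsproxy32.dll
2010-10-20 19:15 . 2010-10-20 19:15 1349120 ----a-w- c:\windows\system32\expsrv32.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A96E11C-CD93-0D21-C1AB-8B0383B8AD01}]
2010-10-20 19:15 250368 ----a-w- c:\windows\system32\jsproxy32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-03-01 23:49 24672 ----a-w- c:\windows\system32\ckpNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\WINDOWS\\system32\\expsrv32.exe"=
R2 SLClient;ScriptLogic Service;c:\windows\system32\slClient.exe [12/19/2005 2:49 PM 527360]
R2 Symantec AntiVirus32;Symantec Endpoint Protection ;c:\windows\system32\expsrv32.exe [10/20/2010 3:15 PM 1349120]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [8/17/2010 4:21 PM 23888]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"=(.*)$')
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+|-+) \S+ (.+)$")
LOADPOINT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) \S+ (.+)$")
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);([^;]*);(.+?) \[[^\]]+\]$")

# XP firewall exceptions that are present by default (assumed allow-list for the example).
KNOWN_FIREWALL_EXCEPTIONS = {"sessmgr.exe", "xpnetdiag.exe"}
# Vendor words a service impersonating a security product tends to borrow (assumption).
SECURITY_WORDS = ("symantec", "antivirus", "norton", "mcafee", "endpoint")


def norm_path(path):
    """Collapse REGEDIT4's doubled backslashes, lower-case, and expand %windir%."""
    return path.replace("\\\\", "\\").lower().replace("%windir%", r"c:\windows")


def triage(log_text, scan_date, fresh_days=30):
    """Return [(rule, detail), ...] for one ComboFix log; scan_date is 'YYYY-MM-DD'."""
    scan = datetime.strptime(scan_date, "%Y-%m-%d")

    def fresh(stamp):  # created within fresh_days of the scan
        return scan - datetime.strptime(stamp, "%Y-%m-%d %H:%M") <= timedelta(days=fresh_days)

    findings, key, sizes = [], "", defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
        elif m := CREATED_RE.match(line):
            stamp, size, path = m.groups()
            # Group fresh files under c:\windows by byte size: one payload dropped under
            # several system-sounding names shows up as identical sizes.
            if size.isdigit() and fresh(stamp) and norm_path(path).startswith(r"c:\windows"):
                sizes[int(size)].add(norm_path(path))
        elif m := LOADPOINT_RE.match(line):
            stamp, _size, path = m.groups()
            if "browser helper objects" in key and fresh(stamp):
                findings.append(("fresh_bho", f"BHO DLL created {stamp}: {path}"))
        elif m := SERVICE_RE.match(line):
            name, desc, path = m.groups()
            # A service that names a security vendor but runs from outside Program Files.
            claims = any(w in (name + desc).lower() for w in SECURITY_WORDS)
            if claims and not norm_path(path).startswith(r"c:\program files"):
                findings.append(("impostor_service", f"{name.strip()} -> {path}"))
        elif m := VALUE_RE.match(line):
            vname, value = m.groups()
            if key.endswith(r"firewallpolicy\standardprofile") and vname == "EnableFirewall":
                if value.strip().startswith("0"):
                    findings.append(("firewall_disabled", key))
            elif r"security center\monitoring" in key and vname == "DisableMonitoring":
                if value.strip().endswith("1"):
                    findings.append(("monitoring_disabled", key.rsplit("\\", 1)[-1]))
            elif key.endswith(r"authorizedapplications\list"):
                app = norm_path(vname)
                if app.startswith(r"c:\windows") and app.rsplit("\\", 1)[-1] not in KNOWN_FIREWALL_EXCEPTIONS:
                    findings.append(("firewall_exception_in_windir", app))
    for size, paths in sorted(sizes.items()):
        if len(paths) > 1:
            findings.append(("same_size_copies", f"{size} bytes: " + ", ".join(sorted(paths))))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG, "2010-10-30"):
        print(f"{rule:30} {detail}")
```

These are triage heuristics, not a verdict: a legitimate vendor driver living under system32\drivers would also trip the impostor-service rule and needs a signature check before anything is scripted for deletion.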
 
Well, dragging the script into ComboFix did not cause it to start. So after trying several times I clicked ComboFix myself. Log to follow.
 
Well, you have to run my script.
If dragging doesn't work, try this:

Run script from command line:

Click Start > Run, copy/paste the following line into the Run box and press Enter:

combofix "%userprofile%\desktop\cfscript.txt"

Note. CFScript.txt MUST be located on the desktop for this to work.
 
Running from the command line failed and noted it was rich text. Happily Combofix closed itself after that. I saved the script as Unicode and was able to drag to start.
I had to change the encoding from ANSI to Unicode. Log to follow.
 
Here is the log. Combofix even sent malware files back home for analysis; first time I have seen that.


ComboFix 10-10-29.03 - Administrator 10/30/2010 15:03:37.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.472 [GMT -4:00]
Running from: c:\documents and settings\administrator.psi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\administrator.psi\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

FILE ::
"c:\documents and settings\administrator.psi\ymmszlgrbn.tmp"
"c:\documents and settings\tvaughn\ymmszlgrbn.tmp"
"c:\windows\system32\5.tmp"
"c:\windows\system32\devmgr32.exe"
"c:\windows\system32\expsrv32.exe"
"c:\windows\system32\jscript32.exe"
"c:\windows\system32\jsproxy32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\administrator.psi\ymmszlgrbn.tmp
c:\documents and settings\tvaughn\ymmszlgrbn.tmp
c:\windows\system32\5.tmp
c:\windows\system32\devmgr32.exe
c:\windows\system32\expsrv32.exe
c:\windows\system32\jscript32.exe
c:\windows\system32\jsproxy32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_Symantec_AntiVirus32
-------\Service_Symantec AntiVirus32


((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-30 )))))))))))))))))))))))))))))))
.

2010-10-30 19:09 . 2010-10-20 19:15 1349120 ----a-w- c:\windows\system32\atioglxx32.exe
2010-10-30 17:33 . 2010-10-30 17:33 0 ----a-w- c:\windows\system32\3.tmp
2010-10-26 18:52 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 18:52 . 2010-10-26 18:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-26 18:52 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-26 14:14 . 2010-10-26 14:14 -------- d-----w- c:\program files\Magical Jelly Bean
2010-10-26 14:13 . 2010-10-26 14:13 -------- d-----w- c:\documents and settings\administrator.psi\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-05 12:11 . 2010-08-17 20:22 167936 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2010-08-18 16:49 . 2010-08-18 16:49 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-18 16:49 . 2010-08-18 16:49 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-17 20:22 . 2010-08-17 20:22 107848 ----a-w- c:\windows\system32\SymVPN.dll
2010-08-17 20:22 . 2010-08-17 20:22 89088 ----a-w- c:\windows\system32\atl71.dll
2010-08-17 20:22 . 2010-08-17 20:22 625032 ----a-w- c:\windows\system32\SymNeti.dll
2010-08-17 20:22 . 2010-08-17 20:22 49480 ----a-w- c:\windows\system32\FwsVpn.dll
2010-08-17 20:22 . 2010-08-17 20:22 42312 ----a-w- c:\windows\system32\drivers\WPSDRVnt.sys
2010-08-17 20:22 . 2010-08-17 20:22 242056 ----a-w- c:\windows\system32\SymRedir.dll
2010-08-17 20:22 . 2010-08-17 20:22 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-08-17 20:22 . 2010-08-17 20:22 320560 ----a-w- c:\windows\system32\drivers\srtspl.sys
2010-08-17 20:22 . 2010-08-17 20:22 281648 ----a-w- c:\windows\system32\drivers\srtsp.sys
2010-08-17 20:21 . 2010-08-17 20:21 50064 ----a-w- c:\windows\system32\drivers\Teefer2.sys
2010-08-17 20:21 . 2010-08-17 20:21 39856 ----a-w- c:\windows\system32\drivers\symids.sys
2010-08-17 20:21 . 2010-08-17 20:21 38448 ----a-w- c:\windows\system32\drivers\symndisv.sys
2010-08-17 20:21 . 2010-08-17 20:21 35120 ----a-w- c:\windows\system32\drivers\symndis.sys
2010-08-17 20:21 . 2010-08-17 20:21 26416 ----a-w- c:\windows\system32\drivers\symredrv.sys
2010-08-17 20:21 . 2010-08-17 20:21 188080 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-08-17 20:21 . 2010-08-17 20:21 145968 ----a-w- c:\windows\system32\drivers\symfw.sys
2010-08-17 20:21 . 2010-08-17 20:21 12720 ----a-w- c:\windows\system32\drivers\symdns.sys
2010-08-17 20:21 . 2010-08-17 20:21 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-10-30_10.27.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-30 19:13 . 2010-10-30 19:13 16384 c:\windows\Temp\Perflib_Perfdata_500.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2002-10-17 4608]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]
"Desktop Authority GUI"="c:\program files\DesktopAuthority\ragui.exe" [2006-03-06 442368]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"ControlCenter2.0"="c:\program files\Oce\ControlCenter2\brctrcen.exe" [2006-06-22 1007616]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2005-10-19 20531]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-08-17 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-03-01 23:49 24672 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-04 19:18 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [9/18/2008 3:39 PM 91136]
R2 DAInfo;Desktop Authority Kernel Information Provider;c:\program files\DesktopAuthority\rainfo.sys [12/19/2006 3:16 PM 6400]
R2 DAMaint;Desktop Authority Maintenance Service;c:\program files\DesktopAuthority\ramaint.exe [12/19/2006 3:16 PM 49152]
R2 DesktopAuthority;Desktop Authority Service;c:\program files\DesktopAuthority\DesktopAuthority.exe [12/19/2006 3:16 PM 1089536]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [8/3/2006 2:50 PM 190528]
R2 OrsmAgentServiceCom;OrsmAgentServiceCom;c:\program files\OpenRsm\Agent\OrsmAgentService.exe [4/24/2007 8:57 AM 1041920]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [7/27/2010 9:01 AM 17456]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slClient.exe [12/19/2005 2:49 PM 527360]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [7/27/2010 9:01 AM 670128]
R3 DAmirr;DAmirr;c:\windows\system32\drivers\DAmirr.sys [12/19/2006 3:16 PM 2944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/18/2010 1:13 PM 102448]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [7/27/2010 9:04 AM 2041904]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [8/3/2006 2:48 PM 18944]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\NgVpn.sys [8/3/2006 2:49 PM 70144]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [9/18/2008 3:38 PM 23180]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [8/17/2010 4:21 PM 23888]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [8/3/2006 2:49 PM 15360]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [7/27/2010 9:04 AM 14924]
.
Contents of the 'Scheduled Tasks' folder

2010-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2008-05-05 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-01-23 00:12]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\administrator.psi\Application Data\Mozilla\Firefox\Profiles\t1lpe0bo.default\
FF - plugin: c:\documents and settings\tvaughn\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\tvaughn\Application Data\Move Networks\plugins\npqmp071505000011.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-30 15:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-966400107-4207243982-2677830620-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,ce,b8,6a,4d,55,46,44,a5,97,78,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,ce,b8,6a,4d,55,46,44,a5,97,78,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,ce,b8,6a,4d,55,46,44,a5,97,78,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,ce,b8,6a,4d,55,46,44,a5,97,78,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,ce,b8,6a,4d,55,46,44,a5,97,78,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1196)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\System32\BTNCopy.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\INTERB~1\Bin\ibguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\progra~1\INTERB~1\Bin\ibserver.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
c:\windows\system32\carpserv.exe
c:\program files\Apoint\Apntex.exe
.
**************************************************************************
.
Completion time: 2010-10-30 15:43:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-30 19:43
ComboFix2.txt 2010-10-30 18:45
ComboFix3.txt 2010-10-30 10:30
ComboFix4.txt 2010-08-03 18:39

Pre-Run: 32,650,100,736 bytes free
Post-Run: 32,529,973,248 bytes free

- - End Of File - - 020737F5E9AEFA82C539F2D69D6A8073
 
We still have some more work to do...

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\atioglxx32.exe
c:\windows\system32\3.tmp


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
LOG

ComboFix 10-10-29.03 - Administrator 10/30/2010 16:21:08.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.559 [GMT -4:00]
Running from: c:\documents and settings\administrator.psi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\administrator.psi\Desktop\cfscript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

FILE ::
"c:\windows\system32\3.tmp"
"c:\windows\system32\atioglxx32.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\3.tmp
c:\windows\system32\atioglxx32.exe

.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-30 )))))))))))))))))))))))))))))))
.

2010-10-26 18:52 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 18:52 . 2010-10-26 18:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-26 18:52 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-26 14:14 . 2010-10-26 14:14 -------- d-----w- c:\program files\Magical Jelly Bean
2010-10-26 14:13 . 2010-10-26 14:13 -------- d-----w- c:\documents and settings\administrator.psi\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-05 12:11 . 2010-08-17 20:22 167936 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2010-08-18 16:49 . 2010-08-18 16:49 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-18 16:49 . 2010-08-18 16:49 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-17 20:22 . 2010-08-17 20:22 107848 ----a-w- c:\windows\system32\SymVPN.dll
2010-08-17 20:22 . 2010-08-17 20:22 89088 ----a-w- c:\windows\system32\atl71.dll
2010-08-17 20:22 . 2010-08-17 20:22 625032 ----a-w- c:\windows\system32\SymNeti.dll
2010-08-17 20:22 . 2010-08-17 20:22 49480 ----a-w- c:\windows\system32\FwsVpn.dll
2010-08-17 20:22 . 2010-08-17 20:22 42312 ----a-w- c:\windows\system32\drivers\WPSDRVnt.sys
2010-08-17 20:22 . 2010-08-17 20:22 242056 ----a-w- c:\windows\system32\SymRedir.dll
2010-08-17 20:22 . 2010-08-17 20:22 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-08-17 20:22 . 2010-08-17 20:22 320560 ----a-w- c:\windows\system32\drivers\srtspl.sys
2010-08-17 20:22 . 2010-08-17 20:22 281648 ----a-w- c:\windows\system32\drivers\srtsp.sys
2010-08-17 20:21 . 2010-08-17 20:21 50064 ----a-w- c:\windows\system32\drivers\Teefer2.sys
2010-08-17 20:21 . 2010-08-17 20:21 39856 ----a-w- c:\windows\system32\drivers\symids.sys
2010-08-17 20:21 . 2010-08-17 20:21 38448 ----a-w- c:\windows\system32\drivers\symndisv.sys
2010-08-17 20:21 . 2010-08-17 20:21 35120 ----a-w- c:\windows\system32\drivers\symndis.sys
2010-08-17 20:21 . 2010-08-17 20:21 26416 ----a-w- c:\windows\system32\drivers\symredrv.sys
2010-08-17 20:21 . 2010-08-17 20:21 188080 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-08-17 20:21 . 2010-08-17 20:21 145968 ----a-w- c:\windows\system32\drivers\symfw.sys
2010-08-17 20:21 . 2010-08-17 20:21 12720 ----a-w- c:\windows\system32\drivers\symdns.sys
2010-08-17 20:21 . 2010-08-17 20:21 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-10-30_10.27.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-30 19:13 . 2010-10-30 19:13 16384 c:\windows\Temp\Perflib_Perfdata_500.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2002-10-17 4608]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]
"Desktop Authority GUI"="c:\program files\DesktopAuthority\ragui.exe" [2006-03-06 442368]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"ControlCenter2.0"="c:\program files\Oce\ControlCenter2\brctrcen.exe" [2006-06-22 1007616]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2005-10-19 20531]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-08-17 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-03-01 23:49 24672 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-04 19:18 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [9/18/2008 3:39 PM 91136]
R2 DAInfo;Desktop Authority Kernel Information Provider;c:\program files\DesktopAuthority\rainfo.sys [12/19/2006 3:16 PM 6400]
R2 DAMaint;Desktop Authority Maintenance Service;c:\program files\DesktopAuthority\ramaint.exe [12/19/2006 3:16 PM 49152]
R2 DesktopAuthority;Desktop Authority Service;c:\program files\DesktopAuthority\DesktopAuthority.exe [12/19/2006 3:16 PM 1089536]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [8/3/2006 2:50 PM 190528]
R2 OrsmAgentServiceCom;OrsmAgentServiceCom;c:\program files\OpenRsm\Agent\OrsmAgentService.exe [4/24/2007 8:57 AM 1041920]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [7/27/2010 9:01 AM 17456]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slClient.exe [12/19/2005 2:49 PM 527360]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [7/27/2010 9:01 AM 670128]
R3 DAmirr;DAmirr;c:\windows\system32\drivers\DAmirr.sys [12/19/2006 3:16 PM 2944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/18/2010 1:13 PM 102448]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [7/27/2010 9:04 AM 2041904]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [8/3/2006 2:48 PM 18944]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\NgVpn.sys [8/3/2006 2:49 PM 70144]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [9/18/2008 3:38 PM 23180]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [8/17/2010 4:21 PM 23888]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [8/3/2006 2:49 PM 15360]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [7/27/2010 9:04 AM 14924]
.
Contents of the 'Scheduled Tasks' folder

2010-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2008-05-05 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-01-23 00:12]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\administrator.psi\Application Data\Mozilla\Firefox\Profiles\t1lpe0bo.default\
FF - plugin: c:\documents and settings\tvaughn\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\tvaughn\Application Data\Move Networks\plugins\npqmp071505000011.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-30 16:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-966400107-4207243982-2677830620-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,ce,b8,6a,4d,55,46,44,a5,97,78,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,ce,b8,6a,4d,55,46,44,a5,97,78,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,ce,b8,6a,4d,55,46,44,a5,97,78,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,ce,b8,6a,4d,55,46,44,a5,97,78,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,ce,b8,6a,4d,55,46,44,a5,97,78,\
.
Completion time: 2010-10-30 16:32:59
ComboFix-quarantined-files.txt 2010-10-30 20:32
ComboFix2.txt 2010-10-30 19:43
ComboFix3.txt 2010-10-30 18:45
ComboFix4.txt 2010-10-30 10:30
ComboFix5.txt 2010-10-30 20:19

Pre-Run: 32,543,719,424 bytes free
Post-Run: 32,520,568,832 bytes free

- - End Of File - - EBF39210577C0ED9968AD97869E1596F
 
Good :)

How is the computer doing at the moment?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
I found no log labeled Extras

OTL logfile created on: 10/30/2010 4:46:31 PM - Run 1
OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\administrator.psi\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 532.00 Mb Available Physical Memory | 52.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 30.32 Gb Free Space | 54.25% Space Free | Partition Type: NTFS
Drive E: | 3.74 Gb Total Space | 1.38 Gb Free Space | 36.88% Space Free | Partition Type: FAT32

Computer Name: MWNLT006 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/10/30 16:42:22 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator.psi\Desktop\OTL.exe
PRC - [2010/08/17 16:22:02 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2010/08/17 16:21:58 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2010/08/17 16:21:52 | 001,831,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2010/08/17 16:21:52 | 001,447,240 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2010/08/17 16:21:46 | 001,775,344 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/24 08:57:02 | 001,041,920 | ---- | M] () -- C:\Program Files\OpenRsm\Agent\OrsmAgentService.exe
PRC - [2006/08/03 14:50:28 | 000,190,528 | ---- | M] (Aventail Corporation) -- C:\WINDOWS\system32\ngvpnmgr.exe
PRC - [2006/03/06 02:55:08 | 000,527,360 | ---- | M] (ScriptLogic Corporation) -- C:\WINDOWS\system32\slClient.exe
PRC - [2006/03/06 02:54:44 | 000,442,368 | ---- | M] (ScriptLogic Corporation) -- C:\Program Files\DesktopAuthority\ragui.exe
PRC - [2006/03/06 02:54:44 | 000,049,152 | ---- | M] (ScriptLogic Corporation) -- C:\Program Files\DesktopAuthority\ramaint.exe
PRC - [2006/03/06 02:23:30 | 001,089,536 | ---- | M] (ScriptLogic Corporation) -- C:\Program Files\DesktopAuthority\DesktopAuthority.exe
PRC - [2005/03/17 14:25:54 | 000,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
PRC - [2005/03/01 19:49:30 | 001,691,741 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
PRC - [2005/03/01 19:49:18 | 000,036,962 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
PRC - [2005/03/01 19:49:14 | 000,110,689 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
PRC - [2004/09/13 12:33:20 | 000,155,648 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2002/10/17 12:54:04 | 000,004,608 | ---- | M] (Conexant Systems) -- C:\WINDOWS\system32\carpserv.exe
PRC - [2001/04/24 21:50:12 | 000,022,016 | ---- | M] (Inprise Corporation) -- C:\Program Files\InterBase\Bin\ibguard.exe
PRC - [2001/04/24 21:48:26 | 001,703,936 | ---- | M] (Inprise Corporation) -- C:\Program Files\InterBase\Bin\ibserver.exe


========== Modules (SafeList) ==========

MOD - [2010/10/30 16:42:22 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator.psi\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/08/17 16:22:02 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2010/08/17 16:22:02 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2010/08/17 16:21:52 | 001,831,928 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2010/08/17 16:21:52 | 000,345,416 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2010/08/17 16:21:46 | 001,775,344 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/07/13 12:06:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2007/04/24 08:57:02 | 001,041,920 | ---- | M] () [Auto | Running] -- C:\Program Files\OpenRsm\Agent\OrsmAgentService.exe -- (OrsmAgentServiceCom)
SRV - [2006/08/03 14:50:28 | 000,190,528 | ---- | M] (Aventail Corporation) [Auto | Running] -- C:\WINDOWS\system32\ngvpnmgr.exe -- (NgVpnMgr)
SRV - [2006/03/06 02:55:08 | 000,527,360 | ---- | M] (ScriptLogic Corporation) [Auto | Running] -- C:\WINDOWS\system32\slClient.exe -- (SLClient)
SRV - [2006/03/06 02:54:44 | 000,049,152 | ---- | M] (ScriptLogic Corporation) [Auto | Running] -- C:\Program Files\DesktopAuthority\ramaint.exe -- (DAMaint)
SRV - [2006/03/06 02:23:30 | 001,089,536 | ---- | M] (ScriptLogic Corporation) [Auto | Running] -- C:\Program Files\DesktopAuthority\DesktopAuthority.exe -- (DesktopAuthority)
SRV - [2005/06/08 05:40:00 | 000,065,585 | ---- | M] (IBM Corporation) [On_Demand | Stopped] -- C:\WINDOWS\cwbrxd.exe -- (Cwbrxd)
SRV - [2005/03/01 19:49:18 | 000,036,962 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe -- (SR_WatchDog)
SRV - [2005/03/01 19:49:14 | 000,110,689 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe -- (SR_Service)
SRV - [2004/10/15 10:12:38 | 000,131,072 | ---- | M] (SonicWALL, Inc.) [On_Demand | Stopped] -- C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe -- (RampartSvc)
SRV - [2001/04/24 21:50:12 | 000,022,016 | ---- | M] (Inprise Corporation) [Auto | Running] -- C:\Program Files\InterBase\Bin\ibguard.exe -- (InterBaseGuardian)
SRV - [2001/04/24 21:48:26 | 001,703,936 | ---- | M] (Inprise Corporation) [On_Demand | Running] -- C:\Program Files\InterBase\Bin\ibserver.exe -- (InterBaseServer)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/10/25 08:47:21 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101026.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/10/25 08:47:21 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101026.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/10/05 08:11:31 | 000,167,936 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WpsHelper.sys -- (WpsHelper)
DRV - [2010/08/18 12:49:46 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/08/17 16:22:16 | 000,042,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\WPSDRVnt.sys -- (WPS)
DRV - [2010/08/17 16:22:04 | 000,320,560 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2010/08/17 16:22:04 | 000,281,648 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2010/08/17 16:22:04 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2010/08/17 16:21:56 | 000,050,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Teefer2.sys -- (Teefer2)
DRV - [2010/08/17 16:21:28 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/08/17 16:21:28 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2010/08/17 16:21:24 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2010/08/17 16:21:20 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COH_Mon.sys -- (COH_Mon)
DRV - [2010/07/15 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/07/15 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2006/08/03 14:49:52 | 000,015,360 | ---- | M] (Aventail Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ngfilter.sys -- (NgFilter)
DRV - [2006/08/03 14:49:48 | 000,070,144 | ---- | M] (Aventail Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NgVpn.sys -- (NgVpn)
DRV - [2006/08/03 14:48:56 | 000,018,944 | ---- | M] (Aventail Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nglog.sys -- (NgLog)
DRV - [2006/03/06 02:54:44 | 000,006,400 | ---- | M] (ScriptLogic Corporation) [Kernel | Auto | Running] -- C:\Program Files\DesktopAuthority\rainfo.sys -- (DAInfo)
DRV - [2006/03/06 02:54:42 | 000,002,944 | ---- | M] (ScriptLogic Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DAmirr.sys -- (DAmirr)
DRV - [2006/01/19 03:17:38 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2006/01/18 22:44:46 | 000,053,248 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrSerIf.sys -- (BrSerIf)
DRV - [2005/03/01 19:49:36 | 002,041,904 | ---- | M] (Check Point Software Technologies) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fw.sys -- (FW1)
DRV - [2005/03/01 19:49:30 | 000,017,456 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\scap.sys -- (Scap)
DRV - [2005/03/01 19:49:28 | 000,014,924 | ---- | M] (Check Point Software Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OMVA.sys -- (OMVA)
DRV - [2005/03/01 19:49:24 | 000,670,128 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\vpn.sys -- (VPN-1)
DRV - [2004/12/16 11:35:46 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2004/12/16 11:35:46 | 000,143,834 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2004/12/16 11:35:46 | 000,030,630 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2004/12/16 11:35:46 | 000,025,898 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2004/12/15 17:35:36 | 000,015,781 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2004/11/16 11:03:52 | 000,108,791 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2004/10/25 15:19:18 | 000,092,561 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ozscr.sys -- (O2SCBUS)
DRV - [2004/10/15 12:50:20 | 000,015,295 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
DRV - [2004/10/15 10:46:12 | 000,091,136 | ---- | M] (SonicWALL, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\RCFOX.SYS -- (RCFOX)
DRV - [2004/08/03 22:29:28 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/06/25 19:15:50 | 000,315,392 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/06/17 16:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/06/17 16:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 16:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/14 17:15:22 | 000,147,236 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2003/08/20 14:01:22 | 000,023,180 | ---- | M] (SonicWALL, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rcvpn.sys -- (rcvpn)
DRV - [2003/01/07 18:41:12 | 000,166,016 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2002/12/17 13:32:58 | 000,061,424 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2002/12/17 13:32:46 | 000,023,436 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2002/12/17 13:27:32 | 000,241,152 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/12/10 12:03:14 | 001,155,914 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2002/12/09 10:43:58 | 000,144,608 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2002/12/09 10:42:18 | 000,022,119 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\btserial.sys -- (BTSERIAL)
DRV - [2002/12/09 10:41:56 | 000,222,164 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\btslbcsp.sys -- (BTSLBCSP)
DRV - [2002/12/09 10:37:08 | 000,030,043 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2002/12/09 10:35:54 | 000,065,076 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2002/12/09 10:06:28 | 000,021,701 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (BtAudio)
DRV - [2002/11/18 18:20:44 | 000,030,976 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gv3.sys -- (gv3)
DRV - [2002/11/11 18:57:16 | 000,193,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2002/10/17 12:54:18 | 000,036,348 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\strmdisp.sys -- (StreamDispatcher)
DRV - [2002/10/09 10:20:52 | 000,017,153 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = B2 C7 28 06 39 A3 80 49 96 F6 7A C8 86 E4 B1 9F [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {fd5e915e-c6db-4a7d-896b-7668ad16f5b5}:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{BA7129B6-B8EF-4793-9B55-877BDFD8796F}: C:\Documents and Settings\tvaughn\Local Settings\Application Data\{BA7129B6-B8EF-4793-9B55-877BDFD8796F}\
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDA7428-901E-4E4C-8F04-33B513899B22}: C:\Documents and Settings\tvaughn\Local Settings\Application Data\{ABDA7428-901E-4E4C-8F04-33B513899B22}\
FF - HKLM\software\mozilla\Firefox\Extensions\\{1B8E3070-1825-4D22-B7B9-38324334412B}: C:\Documents and Settings\administrator.psi\Local Settings\Application Data\{1B8E3070-1825-4D22-B7B9-38324334412B}\
FF - HKLM\software\mozilla\Firefox\Extensions\\{694C55D1-CF37-4BBE-BD7B-85282EC657EF}: C:\Documents and Settings\administrator.psi\Local Settings\Application Data\{694C55D1-CF37-4BBE-BD7B-85282EC657EF}\
FF - HKLM\software\mozilla\Firefox\Extensions\\{65300691-F88E-4443-A635-379D741A5A5B}: C:\Documents and Settings\administrator.psi\Local Settings\Application Data\{65300691-F88E-4443-A635-379D741A5A5B}\
FF - HKLM\software\mozilla\Firefox\Extensions\\{EF23141B-C3AB-4D24-B9C5-C74A7E586558}: C:\Documents and Settings\administrator.psi\Local Settings\Application Data\{EF23141B-C3AB-4D24-B9C5-C74A7E586558}\
FF - HKLM\software\mozilla\Firefox\Extensions\\{319B0AED-DAD2-4A26-970F-CF3E4F1F3747}: C:\Documents and Settings\administrator.psi\Local Settings\Application Data\{319B0AED-DAD2-4A26-970F-CF3E4F1F3747}\
FF - HKLM\software\mozilla\Firefox\Extensions\\{1DDAB3E0-87FA-4E5E-8CCB-FD4E2EE259BF}: C:\Documents and Settings\administrator.psi\Local Settings\Application Data\{1DDAB3E0-87FA-4E5E-8CCB-FD4E2EE259BF}\
FF - HKLM\software\mozilla\Firefox\Extensions\\{C9A41CBE-B1D4-4538-9F7C-5AD95C9E92E4}: C:\Documents and Settings\administrator.psi\Local Settings\Application Data\{C9A41CBE-B1D4-4538-9F7C-5AD95C9E92E4}\
FF - HKLM\software\mozilla\Firefox\Extensions\\{3C55ADF8-A461-4BBE-9575-5A857429D087}: C:\Documents and Settings\administrator.psi\Local Settings\Application Data\{3C55ADF8-A461-4BBE-9575-5A857429D087}\
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/26 10:13:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/21 08:34:33 | 000,000,000 | ---D | M]

[2010/10/26 10:13:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.psi\Application Data\Mozilla\Extensions
[2010/10/30 06:26:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.psi\Application Data\Mozilla\Firefox\Profiles\t1lpe0bo.default\extensions
[2010/07/27 13:50:14 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/10/30 16:30:07 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [CARPService] C:\WINDOWS\System32\carpserv.exe (Conexant Systems)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Client Access Service] C:\Program Files\IBM\Client Access\cwbsvstr.exe (IBM Corporation)
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Oce\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [Desktop Authority GUI] C:\Program Files\DesktopAuthority\ragui.exe (ScriptLogic Corporation)
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} Reg Error: Key error. (QuickTime Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PSI.local
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ckpNotify: DllName - ckpNotify.dll - C:\WINDOWS\System32\ckpNotify.dll (Check Point Software Technologies)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/12/15 09:57:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.g723 - g723.acm File not found
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\System32\l3codecx.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.I263 - C:\WINDOWS\System32\i263_32.drv (Intel Corporation)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\i263_32.drv (Intel Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: VIDC.IV41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/10/30 16:42:30 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\administrator.psi\Desktop\OTL.exe
[2010/10/30 16:19:38 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/10/30 06:15:17 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/10/27 09:19:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator.psi\Desktop\fix logs
[2010/10/26 14:52:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/10/26 14:52:47 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/10/26 14:52:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/10/26 10:14:51 | 000,000,000 | ---D | C] -- C:\Program Files\Magical Jelly Bean
[2010/10/26 10:14:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator.psi\My Documents\Downloads
[2010/10/26 10:13:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator.psi\Local Settings\Application Data\Mozilla
[2010/10/26 10:13:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator.psi\Application Data\Mozilla
[2010/10/20 15:16:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\WinRAR
[2010/10/15 08:51:53 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2005/08/31 21:33:54 | 000,092,672 | ---- | C] ( ) -- C:\WINDOWS\System32\DVDRead.dll
[2004/12/16 15:06:12 | 000,151,552 | ---- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll

========== Files - Modified Within 30 Days ==========

[2010/10/30 16:42:22 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator.psi\Desktop\OTL.exe
[2010/10/30 16:30:07 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/10/30 15:38:57 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/30 15:13:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/30 15:12:59 | 1073,000,448 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/30 15:09:42 | 000,000,101 | ---- | M] () -- C:\WINDOWS\System32\1658809488
[2010/10/30 06:10:17 | 003,895,619 | R--- | M] () -- C:\Documents and Settings\administrator.psi\Desktop\ComboFix.exe
[2010/10/28 18:21:27 | 000,084,992 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2010/10/28 08:22:05 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Office Outlook 2003.lnk
[2010/10/27 16:40:24 | 000,001,438 | ---- | M] () -- C:\WINDOWS\M2MWin.ini
[2010/10/26 14:52:52 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/26 10:15:08 | 000,001,185 | ---- | M] () -- C:\WINDOWS\System32\1745551515
[2010/10/26 08:13:13 | 000,000,348 | -HS- | M] () -- C:\WINDOWS\System32\1210133431
[2010/10/25 13:24:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/10/15 08:53:58 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/10/05 11:42:13 | 000,002,471 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Office Access 2003.lnk
[2010/10/05 08:11:31 | 000,167,936 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\WpsHelper.sys

========== Files Created - No Company Name ==========

[2010/10/30 06:14:12 | 003,895,619 | R--- | C] () -- C:\Documents and Settings\administrator.psi\Desktop\ComboFix.exe
[2010/10/26 14:52:52 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/20 15:17:32 | 000,001,185 | ---- | C] () -- C:\WINDOWS\System32\1745551515
[2010/10/20 15:17:32 | 000,000,348 | -HS- | C] () -- C:\WINDOWS\System32\1210133431
[2010/10/20 15:15:51 | 000,000,101 | ---- | C] () -- C:\WINDOWS\System32\1658809488
[2010/10/15 08:53:58 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/07/27 09:04:53 | 000,106,591 | ---- | C] () -- C:\WINDOWS\System32\fwnetcfg.dll
[2010/07/27 09:04:41 | 000,004,133 | ---- | C] () -- C:\WINDOWS\entrust.ini
[2009/11/25 14:04:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ransom.INI
[2009/08/10 11:10:48 | 000,010,844 | ---- | C] () -- C:\WINDOWS\convert.ini
[2009/06/17 09:06:53 | 000,000,537 | ---- | C] () -- C:\WINDOWS\GNEILEMP.INI
[2009/06/17 09:04:43 | 000,000,215 | ---- | C] () -- C:\WINDOWS\HRWARE.INI
[2009/04/10 13:34:48 | 000,000,022 | ---- | C] () -- C:\WINDOWS\iexplore.ini
[2007/10/12 16:18:46 | 000,000,079 | ---- | C] () -- C:\WINDOWS\showcalc.ini
[2007/09/24 08:40:51 | 000,020,529 | ---- | C] () -- C:\WINDOWS\System32\cwbwiz.dll
[2007/09/24 08:40:51 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\cwbad.dll
[2007/09/24 08:40:50 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\cwbrw.dll
[2007/09/24 08:40:50 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\cwbsv.dll
[2007/09/24 08:40:50 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbsy.dll
[2007/09/24 08:40:50 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbnl.dll
[2007/09/24 08:40:50 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbco.dll
[2007/09/24 08:40:50 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\cwbnldlg.dll
[2007/09/11 17:57:18 | 000,001,438 | ---- | C] () -- C:\WINDOWS\M2MWin.ini
[2007/08/27 18:09:19 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2007/08/27 18:08:50 | 000,000,215 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2007/08/27 18:08:50 | 000,000,089 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2007/08/27 18:08:37 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\BRTCPCON.DLL
[2007/08/27 18:08:36 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI
[2007/08/27 18:08:27 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\BrfxD05a.dll
[2007/08/27 18:08:26 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2007/08/27 18:05:08 | 000,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2006/12/19 16:21:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\eDrawingOfficeAutomator.INI
[2006/08/03 14:51:58 | 000,089,666 | ---- | C] () -- C:\WINDOWS\ngmsi.dll
[2005/12/19 14:49:45 | 000,000,248 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2005/03/11 10:42:26 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/12/16 15:20:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2004/12/16 15:06:12 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2004/12/16 12:06:02 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/12/16 11:23:29 | 000,000,013 | ---- | C] () -- C:\WINDOWS\cpicnv.INI
[2004/12/16 11:23:29 | 000,000,009 | ---- | C] () -- C:\WINDOWS\ImgFax.INI
[2004/12/16 11:21:30 | 000,079,360 | ---- | C] () -- C:\WINDOWS\System32\acdbres.dll
[2004/12/16 11:11:41 | 000,000,013 | ---- | C] () -- C:\WINDOWS\OemOut.ini
[2004/12/16 10:59:34 | 000,000,636 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/12/15 04:50:43 | 000,004,361 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/11/25 17:51:38 | 000,169,472 | ---- | C] () -- C:\WINDOWS\System32\Mcw32.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/12/10 12:03:14 | 001,155,914 | ---- | C] () -- C:\WINDOWS\System32\drivers\btkrnl.sys
[2002/12/09 14:07:08 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\btins.dll
[2002/12/09 14:05:48 | 000,720,896 | ---- | C] () -- C:\WINDOWS\System32\BtWizard.dll
[2002/12/09 11:23:04 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\BtXpShell.dll
[2002/12/09 11:18:50 | 000,757,837 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll
[2002/12/09 11:13:38 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll
[2002/12/09 10:43:58 | 000,144,608 | ---- | C] () -- C:\WINDOWS\System32\drivers\btwdndis.sys
[2002/12/09 10:42:18 | 000,022,119 | ---- | C] () -- C:\WINDOWS\System32\drivers\btserial.sys
[2002/12/09 10:41:56 | 000,222,164 | ---- | C] () -- C:\WINDOWS\System32\drivers\btslbcsp.sys
[2002/12/09 10:37:08 | 000,030,043 | ---- | C] () -- C:\WINDOWS\System32\drivers\btport.sys
[2002/12/09 10:36:26 | 000,017,388 | ---- | C] () -- C:\WINDOWS\System32\drivers\frmupgr.sys
[2002/12/09 10:35:54 | 000,065,076 | ---- | C] () -- C:\WINDOWS\System32\drivers\btwusb.sys
[2002/12/09 10:25:42 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\btsec.dll
[2002/12/09 10:24:48 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\btsendto_wab.dll
[2002/12/09 10:24:24 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\btsendto_office.dll
[2002/12/09 10:22:14 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\btsendto_notes.dll
[2002/12/09 10:21:04 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\btosif_olx.dll
[2002/12/09 10:20:32 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2002/12/09 10:20:00 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\bthcrpui.dll
[2002/12/09 10:19:34 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\bthcrp.dll
[2002/12/09 10:19:06 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\btsendto.dll
[2002/12/09 10:18:34 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\btwpimif.dll
[2002/12/09 10:18:24 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\btosif_ol.dll
[2002/12/09 10:17:58 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\btosif_notes.dll
[2002/12/09 10:17:30 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\btosif.dll
[2002/12/09 10:16:40 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\WidcommSdk.dll
[2002/12/09 10:14:58 | 000,368,701 | ---- | C] () -- C:\WINDOWS\System32\wbtapi.dll
[2002/12/09 10:13:08 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\BtAudioHelper.dll
[2002/12/09 10:12:50 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\BTXPPanel.dll
[2002/12/09 10:12:34 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\btbigbmp.dll
[2002/12/09 10:08:32 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\btdev.dll
[2002/12/09 10:08:18 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\bt2k_ins.dll
[2002/12/09 10:08:02 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\BTNCopy.dll
[2002/12/09 10:07:58 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\btrezxp.dll
[2002/12/09 10:07:50 | 002,166,784 | ---- | C] () -- C:\WINDOWS\System32\btrez.dll
[2002/12/09 10:06:28 | 000,021,701 | ---- | C] () -- C:\WINDOWS\System32\drivers\btaudio.sys
[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/12/19 15:16:52 | 000,001,024 | ---- | M] () -- C:\.rnd
[2004/12/15 09:57:49 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/08/03 08:02:00 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/08/03 14:26:48 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/07/21 21:39:30 | 000,360,894 | ---- | M] () -- C:\bootex.log
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/10/30 16:32:59 | 000,013,848 | ---- | M] () -- C:\ComboFix.txt
[2004/12/15 09:57:49 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2001/08/23 08:00:00 | 001,556,020 | ---- | M] () -- C:\DEPLOY.CAB
[2008/12/23 15:39:24 | 000,001,338 | ---- | M] () -- C:\devicetable.log
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt
[2007/11/07 09:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt
[2007/11/07 09:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt
[2006/09/14 15:16:12 | 005,292,544 | ---- | M] () -- C:\fx3000Win2k_xp_printdriver.exe
[2006/09/14 15:16:12 | 000,936,960 | ---- | M] () -- C:\fx3000winntprintdriver.exe
[2006/09/14 15:16:14 | 003,769,856 | ---- | M] () -- C:\fx3000winxp64bitprintdriver.exe
[2007/11/07 09:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini
[2010/10/30 15:12:59 | 1073,000,448 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/28 12:29:29 | 000,004,388 | ---- | M] () -- C:\hpCDE.log
[2007/11/07 09:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini
[2007/11/07 09:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
[2007/11/07 09:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
[2007/11/07 09:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
[2007/11/07 09:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
[2007/11/07 09:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
[2007/11/07 09:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
[2007/11/07 09:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
[2007/11/07 09:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
[2007/11/07 09:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
[2004/12/15 09:57:49 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/07/21 10:47:11 | 000,000,512 | ---- | M] () -- C:\Mbr_Back_0.bin
[2010/07/21 10:45:48 | 000,000,512 | ---- | M] () -- C:\mike.mbr
[2004/12/15 09:57:49 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/12/16 10:35:29 | 002,213,906 | ---- | M] () -- C:\NAV9_Installation.log
[2005/03/11 11:04:24 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/08/10 11:18:17 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/10/30 15:12:56 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2004/12/16 11:21:58 | 000,000,088 | ---- | M] () -- C:\pciv7bug.log
[2009/07/24 16:20:00 | 000,049,192 | ---- | M] () -- C:\playground.log
[2007/09/04 16:07:24 | 000,001,024 | ---- | M] () -- C:\rpOut.FPT
[2007/09/04 15:43:56 | 008,157,049 | ---- | M] () -- C:\Rpshgo01.DBF
[2007/09/04 15:43:56 | 003,704,896 | ---- | M] () -- C:\Rpshgo01.FPT
[2005/03/11 10:37:46 | 004,153,196 | ---- | M] () -- C:\SCS2_Installation.log
[2007/11/07 09:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
[2007/11/07 09:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab
[2007/11/07 09:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI
[2004/08/05 16:52:25 | 278,927,592 | ---- | M] (Microsoft Corporation) -- C:\xpSP2_f8e85320da933bb0ec76a2ba3a2f7a8.exe

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2004/12/15 09:57:25 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2006/03/06 02:54:42 | 000,020,480 | ---- | M] (ScriptLogic Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\DAproc.dll
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2004/03/22 18:17:06 | 000,025,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2001/11/20 14:37:28 | 000,047,616 | R--- | M] (Black Ice Software) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\ppbiPr.dll
[2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >
[2004/12/16 12:43:03 | 000,000,156 | ---- | M] () -- C:\Documents and Settings\All Users\Favorites\Crane Pumps & Systems HELPDESK.url
[2004/12/16 12:43:41 | 000,000,128 | ---- | M] () -- C:\Documents and Settings\All Users\Favorites\Crane Pumps & Systems INTERNET.url
[2004/12/16 12:42:49 | 000,000,138 | ---- | M] () -- C:\Documents and Settings\All Users\Favorites\Crane Pumps & Systems INTRANET.url
[2004/12/16 12:43:25 | 000,000,174 | ---- | M] () -- C:\Documents and Settings\All Users\Favorites\Microsoft Outlook Web Access - Logon.url
[2004/12/16 10:43:15 | 000,000,119 | ---- | M] () -- C:\Documents and Settings\All Users\Favorites\MSN.com.url
[2004/12/16 10:43:15 | 000,000,197 | ---- | M] () -- C:\Documents and Settings\All Users\Favorites\Radio Station Guide.url

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2004/12/15 04:49:18 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/12/15 04:49:18 | 000,626,688 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/12/15 04:49:18 | 000,438,272 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2009/08/10 11:30:07 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2007/09/24 08:37:17 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\administrator.psi\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2004/12/16 10:43:14 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\administrator.psi\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2010/10/30 06:10:17 | 003,895,619 | R--- | M] () -- C:\Documents and Settings\administrator.psi\Desktop\ComboFix.exe
[2010/07/23 19:22:35 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\administrator.psi\Desktop\mbam-setup-1.46.exe
[2010/10/30 16:42:22 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator.psi\Desktop\OTL.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2007/09/24 08:37:17 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\administrator.psi\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2007/09/24 08:11:02 | 000,004,360 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2010/07/30 16:04:45 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\administrator.psi\Cookies\desktop.ini
[2010/10/30 16:33:13 | 000,032,768 | -HS- | M] () -- C:\Documents and Settings\administrator.psi\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >
[2008/04/13 20:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
[2002/08/20 13:32:18 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
[2002/08/20 13:32:18 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
[2002/08/20 13:32:22 | 000,000,807 | ---- | M] () -- C:\Program Files\Messenger\mailtmpl.txt
[2008/05/02 10:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
[2008/04/13 13:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
[2008/04/13 20:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
[2002/08/20 16:08:38 | 000,069,663 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgsin.exe
[2003/03/31 08:00:00 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
[2003/03/31 08:00:00 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
[2003/03/31 08:00:00 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
[2002/08/20 13:32:20 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
[2004/07/17 12:41:06 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
"NoAutoUpdate" = 0
"AUOptions" = 3
"ScheduledInstallDay" = 0
"ScheduledInstallTime" = 3
"UseWUServer" = 1
"RescheduleWaitTimeEnabled" = 1
"RescheduleWaitTime" = 5
"NoAutoRebootWithLoggedOnUsers" = 1

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


========== Alternate Data Streams ==========

@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:687D1056

< End of report >
 
I don't know how to answer that, as I have not been doing anything but following your instructions and keeping it offline. But if you are saying it is clean, it must be doing great!! My original complaint was that this computer was being used by our payroll and accounting person and I had over 200 active connections sending data to the web. NOT good. So are you saying this unit is clean?
 
We're not done yet.
I just wanted to know if you're experiencing any current issues.

I still need to go through your OTL log.
Hold on there...
 
Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

====================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} Reg Error: Key error. (QuickTime Object)
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:687D1056
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

=======================================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE: If ESET doesn't find any threats, it won't produce a log.
 
Now that I have run TFC I cannot connect to the internet. I cannot run ESET.

LOGS:

All processes killed
========== OTL ==========
Starting removal of ActiveX control {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\ not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:687D1056 deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: administrator.psi
->Temp folder emptied: 10098966 bytes
->Temporary Internet Files folder emptied: 440288 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 32002407 bytes
->Flash cache emptied: 722 bytes

User: ADMINI~1~PSI

User: adm_crismiller
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: cps-osinstall
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: cps-warrenadmin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: dcsomos
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: emcarter
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: osinstall
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: scriptlogicuser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: tmvaughn1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: tvaughn
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 4919971 bytes
->Flash cache emptied: 722 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1010063 bytes

Total Files Cleaned = 46.00 mb


[EMPTYFLASH]

User: Administrator

User: administrator.psi
->Flash cache emptied: 0 bytes

User: ADMINI~1~PSI

User: adm_crismiller

User: All Users

User: cps-osinstall

User: cps-warrenadmin

User: dcsomos

User: Default User

User: emcarter

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: osinstall

User: scriptlogicuser

User: tmvaughn1
->Flash cache emptied: 0 bytes

User: tvaughn
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.17.1 log created on 10302010_175255

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Symantec Endpoint Protection Client
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner (remove only)
Java(TM) 6 Update 22
Out of date Java installed!
Adobe Flash Player 10.1.85.3
Adobe Reader 9.4.0
Mozilla Firefox (3.6.11) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
````````````````````````````````
DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````
 
TFC couldn't break your internet connection.

Try to restart computer and let me know.
Are you posting from some other computer?
 