Internet searches redirect to unwanted pages

Solved
By BigSand
Feb 18, 2011
  1. Hello, I've fallen victim to my web searches redirecting me to unwanted pages.
    I've gone through the 8-step virus removal steps, and the redirecting is still happening,
    but my browser is loading pages faster now.
    I'm using McAfee Antivirus Plus, Internet Explorer 8.

    These are the logs from the 8 step process.
    Thanks for any help, BigSand

    ==========


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5806

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    2/18/2011 7:41:15 PM
    mbam-log-2011-02-18 (19-41-15).txt

    Scan type: Quick scan
    Objects scanned: 151233
    Time elapsed: 8 minute(s), 14 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 42
    Registry Values Infected: 2
    Registry Data Items Infected: 2
    Folders Infected: 31
    Files Infected: 124

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\BHO.CSBHO (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\BHO.CSBHO.1 (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CometAppUtil.CometUIEvents (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CometAppUtil.CometUIEvents.1 (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CometIEToolbar.CometToolbar (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CometIEToolbar.CometToolbar.1 (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Core.CometFrame (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Core.CometFrame.1 (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Core.CometWindow (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Core.CometWindow.1 (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Core.FileInfo (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Core.FileInfo.1 (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Core.System (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Core.System.1 (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSBand.HorizontalIEBand (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSBand.HorizontalIEBand.1 (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSBand.VerticalIEBand (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSBand.VerticalIEBand.1 (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSEng.CSEngine (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSEng.CSEngine.1 (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSEng.CSHost (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSEng.CSHost.1 (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSEng.EvHandler (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSEng.EvHandler.1 (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSIP.CSCollection (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSIP.CSCollection.1 (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSIP.CSIPDispatch (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSIP.CSIPDispatch.1 (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSIP.CSIPPacket (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CSIP.CSIPPacket.1 (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cc2k (Adware.Comet) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (Adware.MyWebSearch) -> Value: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (Adware.MyWebSearch) -> Value: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\program files\Comet (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Bin (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Core (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Data (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Install (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\funbutton (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\refbutton (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\relatedsearch (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\screensaver (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\Shared (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\smileytown (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\Travel (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\webbutton (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\addremove (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\License (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\LogQueue (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\campaigns (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\campaigns\AdZap (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\listeners (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Temp (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\uninstall (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Update (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\WINDOWS\pragmapaieqqpxpe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\all users\favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
    c:\program files\Comet\Bin\csinstall.exe (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Bin\unins.ico (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Data\csres.dat (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\1b.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\1bl.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\1br.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\1l.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\1r.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\1t.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\1tl.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\1tr.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\adzap.html (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\adzap.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\adzap.wav (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\adzap_tb.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\azunins.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\cap1a.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\cap1b.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\cap2a.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\cap2b.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\cap3a.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\cap3b.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\except.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\header.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\pubutton.bmp (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\pubutton_alert.bmp (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\pubutton_off.bmp (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\scr_adzap.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\sump.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\sys_except.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\adzap\zapometer.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\funbutton\funbutton.bmp (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\refbutton\refbutton.bmp (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\refbutton\refbutton.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\relatedsearch\related.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\relatedsearch\related.xsl (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\screensaver\screensaver.bmp (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\Shared\autosrch.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\Shared\related.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\Shared\tbproducts.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\smileytown\smileytown.bmp (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\smileytown\smileytown.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\smileytown\smileytown.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\Travel\cars.xsl (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\Travel\flights.xsl (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\Travel\hotels.xsl (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\Travel\travel.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\Travel\travel_context.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Products\webbutton\webbutton.bmp (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\band.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\cnfmgr.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\context.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\controlpanel.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\license.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\logging.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\masterconfig.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\tbmgr.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\toolbar.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\update.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\utillauncher.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\winutil.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\addremove\addremove.htm (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\addremove\addremove.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\addremove\addremove_cc.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\addremove\armask.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\addremove\arskin.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\addremove\cc3.ico (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\addremove\strip.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\addremove\stripend.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\addremove\titlelabel_ar.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\addremove\title_arui.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\License\adzap.lic (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\messaging.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\settings.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\1line_left.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\1line_left_mask.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\1line_left_small.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\1line_left_small_mask.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\1line_right.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\1line_right_mask.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\1line_right_small.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\1line_right_small_mask.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\2line_left.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\2line_left_mask.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\2line_left_small.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\2line_left_small_mask.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\2line_right.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\2line_right_mask.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\2line_right_small.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\2line_right_small_mask.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\3line_left.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\3line_left_mask.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\3line_left_small.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\3line_left_small_mask.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\3line_right.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\3line_right_mask.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\3line_right_small.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\3line_right_small_mask.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\defaultbuttonmessage.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\Base\message.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\campaigns\AdZap\bandmessage.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\campaigns\AdZap\band_bubble.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\campaigns\AdZap\band_bubble_mask.gif (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\campaigns\AdZap\buttonmessage.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\listeners\adzap_0001.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Services\messaging\listeners\travel_0001.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Temp\intro.js (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\uninstall\un_adzap.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\uninstall\un_autosearch.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\uninstall\un_errorsearch.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\uninstall\un_funbutton.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\uninstall\un_platform.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\uninstall\un_refbutton.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\uninstall\un_relatedsearch.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\uninstall\un_screensaver.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\uninstall\un_searchassist.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\uninstall\un_smileytown.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\uninstall\un_travel.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\uninstall\un_webbutton.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Update\travelbutton.bmp (Adware.Comet) -> Quarantined and deleted successfully.
    c:\program files\Comet\Update\un_travelbutton.xml (Adware.Comet) -> Quarantined and deleted successfully.
    c:\WINDOWS\pragmapaieqqpxpe\pragmacfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    c:\WINDOWS\pragmapaieqqpxpe\pragmasrcr.dat (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    ====================
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-18 19:58:08
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST380011A rev.8.16
    Running: pbcu7uul.exe; Driver: C:\DOCUME~1\Tom\LOCALS~1\Temp\kwloapow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF84A70E0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF84A70F4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF84A7120]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF84A70CC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF84A70A4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF84A70B8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF84A710A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF84A714C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF84A7136]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 83365422
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 83365422
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 83365422
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 83365422

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST380011A_______________________________8.16____#4a35485635444656202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----
    ============================
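The MBAM log above is long enough that the interesting entries get lost among the Comet toolbar's GIFs. The following is an added triage helper, not code from the thread or from Malwarebytes: it parses the `<item> (<family>) -> [<details> ->] <action>` result lines of the 1.x log format shown above, tallies detections by family and section, reports anything whose action is not "successfully", and flags the registry locations that account for a search-redirect symptom (the IE `SearchScopes` default provider, `URLSearchHooks`, COM `CLSID` registrations for BHOs, the Security Center `DisableNotify` values) plus anything in a DNSChanger family. The sample input is constructed: a handful of lines copied from the log above, plus one made-up `No action taken.` line to show how an uncleaned item is reported. The rule list and the `Detection` record are this example's own names.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x scan logs.

Added example, not part of the original thread or of Malwarebytes.
Assumes the result-line format seen in the log above:
    <item> (<family>) -> [<details> ->] <action>
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the MBAM 1.50 log in the post,
# plus one invented "No action taken." line to exercise the not-cleaned check.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\BHO.CSBHO (Adware.Comet) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (Adware.MyWebSearch) -> Value: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\WINDOWS\pragmapaieqqpxpe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\program files\Comet\Bin\csinstall.exe (Adware.Comet) -> Quarantined and deleted successfully.
c:\WINDOWS\pragmapaieqqpxpe\pragmacfg.ini (Trojan.DNSChanger) -> No action taken.

Memory Processes Infected:
(No malicious items detected)
"""

# item, then "(family)", then one or more " -> " separated fields; the last field is the action.
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()\s]+)\) -> (?P<rest>.+)$")


@dataclass(frozen=True)
class Detection:
    section: str   # log section, e.g. "Registry Keys Infected"
    item: str      # registry path, folder or file
    family: str    # MBAM family name, e.g. "Adware.Comet"
    details: str   # middle field such as "Value: {...}" or "Bad: (1) Good: (0)"; "" if absent
    action: str    # final field, e.g. "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return a list of Detection records, one per result line, tagged with their section."""
    detections, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):            # blank, or "(No malicious items detected)"
            continue
        if line.endswith(":") and " -> " not in line:   # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = LINE_RE.match(line)
        if not m:                                       # scan header and statistics lines
            continue
        parts = m.group("rest").rsplit(" -> ", 1)
        details, action = (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])
        detections.append(Detection(section, m.group("item"), m.group("family"), details, action))
    return detections


# Locations that change where IE sends a search, load code into IE, or hide
# that protection was switched off.  Matched case-insensitively against the item.
PERSISTENCE_RULES = [
    (re.compile(r"\\Internet Explorer\\SearchScopes\\", re.I),
     "IE search provider (SearchScopes) replaced: this is what redirects searches"),
    (re.compile(r"\\Internet Explorer\\URLSearchHooks\\", re.I),
     "URLSearchHook registered: address-bar searches pass through the hook DLL"),
    (re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\", re.I),
     "COM class registered: a BHO/toolbar component that IE will load"),
    (re.compile(r"\\Security Center\\(AntiVirus|Firewall)DisableNotify$", re.I),
     "Security Center warnings silenced: user would not be told AV/firewall is off"),
]


def flag_persistence(detections):
    """Return (detection, reason) pairs for entries that explain a redirect infection."""
    flagged = []
    for d in detections:
        for pattern, reason in PERSISTENCE_RULES:
            if pattern.search(d.item):
                flagged.append((d, reason))
                break
        else:
            if "DNSChanger" in d.family:
                flagged.append((d, "DNSChanger family: verify resolver/DHCP settings, not only the files"))
    return flagged


def summarize(detections):
    """Counts by family and section, plus every item whose action was not a successful clean."""
    return {
        "total": len(detections),
        "by_family": Counter(d.family for d in detections),
        "by_section": Counter(d.section for d in detections),
        "not_cleaned": [d for d in detections if "successfully" not in d.action],
    }


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    s = summarize(dets)
    print(f"{s['total']} detections; families: {dict(s['by_family'])}")
    for d, why in flag_persistence(dets):
        print(f"[{d.section}] {d.item}\n    -> {why}")
    for d in s["not_cleaned"]:
        print(f"NOT CLEANED: {d.item} ({d.action})")
```

Run it against a saved `mbam-log-*.txt` by passing the file contents to `parse_mbam_log`. The point of the not-cleaned list is that MBAM reports "Delete on reboot" or "No action taken." in the same field as its successes, and those entries are the ones that will still be present when the next log is posted.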
  2. Broni


    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. BigSand


    Searches being redirected

    Thank you for your help. Along with my web searches being redirected, new windows are also opening up without my clicking on anything. Of course, they ultimately want to sell me something.
    Here are the other logs requested in the 8 step process.
    Thanks, BigSand


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Tom at 20:05:15.79 on Fri 02/18/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.196 [GMT -6:00]

    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
    C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    svchost.exe
    C:\WINDOWS\system32\dlcxcoms.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Documents and Settings\Tom\Desktop\Virus Removal Tools\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://m.www.yahoo.com/
    uDefault_Page_URL = hxxp://www.dell4me.com/myway
    uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101103132358.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    EB: Starware: {edc4193f-34ad-4d07-aa87-e3fdb89e3e76} - c:\progra~1\comet\bin\csband.dll
    uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Easy Dock]
    mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
    mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [FaxCenterServer] "c:\program files\dell pc fax\fm3032.exe" /s
    mRun: [dlcxmon.exe] "c:\program files\dell photo aio printer 926\dlcxmon.exe"
    mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 926\memcard.exe"
    mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
    mRun: [Easy Dock]
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\tom\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
    IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {563E7741-AF29-4C3D-9A67-22D07B8521F8} = 206.9.64.100
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-26 386840]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-26 84072]
    R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-26 271480]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-26 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-26 271480]
    R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-26 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-26 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-26 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-26 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-26 55840]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-26 152960]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-26 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-26 88544]
    S2 0140671298049203mcinstcleanup;McAfee Application Installer Cleanup (0140671298049203);c:\windows\temp\014067~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\014067~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
    S2 gupdate1c9930c59c2e53d;Google Update Service (gupdate1c9930c59c2e53d);c:\program files\google\update\GoogleUpdate.exe [2009-2-19 133104]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-2-18 38224]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-26 52104]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-26 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-26 84264]
    S3 o1394bul;o1394bul;\??\c:\docume~1\tom\locals~1\temp\o1394bul.sys --> c:\docume~1\tom\locals~1\temp\o1394bul.sys [?]

    =============== Created Last 30 ================

    2011-02-19 01:28:33 -------- d-----w- c:\docume~1\tom\applic~1\Malwarebytes
    2011-02-19 01:28:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-19 01:28:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-02-19 01:28:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-19 01:28:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-18 16:37:29 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-02-18 16:37:29 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-02-18 04:05:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
    2011-02-18 04:05:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\nLiAnDm15405
    2011-01-21 14:44:37 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

    ==================== Find3M ====================

    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2000-09-24 06:27:18 33554896 -c--a-w- c:\program files\fo-psp7.exe

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST380011A rev.8.16 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x833655DC]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8336b7b8]; MOV EAX, [0x8336b834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x833CBAB8]
    3 CLASSPNP[0xF86C7FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x83381CA8]
    \Driver\atapi[0x8330DD10] -> IRP_MJ_CREATE -> 0x833655DC
    kernel: MBR read successfully
    _asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST380011A_______________________________8.16____#4a35485635444656202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x83365422
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 20:08:57.03 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 12/9/2004 12:35:23 PM
    System Uptime: 2/18/2011 7:44:22 PM (1 hours ago)

    Motherboard: Dell Computer Corp. | | 0N6381
    Processor: Intel(R) Celeron(R) CPU 2.66GHz | Microprocessor | 2660/533mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 72 GiB total, 47.544 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
    Description: USB Mass Storage Device
    Device ID: USB\VID_413C&PID_5115&MI_03\6&B574F60&0&0003
    Manufacturer: Compatible USB storage device
    Name: USB Mass Storage Device
    PNP Device ID: USB\VID_413C&PID_5115&MI_03\6&B574F60&0&0003
    Service: USBSTOR

    ==== System Restore Points ===================

    RP1935: 11/21/2010 9:20:50 AM - System Checkpoint
    RP1936: 11/22/2010 10:18:23 AM - System Checkpoint
    RP1937: 11/23/2010 10:57:32 AM - System Checkpoint
    RP1938: 11/24/2010 11:21:26 AM - System Checkpoint
    RP1939: 11/25/2010 12:21:26 PM - System Checkpoint
    RP1940: 11/26/2010 12:32:25 PM - System Checkpoint
    RP1941: 11/27/2010 12:43:20 PM - System Checkpoint
    RP1942: 11/28/2010 12:59:52 PM - System Checkpoint
    RP1943: 11/29/2010 1:28:33 PM - System Checkpoint
    RP1944: 11/30/2010 1:30:12 PM - System Checkpoint
    RP1945: 12/1/2010 1:55:44 PM - System Checkpoint
    RP1946: 12/2/2010 2:02:12 PM - System Checkpoint
    RP1947: 12/3/2010 2:16:43 PM - System Checkpoint
    RP1948: 12/4/2010 2:58:56 PM - System Checkpoint
    RP1949: 12/5/2010 7:39:18 PM - System Checkpoint
    RP1950: 12/6/2010 7:56:38 PM - System Checkpoint
    RP1951: 12/7/2010 8:16:38 PM - System Checkpoint
    RP1952: 12/8/2010 9:00:01 PM - System Checkpoint
    RP1953: 12/9/2010 9:27:23 PM - System Checkpoint
    RP1954: 12/11/2010 9:37:31 AM - System Checkpoint
    RP1955: 12/12/2010 10:21:49 AM - System Checkpoint
    RP1956: 12/13/2010 10:23:58 AM - System Checkpoint
    RP1957: 12/14/2010 10:54:05 AM - System Checkpoint
    RP1958: 12/15/2010 11:51:30 AM - System Checkpoint
    RP1959: 12/15/2010 10:15:09 PM - Software Distribution Service 3.0
    RP1960: 12/17/2010 9:06:13 AM - System Checkpoint
    RP1961: 12/18/2010 9:21:26 AM - System Checkpoint
    RP1962: 12/19/2010 9:42:41 AM - System Checkpoint
    RP1963: 12/20/2010 9:54:14 AM - System Checkpoint
    RP1964: 12/21/2010 10:18:17 AM - System Checkpoint
    RP1965: 12/22/2010 10:28:37 AM - System Checkpoint
    RP1966: 12/23/2010 11:43:56 AM - System Checkpoint
    RP1967: 12/24/2010 1:10:40 PM - System Checkpoint
    RP1968: 12/25/2010 1:15:05 PM - System Checkpoint
    RP1969: 12/26/2010 1:56:12 PM - System Checkpoint
    RP1970: 12/27/2010 2:48:46 PM - System Checkpoint
    RP1971: 12/28/2010 3:29:21 PM - System Checkpoint
    RP1972: 12/29/2010 4:11:47 PM - System Checkpoint
    RP1973: 12/30/2010 4:53:43 PM - System Checkpoint
    RP1974: 12/31/2010 7:31:26 PM - System Checkpoint
    RP1975: 1/1/2011 8:16:03 PM - System Checkpoint
    RP1976: 1/2/2011 8:33:37 PM - System Checkpoint
    RP1977: 1/3/2011 9:18:29 PM - System Checkpoint
    RP1978: 1/5/2011 6:42:23 AM - System Checkpoint
    RP1979: 1/6/2011 9:38:33 AM - System Checkpoint
    RP1980: 1/7/2011 10:06:53 AM - System Checkpoint
    RP1981: 1/8/2011 10:17:58 AM - System Checkpoint
    RP1982: 1/9/2011 8:22:54 PM - System Checkpoint
    RP1983: 1/11/2011 9:46:36 AM - System Checkpoint
    RP1984: 1/12/2011 10:31:48 AM - System Checkpoint
    RP1985: 1/12/2011 2:00:22 PM - Software Distribution Service 3.0
    RP1986: 1/13/2011 2:26:25 PM - System Checkpoint
    RP1987: 1/14/2011 3:26:25 PM - System Checkpoint
    RP1988: 1/15/2011 4:10:11 PM - System Checkpoint
    RP1989: 1/16/2011 4:46:14 PM - System Checkpoint
    RP1990: 1/17/2011 7:16:04 PM - System Checkpoint
    RP1991: 1/18/2011 8:03:40 PM - System Checkpoint
    RP1992: 1/19/2011 8:44:16 PM - System Checkpoint
    RP1993: 1/21/2011 8:00:04 AM - System Checkpoint
    RP1994: 1/22/2011 9:24:11 AM - System Checkpoint
    RP1995: 1/23/2011 10:02:44 AM - System Checkpoint
    RP1996: 1/24/2011 10:13:48 AM - System Checkpoint
    RP1997: 1/25/2011 10:27:22 AM - System Checkpoint
    RP1998: 1/26/2011 11:48:22 AM - System Checkpoint
    RP1999: 1/27/2011 12:09:24 PM - System Checkpoint
    RP2000: 1/28/2011 1:25:16 PM - System Checkpoint
    RP2001: 1/29/2011 1:52:34 PM - System Checkpoint
    RP2002: 1/30/2011 2:27:21 PM - System Checkpoint
    RP2003: 1/31/2011 2:31:56 PM - System Checkpoint
    RP2004: 2/1/2011 3:08:52 PM - System Checkpoint
    RP2005: 2/2/2011 4:03:41 PM - System Checkpoint
    RP2006: 2/3/2011 4:15:10 PM - System Checkpoint
    RP2007: 2/4/2011 4:34:13 PM - System Checkpoint
    RP2008: 2/5/2011 8:14:40 PM - System Checkpoint
    RP2009: 2/6/2011 8:18:25 PM - System Checkpoint
    RP2010: 2/7/2011 9:05:55 PM - System Checkpoint
    RP2011: 2/8/2011 9:16:16 PM - System Checkpoint
    RP2012: 2/9/2011 9:12:08 AM - Software Distribution Service 3.0
    RP2013: 2/10/2011 9:42:53 AM - System Checkpoint
    RP2014: 2/11/2011 4:10:11 PM - System Checkpoint
    RP2015: 2/12/2011 4:45:05 PM - System Checkpoint
    RP2016: 2/13/2011 5:04:26 PM - System Checkpoint
    RP2017: 2/14/2011 5:32:11 PM - System Checkpoint
    RP2018: 2/15/2011 5:58:28 PM - System Checkpoint
    RP2019: 2/16/2011 6:57:04 PM - System Checkpoint
    RP2020: 2/17/2011 7:11:30 PM - System Checkpoint
    RP2021: 2/18/2011 10:35:31 AM - Restore Operation

    ==== Installed Programs ======================

    ABBYY FineReader 6.0 Sprint
    Adobe Flash Player 10 ActiveX
    Adobe Photoshop Album 2.0 Starter Edition
    Adobe Reader 8.2.6
    Apple Application Support
    Apple Software Update
    ArcSoft Panorama Maker 4
    AXIS Media Control Embedded
    Banctec Service Agreement
    Core FTP Lite 1.3b
    Critical Update for Windows Media Player 11 (KB959772)
    Dell Digital Jukebox Driver
    Dell Driver Reset Tool
    Dell Media Experience
    Dell PC Fax
    Dell Photo AIO Printer 926
    Dell Picture Studio v3.0
    Dell Support Center (Support Software)
    Dell System Restore
    DellSupport
    eMachineShop
    ESRI ArcExplorer 2.0
    EZ Calendar
    Family Tree Maker
    Family Tree Maker 2005
    G5a922EN
    GedHTree Version 2.70
    Google Earth
    Google Update Helper
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP PhotoSmart 210/215 Camera Software (by ArcSoft)
    HP Precisionscan Pro 3.1
    HP Share-to-Web
    i-detect
    i-detect 30-Day Trial
    Indeo® software
    Intel(R) 537EP V9x DF PCI Modem
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    Internet Explorer Default Page
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_06
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1
    LandDesigner 3D
    Learn2 Player (Uninstall Only)
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    MapCreate U.S.A 6.3
    McAfee AntiVirus Plus
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money 2001
    Microsoft National Language Support Downlevel APIs
    Microsoft Office PowerPoint Viewer 2003
    Microsoft Office XP Professional with FrontPage
    Microsoft Picture It! Express 7.0
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works 2001 Setup Launcher
    Microsoft Works 6.0
    Microsoft Works Suite Add-in for Microsoft Word
    Modem Event Monitor
    Modem Helper
    Modem On Hold
    Move Networks Media Player for Internet Explorer
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Musicmatch for Windows Media Player
    Musicmatch® Jukebox
    My Way Search Assistant
    Nikon Message Center
    Nikon Transfer
    Ortho® Home Gardener's Problem Solver
    OziExplorer 3.95
    Paint Shop Pro 7 ESD
    PowerDVD 5.3
    Quicken 2002 Deluxe
    QuickTime
    RCA Detective™ 3.0.0.101
    RCA easyRip 2.4.2.0
    RCA Updater 1.0.4.0
    RealPlayer Basic
    Savings Bond Wizard
    Screensavers Installer
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Sierra 3D Deck
    Sierra Garden Encyclopedia
    Sierra Garden Planner
    Sierra Interior Design Collection
    Sierra Photo Garden Designer
    Sierra Photo Home Interiors
    Sonic DLA
    Sonic RecordNow!
    Sonic Update Manager
    SoundMAX
    Supercow
    TaxACT 2003
    TaxACT 2004
    TaxACT 2005
    TaxACT 2006
    TaxACT 2007
    TaxACT 2008
    TaxACT 2008 Minnesota
    TaxACT 2009
    TaxACT 2009 Minnesota
    TaxACT 2010
    TaxACT 2010 Minnesota
    TaxACT Minnesota 2004
    TaxACT Minnesota 2005
    TaxACT Minnesota 2006
    TaxACT Minnesota 2007
    Uniden Cordless Telephone Customization Tool
    Uniden USB to UART Bridge Controller
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    US Airways Caribbean Screen Saver
    USB MMC-SD Reader
    Viewpoint Media Player
    Wave MP3 Editor - Evaluation
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 11
    Windows XP Service Pack 3
    WordPerfect Office 12
    Works Suite OS Pack
    Works Synchronization
    Yahoo! Messenger
    Yahoo! Music Jukebox

    ==== Event Viewer Messages From Past Week ========

    2/18/2011 7:52:48 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
    2/18/2011 7:52:36 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    2/18/2011 7:51:41 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    2/18/2011 7:45:19 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
    2/18/2011 7:44:55 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    2/18/2011 7:28:56 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    2/18/2011 6:42:53 PM, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
    2/18/2011 6:42:53 PM, error: Service Control Manager [7034] - The dlcx_device service terminated unexpectedly. It has done this 1 time(s).
    2/18/2011 6:42:53 PM, error: Service Control Manager [7031] - The McAfee VirusScan Announcer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/18/2011 6:42:53 PM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/18/2011 6:42:53 PM, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/18/2011 6:42:53 PM, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/18/2011 6:42:53 PM, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/18/2011 10:34:14 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    2/18/2011 10:34:14 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    2/18/2011 10:34:14 AM, error: Service Control Manager [7001] - The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
    2/18/2011 10:34:14 AM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
    2/18/2011 10:34:14 AM, error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    2/18/2011 10:34:14 AM, error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    2/18/2011 10:34:14 AM, error: Service Control Manager [7001] - The McAfee Network Agent service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    2/18/2011 10:34:14 AM, error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
    2/18/2011 10:34:14 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2/18/2011 10:34:14 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2/18/2011 10:34:14 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    2/18/2011 10:33:51 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    2/18/2011 10:28:07 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {395633B1-EED9-4DFC-B67F-9788B51C9F06}

    ==== End Of File ===========================
  4. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    We have a rootkit there.

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
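The Service Control Manager entries above are what Broni is reading: one 7026 event refusing a dozen boot-start drivers, with the network stack and the McAfee kernel drivers among them, followed by 7001 chains blaming "A device attached to the system is not functioning" on drivers that are plainly present on disk. The triage script below is an added example, not code from the thread or from any tool it names: it pulls those symptoms out of lines in that exact format and rates them. The sample lines are copied in shape from the thread, and the split into "network stack" and "security driver" groups is an assumption made here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: five lines in the exact shape of the Service Control Manager
# entries posted above (timestamps, event IDs and names as they appear in the thread).
SAMPLE_LOG = """\
2/18/2011 10:34:14 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
2/18/2011 10:34:14 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2/18/2011 10:34:14 AM, error: Service Control Manager [7001] - The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
2/18/2011 10:34:14 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/18/2011 6:42:53 PM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
"""

# "<date> <time> <AM|PM>, <level>: <source> [<event id>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M), (?P<level>\w+): (?P<source>[^\[]+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
DEP_RE = re.compile(
    r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed to start "
    r"because of the following error: (?P<err>.+?)\.?$"
)
CRASH_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")
FAILED_LOAD_PREFIX = "The following boot-start or system-start driver(s) failed to load: "
DEVICE_ERR = "A device attached to the system is not functioning"

# Grouping used for the assessment. The driver names come from the 7026 event in the
# thread; sorting them into these two buckets is an assumption made here, not the page's.
NETWORK_STACK = {"Tcpip", "AFD", "NetBT", "NetBIOS", "IPSec", "MRxSmb", "Rdbss", "RasAcd"}
SECURITY_DRIVERS = {"mfehidk", "mfetdi2k"}  # McAfee kernel drivers named in the same event


@dataclass
class Triage:
    failed_boot_drivers: set = field(default_factory=set)
    dependency_failures: list = field(default_factory=list)  # (service, dependency, error)
    crashed_services: list = field(default_factory=list)


def parse_event(line):
    """Split one event line into its fields, or return None for a line in another shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Collect the three Service Control Manager symptoms seen in the thread."""
    t = Triage()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["source"] != "Service Control Manager":
            continue
        eid, msg = int(ev["eid"]), ev["msg"]
        if eid == 7026 and msg.startswith(FAILED_LOAD_PREFIX):
            t.failed_boot_drivers.update(msg[len(FAILED_LOAD_PREFIX):].split())
        elif eid == 7001:
            d = DEP_RE.match(msg)
            if d:
                t.dependency_failures.append((d["svc"], d["dep"], d["err"]))
        elif eid in (7031, 7034):
            c = CRASH_RE.match(msg)
            if c:
                t.crashed_services.append(c["svc"])
    return t


def assess(t):
    """Rate the triage result. The network stack *and* the antivirus kernel drivers being
    refused at boot together, with 'device not functioning' reported for drivers that exist
    on disk, is the pattern the thread's helper reads as a rootkit. A single corrupt driver
    or failing hardware can produce part of it, so treat the rating as an indicator to
    confirm with a rootkit scanner, not as a verdict."""
    reasons = []
    net = t.failed_boot_drivers & NETWORK_STACK
    sec = t.failed_boot_drivers & SECURITY_DRIVERS
    if net:
        reasons.append(f"network stack drivers refused at boot: {sorted(net)}")
    if sec:
        reasons.append(f"security drivers refused at boot: {sorted(sec)}")
    device_errs = [svc for svc, _, err in t.dependency_failures if err == DEVICE_ERR]
    if device_errs:
        reasons.append(f"{len(device_errs)} services blocked by '{DEVICE_ERR}'")
    if t.crashed_services:
        reasons.append(f"services terminated unexpectedly: {t.crashed_services}")
    if net and sec:
        return "high", reasons
    if net or sec:
        return "medium", reasons
    return "low", reasons


if __name__ == "__main__":
    severity, why = assess(triage(SAMPLE_LOG))
    print(f"severity: {severity}")
    for r in why:
        print(" -", r)
```

Run it against a full exported event list and the 7026 line alone already separates "one bad driver" from "everything that matters refused to load".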
  5. BigSand

    BigSand Newcomer, in training Topic Starter Posts: 38

    TDSSKiller update

    Broni, I've just run TDSSKiller per your request, and the log follows.
    I just did a few web searches, and so far, wonderful results.
    THANKS!
    Are there any particular sites, based on my logs, that I should not
    be visiting in the future, or any tips on preventing future
    malware, viruses, etc.?
    Thanks, BigSand

    2011/02/19 12:37:40.0937 3008 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
    2011/02/19 12:37:42.0796 3008 ================================================================================
    2011/02/19 12:37:42.0796 3008 SystemInfo:
    2011/02/19 12:37:42.0796 3008
    2011/02/19 12:37:42.0796 3008 OS Version: 5.1.2600 ServicePack: 3.0
    2011/02/19 12:37:42.0796 3008 Product type: Workstation
    2011/02/19 12:37:42.0796 3008 ComputerName: DJRZ4761
    2011/02/19 12:37:42.0796 3008 UserName: Tom
    2011/02/19 12:37:42.0796 3008 Windows directory: C:\WINDOWS
    2011/02/19 12:37:42.0796 3008 System windows directory: C:\WINDOWS
    2011/02/19 12:37:42.0796 3008 Processor architecture: Intel x86
    2011/02/19 12:37:42.0796 3008 Number of processors: 1
    2011/02/19 12:37:42.0796 3008 Page size: 0x1000
    2011/02/19 12:37:42.0796 3008 Boot type: Normal boot
    2011/02/19 12:37:42.0796 3008 ================================================================================
    2011/02/19 12:37:44.0296 3008 Initialize success
    2011/02/19 12:37:56.0703 4044 ================================================================================
    2011/02/19 12:37:56.0703 4044 Scan started
    2011/02/19 12:37:56.0703 4044 Mode: Manual;
    2011/02/19 12:37:56.0703 4044 ================================================================================
    2011/02/19 12:38:31.0234 4044 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/02/19 12:38:31.0234 4044 ================================================================================
    2011/02/19 12:38:31.0234 4044 Scan finished
    2011/02/19 12:38:31.0234 4044 ================================================================================
    2011/02/19 12:38:31.0250 2952 Detected object count: 1
    2011/02/19 12:38:51.0343 2952 \HardDisk0 - will be cured after reboot
    2011/02/19 12:38:51.0343 2952 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2011/02/19 12:39:04.0406 1208 Deinitialize success
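TDSSKiller reports the object as \HardDisk0 rather than as a driver file because TDL4 lives in the disk's master boot record, which is also why the next step in the thread is an MBR check. The inspector below is an added example, not code from the thread or from TDSSKiller or MBRCheck: it checks the 0x55AA signature, decodes the partition table, and compares a hash of the 440-byte boot code against a trusted baseline. Every byte value is constructed, and the baseline hash is derived from the constructed clean sample.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440       # classic MBR layout: boot code, 4-byte disk signature, 2 reserved bytes
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
PART_ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
SIGNATURE = b"\x55\xaa"


def parse_partitions(mbr):
    """Decode the non-empty entries of the MBR partition table."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # unused slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_mbr(mbr, trusted_boot_code_sha256, disk_sectors):
    """Return a list of findings; an empty list means nothing looked wrong.
    The boot-code hash comparison is the check that matters for a bootkit such as TDL4,
    which replaces the code in sector 0 while leaving the partition table intact, so the
    partition-table sanity checks alone would pass on an infected disk."""
    if len(mbr) != SECTOR:
        return ["not a 512-byte sector"]
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    code_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if code_hash != trusted_boot_code_sha256:
        findings.append(f"boot code differs from trusted copy (sha256 {code_hash[:12]}...)")
    parts = parse_partitions(mbr)
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    for p in parts:
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']} runs past end of disk")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parts)
    for (_, end_a, ia), (start_b, _, ib) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"partitions {ia} and {ib} overlap")
    return findings


def build_sample_mbr(boot_code):
    """Constructed 512-byte MBR: the given boot code plus one bootable NTFS (0x07) partition."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    mbr[BOOT_CODE_LEN:BOOT_CODE_LEN + 4] = b"\x12\x34\x56\x78"  # disk signature, made up
    struct.pack_into(PART_ENTRY, mbr, PART_TABLE_OFF, 0x80, 0x07, 63, 20_000_000)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


# Placeholder boot code, not real MBR machine code. In practice the trusted hash is taken
# from a known-good image of the same Windows version, recorded before any infection.
CLEAN_CODE = b"\x90" * 64
TAMPERED_CODE = b"\xeb\xfe" + b"\x90" * 62   # first bytes changed, as a bootkit would do
TRUSTED_SHA256 = hashlib.sha256(build_sample_mbr(CLEAN_CODE)[:BOOT_CODE_LEN]).hexdigest()
DISK_SECTORS = 40_000_000  # constructed disk size (about 19 GB)

if __name__ == "__main__":
    for label, code in (("clean", CLEAN_CODE), ("tampered", TAMPERED_CODE)):
        print(label, inspect_mbr(build_sample_mbr(code), TRUSTED_SHA256, DISK_SECTORS) or "OK")
```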
  6. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Good news :)
    We're not done yet, though.
    We have to make sure your computer is totally clean.

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.

    =====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  7. BigSand

    BigSand Newcomer, in training Topic Starter Posts: 38

    Ran MBRCheck and ComboFix

    Broni,
    I just finished running MBRCheck and ComboFix.
    The logs follow.
    Am I virus free yet? Thanks for your help. You've
    been a life saver!
    BigSand

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 185):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EF000 \WINDOWS\system32\hal.dll
    0xF8A37000 \WINDOWS\system32\KDCOM.DLL
    0xF8947000 \WINDOWS\system32\BOOTVID.dll
    0xF84E8000 ACPI.sys
    0xF8A39000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF84D7000 pci.sys
    0xF8537000 isapnp.sys
    0xF8AFF000 pciide.sys
    0xF87B7000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF8A3B000 aliide.sys
    0xF8A3D000 cmdide.sys
    0xF8A3F000 toside.sys
    0xF8A41000 viaide.sys
    0xF8A43000 intelide.sys
    0xF8547000 MountMgr.sys
    0xF84B8000 ftdisk.sys
    0xF87BF000 PartMgr.sys
    0xF8557000 VolSnap.sys
    0xF894B000 cpqarray.sys
    0xF84A0000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xF8488000 atapi.sys
    0xF894F000 aha154x.sys
    0xF87C7000 sparrow.sys
    0xF8953000 symc810.sys
    0xF8567000 aic78xx.sys
    0xF8957000 dac960nt.sys
    0xF8577000 ql10wnt.sys
    0xF895B000 amsint.sys
    0xF87CF000 asc.sys
    0xF895F000 asc3550.sys
    0xF87D7000 mraid35x.sys
    0xF87DF000 i2omp.sys
    0xF8963000 ini910u.sys
    0xF8587000 ql1240.sys
    0xF8597000 aic78u2.sys
    0xF87E7000 symc8xx.sys
    0xF87EF000 sym_hi.sys
    0xF87F7000 sym_u3.sys
    0xF87FF000 ABP480N5.SYS
    0xF8807000 asc3350p.sys
    0xF8A45000 cd20xrnt.sys
    0xF85A7000 ultra.sys
    0xF846F000 adpu160m.sys
    0xF880F000 dpti2o.sys
    0xF85B7000 ql1080.sys
    0xF85C7000 ql1280.sys
    0xF85D7000 ql12160.sys
    0xF8817000 perc2.sys
    0xF8A47000 perc2hib.sys
    0xF881F000 hpn.sys
    0xF8967000 cbidf2k.sys
    0xF8443000 dac2w2k.sys
    0xF85E7000 disk.sys
    0xF85F7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF8423000 fltmgr.sys
    0xF8411000 sr.sys
    0xF83B4000 mfehidk.sys
    0xF839E000 drvmcdb.sys
    0xF8607000 PxHelp20.sys
    0xF8387000 KSecDD.sys
    0xF82FA000 Ntfs.sys
    0xF82CD000 NDIS.sys
    0xF8617000 sisagp.sys
    0xF8627000 viaagp.sys
    0xF82B3000 Mup.sys
    0xF8637000 agp440.sys
    0xF8647000 alim1541.sys
    0xF8657000 amdagp.sys
    0xF8667000 agpCPQ.sys
    0xF86E7000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF788A000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
    0xF7876000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF88BF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF7852000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF88C7000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF86F7000 \SystemRoot\system32\DRIVERS\IntelC53.sys
    0xF782F000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7708000 \SystemRoot\system32\DRIVERS\IntelC51.sys
    0xF7673000 \SystemRoot\system32\DRIVERS\IntelC52.sys
    0xF88CF000 \SystemRoot\system32\DRIVERS\mohfilt.sys
    0xF88D7000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF764D000 \SystemRoot\system32\DRIVERS\e100b325.sys
    0xF88DF000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF8707000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF88E7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF8717000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF8273000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF7639000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF8727000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF8A75000 \SystemRoot\system32\drivers\sscdbhk5.sys
    0xF8737000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF8747000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF75F9000 \SystemRoot\system32\drivers\smwdm.sys
    0xF75D5000 \SystemRoot\system32\drivers\portcls.sys
    0xF8757000 \SystemRoot\system32\drivers\drmk.sys
    0xF7577000 \SystemRoot\system32\drivers\senfilt.sys
    0xF8BAA000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7563000 \SystemRoot\system32\DRIVERS\mfendisk.sys
    0xF8767000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF81B2000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF754C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF8777000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF8787000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF88EF000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF753B000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF8797000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7517000 \SystemRoot\system32\drivers\mfeavfk.sys
    0xF74B9000 \SystemRoot\system32\drivers\mfefirek.sys
    0xF88F7000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF88FF000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF87A7000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF8907000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF8A83000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF7420000 \SystemRoot\system32\DRIVERS\update.sys
    0xF79D8000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF81EB000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7A89000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF8A93000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF8A23000 \SystemRoot\system32\drivers\MODEMCSA.sys
    0xF8283000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF8AA7000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF8C68000 \SystemRoot\System32\Drivers\Null.SYS
    0xF8AA9000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF8877000 \SystemRoot\system32\drivers\ssrtln.sys
    0xF8887000 \SystemRoot\System32\drivers\vga.sys
    0xF8AAB000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF8AAD000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF888F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF8897000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF827B000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xEF0D4000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xEF07B000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xEF068000 \SystemRoot\system32\drivers\mfetdi2k.sys
    0xEF042000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xEF01A000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xEEFF8000 \SystemRoot\System32\drivers\afd.sys
    0xF86B7000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xEEFCD000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xEEF35000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF86C7000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF86D7000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF88B7000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xF72E2000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0xF7418000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xF72DE000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF7372000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF7410000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF72DA000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xEF20A000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xEEA36000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF8A67000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF828F000 \SystemRoot\System32\drivers\Dxapi.sys
    0xEF13F000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF8B2D000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF020000 \SystemRoot\System32\ialmdnt5.dll
    0xBF012000 \SystemRoot\System32\ialmrnt5.dll
    0xBF042000 \SystemRoot\System32\ialmdev5.DLL
    0xBF077000 \SystemRoot\System32\ialmdd5.DLL
    0xF7392000 \SystemRoot\system32\drivers\drvnddm.sys
    0xF8C3E000 \SystemRoot\system32\dla\tfsndres.sys
    0xEE9A8000 \SystemRoot\system32\dla\tfsnifs.sys
    0xEF16F000 \SystemRoot\system32\dla\tfsnopio.sys
    0xF8A6F000 \SystemRoot\system32\dla\tfsnpool.sys
    0xEF12F000 \SystemRoot\system32\dla\tfsnboio.sys
    0xEEADE000 \SystemRoot\system32\dla\tfsncofs.sys
    0xF8C3F000 \SystemRoot\system32\dla\tfsndrct.sys
    0xEE98F000 \SystemRoot\system32\dla\tfsnudf.sys
    0xEE976000 \SystemRoot\system32\dla\tfsnudfa.sys
    0xEE9E2000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xEE821000 \SystemRoot\system32\drivers\wdmaud.sys
    0xEEA4E000 \SystemRoot\system32\drivers\sysaudio.sys
    0xEE2B1000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF8ACF000 \SystemRoot\System32\Drivers\ASCTRM.SYS
    0xF8AD1000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
    0xEE209000 \SystemRoot\system32\DRIVERS\srv.sys
    0xEE312000 \SystemRoot\System32\Drivers\Stltrk2k.SYS
    0xEDD1C000 \SystemRoot\System32\Drivers\HTTP.sys
    0xEDFF9000 \SystemRoot\system32\drivers\cfwids.sys
    0xF8A55000 \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
    0xED5DF000 \SystemRoot\system32\drivers\mfeapfk.sys
    0xED5B4000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

    Processes (total 42):
    0 System Idle Process
    4 System
    936 C:\WINDOWS\SYSTEM32\smss.exe
    988 csrss.exe
    1012 C:\WINDOWS\SYSTEM32\winlogon.exe
    1056 C:\WINDOWS\SYSTEM32\services.exe
    1068 C:\WINDOWS\SYSTEM32\lsass.exe
    1248 C:\WINDOWS\SYSTEM32\svchost.exe
    1336 svchost.exe
    1456 C:\WINDOWS\SYSTEM32\svchost.exe
    1512 svchost.exe
    1608 svchost.exe
    1968 C:\WINDOWS\explorer.exe
    104 C:\WINDOWS\SYSTEM32\spoolsv.exe
    432 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    476 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    496 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    512 C:\WINDOWS\SYSTEM32\hkcmd.exe
    528 C:\WINDOWS\SYSTEM32\igfxpers.exe
    536 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
    544 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
    552 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    580 C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
    668 C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
    696 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    812 C:\Program Files\McAfee.com\Agent\mcagent.exe
    852 C:\Program Files\DellSupport\DSAgnt.exe
    880 C:\WINDOWS\SYSTEM32\ctfmon.exe
    928 C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    976 C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    1404 svchost.exe
    1576 C:\WINDOWS\SYSTEM32\dlcxcoms.exe
    1720 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    1820 C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    1896 C:\WINDOWS\SYSTEM32\svchost.exe
    1936 C:\Program Files\Google\Update\GoogleUpdate.exe
    1500 C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    2056 C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    3364 alg.exe
    3312 wmiprvse.exe
    3768 C:\WINDOWS\SYSTEM32\wscntfy.exe
    3088 C:\Documents and Settings\Tom\Desktop\Virus Removal Tools\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

    PhysicalDrive0 Model Number: ST380011A, Rev: 8.16

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Dell MBR code detected
    SHA1: 84B95CE8A54B7C5C3AAF149934FC46FB70FF8365


    Done!
    ==================
    ComboFix 11-02-19.01 - Tom 02/19/2011 18:26:15.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.287 [GMT -6:00]
    Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Thumbs.db
    c:\windows\inf\cc_43.inf
    c:\windows\regsvr32.exe

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-20 to 2011-02-20 )))))))))))))))))))))))))))))))
    .

    2011-02-19 01:28 . 2011-02-19 01:28 -------- d-----w- c:\documents and settings\Tom\Application Data\Malwarebytes
    2011-02-19 01:28 . 2011-02-19 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-02-19 01:28 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-19 01:28 . 2011-02-19 01:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-19 01:28 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-18 16:37 . 2011-02-18 16:37 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-02-18 14:23 . 2011-02-18 14:23 -------- d-----w- c:\documents and settings\LocalService\IETldCache
    2011-02-18 04:05 . 2011-02-18 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
    2011-02-18 04:05 . 2011-02-18 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\nLiAnDm15405
    2011-02-18 03:08 . 2011-02-18 03:08 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-21 14:44 . 2004-08-04 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-04 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2004-08-04 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2004-08-04 11:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2004-08-04 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2004-08-04 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2004-08-04 11:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2004-08-04 11:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2004-08-04 11:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2004-08-04 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:38 . 2004-08-04 11:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2004-08-04 11:00 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2000-09-24 06:27 . 2000-09-24 06:27 33554896 -c--a-w- c:\program files\fo-psp7.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-24 57344]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
    "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
    "dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
    "MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\Tom\Start Menu\Programs\Startup\
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-5-15 479232]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
    backup=c:\windows\pss\Billminder.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
    backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
    backup=c:\windows\pss\ymetray.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
    2008-08-13 23:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy Dock]
    2010-02-25 14:02 581632 ----a-w- c:\documents and settings\Tom\My Documents\RCA easyRip\EZDock.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2009-05-27 02:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2000-07-19 14:00 176183 -c--a-w- c:\program files\Microsoft Money\System\Money Express.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2004-04-12 02:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2004-12-06 21:46 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2004-06-30 19:33 1388544 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-02-22 09:25 144784 -c--a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Dell Inc\\Dell Picture Studio v3.0\\launch.exe"=
    "c:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"=
    "c:\\Program Files\\CoreFTP\\coreftp.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\SYSTEM32\\dlcxcoms.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [8/26/2010 10:49 AM 84072]
    R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/26/2010 10:48 AM 271480]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/26/2010 10:48 AM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [8/26/2010 10:48 AM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/26/2010 10:49 AM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [8/26/2010 10:49 AM 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [8/26/2010 10:49 AM 55840]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [8/26/2010 10:49 AM 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [8/26/2010 10:49 AM 88544]
    S2 0140671298049203mcinstcleanup;McAfee Application Installer Cleanup (0140671298049203);c:\windows\TEMP\014067~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\014067~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
    S2 gupdate1c9930c59c2e53d;Google Update Service (gupdate1c9930c59c2e53d);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2009 9:35 PM 133104]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [2/18/2011 7:28 PM 38224]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [8/26/2010 10:49 AM 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [8/26/2010 10:49 AM 84264]
    S3 o1394bul;o1394bul;\??\c:\docume~1\Tom\LOCALS~1\Temp\o1394bul.sys --> c:\docume~1\Tom\LOCALS~1\Temp\o1394bul.sys [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-19 c:\windows\Tasks\User_Feed_Synchronization-{D970BD0A-0F5F-4CF1-84FA-3D05B05AC1F1}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://m.www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
    TCP: {563E7741-AF29-4C3D-9A67-22D07B8521F8} = 206.9.64.100
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Easy Dock - (no file)
    HKLM-Run-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    HKLM-Run-Easy Dock - (no file)
    MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    AddRemove-ScreensaversInstaller - c:\program files\Screensavers.com\Installer\bin\siuninst.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-19 18:43
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2881188650-3112352510-1338976571-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-02-19 18:49:44
    ComboFix-quarantined-files.txt 2011-02-20 00:49

    Pre-Run: 50,944,163,840 bytes free
    Post-Run: 51,073,155,072 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - EE6EEAA83F1165A8961B8AAD2A460324
  8. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\docume~1\Tom\LOCALS~1\Temp\o1394bul.sys
    
    
    Driver::
    o1394bul
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
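The CFScript above does two things that can be read straight off the ComboFix log posted earlier in the thread: it removes the o1394bul driver service, whose image ComboFix listed as loading from the user's Temp folder with a `[?]` (file could not be read), and it resets the two Security Center `DisableMonitoring` values from 1 back to 0 so the Security Center sees the McAfee products again. The Python below is an added example for this thread, not a ComboFix or TechSpot tool; the regular expressions are my own reading of ComboFix's `R2 name;display;command [info]` service lines and `REGEDIT4`-style key/value lines, not a documented format, and the sample input is a handful of lines copied from the posted log. It flags service/driver entries whose image is missing or lives under Temp or a user profile, lists the monitoring keys that are switched off, and drafts the matching CFScript stanzas.

```python
"""Triage a ComboFix log excerpt and draft the matching CFScript stanzas.

Added example for this thread; it is not a ComboFix or TechSpot tool. The
regexes are an assumption about ComboFix's line format based on the log
posted above, not a documented specification.
"""
import re
from dataclasses import dataclass

# Constructed sample input: a few representative lines copied from the
# ComboFix log posted earlier in this thread (not the full log).
SAMPLE_LOG = r"""
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [8/26/2010 10:49 AM 84072]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S2 gupdate1c9930c59c2e53d;Google Update Service (gupdate1c9930c59c2e53d);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2009 9:35 PM 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [2/18/2011 7:28 PM 38224]
S3 o1394bul;o1394bul;\??\c:\docume~1\Tom\LOCALS~1\Temp\o1394bul.sys --> c:\docume~1\Tom\LOCALS~1\Temp\o1394bul.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
"""

# "R2 name;display;command [date size]", or "[?]" when ComboFix could not read the file.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)
# First drive-letter path ending in a PE extension; skips the \??\ prefix and trailing arguments.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|sys|dll)", re.I)
MONITOR_KEY_RE = re.compile(r"^\[(?P<key>[^\]]*\\security center\\Monitoring\\[^\]\\]+)\]\s*$", re.I)
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:(?P<val>[0-9a-f]{8})\s*$', re.I)


@dataclass
class Finding:
    name: str      # service/driver key name (what a Driver:: stanza takes)
    path: str      # resolved image path (what a File:: stanza takes)
    reasons: list  # why a responder should look at this entry


def resolve_path(cmd: str) -> str:
    """Use the path after '-->' when ComboFix shows one, then isolate the image file."""
    target = cmd.split("-->")[-1].strip()
    m = PATH_RE.search(target)
    return m.group(0) if m else target


def triage_services(log: str) -> list:
    """Flag service/driver lines whose image is unreadable or sits in Temp / a user profile."""
    findings = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        path = resolve_path(m.group("cmd"))
        low = path.lower()
        reasons = []
        if m.group("info").strip() == "?":
            reasons.append("ComboFix could not find or read the file ([?])")
        if "\\temp\\" in low:
            reasons.append("image loads from a Temp directory")
        if "\\docume~1\\" in low or "\\documents and settings\\" in low or "\\users\\" in low:
            reasons.append("image lives under a user profile")
        if reasons:
            findings.append(Finding(m.group("name").strip(), path, reasons))
    return findings


def disabled_monitoring_keys(log: str) -> list:
    """Return Security Center Monitoring keys whose DisableMonitoring value is 1."""
    keys, current = [], None
    for line in log.splitlines():
        k = MONITOR_KEY_RE.match(line.strip())
        if k:
            current = k.group("key")
            continue
        v = DISABLE_RE.match(line.strip())
        if v and current and int(v.group("val"), 16) == 1:
            keys.append(current)
    return keys


def build_cfscript(findings: list, keys: list) -> str:
    """Draft CFScript text: File::/Driver:: only for Temp-folder images, Registry:: resets monitoring."""
    temp_hits = [f for f in findings if any("Temp" in r for r in f.reasons)]
    out = []
    if temp_hits:
        out.append("File::")
        out.extend(f.path for f in temp_hits)
        out.append("")
        out.append("Driver::")
        out.extend(f.name for f in temp_hits)
        out.append("")
    if keys:
        out.append("Registry::")
        for key in keys:
            out.append(f"[{key}]")
            out.append('"DisableMonitoring"=dword:00000000')
    return "\n".join(out)


if __name__ == "__main__":
    found = triage_services(SAMPLE_LOG)
    for f in found:
        print(f"{f.name}: {f.path}\n  - " + "\n  - ".join(f.reasons))
    print()
    print(build_cfscript(found, disabled_monitoring_keys(SAMPLE_LOG)))
```

Run on the sample, the drafted script reproduces the File::, Driver:: and Registry:: stanzas of the CFScript posted above. The `[?]` on dlcxcoms.exe is reported for review only and never turned into a File:: entry: ComboFix failing to read a file is a prompt to look, not proof of malware, which is consistent with that entry being left alone in the thread.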
  9. BigSand

    BigSand Newcomer, in training Topic Starter Posts: 38

    Re-ran Combofix with script

    Broni,
    I re-ran the combofix with the script. The log follows.
    Thanks, BigSand

    ComboFix 11-02-19.02 - Tom 02/20/2011 9:17.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.259 [GMT -6:00]
    Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    FILE ::
    "c:\docume~1\Tom\LOCALS~1\Temp\o1394bul.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_O1394BUL
    -------\Service_o1394bul


    ((((((((((((((((((((((((( Files Created from 2011-01-20 to 2011-02-20 )))))))))))))))))))))))))))))))
    .

    2011-02-19 01:28 . 2011-02-19 01:28 -------- d-----w- c:\documents and settings\Tom\Application Data\Malwarebytes
    2011-02-19 01:28 . 2011-02-19 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-02-19 01:28 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-19 01:28 . 2011-02-19 01:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-19 01:28 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-18 16:37 . 2011-02-18 16:37 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-02-18 14:23 . 2011-02-18 14:23 -------- d-----w- c:\documents and settings\LocalService\IETldCache
    2011-02-18 04:05 . 2011-02-18 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
    2011-02-18 04:05 . 2011-02-18 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\nLiAnDm15405
    2011-02-18 03:08 . 2011-02-18 03:08 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-21 14:44 . 2004-08-04 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-04 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2004-08-04 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2004-08-04 11:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2004-08-04 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2004-08-04 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2004-08-04 11:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2004-08-04 11:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2004-08-04 11:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2004-08-04 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:38 . 2004-08-04 11:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2004-08-04 11:00 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2000-09-24 06:27 . 2000-09-24 06:27 33554896 -c--a-w- c:\program files\fo-psp7.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-24 57344]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
    "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
    "dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
    "MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\Tom\Start Menu\Programs\Startup\
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-5-15 479232]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
    backup=c:\windows\pss\Billminder.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
    backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
    backup=c:\windows\pss\ymetray.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
    2008-08-13 23:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy Dock]
    2010-02-25 14:02 581632 ----a-w- c:\documents and settings\Tom\My Documents\RCA easyRip\EZDock.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2009-05-27 02:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2000-07-19 14:00 176183 -c--a-w- c:\program files\Microsoft Money\System\Money Express.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2004-04-12 02:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2004-12-06 21:46 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2004-06-30 19:33 1388544 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-02-22 09:25 144784 -c--a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Dell Inc\\Dell Picture Studio v3.0\\launch.exe"=
    "c:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"=
    "c:\\Program Files\\CoreFTP\\coreftp.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\SYSTEM32\\dlcxcoms.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [8/26/2010 10:49 AM 84072]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [8/26/2010 10:49 AM 55840]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [8/26/2010 10:49 AM 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [8/26/2010 10:49 AM 88544]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [2/18/2011 7:28 PM 38224]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [8/26/2010 10:49 AM 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [8/26/2010 10:49 AM 84264]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-20 c:\windows\Tasks\User_Feed_Synchronization-{D970BD0A-0F5F-4CF1-84FA-3D05B05AC1F1}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://m.www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
    TCP: {563E7741-AF29-4C3D-9A67-22D07B8521F8} = 206.9.64.100
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-20 09:36
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2881188650-3112352510-1338976571-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2816)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Microsoft Office\Office10\msohev.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\dlcxcoms.exe
    c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe
    c:\program files\Google\Update\GoogleUpdate.exe
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
    c:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    .
    **************************************************************************
    .
    Completion time: 2011-02-20 09:52:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-20 15:52
    ComboFix2.txt 2011-02-20 00:49

    Pre-Run: 51,050,090,496 bytes free
    Post-Run: 50,974,015,488 bytes free

    - - End Of File - - FC0AAACDCE50DECBDCA97BBEF52A53AF
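    An added example, not from this thread and not part of ComboFix or OTL: a small Python check that reads the REGEDIT4-style block ComboFix prints under "Reg Loading Points" (the same `[key]` / `"name"=dword:…` layout the Registry:: section of Broni's CFScript uses) and flags Windows Security Center values that hide the state of the installed AV/firewall, then emits the matching Registry:: lines that set them back to 0. The sample block is constructed, modelled on the log above; the set of watched value names and the Security Center key prefix are assumptions of this example.

```python
"""Flag Security Center overrides in a REGEDIT4-style registry dump.

Added example for the thread above; not ComboFix/OTL code. It parses the
[key] / "name"=dword:xxxxxxxx lines that ComboFix prints under
"Reg Loading Points" (and that a CFScript Registry:: section uses).
"""
import re

# Assumption: these value names, when non-zero, stop Security Center from
# reporting on the installed AV/firewall. Healthy value for all of them is 0.
WATCHED_VALUES = {
    "AntiVirusOverride",
    "FirewallOverride",
    "AntiSpywareOverride",
    "DisableMonitoring",
}
# Assumption: only keys under this prefix are of interest (compared lower-case).
SECURITY_CENTER_PREFIX = r"hkey_local_machine\software\microsoft\security center"

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_regedit4(text):
    """Return (key, name, int_value) for every dword value under each [key].

    Non-dword values (strings, paths with size/date suffixes) are ignored,
    which is enough for the Security Center flags this check looks at.
    """
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if m and current_key is not None:
            entries.append((current_key, m.group(1), int(m.group(2), 16)))
    return entries


def find_security_center_overrides(text):
    """Return (key, name, value) for each watched Security Center value that is non-zero."""
    hits = []
    for key, name, value in parse_regedit4(text):
        if (key.lower().startswith(SECURITY_CENTER_PREFIX)
                and name in WATCHED_VALUES and value != 0):
            hits.append((key, name, value))
    return hits


def build_reset_script(hits):
    """Render a CFScript Registry:: section that sets each flagged value back to 0.

    Same layout as the Registry:: block in the thread: a [key] line followed
    by the "name"=dword:00000000 line for each hit.
    """
    lines = ["Registry::"]
    for key, name, _value in hits:
        lines.append(f"[{key}]")
        lines.append(f'"{name}"=dword:00000000')
    return "\n".join(lines)


# Constructed sample, modelled on the "Reg Loading Points" section above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
"""

if __name__ == "__main__":
    found = find_security_center_overrides(SAMPLE_LOG)
    for key, name, value in found:
        print(f"override: [{key}] {name} = {value}")
    if found:
        print(build_reset_script(found))
```

    The ComboFix header above reports both McAfee products as disabled for the run, and the Reg Loading Points section still shows AntiVirusOverride and both DisableMonitoring values at 1; running a check like this after the products are re-enabled tells you whether the override persists or was only the scan-time state.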
  10. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Well done :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  11. BigSand

    BigSand Newcomer, in training Topic Starter Posts: 38

    Ran OTL scan

    Broni, following is the OTL.txt log, part 1
    (file too large to post in its entirety).
    Thank you, BigSand

    OTL logfile created on: 2/20/2011 12:40:55 PM - Run 1
    OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\Tom\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    510.00 Mb Total Physical Memory | 273.00 Mb Available Physical Memory | 54.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 69.00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 71.69 Gb Total Space | 47.44 Gb Free Space | 66.18% Space Free | Partition Type: NTFS

    Computer Name: DJRZ4761 | User Name: Tom | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/02/20 12:35:10 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
    PRC - [2010/10/13 21:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    PRC - [2010/10/13 21:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    PRC - [2010/09/30 12:10:36 | 001,193,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
    PRC - [2010/08/24 13:57:38 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    PRC - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/05/15 18:13:10 | 000,479,232 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    PRC - [2007/03/15 10:09:36 | 000,460,784 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\DSAgnt.exe
    PRC - [2007/01/12 10:57:28 | 000,292,336 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
    PRC - [2006/11/03 16:04:46 | 000,304,008 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
    PRC - [2006/10/11 15:48:50 | 000,532,480 | ---- | M] ( ) -- C:\WINDOWS\SYSTEM32\dlcxcoms.exe
    PRC - [2005/06/10 10:44:02 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    PRC - [2001/07/03 08:17:04 | 000,065,536 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    PRC - [2001/07/03 08:11:52 | 000,057,344 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/02/20 12:35:10 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
    MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
    SRV - File not found [Auto | Stopped] -- -- (0140671298049203mcinstcleanup) McAfee Application Installer Cleanup (0140671298049203)
    SRV - [2010/10/13 21:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
    SRV - [2010/10/13 21:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
    SRV - [2010/10/07 20:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
    SRV - [2010/08/24 13:57:38 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
    SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
    SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
    SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
    SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
    SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
    SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
    SRV - [2007/03/07 14:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
    SRV - [2006/10/11 15:48:50 | 000,532,480 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\dlcxcoms.exe -- (dlcx_device)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
    DRV - [2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys -- (MBAMSwissArmy)
    DRV - [2010/10/13 21:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2010/10/13 21:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfefirek.sys -- (mfefirek)
    DRV - [2010/10/13 21:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys -- (mfeavfk)
    DRV - [2010/10/13 21:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfeapfk.sys -- (mfeapfk)
    DRV - [2010/10/13 21:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfendisk.sys -- (mfendiskmp)
    DRV - [2010/10/13 21:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfendisk.sys -- (mfendisk)
    DRV - [2010/10/13 21:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mferkdet.sys -- (mferkdet)
    DRV - [2010/10/13 21:28:54 | 000,084,072 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfetdi2k.sys -- (mfetdi2k)
    DRV - [2010/10/13 21:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cfwids.sys -- (cfwids)
    DRV - [2010/10/13 21:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys -- (mfebopk)
    DRV - [2008/04/13 12:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
    DRV - [2008/04/13 12:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
    DRV - [2007/02/25 11:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)
    DRV - [2006/10/05 15:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Running] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
    DRV - [2005/05/31 04:33:00 | 000,100,605 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys -- (tfsnudfa)
    DRV - [2005/05/31 04:33:00 | 000,098,716 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys -- (tfsnudf)
    DRV - [2005/05/31 04:33:00 | 000,086,876 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys -- (tfsnifs)
    DRV - [2005/05/31 04:33:00 | 000,034,845 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys -- (tfsncofs)
    DRV - [2005/05/31 04:33:00 | 000,025,725 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys -- (tfsnboio)
    DRV - [2005/05/31 04:33:00 | 000,015,069 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys -- (tfsnopio)
    DRV - [2005/05/31 04:33:00 | 000,006,365 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys -- (tfsnpool)
    DRV - [2005/05/31 04:33:00 | 000,004,125 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys -- (tfsndrct)
    DRV - [2005/05/31 04:33:00 | 000,002,241 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndres.sys -- (tfsndres)
    DRV - [2005/05/13 09:37:28 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys -- (sscdbhk5)
    DRV - [2005/05/13 09:37:20 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys -- (ssrtln)
    DRV - [2005/04/22 02:22:00 | 000,088,352 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
    DRV - [2005/04/21 01:56:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys -- (drvnddm)
    DRV - [2004/12/06 15:46:10 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
    DRV - [2004/11/20 14:32:06 | 000,082,768 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\slabser.sys -- (slabser)
    DRV - [2004/11/20 14:32:06 | 000,051,040 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\slabbus.sys -- (slabbus) Uniden USB Composite Device driver (WDM)
    DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NV4_MINI.SYS -- (nv)
    DRV - [2004/06/15 22:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -- (IntelC53)
    DRV - [2004/04/26 09:49:56 | 000,381,056 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\senfilt.sys -- (senfilt)
    DRV - [2004/03/05 22:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -- (IntelC52)
    DRV - [2004/03/05 22:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -- (IntelC51)
    DRV - [2004/03/05 22:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys -- (mohfilt)
    DRV - [2002/12/13 02:06:40 | 000,129,875 | R--- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mr97310c.sys -- (MR97310_USB_DUAL_CAMERA)
    DRV - [2002/01/24 10:23:40 | 000,013,545 | ---- | M] (SCM Microsystems Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\STLTRK2K.sys -- (Stltrk2k)
    DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
    DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
    DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
    DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
    DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
    DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
    DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
    DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
    DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
    DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
    DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
    DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
    DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
    DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
    DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html


    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-2881188650-3112352510-1338976571-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
    IE - HKU\S-1-5-21-2881188650-3112352510-1338976571-1006\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    IE - HKU\S-1-5-21-2881188650-3112352510-1338976571-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-21-2881188650-3112352510-1338976571-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/02/19 13:35:25 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2011/02/20 09:35:29 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions)
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101103132358.dll (McAfee, Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKU\S-1-5-21-2881188650-3112352510-1338976571-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [DLCXCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.DLL ()
    O4 - HKLM..\Run: [dlcxmon.exe] C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe ()
    O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
    O4 - HKLM..\Run: [FaxCenterServer] C:\Program Files\Dell PC Fax\fm3032.exe ()
    O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
    O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [MemoryCardManager] C:\Program Files\Dell Photo AIO Printer 926\memcard.exe ()
    O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
    O4 - HKU\S-1-5-21-2881188650-3112352510-1338976571-1006..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
    O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\Tom\Start Menu\Programs\Startup\Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2881188650-3112352510-1338976571-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-2881188650-3112352510-1338976571-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-2881188650-3112352510-1338976571-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-2881188650-3112352510-1338976571-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
    O9 - Extra Button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - File not found
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
    O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2010/12/15 19:20:58 | 000,000,000 | ---D | M] - C:\Automotive Painting -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: AppMgmt - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\SYSTEM32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\SYSTEM32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\TSSOFT32.ACM (DSP GROUP, INC.)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\Ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\Ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\Ir50_32.dll (Intel Corporation)
    Drivers32: wave - C:\WINDOWS\System32\SERWVDRV.DLL (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902109354000384)

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/02/20 12:35:00 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
    [2011/02/20 09:52:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2011/02/20 09:35:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    [2011/02/19 18:23:06 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/02/19 18:17:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/02/19 18:17:09 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/02/19 18:17:09 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/02/19 18:17:09 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/02/19 18:16:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/02/19 18:16:10 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/02/19 09:03:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\Desktop\AC Heating
    [2011/02/18 19:28:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\Application Data\Malwarebytes
    [2011/02/18 19:28:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/02/18 19:28:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/02/18 19:28:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2011/02/18 19:28:14 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/02/18 19:28:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/02/18 19:10:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\Desktop\Virus Removal Tools
    [2011/02/17 22:05:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
    [2011/02/17 22:05:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\nLiAnDm15405
    [2011/02/17 21:08:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2011/02/17 21:08:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2011/02/05 21:30:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\My Documents\TaxACT 2010
    [2009/12/01 10:16:37 | 000,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxhcp.dll
    [2009/12/01 10:16:36 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxinpa.dll
    [2009/12/01 10:16:36 | 000,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxiesc.dll
    [2009/12/01 10:16:35 | 000,991,232 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxusb1.dll
    [2009/12/01 10:16:34 | 001,224,704 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxserv.dll
    [2009/12/01 10:16:34 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxprox.dll
    [2009/12/01 10:16:34 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxpplc.dll
    [2009/12/01 10:16:33 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxpmui.dll
    [2009/12/01 10:16:33 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxlmpm.dll
    [2009/12/01 10:16:31 | 000,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxhbn3.dll
    [2009/12/01 10:16:28 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxcomc.dll
    [2009/12/01 10:16:28 | 000,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxcomm.dll
    [2000/09/24 00:27:18 | 033,554,896 | ---- | C] (Installshield Software Corporation) -- C:\Program Files\fo-psp7.exe

    ========== Files - Modified Within 30 Days ==========

    [2011/02/20 12:35:10 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
    [2011/02/20 11:09:53 | 000,214,960 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\Type M copper pipe.mht
    [2011/02/20 10:29:14 | 011,461,409 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\C'aire VC410822-95V2 Specs.mht
    [2011/02/20 09:36:44 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
    [2011/02/20 09:35:29 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts
    [2011/02/20 09:35:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
    [2011/02/20 09:35:07 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
    [2011/02/20 09:12:06 | 004,271,240 | R--- | M] () -- C:\Documents and Settings\Tom\Desktop\ComboFix.exe
    [2011/02/19 20:47:12 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{D970BD0A-0F5F-4CF1-84FA-3D05B05AC1F1}.job
    [2011/02/19 19:35:46 | 000,016,896 | ---- | M] () -- C:\Documents and Settings\Tom\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/02/19 19:28:37 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
    [2011/02/19 18:23:13 | 000,000,327 | RHS- | M] () -- C:\BOOT.INI
    [2011/02/19 17:14:04 | 000,000,220 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\Internet searches redirect to unwanted pages - TechSpot#post1007290.url
    [2011/02/19 11:56:36 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/02/19 09:05:10 | 003,499,214 | R--- | M] () -- C:\My Money Backup.mbf
    [2011/02/19 09:05:10 | 003,497,984 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\My Money.mny
    [2011/02/18 08:00:16 | 000,000,444 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
    [2011/02/10 08:25:05 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
    [2011/02/09 18:35:24 | 000,004,908 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\Jeep Bill.rtf
    [2011/02/09 12:26:05 | 000,228,000 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/02/09 09:20:57 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/02/09 08:44:56 | 000,000,061 | ---- | M] () -- C:\WINDOWS\TaxACT10.ini
    [2011/02/08 19:38:31 | 000,000,082 | ---- | M] () -- C:\WINDOWS\MPLAYER.INI
    [2011/02/07 14:15:52 | 000,000,931 | ---- | M] () -- C:\WINDOWS\System32\msxkwn.vxp
    [2011/02/05 21:29:46 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TaxACT 2010.lnk
    [2011/02/05 17:40:19 | 000,000,061 | ---- | M] () -- C:\WINDOWS\TaxACT09.ini

    ========== Files Created - No Company Name ==========

    [2011/02/20 11:09:51 | 000,214,960 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\Type M copper pipe.mht
    [2011/02/20 10:28:57 | 011,461,409 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\C'aire VC410822-95V2 Specs.mht
    [2011/02/19 18:23:12 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2011/02/19 18:23:08 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/02/19 18:17:09 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/02/19 18:17:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/02/19 18:17:09 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/02/19 18:17:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/02/19 18:17:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/02/19 18:00:42 | 004,271,240 | R--- | C] () -- C:\Documents and Settings\Tom\Desktop\ComboFix.exe
    [2011/02/19 17:14:04 | 000,000,220 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\Internet searches redirect to unwanted pages - TechSpot#post1007290.url
    [2011/02/18 10:39:43 | 534,827,008 | -HS- | C] () -- C:\hiberfil.sys
    [2011/02/18 08:27:53 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/02/18 08:00:16 | 000,000,444 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
    [2011/02/10 08:25:05 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
    [2011/02/09 14:42:56 | 000,004,908 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\Jeep Bill.rtf
    [2011/02/05 21:29:45 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TaxACT 2010.lnk
    [2011/02/05 21:29:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\TaxACT10.ini
    [2010/01/29 18:41:46 | 000,000,061 | ---- | C] () -- C:\WINDOWS\TaxACT09.ini
    [2009/12/01 10:35:24 | 000,003,350 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
    [2009/12/01 10:35:24 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\41EAAFFA1C.sys
    [2009/12/01 10:26:33 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlcxvs.dll
    [2009/12/01 10:26:28 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\dlcxcoin.dll
    [2009/12/01 10:18:10 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\DLPRMON.DLL
    [2009/12/01 10:18:10 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\DLPMONUI.DLL
    [2009/12/01 10:16:37 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\dlcxinst.dll
    [2009/12/01 10:16:35 | 000,454,656 | ---- | C] () -- C:\WINDOWS\System32\dlcxutil.dll
    [2009/12/01 10:16:32 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlcxinsb.dll
    [2009/12/01 10:16:32 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlcxins.dll
    [2009/12/01 10:16:32 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\dlcxjswr.dll
    [2009/12/01 10:16:32 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlcxinsr.dll
    [2009/12/01 10:16:30 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\dlcxgrd.dll
    [2009/12/01 10:16:29 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcxcub.dll
    [2009/12/01 10:16:29 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcxcu.dll
    [2009/12/01 10:16:29 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcxcur.dll
    [2009/01/30 15:10:01 | 000,000,075 | ---- | C] () -- C:\WINDOWS\TaxACT08.ini
    [2008/04/16 16:43:56 | 000,000,221 | ---- | C] () -- C:\WINDOWS\SOFTEK.INI
    [2008/01/23 21:15:55 | 000,000,074 | ---- | C] () -- C:\WINDOWS\TaxACT07.ini
    [2007/12/23 19:50:27 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Tom\Application Data\Sounds
    [2007/12/23 19:50:27 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
    [2007/01/21 19:55:08 | 000,000,141 | ---- | C] () -- C:\WINDOWS\TaxACT06.ini
    [2006/12/23 09:08:39 | 000,000,087 | ---- | C] () -- C:\WINDOWS\Santas Workshop.ini
    [2006/11/09 15:14:37 | 000,000,059 | ---- | C] () -- C:\WINDOWS\LTDLGFILE14N.INI
    [2006/09/22 05:42:38 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dlcxcaps.dll
    [2006/09/06 04:13:14 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcxcfg.dll
    [2006/08/25 19:21:40 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.dll
    [2006/08/08 13:58:04 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\dlcxdrs.dll
    [2006/03/19 18:03:04 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\dlcxcnv4.dll
    [2006/02/15 20:17:35 | 000,000,073 | ---- | C] () -- C:\WINDOWS\APOapp.INI
    [2006/02/15 20:16:21 | 000,000,091 | ---- | C] () -- C:\WINDOWS\marscam.ini
    [2006/02/15 20:13:12 | 000,036,864 | R--- | C] () -- C:\WINDOWS\System32\mr310exv.dll
    [2006/02/15 20:13:12 | 000,028,672 | R--- | C] () -- C:\WINDOWS\System32\mr310exd.dll
    [2006/02/12 11:34:57 | 000,000,128 | ---- | C] () -- C:\WINDOWS\TaxACT05.ini
    [2005/08/15 15:38:07 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
    [2005/04/25 08:02:50 | 000,006,093 | ---- | C] () -- C:\WINDOWS\pi2000.ini
    [2005/04/25 07:51:20 | 000,000,021 | ---- | C] () -- C:\WINDOWS\arcsuite.ini
    [2005/03/26 06:55:37 | 000,016,896 | ---- | C] () -- C:\Documents and Settings\Tom\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2005/01/31 19:42:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
    [2005/01/31 19:42:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QDQICK.ini
    [2005/01/31 18:57:35 | 000,001,081 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
    [2005/01/31 18:57:35 | 000,000,749 | ---- | C] () -- C:\WINDOWS\intuprof.ini
    [2005/01/28 09:59:38 | 000,000,127 | ---- | C] () -- C:\WINDOWS\TaxACT04.ini
    [2005/01/15 19:25:33 | 000,000,098 | ---- | C] () -- C:\WINDOWS\TaxACT03.ini
    [2005/01/14 14:32:59 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2005/01/11 19:33:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
    [2004/12/31 19:39:51 | 000,000,213 | ---- | C] () -- C:\WINDOWS\btw.ini
    [2004/12/31 19:39:50 | 000,111,104 | ---- | C] () -- C:\WINDOWS\System32\MVCL13N.DLL
    [2004/12/31 19:36:45 | 000,000,057 | ---- | C] () -- C:\WINDOWS\VDECK.INI
    [2004/12/31 19:31:18 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
    [2004/12/31 19:29:18 | 000,001,405 | ---- | C] () -- C:\WINDOWS\viewer.ini
    [2004/12/31 19:29:15 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\CPUINF32.DLL
    [2004/12/31 19:29:02 | 000,023,076 | ---- | C] () -- C:\WINDOWS\System32\LANDDLL2.DLL
    [2004/12/31 19:28:55 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\gif89.dll
    [2004/12/31 19:28:40 | 000,000,806 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
    [2004/12/30 09:52:53 | 000,002,805 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
    [2004/12/29 15:30:23 | 000,000,225 | ---- | C] () -- C:\WINDOWS\QTW.INI
    [2004/12/29 15:11:48 | 000,014,544 | ---- | C] () -- C:\WINDOWS\HORSES.DLL
    [2004/12/13 09:13:54 | 000,000,291 | ---- | C] () -- C:\WINDOWS\WSST_Screen_Saver.ini
    [2004/12/11 17:11:09 | 000,000,082 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
    [2004/12/11 09:20:51 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
    [2004/12/09 13:24:31 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Tom\Application Data\PFP120JPR.{PB
    [2004/12/09 13:24:31 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Tom\Application Data\PFP120JCM.{PB
    [2004/12/09 12:49:25 | 000,000,882 | ---- | C] () -- C:\WINDOWS\dellstat.ini
    [2004/12/06 15:48:40 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2004/12/06 15:42:03 | 000,000,478 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2004/12/06 15:12:08 | 000,000,520 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
    [2004/09/15 22:03:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
    [2004/08/10 13:13:12 | 000,000,882 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
    [2004/08/10 13:03:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2004/08/04 05:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
    [2004/04/20 11:08:08 | 000,000,276 | ---- | C] () -- C:\WINDOWS\System32\DLBTPLC.INI
    [2001/08/13 19:09:48 | 000,659,520 | ---- | C] () -- C:\WINDOWS\System32\vbid3lib.dll
    [2000/09/24 12:08:16 | 000,004,750 | ---- | C] () -- C:\Program Files\fosi.nfo
    [2000/09/24 12:03:52 | 000,000,388 | ---- | C] () -- C:\Program Files\file_id.diz
    [2000/04/14 15:50:02 | 000,343,040 | ---- | C] () -- C:\WINDOWS\System32\Lffpx7.dll
    [1998/06/11 13:08:06 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll
    [1980/01/01 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
     
  12. BigSand


    OTL.txt part 2

    ========== LOP Check ==========

    [2007/12/23 19:50:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp
    [2010/02/10 16:12:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Musicnotes
    [2007/12/23 19:51:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon
    [2011/02/18 10:36:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nLiAnDm15405
    [2004/12/27 17:25:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Softdisk LLC
    [2007/12/23 19:50:27 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data\Specifications
    [2007/12/14 17:10:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
    [2011/02/17 22:05:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
    [2007/12/23 19:50:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15
    [2004/12/06 15:46:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2007/02/23 21:24:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Winferno
    [2007/11/29 15:29:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
    [2005/01/15 10:35:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tom\Application Data\CoreFTP
    [2010/01/04 22:11:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tom\Application Data\eMachineShop
    [2005/01/19 15:35:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tom\Application Data\FTW
    [2004/12/09 21:25:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tom\Application Data\Leadertech
    [2007/01/09 15:11:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tom\Application Data\Musicmatch
    [2008/02/03 16:27:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tom\Application Data\Nikon
    [2010/01/04 22:08:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tom\Application Data\PGP
    [2008/01/07 22:32:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tom\Application Data\Super-Cow
    [2010/11/10 18:52:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tom\Application Data\Template
    [2007/01/28 20:54:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tom\Application Data\Viewpoint
    [2011/02/19 20:47:12 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{D970BD0A-0F5F-4CF1-84FA-3D05B05AC1F1}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2006/02/05 18:42:30 | 002,307,114 | ---- | M] () -- C:\00.bmp
    [2006/02/15 20:20:41 | 000,009,657 | ---- | M] () -- C:\005.jpg
    [2005/02/21 08:30:39 | 000,133,480 | ---- | M] () -- C:\30yrreunion.rtf
    [2005/04/19 17:15:35 | 000,039,424 | ---- | M] () -- C:\30yrreunion4-15.xls
    [2006/05/02 10:10:00 | 000,008,011 | ---- | M] () -- C:\5352T-16.aux
    [2006/04/20 00:54:00 | 000,000,126 | ---- | M] () -- C:\5352T-16.sdw
    [2008/11/16 08:42:44 | 009,048,792 | ---- | M] () -- C:\5352T-16.sid
    [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2010/05/04 06:36:38 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2011/02/19 18:23:13 | 000,000,327 | RHS- | M] () -- C:\BOOT.INI
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/02/20 09:52:34 | 000,014,659 | ---- | M] () -- C:\ComboFix.txt
    [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2010/10/04 07:01:05 | 000,000,087 | ---- | M] () -- C:\data.txt
    [2004/12/06 15:16:02 | 000,004,517 | RH-- | M] () -- C:\DELL.SDR
    [2009/12/01 09:54:15 | 000,000,360 | ---- | M] () -- C:\dlbt.log
    [2011/02/19 15:29:23 | 000,022,325 | ---- | M] () -- C:\dlcx.log
    [2010/12/13 21:40:46 | 000,003,455 | ---- | M] () -- C:\Early Nelson P1.jpg
    [2007/05/06 12:28:28 | 000,034,816 | ---- | M] () -- C:\Goodbye.doc
    [2011/02/20 09:35:07 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
    [2004/08/10 13:14:36 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
    [2004/08/10 13:04:08 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
    [2004/12/06 15:46:48 | 000,000,746 | -H-- | M] () -- C:\IPH.PH
    [2009/08/17 18:13:16 | 000,001,096 | ---- | M] () -- C:\Live Updater_log.txt
    [2010/09/06 20:22:39 | 000,000,000 | ---- | M] () -- C:\Log.txt
    [2007/05/31 07:15:59 | 000,028,160 | ---- | M] () -- C:\Moving Expenses.doc
    [2007/11/27 09:29:15 | 000,000,168 | ---- | M] () -- C:\mpecu.txt
    [2004/08/10 13:04:08 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
    [2011/02/19 09:05:10 | 003,499,214 | R--- | M] () -- C:\My Money Backup.mbf
    [2004/08/04 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/08/27 12:31:59 | 000,250,048 | RHS- | M] () -- C:\NTLDR
    [2011/02/20 09:35:05 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys
    [2008/02/13 14:27:32 | 001,462,000 | ---- | M] () -- C:\sbwsetup.exe
    [2008/01/07 22:21:35 | 030,113,792 | ---- | M] () -- C:\SupercowSetup.exe
    [2004/12/06 15:47:02 | 000,000,087 | ---- | M] () -- C:\SystemInfo.ini
    [2011/02/19 12:39:04 | 000,054,156 | ---- | M] () -- C:\TDSSKiller.2.4.17.0_19.02.2011_12.37.40_log.txt
    [2010/09/19 16:35:14 | 000,065,100 | ---- | M] () -- C:\teel1.jpg
    [2008/05/14 06:56:01 | 000,000,146 | ---- | M] () -- C:\YServer.txt
    [2007/01/16 15:39:24 | 000,056,624 | -H-- | M] () -- C:\ZbThumbnail.info

    < %systemroot%\Fonts\*.com >

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2004/08/10 13:03:42 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\DESKTOP.INI

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2006/10/19 23:33:26 | 000,117,760 | ---- | M] () -- C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\dlcxdrpp.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >
    [2005/08/13 12:06:29 | 000,031,540 | ---- | M] () -- C:\WINDOWS\2005 Hrvt fest.JPG
    [2005/03/19 20:06:10 | 000,016,782 | ---- | M] () -- C:\WINDOWS\bobcat.JPG
    [2006/10/07 20:46:42 | 000,050,359 | ---- | M] () -- C:\WINDOWS\dog.jpg
    [2006/11/03 09:03:43 | 000,030,868 | ---- | M] () -- C:\WINDOWS\dog11.jpg
    [2005/11/19 23:37:11 | 000,026,398 | ---- | M] () -- C:\WINDOWS\jessie.JPG
    [2005/11/19 23:38:32 | 000,028,001 | ---- | M] () -- C:\WINDOWS\jessie1.JPG
    [2009/05/17 05:39:32 | 000,159,705 | ---- | M] () -- C:\WINDOWS\pond stream.jpg
    [2006/12/15 10:46:41 | 000,370,946 | ---- | M] () -- C:\WINDOWS\RedneckTimeOut.jpg
    [2008/02/09 13:26:40 | 000,019,406 | ---- | M] () -- C:\WINDOWS\Remer 1950's.JPG
    [2007/03/21 05:47:56 | 000,049,765 | ---- | M] () -- C:\WINDOWS\Remer Motel.JPG
    [2005/09/03 18:18:13 | 000,067,943 | ---- | M] () -- C:\WINDOWS\steam tractor.JPG
    [2005/09/03 18:18:50 | 000,067,963 | ---- | M] () -- C:\WINDOWS\steam tractor1.JPG
    [2006/05/06 18:59:38 | 000,029,123 | ---- | M] () -- C:\WINDOWS\vicki.JPG
    [2006/09/06 16:13:39 | 000,051,128 | ---- | M] () -- C:\WINDOWS\vickis boyfriend.JPG

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2004/12/13 09:13:52 | 000,466,944 | ---- | M] () -- C:\WINDOWS\Christmas Dreams.scr
    [2004/12/27 17:25:38 | 000,249,856 | ---- | M] ( ) -- C:\WINDOWS\US Airways Caribbean.scr

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2000/09/24 12:03:52 | 000,000,388 | ---- | M] () -- C:\Program Files\file_id.diz
    [2000/09/24 00:27:18 | 033,554,896 | ---- | M] (Installshield Software Corporation) -- C:\Program Files\fo-psp7.exe
    [2000/09/24 12:08:16 | 000,004,750 | ---- | M] () -- C:\Program Files\fosi.nfo

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2004/08/10 12:56:48 | 000,094,208 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.SAV
    [2004/08/10 12:56:46 | 000,634,880 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.SAV
    [2004/08/10 12:56:46 | 000,872,448 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.SAV

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2008/08/27 12:39:45 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\DESKTOP.INI

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2004/12/09 12:37:03 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Tom\Application Data\Microsoft\Internet Explorer\Quick Launch\DESKTOP.INI
    [2004/08/10 13:08:38 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Tom\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2011/02/20 09:12:06 | 004,271,240 | R--- | M] () -- C:\Documents and Settings\Tom\Desktop\ComboFix.exe
    [2011/02/20 12:35:10 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2004/08/04 05:00:00 | 000,000,791 | ---- | M] () -- C:\WINDOWS\ADDINS\FXSEXT.ECF

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2004/12/09 12:37:02 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Tom\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2009/02/27 09:02:31 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\Tom\Cookies\desktop.ini
    [2011/02/20 12:30:30 | 000,868,352 | ---- | M] () -- C:\Documents and Settings\Tom\Cookies\INDEX.DAT

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 21:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\INF\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/13 18:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/04 01:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\LOGOWIN.GIF
    [2004/08/04 01:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\LVBACK.GIF
    [2008/05/02 08:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 11:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/13 18:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2004/08/04 01:06:36 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\NEWALERT.WAV
    [2004/08/04 01:06:36 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\NEWEMAIL.WAV
    [2004/08/04 01:06:36 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\ONLINE.WAV
    [2004/08/04 01:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\TYPE.WAV
    [2004/08/04 01:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\XPMSGR.CHM

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >
    [1996/08/27 02:12:00 | 000,004,176 | R--- | M] (Apple Computer, Inc.) -- C:\WINDOWS\SYSTEM\QTNOTIFY.EXE

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 88 bytes -> C:\5352T-16.sid:SummaryInformation

    < End of report >
  13. BigSand

    BigSand Newcomer, in training Topic Starter Posts: 38

    OTL Extras.txt

    OTL Extras logfile created on: 2/20/2011 12:40:55 PM - Run 1
    OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\Tom\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    510.00 Mb Total Physical Memory | 273.00 Mb Available Physical Memory | 54.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 69.00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 71.69 Gb Total Space | 47.44 Gb Free Space | 66.18% Space Free | Partition Type: NTFS

    Computer Name: DJRZ4761 | User Name: Tom | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 1
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
    "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
    "C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Dell Inc\Dell Picture Studio v3.0\launch.exe" = C:\Program Files\Dell Inc\Dell Picture Studio v3.0\launch.exe:*:Disabled:Jasc Paint Shop Photo Album 5 Application -- (Jasc Software)
    "C:\WINDOWS\SYSTEM32\USMT\MIGWIZ.EXE" = C:\WINDOWS\SYSTEM32\USMT\MIGWIZ.EXE:*:Disabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)
    "C:\Program Files\CoreFTP\coreftp.exe" = C:\Program Files\CoreFTP\coreftp.exe:*:Enabled:Core FTP App -- (Core FTP)
    "C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer -- (RealNetworks, Inc.)
    "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
    "C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe" = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox -- (Yahoo! Inc.)
    "C:\WINDOWS\SYSTEM32\dlcxcoms.exe" = C:\WINDOWS\SYSTEM32\dlcxcoms.exe:*:Enabled:Dell 926 Server -- ( )
    "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
    "{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
    "{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
    "{1344A4F3-6362-4059-B4F6-E01EABD04B75}" = Wave MP3 Editor - Evaluation
    "{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel(R) PROSet for Wired Connections
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
    "{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
    "{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
    "{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
    "{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
    "{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
    "{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
    "{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
    "{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
    "{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
    "{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{35AD3ED1-6708-4850-A809-9AA8C35BC36C}" = LandDesigner 3D
    "{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
    "{369B36BE-3D64-4641-9AEA-808D436FE130}" = Microsoft Picture It! Express 7.0
    "{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
    "{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
    "{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
    "{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
    "{5F629FE8-5B4C-4863-937A-AFC2961F7DD3}" = Microsoft Works Suite Add-in for Microsoft Word
    "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.3
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{6B36DEBF-27D0-4B1E-858D-D397091C6C7D}" = HP Precisionscan Pro 3.1
    "{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
    "{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
    "{7148F0A8-6813-11D6-A77B-00B0D0142060}" = Java 2 Runtime Environment, SE v1.4.2_06
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{748F4870-8350-11D3-B0BF-080009FB4A19}" = HP Share-to-Web
    "{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
    "{78D944D7-A97B-4004-AB0A-B5AD06839940}" = My Way Search Assistant
    "{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
    "{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
    "{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
    "{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}" = Musicmatch® Jukebox
    "{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
    "{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
    "{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
    "{A3E77D20-647C-40E2-B69B-C120D4D58190}" = G5a922EN
    "{A53AB16A-8DC1-11D6-B494-008048C29C40}" = USB MMC-SD Reader
    "{A850DE1D-279E-420C-8AA0-CDA32ABBBC43}" = Uniden Cordless Telephone Customization Tool
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.6
    "{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
    "{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
    "{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
    "{B136E4A4-7660-4F15-9752-EF8E6BA7866D}" = Family Tree Maker 2005
    "{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}" = Works Synchronization
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{D085A1B6-90A4-11D3-82B7-00C04FA309DE}" = Microsoft Money 2001
    "{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
    "{D45E8C45-B601-4A80-AFD8-E16338744DE1}" = ArcSoft Panorama Maker 4
    "{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 ESD
    "{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
    "{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
    "{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
    "{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
    "{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
    "{EC3B8CA2-49B8-4D38-BE9C-ABD0F6029168}" = Yahoo! Music Jukebox
    "{EFBF0C90-1254-4951-A957-CB452371187E}" = MapCreate U.S.A 6.3
    "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
    "{F8D0829C-9C6F-11D3-8080-00C04FA329AA}" = Microsoft Works 6.0
    "{FAF7F1D7-C0E7-47EA-8AAA-84E4F9EA3C94}" = Works Suite OS Pack
    "3D Deck" = Sierra 3D Deck
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "ArcExplorer 2.0" = ESRI ArcExplorer 2.0
    "AXIS Media Control Embedded" = AXIS Media Control Embedded
    "Core FTP Lite 1.3b" = Core FTP Lite 1.3b
    "Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
    "Dell PC Fax" = Dell PC Fax
    "Dell Photo AIO Printer 926" = Dell Photo AIO Printer 926
    "eMachineShop_is1" = eMachineShop
    "EZ Calendar" = EZ Calendar
    "FTW" = Family Tree Maker
    "Garden Encyclopedia" = Sierra Garden Encyclopedia
    "Garden Planner" = Sierra Garden Planner
    "GedHTree Version 2.70" = GedHTree Version 2.70
    "HP PhotoSmart 210/215 Camera Software" = HP PhotoSmart 210/215 Camera Software (by ArcSoft)
    "i-detect" = i-detect
    "i-detect 30-Day Trial" = i-detect 30-Day Trial
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "Indeo® software" = Indeo® software
    "Intel(R) 537EP V9x DF PCI Modem" = Intel(R) 537EP V9x DF PCI Modem
    "Macromedia Shockwave Player" = Macromedia Shockwave Player
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "MSC" = McAfee AntiVirus Plus
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "MSNINST" = MSN
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "Ortho® Home Gardener's Problem Solver" = Ortho® Home Gardener's Problem Solver
    "OziExplorer 3.95_is1" = OziExplorer 3.95
    "PROSet" = Intel(R) PRO Network Adapters and Drivers
    "Quicken 2002 Deluxe" = Quicken 2002 Deluxe
    "RCA Detective™_is1" = RCA Detective™ 3.0.0.101
    "RCA easyRip_is1" = RCA easyRip 2.4.2.0
    "RCA Updater_is1" = RCA Updater 1.0.4.0
    "RealPlayer 6.0" = RealPlayer Basic
    "Savings Bond Wizard" = Savings Bond Wizard
    "Sierra Interior Design Collection" = Sierra Interior Design Collection
    "Sierra Photo Garden Designer" = Sierra Photo Garden Designer
    "Sierra Photo Home Interiors" = Sierra Photo Home Interiors
    "StreetPlugin" = Learn2 Player (Uninstall Only)
    "Supercow_is1" = Supercow
    "TaxACT 2003" = TaxACT 2003
    "TaxACT 2004" = TaxACT 2004
    "TaxACT 2005" = TaxACT 2005
    "TaxACT 2006" = TaxACT 2006
    "TaxACT 2007" = TaxACT 2007
    "TaxACT 2008" = TaxACT 2008
    "TaxACT 2008 Minnesota" = TaxACT 2008 Minnesota
    "TaxACT 2009" = TaxACT 2009
    "TaxACT 2009 Minnesota" = TaxACT 2009 Minnesota
    "TaxACT 2010" = TaxACT 2010
    "TaxACT 2010 Minnesota" = TaxACT 2010 Minnesota
    "TaxACT Minnesota 2004" = TaxACT Minnesota 2004
    "TaxACT Minnesota 2005" = TaxACT Minnesota 2005
    "TaxACT Minnesota 2006" = TaxACT Minnesota 2006
    "TaxACT Minnesota 2007" = TaxACT Minnesota 2007
    "UAC1COMM&10C4&805A" = Uniden USB to UART Bridge Controller
    "US Airways Caribbean" = US Airways Caribbean Screen Saver
    "ViewpointMediaPlayer" = Viewpoint Media Player
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Works2001Setup" = Microsoft Works 2001 Setup Launcher
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "Yahoo! Messenger" = Yahoo! Messenger

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-2881188650-3112352510-1338976571-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 1/29/2011 8:12:40 PM | Computer Name = DJRZ4761 | Source = Application Hang | ID = 1002
    Description = Hanging application YahooMessenger.exe, version 9.0.0.2162, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 1/29/2011 8:13:10 PM | Computer Name = DJRZ4761 | Source = Application Hang | ID = 1001
    Description = Fault bucket 1293692381.

    Error - 2/13/2011 10:23:26 AM | Computer Name = DJRZ4761 | Source = Application Error | ID = 1000
    Description = Faulting application dlcxaiox.exe, version 4.22.0.8, faulting module
    dlcxdrs.dll, version 0.1.25.0, fault address 0x0003a3b4.

    Error - 2/13/2011 10:23:35 AM | Computer Name = DJRZ4761 | Source = Application Error | ID = 1001
    Description = Fault bucket 492024363.

    Error - 2/13/2011 10:55:11 AM | Computer Name = DJRZ4761 | Source = Application Hang | ID = 1002
    Description = Hanging application dlcxaiox.exe, version 4.22.0.8, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 2/17/2011 11:59:02 PM | Computer Name = DJRZ4761 | Source = Application Error | ID = 1000
    Description = Faulting application , version 0.0.0.0, faulting module unknown, version
    0.0.0.0, fault address 0x7c922235.

    Error - 2/17/2011 11:59:37 PM | Computer Name = DJRZ4761 | Source = Application Error | ID = 1001
    Description = Fault bucket 2064199148.

    Error - 2/18/2011 12:40:16 PM | Computer Name = DJRZ4761 | Source = McLogEvent | ID = 5022
    Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 3

    Error - 2/19/2011 8:15:59 PM | Computer Name = DJRZ4761 | Source = Application Error | ID = 1000
    Description = Faulting application pev.exe, version 0.0.0.0, faulting module , version
    0.0.0.0, fault address 0x0008d560.

    Error - 2/20/2011 11:10:28 AM | Computer Name = DJRZ4761 | Source = Application Error | ID = 1000
    Description = Faulting application pev.exe, version 0.0.0.0, faulting module pev.exe,
    version 0.0.0.0, fault address 0x0008d560.

    [ System Events ]
    Error - 2/18/2011 10:18:50 PM | Computer Name = DJRZ4761 | Source = Service Control Manager | ID = 7023
    Description = The Application Management service terminated with the following error:
    %%126

    Error - 2/18/2011 10:18:50 PM | Computer Name = DJRZ4761 | Source = Service Control Manager | ID = 7023
    Description = The Application Management service terminated with the following error:
    %%126

    Error - 2/18/2011 10:18:50 PM | Computer Name = DJRZ4761 | Source = Service Control Manager | ID = 7023
    Description = The Application Management service terminated with the following error:
    %%126

    Error - 2/18/2011 10:18:50 PM | Computer Name = DJRZ4761 | Source = Service Control Manager | ID = 7023
    Description = The Application Management service terminated with the following error:
    %%126

    Error - 2/18/2011 10:18:50 PM | Computer Name = DJRZ4761 | Source = Service Control Manager | ID = 7023
    Description = The Application Management service terminated with the following error:
    %%126

    Error - 2/18/2011 10:18:50 PM | Computer Name = DJRZ4761 | Source = Service Control Manager | ID = 7023
    Description = The Application Management service terminated with the following error:
    %%126

    Error - 2/18/2011 10:18:51 PM | Computer Name = DJRZ4761 | Source = Service Control Manager | ID = 7023
    Description = The Application Management service terminated with the following error:
    %%126

    Error - 2/19/2011 2:31:16 PM | Computer Name = DJRZ4761 | Source = DCOM | ID = 10010
    Description = The server {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2} did not register
    with DCOM within the required timeout.

    Error - 2/20/2011 11:41:36 AM | Computer Name = DJRZ4761 | Source = DCOM | ID = 10010
    Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
    with DCOM within the required timeout.

    Error - 2/20/2011 11:42:59 AM | Computer Name = DJRZ4761 | Source = DCOM | ID = 10010
    Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
    with DCOM within the required timeout.


    < End of report >
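The Extras log above is where a launch redirector or a muted Security Center would show up: the Shell Spawning section lists the command run for every .exe/.bat/.com/.pif/.scr launch, the Security Center section shows which products Windows has stopped watching, and the Firewall section shows which port exceptions are open to any remote address rather than the local subnet. The following Python script is an added example, not part of this thread or of OldTimer's OTL tool. It parses those three sections and flags deviations. The stock handler commands are the ones this log itself shows for XP (`"%1" %*`, and `"%1" /S` for scrfile); the sample log is constructed from the Extras log posted above with the `:@` resource reference restored where the forum rendered it as `:mad:`; the hijacked variant and its path `C:\Temp\redir.exe` are hypothetical, included only to show what a detection looks like.

```python
"""Audit an OTL Extras.txt log: hijacked shell-spawn handlers, silenced
Security Center monitoring, and firewall exceptions open to any address.
Added example, not part of the thread or of OTL itself."""
import re
from collections import defaultdict

# Stock Windows XP handlers for executable classes, as seen in the log above;
# a redirector that wraps every program launch shows up as a mismatch here.
EXPECTED_SHELL = {
    "batfile [open]": '"%1" %*', "cmdfile [open]": '"%1" %*',
    "comfile [open]": '"%1" %*', "exefile [open]": '"%1" %*',
    "piffile [open]": '"%1" %*', "scrfile [open]": '"%1" /S',
}
# Values that, when set to 1, stop Security Center from watching or warning.
SILENCERS = {"DisableMonitoring", "AntiVirusOverride", "FirewallOverride",
             "AntiVirusDisableNotify", "FirewallDisableNotify"}

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
KEY_RE = re.compile(r"^\[(.+)\]$")
SHELL_RE = re.compile(r"^(\S+ \[\w+\]) -- (.*)$")
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')


def split_sections(text):
    """Group non-blank lines under their '========== Name ==========' header."""
    sections, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line and current:
            sections[current].append(line)
    return sections


def audit_shell_spawning(lines):
    """Handlers whose command differs from the stock value: (handler, cmd)."""
    out = []
    for line in lines:
        m = SHELL_RE.match(line)
        if m and m.group(1) in EXPECTED_SHELL and m.group(2) != EXPECTED_SHELL[m.group(1)]:
            out.append((m.group(1), m.group(2)))
    return out


def audit_security_center(lines):
    """(last key component, value name) for every silencer that is set to 1."""
    out, key = [], ""
    for line in lines:
        k, v = KEY_RE.match(line), VALUE_RE.match(line)
        if k:
            key = k.group(1).rsplit("\\", 1)[-1]
        elif v and v.group(1) in SILENCERS and v.group(2) == "1":
            out.append((key, v.group(1)))
    return out


def audit_open_ports(lines):
    """(profile, port:proto) for enabled GloballyOpenPorts entries with scope '*'.
    Value layout is port:proto:scope:Enabled|Disabled:@resource; scope '*' means
    any remote address, LocalSubNet restricts the exception to the local subnet."""
    out, profile = [], ""
    for line in lines:
        k, v = KEY_RE.match(line), VALUE_RE.match(line)
        if k:
            profile = "Domain" if "DomainProfile" in k.group(1) else "Standard"
        elif v:
            p = v.group(2).split(":")
            if len(p) >= 4 and p[2] == "*" and p[3] == "Enabled":
                out.append((profile, p[0] + ":" + p[1]))
    return out


def audit(text):
    s = split_sections(text)
    return {"shell": audit_shell_spawning(s.get("Shell Spawning", [])),
            "security_center": audit_security_center(s.get("Security Center Settings", [])),
            "open_ports": audit_open_ports(s.get("Firewall Settings", []))}


# Constructed sample: the relevant sections of the Extras log posted in this
# thread, with ':@' restored where the forum rendered it as ':mad:'.
SAMPLE_LOG = r"""
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
scrfile [open] -- "%1" /S
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"""
# Constructed variant with a hypothetical launch redirector wrapping exefile.
HIJACKED_LOG = SAMPLE_LOG.replace('exefile [open] -- "%1" %*',
                                  'exefile [open] -- "C:\\Temp\\redir.exe" "%1" %*')
```

On the log in this thread the shell handlers come back clean, the Security Center audit returns `AntiVirusOverride` plus the two McAfee `DisableMonitoring` values (the same two values the next post's OTL fix deletes with `=-`), and the port audit returns the domain-profile NetBIOS/SMB exceptions (139/445/137/138) because their scope is `*` rather than `LocalSubNet`. Treat a `DisableMonitoring` hit as something to confirm rather than a verdict on its own: security suites can set it themselves when they register with Security Center over WMI, so the useful signal is a value that reappears after the product has been reinstalled, or one set for a product that is not installed.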
  14. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java versions and their remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKU\S-1-5-21-2881188650-3112352510-1338976571-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
      O3 - HKU\S-1-5-21-2881188650-3112352510-1338976571-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
      O9 - Extra Button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - File not found
      O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      [2009/12/01 10:35:24 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\41EAAFFA1C.sys
      [2004/12/06 15:46:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      [2007/01/28 20:54:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tom\Application Data\Viewpoint
      @Alternate Data Stream - 88 bytes -> C:\5352T-16.sid:SummaryInformation
      
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
      "DisableMonitoring" =-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
      "DisableMonitoring" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =======================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
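    The OTL fix above deletes a handful of Internet Explorer hook points (URLSearchHooks, Toolbar\WebBrowser, Extensions, downloaded ActiveX controls) and two Security Center overrides. The script below is an added, read-only check of those same locations; it is not OTL and not code from this thread. It assumes PowerShell 2.0 or later (a separate download on XP), a 32-bit Windows (on 64-bit Windows also look at the Wow6432Node copies of the HKLM keys), and an elevated prompt. It reports; it never deletes.

```powershell
# Added example, not OTL and not from the thread: list the IE hook points and
# Security Center keys the OTL fix touches, and classify each CLSID the way the
# OTL scan lines do. Assumes PowerShell 2.0+, 32-bit Windows, elevated prompt.

function Get-ClsidStatus {
    # 'missing'                 -> nothing registered under HKCR\CLSID
    #                              (OTL's "No CLSID value found" / "Reg Error: Key error")
    # 'file not found: <path>'  -> registered, but the server DLL/EXE is gone
    # <path>                    -> registered and the server file exists
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) { return 'missing' }
    foreach ($srvKey in 'InprocServer32', 'LocalServer32') {
        $srv = Get-ItemProperty -LiteralPath "$key\$srvKey" -ErrorAction SilentlyContinue
        if (-not $srv -or -not $srv.'(default)') { continue }
        $raw = $srv.'(default)'
        # LocalServer32 values may be quoted and carry arguments; keep only the executable.
        if ($raw.StartsWith('"')) {
            $end = $raw.IndexOf('"', 1)
            if ($end -gt 1) { $raw = $raw.Substring(1, $end - 1) }
        }
        $file = [Environment]::ExpandEnvironmentVariables($raw)
        if (Test-Path -LiteralPath $file) { return $file }
        return "file not found: $file"
    }
    return 'registered, but no server path'
}

$guidPattern = '^\{[0-9A-Fa-f-]{36}\}$'

# Hook points keyed by value name (the URLSearchHook and Toolbar\WebBrowser lines in the fix)
$valueKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
    'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
)
# Hook points keyed by subkey name (IE "extra buttons" and Browser Helper Objects)
$subkeyKeys = @(
    'HKLM:\Software\Microsoft\Internet Explorer\Extensions',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

foreach ($k in $valueKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    foreach ($name in (Get-Item -LiteralPath $k).GetValueNames()) {
        if ($name -match $guidPattern) { "$k`n  $name -> $(Get-ClsidStatus $name)" }
    }
}
foreach ($k in $subkeyKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $k) {
        $id = $sub.PSChildName
        if ($id -match $guidPattern) { "$k`n  $id -> $(Get-ClsidStatus $id)" }
    }
}

# Search providers: SearchScopes is where IE keeps the URL each search goes to,
# so it is the first place to look when searches land somewhere unexpected.
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
if (Test-Path -LiteralPath $scopes) {
    $default = (Get-ItemProperty -LiteralPath $scopes -ErrorAction SilentlyContinue).DefaultScope
    "SearchScopes (DefaultScope = $default): every URL here should be a provider you chose"
    foreach ($sub in Get-ChildItem -LiteralPath $scopes) {
        $p = Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue
        "  $($sub.PSChildName) $($p.DisplayName) -> $($p.URL)"
    }
}

# Security Center overrides. Malware sets DisableMonitoring=1 so the "antivirus is
# turned off" balloon never appears, but some AV suites set it themselves to avoid
# duplicate alerts, so a hit is something to review, not to delete blindly.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
if (Test-Path -LiteralPath $sc) {
    foreach ($sub in Get-ChildItem -LiteralPath $sc) {
        $v = (Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue).DisableMonitoring
        if ($null -ne $v) { "Security Center: $($sub.PSChildName) DisableMonitoring = $v" }
    }
}
```

    A CLSID reported as 'missing' or 'file not found' is an orphaned hook (the handler is gone but IE still tries to load it); a CLSID that resolves to a real file you do not recognise is the more interesting case, because that handler still runs in every IE process and is exactly where a search redirect can be implemented.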
  15. BigSand

    BigSand Newcomer, in training Topic Starter Posts: 38

    Installed Java, removed Old Java, ran OTL

    Broni,
    I installed the new version of Java and ran the Java removal tool. It had an error the first time while it was running and had to close. I re-ran it without any error messages.
    I then ran OTL again, and that log follows.
    I will next try Security Check.
    Thanks, BigSand

    All processes killed
    ========== OTL ==========
    Registry value HKEY_USERS\S-1-5-21-2881188650-3112352510-1338976571-1006\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
    Registry value HKEY_USERS\S-1-5-21-2881188650-3112352510-1338976571-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{d81ca86b-ef63-42af-bee3-4502d9a03c2d}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d81ca86b-ef63-42af-bee3-4502d9a03c2d}\ deleted successfully.
    Starting removal of ActiveX control {02BCC737-B171-4746-94C9-0D8A0B2C0089}
    C:\WINDOWS\Downloaded Program Files\ieawsdc.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\WINDOWS\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    C:\WINDOWS\SYSTEM32\41EAAFFA1C.sys moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9Plus folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\Welcome\BH00 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\Welcome folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\AxMetaStream_Win folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint folder moved successfully.
    C:\Documents and Settings\Tom\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03 folder moved successfully.
    C:\Documents and Settings\Tom\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02 folder moved successfully.
    C:\Documents and Settings\Tom\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01 folder moved successfully.
    C:\Documents and Settings\Tom\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00 folder moved successfully.
    C:\Documents and Settings\Tom\Application Data\Viewpoint\Viewpoint Experience Technology\Resources folder moved successfully.
    C:\Documents and Settings\Tom\Application Data\Viewpoint\Viewpoint Experience Technology folder moved successfully.
    C:\Documents and Settings\Tom\Application Data\Viewpoint folder moved successfully.
    ADS C:\5352T-16.sid:SummaryInformation deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\\DisableMonitoring deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\\DisableMonitoring deleted successfully.
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Application Data

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 2995 bytes

    User: Tom
    ->Temp folder emptied: 9374419 bytes
    ->Temporary Internet Files folder emptied: 19593426 bytes
    ->Java cache emptied: 2223668 bytes
    ->Flash cache emptied: 2900 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 664 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 30.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Application Data

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    User: Tom
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.20.6 log created on 02202011_184329

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
  16. BigSand

    BigSand Newcomer, in training Topic Starter Posts: 38

    Ran Security Check

    Broni, here are the results of Security Check.
    Thanks, BigSand

    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    McAfee AntiVirus Plus
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 24
    Java(TM) SE Runtime Environment 6 Update 1
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_06
    Out of date Java installed!
    Adobe Flash Player
    Adobe Reader 8.2.6
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ``````````End of Log````````````
  17. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Hmmm... I still see a number of old Java versions installed.
    Go to Add\Remove and uninstall:

    Java(TM) SE Runtime Environment 6 Update 1
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_06


    ============================================================

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

    ==================================================================

    ...and Eset....
  18. BigSand

    BigSand Newcomer, in training Topic Starter Posts: 38

    ESETScan log

    Broni,
    Following is the ESETScan log.
    It found one virus. Please advise me on its removal.
    Thanks, BigSand

    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2021\A0192233.exe a variant of Win32/Kryptik.KUO trojan
     
  19. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    That particular item is in one of your restore points, which we are about to reset.

    Your computer is clean.

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during the cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
  20. BigSand

    BigSand Newcomer, in training Topic Starter Posts: 38

    JAVA removal

    Broni,
    I removed the old versions that you listed, with the exception of the last two, which would not uninstall.
    Please advise on how to uninstall these two.

    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_06

    I will study up on the Adobe program you mention.
    Also, I intend to donate to your cause when we're done.
    Thanks, BigSand
  21. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    You can try to re-run JavaRa one more time.
    If that doesn't help, leave them alone.
    Most likely just dead registry entries.
    Nothing to worry about.
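    Whether a leftover Add/Remove entry is "just a dead registry entry" or a real, outdated runtime matters: a listing with no files behind it is harmless, while a JRE that is still on disk and registered is exploitable attack surface no matter what Add/Remove shows. The script below is an added example, not JavaRa or Security Check or anything from this thread; it assumes PowerShell 2.0 or later and a 32-bit Windows (on 64-bit Windows also read the Wow6432Node copies of both keys), and it only reads.

```powershell
# Added example, not a tool from the thread: list every Java runtime the machine
# still knows about and separate real installs (files on disk) from dead
# Add/Remove entries. Assumes PowerShell 2.0+, 32-bit Windows. Read-only.

function Get-JavaInstallState {
    $results = @()

    # 1. Add/Remove Programs entries whose display name mentions Java.
    $uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($sub in Get-ChildItem -LiteralPath $uninst) {
        $p = Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue
        if (-not $p.DisplayName -or $p.DisplayName -notmatch 'Java') { continue }
        $jhome = $p.InstallLocation
        $onDisk = [bool]($jhome -and (Test-Path -LiteralPath (Join-Path $jhome 'bin\java.exe')))
        $results += New-Object PSObject -Property @{
            Source    = 'Uninstall'
            Name      = $p.DisplayName
            Path      = $jhome
            OnDisk    = $onDisk
            Uninstall = $p.UninstallString
        }
    }

    # 2. Runtimes registered under the JavaSoft key. This is what java.exe and the
    #    browser plug-in consult, so a live entry here is attack surface whether
    #    or not Add/Remove still lists it.
    $javasoft = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
    if (Test-Path -LiteralPath $javasoft) {
        foreach ($sub in Get-ChildItem -LiteralPath $javasoft) {
            $jhome = (Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue).JavaHome
            if (-not $jhome) { continue }
            $results += New-Object PSObject -Property @{
                Source    = 'JavaSoft'
                Name      = $sub.PSChildName
                Path      = $jhome
                OnDisk    = [bool](Test-Path -LiteralPath (Join-Path $jhome 'bin\java.exe'))
                Uninstall = $null
            }
        }
    }
    return $results
}

Get-JavaInstallState | Sort-Object Source, Name |
    Format-Table Source, Name, OnDisk, Path, Uninstall -AutoSize
```

    An entry with OnDisk = False and nothing left under Path is the dead-entry case Broni describes: deleting that Uninstall subkey only tidies the Add/Remove list, and there is no runtime left to exploit. An entry with OnDisk = True is a real, outdated JRE and should be removed before the machine is considered patched; for entries whose UninstallString is an MsiExec command, `msiexec /x {product-code}` from an elevated prompt runs the same uninstall that Add/Remove would.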
  22. BigSand

    BigSand Newcomer, in training Topic Starter Posts: 38

    Thanks for all your help Broni

    Broni,
    Going to bed..... had enough for one day, lol.
    You sure know your stuff!
    My computer seems to be working great now..... faster, and no problems with my searches getting redirected!!!

    I will download the other "preventive" measures you mention on the thread tomorrow, and figure out what I want to do with Adobe.

    Will I have access to the thread for a while yet?

    I've made a donation to your cause via PayPal.
    Thanks!!
    BigSand
  23. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    The thread will be open.

    Thank you for your donation :)
  24. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    The issue seems to be resolved.
  25. BigSand

    BigSand Newcomer, in training Topic Starter Posts: 38

    RE: Issue Resolved

    Yes, thanks! Things are working pretty well now. Scans yesterday found no issues. The only issue is when I'm in Yahoo, select a link, then hit my browser's back arrow....... sometimes it tries to go to something called "Blue Lithium" ads, but the page does not load. Research shows that Blue Lithium is owned by Yahoo, but I was not able to cure the problem.