TechSpot

Need help removing multiple malware

By kikehisy
Jan 17, 2011
  1. Hi,

    I've been battling a malware infection for the past 3 days and am really in need of assistance. This is my first post here, hoping someone can help. There have been several attacks. It is mostly adware/search hijacker stuff, but it is persistent. Even after running Malwarebytes and other programs that say there are no infected files, stuff comes back.

    Attack 1: Disk Optimizer (Sat 1/15)
    Attack 2: Virtumonde - and it seemed like other stuff too (Sat 1/15)
    Attack 3: Antivirus System 2011 (Mon 1/17)

    Also on 1/17, Norton Security Scan found ByteVerify Trojan – apparently this is related to Java, which might have to do with the random Java popups I was getting

    Admittedly, my attempts to deal with the problem have been somewhat haphazard,until I discovered this site, including doing a couple things your instructions say not to do (indisciminate running of combofix, updating programs to try to fix security vulnerabilities). Once I found your guidelines, however, I did everything in order as you said and got the logs, which are pasted below.

    Current symptoms:

    Internet Explorer somewhat works, but 1) is sometimes opening “dead” tabs; 2) on Google searches clicking on links leads to an ad site rather than the intended target; 3) occasionally new windows randomly open with ads or prompts to download some file or program; 4) frequent crashing

    Firefox is not opening at all

    Google Chrome opens but will not load a webpage.

    Occasional error message, “Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.”

    Occasional funky graphics

    At startup: “Error loading C\WINDOWS\pnagrx3.dll” - I believe this was quarantined or deleted by one of the antivirus programs on Saturday

    Please let me know what I should do - logs below - thanks! (note that on the dds log I have substituted "QQ" where my name appeared, for privacy)

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5543

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/17/2011 9:28:27 PM
    mbam-log-2011-01-17 (21-28-27).txt

    Scan type: Quick scan
    Objects scanned: 163436
    Time elapsed: 5 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    --

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-01-17 21:40:16
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 WDC_WD1200BEVS-75UST0 rev.01.01A01
    Running: step 4.exe; Driver: C:\DOCUME~1\ETHANS~1\LOCALS~1\Temp\axloapow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x9CBB082E]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x9CBB0652]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x9CBB078C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A4B639B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A4B639B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A4B639B
    Device aswSP.SYS (avast! self protection module/AVAST Software)
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp

    --


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 10/30/2007 9:43:25 PM
    System Uptime: 1/17/2011 9:20:43 PM (0 hours ago)

    Motherboard: Dell Inc. | | 0MY199
    Processor: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz | Microprocessor | 1995/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 112 GiB total, 54.99 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP583: 10/19/2010 6:47:37 PM - System Checkpoint
    RP584: 10/23/2010 9:53:50 AM - System Checkpoint
    RP585: 10/24/2010 12:17:44 PM - Software Distribution Service 3.0
    RP586: 10/26/2010 10:01:11 AM - System Checkpoint
    RP587: 10/28/2010 8:46:51 AM - System Checkpoint
    RP588: 10/30/2010 9:55:46 AM - System Checkpoint
    RP589: 10/31/2010 12:53:49 PM - System Checkpoint
    RP590: 11/2/2010 12:00:46 AM - System Checkpoint
    RP591: 11/3/2010 11:43:42 AM - System Checkpoint
    RP592: 11/5/2010 8:31:00 AM - System Checkpoint
    RP593: 11/8/2010 9:15:03 AM - System Checkpoint
    RP594: 11/9/2010 9:17:11 AM - System Checkpoint
    RP595: 11/11/2010 10:17:22 AM - System Checkpoint
    RP596: 11/12/2010 11:51:26 AM - System Checkpoint
    RP597: 11/13/2010 10:14:28 PM - System Checkpoint
    RP598: 11/14/2010 11:06:56 PM - Software Distribution Service 3.0
    RP599: 11/16/2010 9:02:02 AM - System Checkpoint
    RP600: 11/20/2010 9:11:52 AM - System Checkpoint
    RP601: 11/23/2010 10:13:29 AM - System Checkpoint
    RP602: 11/25/2010 9:51:23 AM - System Checkpoint
    RP603: 11/26/2010 10:29:41 AM - System Checkpoint
    RP604: 11/27/2010 11:10:30 AM - System Checkpoint
    RP605: 11/29/2010 11:46:36 AM - System Checkpoint
    RP606: 11/30/2010 11:48:19 AM - System Checkpoint
    RP607: 12/10/2010 8:21:07 AM - System Checkpoint
    RP608: 12/11/2010 9:48:57 AM - System Checkpoint
    RP609: 12/17/2010 11:23:55 PM - System Checkpoint
    RP610: 12/19/2010 7:50:35 PM - System Checkpoint
    RP611: 12/21/2010 9:00:30 AM - System Checkpoint
    RP612: 12/27/2010 5:27:33 PM - System Checkpoint
    RP613: 12/29/2010 11:12:02 AM - System Checkpoint
    RP614: 12/30/2010 2:12:20 PM - System Checkpoint
    RP615: 1/1/2011 11:17:24 AM - System Checkpoint
    RP616: 1/2/2011 3:44:05 PM - System Checkpoint
    RP617: 1/4/2011 3:30:04 PM - System Checkpoint
    RP618: 1/6/2011 8:43:40 AM - System Checkpoint
    RP619: 1/9/2011 11:41:52 AM - System Checkpoint
    RP620: 1/10/2011 8:07:36 PM - System Checkpoint
    RP621: 1/12/2011 6:55:30 AM - System Checkpoint
    RP622: 1/13/2011 9:27:56 AM - System Checkpoint
    RP623: 1/16/2011 11:33:51 PM - System Checkpoint
    RP624: 1/17/2011 2:04:35 PM - Installed Windows XP -- Software Updates KB952011.
    RP625: 1/17/2011 2:07:20 PM - Installed QuickTime
    RP626: 1/17/2011 2:15:52 PM - Removed J2SE Runtime Environment 5.0 Update 6
    RP627: 1/17/2011 2:16:35 PM - Removed Java(TM) 6 Update 11
    RP628: 1/17/2011 2:17:59 PM - Removed Java(TM) 6 Update 3
    RP629: 1/17/2011 2:18:44 PM - Removed Java(TM) 6 Update 5
    RP630: 1/17/2011 2:19:51 PM - Removed Java(TM) 6 Update 7
    RP631: 1/17/2011 2:24:44 PM - Installed Java(TM) 6 Update 23
    RP632: 1/17/2011 2:35:37 PM - Removed Cisco Systems VPN Client 5.0.02.0090
    RP633: 1/17/2011 5:15:34 PM - avast! Free Antivirus Setup

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.1
    Apple Application Support
    Apple Software Update
    ArcSoft Panorama Maker 3
    avast! Free Antivirus
    biolsp patch
    Broadcom ASF Management Applications
    Broadcom Management Programs
    Broadcom TPM Driver Installer
    burnatonce
    ClamWin Free Antivirus 0.95.3
    Conexant HDA D330 MDC V.92 Modem
    Dell Embassy Trust Suite by Wave Systems
    Dell Touchpad
    Document Manager Lite
    EMBASSY Security Center
    EMBASSY Security Setup
    EMBASSY Trust Suite by Wave Systems
    Encompass eFolder
    Encompass360 SmartClient
    ESC Home Page Plugin
    ETS Upgrade
    FLAC 1.2.1b (remove only)
    Google Chrome
    Google Desktop
    Google Earth
    Google Photos Screensaver
    Google Talk Plugin
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Updater
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    hp LaserJet 1000
    hp officejet 7100 series
    HP Photo Printing Software
    HP Share-to-Web
    ImagXpress
    Intel PROSet Wireless
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PROSet/Wireless WiFi Software
    IntelliSonic Speech Enhancement
    Java Auto Updater
    Java(TM) 6 Update 23
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft LifeCam
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Ultimate 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft WSE 2.0 SP3 Runtime
    Modem Diagnostic Tool
    Move Media Player
    Mozilla Firefox (3.6.13)
    mProSafe
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser (KB933579)
    mWlsSafe
    neroxml
    NetWaiting
    Nikon Message Center
    Norton Security Scan
    NTRU TCG Software Stack
    O2Micro USB Smart Card Reader
    OGA Notifier 2.0.0048.0
    Olympus Digital Wave Player
    Picasa 3
    PictureProject
    PictureProject In Touch Downloader 1.0
    Point
    Point 6.1
    PowerDVD
    Preboot Manager
    Private Information Manager
    QuickSet
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Secunia PSI (2.0.0.3001)
    Secure Update
    SecureW2 TTLS Client 3.3.2 for Windows
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB2288953)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Wizards
    SigmaTel Audio
    Skype web features
    Skype™ 5.1
    SmartClient Core
    SmartClient Installation Manager
    Spelling Dictionaries Support For Adobe Reader 9
    Spybot - Search & Destroy
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Outlook 2007 Junk Email Filter (KB2443839)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    upekmsi
    URL Assistant
    Vuze
    Vuze Toolbar
    Wave Infrastructure Installer
    Wave Support Software
    WebFldrs XP
    Windows Driver Package - Dell Inc. PBADRV System (09/25/2006 6.0.0.0)
    Windows Driver Package - O2Micro (guardian2) SmartCardReader (02/05/2007 1.1.3.7)
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    1/17/2011 9:15:10 PM, error: Service Control Manager [7034] - The Smart Client App Manager service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 9:15:10 PM, error: Service Control Manager [7034] - The SigmaTel Audio Service service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 9:15:10 PM, error: Service Control Manager [7034] - The Secunia Update Agent service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 9:15:10 PM, error: Service Control Manager [7034] - The Secunia PSI Agent service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 9:15:10 PM, error: Service Control Manager [7034] - The NICCONFIGSVC service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 9:15:10 PM, error: Service Control Manager [7034] - The MSCamSvc service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 9:15:10 PM, error: Service Control Manager [7034] - The Intel® PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 9:15:10 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless SSO Service service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 9:15:09 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 9:15:09 PM, error: Service Control Manager [7034] - The Intel® PROSet/Wireless WiFi Service service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 9:15:09 PM, error: Service Control Manager [7034] - The Intel® PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 9:15:09 PM, error: Service Control Manager [7034] - The Broadcom ASF IP and SMBIOS Mailbox Monitor service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 9:15:09 PM, error: Service Control Manager [7031] - The ASKUpgrade service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/17/2011 9:15:09 PM, error: Service Control Manager [7031] - The ASKService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/17/2011 9:14:25 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Secunia Update Agent service to connect.
    1/17/2011 9:14:25 PM, error: Service Control Manager [7000] - The Secunia Update Agent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/17/2011 1:54:19 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    1/16/2011 9:24:21 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    1/15/2011 9:06:55 AM, error: Service Control Manager [7034] - The Smart Card service terminated unexpectedly. It has done this 1 time(s).
    1/15/2011 9:06:55 AM, error: Service Control Manager [7034] - The NTRU TSS v1.2.1.12 TCS service terminated unexpectedly. It has done this 1 time(s).
    1/15/2011 8:57:14 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV Fips intelppm
    1/15/2011 8:56:05 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/15/2011 3:02:43 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/12/2011 6:30:31 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference error message: The referenced assembly is not installed on your system. .
    1/12/2011 6:30:31 AM, error: SideBySide [59] - Generate Activation Context failed for c:\program files\real\realplayer\plugins\rmxrend.dll. Reference error message: The operation completed successfully. .
    1/12/2011 6:30:31 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.DebugCRT could not be found and Last Error was The referenced assembly is not installed on your system.
    1/10/2011 10:48:39 AM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

    ==== End Of File ===========================


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by QQ at 21:41:04.79 on Mon 01/17/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1316 [GMT -5:00]

    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    C:\WINDOWS\system32\KADxMain.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
    svchost.exe
    C:\WINDOWS\vVX1000.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\Program Files\Apoint\ApMsgFwd.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Secunia\PSI\psi_tray.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files\Ellie Mae\SCAppMgr\SCAppMgr.exe
    C:\Program Files\Secunia\PSI\PSIA.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\Secunia\PSI\sua.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\QQ\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5071020
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:8893
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Google Update] "c:\documents and settings\QQ\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [RNQYXiJlQCTsVhJ.exe] c:\documents and settings\all users\application data\RNQYXiJlQCTsVhJ.exe
    uRun: [Mqakumofutocal] rundll32.exe "c:\windows\pnagrx3.dll",Startup
    uRun: [nEjKG5gYOW] c:\documents and settings\all users\application data\nEjKG5gYOW.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
    mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
    mRun: [KADxMain] c:\windows\system32\KADxMain.exe
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
    mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
    mRun: [VX1000] c:\windows\vVX1000.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [Google Updater] "c:\program files\google\google updater\GoogleUpdater.exe" -check_deprecation
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: c:\windows\system32\biolsp.dll
    DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://www.taylorbeanonline.com/scriptx/smsx.cab
    DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\QQ~1\applic~1\mozilla\firefox\profiles\2aolohio.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - component: c:\documents and settings\QQ\application data\mozilla\firefox\profiles\2aolohio.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\documents and settings\QQ\application data\mozilla\firefox\profiles\2aolohio.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\QQ\application data\move networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\documents and settings\QQ\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\QQ\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\QQ\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\picasa2\npPicasa2.dll
    FF - plugin: c:\program files\picasa2\npPicasa3.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\QQ\application data\Move Networks
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: XULRunner: {EE93ACF3-385D-4ECB-AD31-B6F42CB9B98F} - c:\documents and settings\QQ\local settings\application data\{EE93ACF3-385D-4ECB-AD31-B6F42CB9B98F}
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Ask Toolbar for Firefox: {E9A1DEE0-C623-4439-8932-001E7D17607D} - %profile%\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: vShare: vshare@toolbar - %profile%\extensions\vshare@toolbar

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-17 294608]
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
    R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-10-3 464264]
    R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-10-3 234888]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-1-17 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-17 40384]
    R2 SCAppMgr;Smart Client App Manager;c:\program files\ellie mae\scappmgr\SCAppMgr.exe [2009-5-21 65536]
    R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
    R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]
    R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
    R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-10-20 30192]
    S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

    =============== Created Last 30 ================

    2011-01-17 22:15:44 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-17 22:15:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2011-01-17 19:25:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-01-17 19:25:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-17 19:25:08 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-01-17 19:16:15 -------- d-----w- c:\windows\system32\appmgmt
    2011-01-17 18:54:04 -------- d-----w- c:\docume~1\QQ~1\locals~1\applic~1\Secunia PSI
    2011-01-17 18:53:52 -------- d-----w- c:\program files\Secunia
    2011-01-15 23:35:13 -------- d-----w- c:\docume~1\QQ~1\applic~1\Malwarebytes
    2011-01-15 23:34:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-15 23:34:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-01-15 23:34:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-15 23:34:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-15 13:33:53 -------- d-----w- c:\docume~1\QQ~1\locals~1\applic~1\{EE93ACF3-385D-4ECB-AD31-B6F42CB9B98F}

    ==================== Find3M ====================

    2010-12-29 04:34:53 741376 ----a-w- c:\windows\system32\GNetMX.ocx
    2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-08 06:20:24 89088 ----a-w- c:\windows\MBR.exe
    2004-08-04 10:00:00 94784 --sh--w- c:\windows\twain.dll
    2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
    2010-09-18 06:53:25 974848 --sha-w- c:\windows\system32\mfc42.dll
    2008-04-14 00:12:01 57344 --sh--w- c:\windows\system32\msvcirt.dll
    2008-04-14 00:12:01 413696 --sh--w- c:\windows\system32\msvcp60.dll
    2008-04-14 00:12:01 343040 --sh--w- c:\windows\system32\msvcrt.dll
    2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
    2008-04-14 00:12:02 84992 --sh--w- c:\windows\system32\olepro32.dll
    2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD1200BEVS-75UST0 rev.01.01A01 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A4B6555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4bc7b0]; MOV EAX, [0x8a4bc82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A588AB8]
    3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A53FE78]
    \Driver\atapi[0x8A5B2C50] -> IRP_MJ_CREATE -> 0x8A4B6555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskWDC_WD1200BEVS-75UST0___________________01.01A01#5&16482f9&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A4B639B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 21:42:59.60 ===============
     
  2. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================================================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  3. kikehisy

    kikehisy TS Rookie Topic Starter

    Thanks Broni!

    After running TDSSKiller, Firefox and Chrome are working!

    Log below:

    2011/01/18 08:32:30.0875 TDSS rootkit removing tool 2.4.14.0 Jan 18 2011 09:33:51
    2011/01/18 08:32:30.0875 ================================================================================
    2011/01/18 08:32:30.0875 SystemInfo:
    2011/01/18 08:32:30.0875
    2011/01/18 08:32:30.0875 OS Version: 5.1.2600 ServicePack: 3.0
    2011/01/18 08:32:30.0875 Product type: Workstation
    2011/01/18 08:32:30.0875 ComputerName: QQ
    2011/01/18 08:32:30.0875 UserName: QQ
    2011/01/18 08:32:30.0875 Windows directory: C:\WINDOWS
    2011/01/18 08:32:30.0875 System windows directory: C:\WINDOWS
    2011/01/18 08:32:30.0875 Processor architecture: Intel x86
    2011/01/18 08:32:30.0875 Number of processors: 2
    2011/01/18 08:32:30.0875 Page size: 0x1000
    2011/01/18 08:32:30.0875 Boot type: Normal boot
    2011/01/18 08:32:30.0875 ================================================================================
    2011/01/18 08:32:31.0015 Initialize success
    2011/01/18 08:32:35.0218 ================================================================================
    2011/01/18 08:32:35.0218 Scan started
    2011/01/18 08:32:35.0218 Mode: Manual;
    2011/01/18 08:32:35.0218 ================================================================================
    2011/01/18 08:32:36.0875 Aavmker4 (479c9835b91147be1a92cb76fad9c6de) C:\WINDOWS\system32\drivers\Aavmker4.sys
    2011/01/18 08:32:37.0062 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
    2011/01/18 08:32:37.0125 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/01/18 08:32:37.0171 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/01/18 08:32:37.0187 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
    2011/01/18 08:32:37.0250 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/01/18 08:32:37.0281 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/01/18 08:32:37.0343 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2011/01/18 08:32:37.0359 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
    2011/01/18 08:32:37.0390 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
    2011/01/18 08:32:37.0406 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
    2011/01/18 08:32:37.0421 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
    2011/01/18 08:32:37.0453 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
    2011/01/18 08:32:37.0468 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
    2011/01/18 08:32:37.0515 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
    2011/01/18 08:32:37.0531 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
    2011/01/18 08:32:37.0578 ApfiltrService (b8d65da679a4a8d048783ede2691b5d4) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
    2011/01/18 08:32:37.0625 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
    2011/01/18 08:32:37.0656 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/01/18 08:32:37.0703 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
    2011/01/18 08:32:37.0718 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
    2011/01/18 08:32:37.0734 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
    2011/01/18 08:32:37.0796 aswFsBlk (cba53c5e29ae0a0ce76f9a2be3a40d9e) C:\WINDOWS\system32\drivers\aswFsBlk.sys
    2011/01/18 08:32:37.0843 aswMon2 (a1c52b822b7b8a5c2162d38f579f97b7) C:\WINDOWS\system32\drivers\aswMon2.sys
    2011/01/18 08:32:37.0875 aswRdr (b6e8c5874377a42756c282fac2e20836) C:\WINDOWS\system32\drivers\aswRdr.sys
    2011/01/18 08:32:37.0953 aswSP (b93a553c9b0f14263c8f016a44c3258c) C:\WINDOWS\system32\drivers\aswSP.sys
    2011/01/18 08:32:38.0000 aswTdi (1408421505257846eb336feeef33352d) C:\WINDOWS\system32\drivers\aswTdi.sys
    2011/01/18 08:32:38.0046 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/01/18 08:32:38.0093 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/01/18 08:32:38.0187 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/01/18 08:32:38.0218 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/01/18 08:32:38.0250 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
    2011/01/18 08:32:38.0375 BASFND (5c68ac6f3e5b3e6d6a78e97d05e42c3a) C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
    2011/01/18 08:32:38.0437 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/01/18 08:32:38.0640 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
    2011/01/18 08:32:38.0656 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/01/18 08:32:38.0703 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/01/18 08:32:38.0734 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
    2011/01/18 08:32:38.0781 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/01/18 08:32:38.0828 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/01/18 08:32:38.0875 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/01/18 08:32:38.0953 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/01/18 08:32:38.0984 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
    2011/01/18 08:32:39.0000 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/01/18 08:32:39.0046 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
    2011/01/18 08:32:39.0125 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
    2011/01/18 08:32:39.0156 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
    2011/01/18 08:32:39.0171 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
    2011/01/18 08:32:39.0187 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/01/18 08:32:39.0250 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/01/18 08:32:39.0281 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/01/18 08:32:39.0296 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/01/18 08:32:39.0343 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/01/18 08:32:39.0406 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
    2011/01/18 08:32:39.0453 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
    2011/01/18 08:32:39.0468 Dot4Scan (bd05306428da63369692477ddc0f6f5f) C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys
    2011/01/18 08:32:39.0500 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
    2011/01/18 08:32:39.0515 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
    2011/01/18 08:32:39.0578 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/01/18 08:32:39.0640 DXEC01 (549734664886d91222969845e4311d1b) C:\WINDOWS\system32\drivers\dxec01.sys
    2011/01/18 08:32:39.0687 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2011/01/18 08:32:39.0750 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/01/18 08:32:39.0781 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/01/18 08:32:39.0843 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/01/18 08:32:39.0875 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/01/18 08:32:39.0937 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/01/18 08:32:39.0953 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/01/18 08:32:39.0968 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/01/18 08:32:40.0046 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/01/18 08:32:40.0078 guardian2 (7dadeb7f2215b1f883267cad67f091c1) C:\WINDOWS\system32\Drivers\oz776.sys
    2011/01/18 08:32:40.0125 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/01/18 08:32:40.0171 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/01/18 08:32:40.0218 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
    2011/01/18 08:32:40.0281 HSFHWAZL (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
    2011/01/18 08:32:40.0328 HSF_DPV (ddbd528e60f5961c142a490dc4ea7780) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
    2011/01/18 08:32:40.0406 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/01/18 08:32:40.0468 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
    2011/01/18 08:32:40.0500 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
    2011/01/18 08:32:40.0562 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/01/18 08:32:40.0812 ialm (200cca76cd0e0f7eec78fa56c29b4d67) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
    2011/01/18 08:32:41.0046 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/01/18 08:32:41.0109 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
    2011/01/18 08:32:41.0140 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/01/18 08:32:41.0187 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/01/18 08:32:41.0234 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/01/18 08:32:41.0265 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/01/18 08:32:41.0296 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/01/18 08:32:41.0343 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/01/18 08:32:41.0375 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/01/18 08:32:41.0406 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/01/18 08:32:41.0453 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/01/18 08:32:41.0484 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/01/18 08:32:41.0531 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/01/18 08:32:41.0562 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/01/18 08:32:41.0625 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    2011/01/18 08:32:41.0640 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/01/18 08:32:41.0703 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/01/18 08:32:41.0718 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/01/18 08:32:41.0750 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/01/18 08:32:41.0750 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/01/18 08:32:41.0796 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
    2011/01/18 08:32:41.0828 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/01/18 08:32:41.0875 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/01/18 08:32:41.0906 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/01/18 08:32:41.0984 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/01/18 08:32:42.0031 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/01/18 08:32:42.0078 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/01/18 08:32:42.0125 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/01/18 08:32:42.0171 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/01/18 08:32:42.0187 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/01/18 08:32:42.0250 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/01/18 08:32:42.0296 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/01/18 08:32:42.0343 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/01/18 08:32:42.0406 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/01/18 08:32:42.0421 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/01/18 08:32:42.0437 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/01/18 08:32:42.0453 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/01/18 08:32:42.0484 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/01/18 08:32:42.0531 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/01/18 08:32:42.0640 NETw4x32 (b5ab1108b377b5f3d37409fabda01453) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
    2011/01/18 08:32:42.0890 NETw5x32 (aa88346ab7849a1cb34bd3424febfece) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
    2011/01/18 08:32:43.0109 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/01/18 08:32:43.0156 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/01/18 08:32:43.0218 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/01/18 08:32:43.0265 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/01/18 08:32:43.0343 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/01/18 08:32:43.0437 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/01/18 08:32:43.0453 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/01/18 08:32:43.0484 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/01/18 08:32:43.0562 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/01/18 08:32:43.0578 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/01/18 08:32:43.0609 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/01/18 08:32:43.0625 PBADRV (e3e6e724d6a82ab6a2afbcb21180ffce) C:\WINDOWS\system32\DRIVERS\PBADRV.sys
    2011/01/18 08:32:43.0640 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/01/18 08:32:43.0656 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/01/18 08:32:43.0671 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2011/01/18 08:32:43.0750 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
    2011/01/18 08:32:43.0765 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
    2011/01/18 08:32:43.0843 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/01/18 08:32:43.0859 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/01/18 08:32:43.0906 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
    2011/01/18 08:32:43.0906 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/01/18 08:32:43.0921 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/01/18 08:32:43.0937 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
    2011/01/18 08:32:43.0953 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
    2011/01/18 08:32:43.0984 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
    2011/01/18 08:32:44.0000 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
    2011/01/18 08:32:44.0015 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
    2011/01/18 08:32:44.0062 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/01/18 08:32:44.0078 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/01/18 08:32:44.0093 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/01/18 08:32:44.0109 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/01/18 08:32:44.0140 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/01/18 08:32:44.0156 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/01/18 08:32:44.0203 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/01/18 08:32:44.0234 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/01/18 08:32:44.0265 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/01/18 08:32:44.0312 s24trans (87940243ea2ad3ebe274f5409c5e9072) C:\WINDOWS\system32\DRIVERS\s24trans.sys
    2011/01/18 08:32:44.0359 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/01/18 08:32:44.0421 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/01/18 08:32:44.0453 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/01/18 08:32:44.0531 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
    2011/01/18 08:32:44.0593 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
    2011/01/18 08:32:44.0640 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/01/18 08:32:44.0671 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
    2011/01/18 08:32:44.0718 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/01/18 08:32:44.0734 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/01/18 08:32:44.0781 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/01/18 08:32:44.0859 STHDA (31ba85e1cff39a57f702a2a0877bb8e1) C:\WINDOWS\system32\drivers\sthda.sys
    2011/01/18 08:32:44.0921 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/01/18 08:32:44.0968 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/01/18 08:32:44.0984 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/01/18 08:32:45.0031 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
    2011/01/18 08:32:45.0046 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
    2011/01/18 08:32:45.0062 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
    2011/01/18 08:32:45.0078 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
    2011/01/18 08:32:45.0125 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/01/18 08:32:45.0218 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/01/18 08:32:45.0281 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/01/18 08:32:45.0312 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/01/18 08:32:45.0343 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/01/18 08:32:45.0359 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
    2011/01/18 08:32:45.0406 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/01/18 08:32:45.0453 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
    2011/01/18 08:32:45.0500 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/01/18 08:32:45.0578 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    2011/01/18 08:32:45.0640 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/01/18 08:32:45.0671 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/01/18 08:32:45.0703 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/01/18 08:32:45.0734 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/01/18 08:32:45.0796 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/01/18 08:32:45.0843 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/01/18 08:32:45.0906 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/01/18 08:32:45.0953 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
    2011/01/18 08:32:46.0000 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2011/01/18 08:32:46.0093 VNUSB (ae01e1ed5a81e0d268b91b4a6de5a872) C:\WINDOWS\system32\DRIVERS\VNUSB.sys
    2011/01/18 08:32:46.0156 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/01/18 08:32:46.0343 VX1000 (f4fab0b9d43a65f79fc838c94006f643) C:\WINDOWS\system32\DRIVERS\VX1000.sys
    2011/01/18 08:32:47.0046 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/01/18 08:32:47.0140 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/01/18 08:32:47.0281 winachsf (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    2011/01/18 08:32:47.0437 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2011/01/18 08:32:47.0531 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2011/01/18 08:32:47.0593 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/01/18 08:32:47.0656 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/01/18 08:32:47.0718 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/01/18 08:32:47.0796 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/01/18 08:32:47.0812 ================================================================================
    2011/01/18 08:32:47.0812 Scan finished
    2011/01/18 08:32:47.0812 ================================================================================
    2011/01/18 08:32:47.0828 Detected object count: 1
    2011/01/18 08:32:56.0640 \HardDisk0 - will be cured after reboot
    2011/01/18 08:32:56.0640 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2011/01/18 08:33:01.0921 Deinitialize success
     
  4. kikehisy

    kikehisy TS Rookie Topic Starter

    Doing a bit of research on this tdl4 rootkit, it seems like a pretty bad deal, with backdoor capability. What would you advise in terms of changing passwords, etc - does it matter whether or not I used them during the infected period? I'm not really familiar with how password stealing works. If I do need to change passwords, can I do it from this machine once you let me know that it appears to be clean?
     
  5. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Good news :)

    Regarding passwords....you should change them, as soon, as possible, using some other healthy computer.
    Do not access any sites requiring using those passwords from THIS machine until we're done with cleaning.

    =======================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ========================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  6. kikehisy

    kikehisy TS Rookie Topic Starter

    Thanks - here are the logs

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 141):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA4BC000 compbatt.sys
    0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xB9F4A000 pcmcia.sys
    0xBA0B8000 MountMgr.sys
    0xB9F2B000 ftdisk.sys
    0xB9F05000 dmio.sys
    0xBA330000 PartMgr.sys
    0xBA0C8000 VolSnap.sys
    0xB9EED000 atapi.sys
    0xBA0D8000 disk.sys
    0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9ECD000 fltmgr.sys
    0xB9EBB000 sr.sys
    0xBA0F8000 PxHelp20.sys
    0xB9EA4000 KSecDD.sys
    0xB9E17000 Ntfs.sys
    0xB9DEA000 NDIS.sys
    0xBA108000 PBADRV.sys
    0xBA118000 ohci1394.sys
    0xBA128000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xB9DD0000 Mup.sys
    0xBA148000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xB97B5000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB9243000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xB922F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xBA468000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB920B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA470000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB91E3000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB8E6C000 \SystemRoot\system32\DRIVERS\NETw5x32.sys
    0xB8E41000 \SystemRoot\system32\DRIVERS\b57xp32.sys
    0xBA168000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xB8E1D000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
    0xBA478000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA480000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA178000 \SystemRoot\system32\DRIVERS\serial.sys
    0xBA59C000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xBA188000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA198000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA1A8000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB8DFA000 \SystemRoot\system32\DRIVERS\ks.sys
    0xBA5A4000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xB9DAC000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xBA78A000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA1B8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB9DA8000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB8DE3000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA1C8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA1D8000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA488000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB8DD2000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA1E8000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA490000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA498000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB8DA2000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA1F8000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA5D0000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB8D44000 \SystemRoot\system32\DRIVERS\update.sys
    0xB9D88000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA208000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xBA228000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5D4000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xA8AB8000 \SystemRoot\system32\drivers\sthda.sys
    0xA8A94000 \SystemRoot\system32\drivers\portcls.sys
    0xBA238000 \SystemRoot\system32\drivers\drmk.sys
    0xA8A7C000 \SystemRoot\system32\drivers\dxec01.sys
    0xA8A48000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
    0xA8956000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
    0xA88A3000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xBA4A0000 \SystemRoot\System32\Drivers\Modem.SYS
    0xBA560000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xBA5DA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA6AC000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA5DC000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA4B0000 \SystemRoot\System32\drivers\vga.sys
    0xBA5DE000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA5E0000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA340000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA360000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xBA564000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xA8835000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xA7B1C000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xBA258000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xA7ACC000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xBA368000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xBA574000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xA7AAA000 \SystemRoot\System32\drivers\afd.sys
    0xBA268000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xA7A7F000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA7A0F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA278000 \SystemRoot\System32\Drivers\Fips.SYS
    0xBA588000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xBA288000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xBA378000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xBA58C000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xBA298000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xBA2A8000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xBA2B8000 \SystemRoot\System32\Drivers\oz776.sys
    0xB8D38000 \SystemRoot\System32\Drivers\SMCLIB.SYS
    0xA7900000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xB8D34000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
    0xBA388000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xBA2F8000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA78E8000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA5F8000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xA888B000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA398000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA6E5000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF024000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
    0xBF1D8000 \SystemRoot\System32\igxpdx32.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xBA4D4000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xA77CC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA77C4000 \SystemRoot\system32\DRIVERS\s24trans.sys
    0xA7561000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xA727C000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA7880000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA6CA9000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xBA5B8000 \??\C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
    0xA7431000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xA6A49000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA6378000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA6214000 \SystemRoot\system32\DRIVERS\psi_mf.sys
    0xA62A4000 \SystemRoot\system32\DRIVERS\asyncmac.sys
    0xA53BC000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xA5391000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 70):
    0 System Idle Process
    4 System
    828 C:\WINDOWS\system32\smss.exe
    876 csrss.exe
    904 C:\WINDOWS\system32\winlogon.exe
    952 C:\WINDOWS\system32\services.exe
    964 C:\WINDOWS\system32\lsass.exe
    1144 C:\WINDOWS\system32\svchost.exe
    1216 svchost.exe
    1272 C:\WINDOWS\system32\svchost.exe
    1324 C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    1420 svchost.exe
    1496 svchost.exe
    1840 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    1304 C:\WINDOWS\system32\spoolsv.exe
    1672 scardsvr.exe
    700 C:\WINDOWS\explorer.exe
    1708 C:\Program Files\Apoint\Apoint.exe
    1724 C:\WINDOWS\system32\hkcmd.exe
    1716 C:\WINDOWS\system32\igfxpers.exe
    1736 C:\WINDOWS\stsystra.exe
    1744 C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    1752 C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    1760 C:\WINDOWS\system32\KADxMain.exe
    1780 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    1868 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    1872 C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
    1904 C:\WINDOWS\vVX1000.exe
    1928 C:\Program Files\real\realplayer\Update\realsched.exe
    1944 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1952 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    1984 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    1996 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    2036 C:\WINDOWS\system32\ctfmon.exe
    2044 C:\Program Files\Skype\Phone\Skype.exe
    2084 C:\WINDOWS\system32\igfxsrvc.exe
    2332 C:\Program Files\Secunia\PSI\psi_tray.exe
    2408 C:\Program Files\Apoint\ApMsgFwd.exe
    2700 svchost.exe
    2932 C:\Program Files\Apoint\ApntEx.exe
    2952 C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    2964 C:\Program Files\Apoint\hidfind.exe
    3004 C:\Program Files\AskBarDis\bar\bin\AskService.exe
    3080 C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    3120 C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    3412 C:\Program Files\Java\jre6\bin\jqs.exe
    3516 C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    3716 C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    3752 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    3864 C:\Program Files\Ellie Mae\SCAppMgr\SCAppMgr.exe
    3964 C:\Program Files\Secunia\PSI\psia.exe
    392 C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
    584 C:\WINDOWS\system32\svchost.exe
    760 tcsd_win32.exe
    772 C:\WINDOWS\system32\dllhost.exe
    1524 C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe
    2476 C:\WINDOWS\system32\dllhost.exe
    3360 wmiprvse.exe
    4048 C:\WINDOWS\system32\wbem\unsecapp.exe
    1656 msdtc.exe
    1516 wmiprvse.exe
    3452 C:\Program Files\Internet Explorer\iexplore.exe
    3652 C:\Program Files\Internet Explorer\iexplore.exe
    2568 C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
    3296 C:\Program Files\Internet Explorer\iexplore.exe
    1336 C:\Program Files\Internet Explorer\iexplore.exe
    1168 C:\Documents and Settings\QQ\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
    5788 C:\Program Files\Internet Explorer\iexplore.exe
    5048 C:\WINDOWS\system32\zstatus.exe
    1808 C:\Documents and Settings\QQ\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`04e71400 (NTFS)

    PhysicalDrive0 Model Number: WDCWD1200BEVS-75UST0, Rev: 01.01A01

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

    ComboFix 11-01-17.05 - QQ 01/18/2011 15:06:48.6.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1424 [GMT -5:00]
    Running from: c:\documents and settings\QQ\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\QQ\Local Settings\Application Data\{EE93ACF3-385D-4ECB-AD31-B6F42CB9B98F}
    c:\documents and settings\QQ\Local Settings\Application Data\{EE93ACF3-385D-4ECB-AD31-B6F42CB9B98F}\chrome.manifest
    c:\documents and settings\QQ\Local Settings\Application Data\{EE93ACF3-385D-4ECB-AD31-B6F42CB9B98F}\chrome\content\_cfg.js
    c:\documents and settings\QQ\Local Settings\Application Data\{EE93ACF3-385D-4ECB-AD31-B6F42CB9B98F}\chrome\content\overlay.xul
    c:\documents and settings\QQ\Local Settings\Application Data\{EE93ACF3-385D-4ECB-AD31-B6F42CB9B98F}\install.rdf

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-18 to 2011-01-18 )))))))))))))))))))))))))))))))
    .

    2011-01-17 22:16 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-01-17 22:16 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-01-17 22:16 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-01-17 22:16 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-01-17 22:15 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-01-17 22:15 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-01-17 22:15 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-01-17 22:15 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-17 22:15 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
    2011-01-17 22:15 . 2011-01-17 22:15 -------- d-----w- c:\program files\Alwil Software
    2011-01-17 22:15 . 2011-01-17 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2011-01-17 19:25 . 2011-01-17 19:25 -------- d-----w- c:\program files\Common Files\Java
    2011-01-17 19:25 . 2011-01-17 19:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-01-17 19:25 . 2011-01-17 19:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-17 19:25 . 2011-01-17 19:24 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-01-17 19:07 . 2011-01-17 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2011-01-17 19:06 . 2011-01-17 19:06 -------- d-----w- c:\program files\Common Files\Apple
    2011-01-17 19:06 . 2011-01-17 19:06 -------- d-----w- c:\program files\Apple Software Update
    2011-01-17 19:06 . 2011-01-17 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2011-01-17 18:54 . 2011-01-17 18:54 -------- d-----w- c:\documents and settings\QQ\Local Settings\Application Data\Secunia PSI
    2011-01-17 18:53 . 2011-01-17 18:53 -------- d-----w- c:\program files\Secunia
    2011-01-17 13:51 . 2011-01-17 13:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-01-15 23:35 . 2011-01-15 23:35 -------- d-----w- c:\documents and settings\QQ\Application Data\Malwarebytes
    2011-01-15 23:34 . 2011-01-15 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-15 23:34 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-15 23:34 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-15 23:34 . 2011-01-15 23:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-29 04:34 . 2009-05-27 21:12 741376 ----a-w- c:\windows\system32\GNetMX.ocx
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-01-17 19:30 . 2008-02-06 00:30 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2004-08-04 10:00 94784 --sh--w- c:\windows\twain.dll
    2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
    2010-09-18 06:53 974848 --sha-w- c:\windows\system32\mfc42.dll
    2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll
    2008-04-14 00:12 413696 --sh--w- c:\windows\system32\msvcp60.dll
    2008-04-14 00:12 343040 --sh--w- c:\windows\system32\msvcrt.dll
    2008-04-14 00:12 551936 --sh--w- c:\windows\system32\oleaut32.dll
    2008-04-14 00:12 84992 --sh--w- c:\windows\system32\olepro32.dll
    2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "Google Update"="c:\documents and settings\QQ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]
    "RNQYXiJlQCTsVhJ.exe"="c:\documents and settings\All Users\Application Data\RNQYXiJlQCTsVhJ.exe" [BU]
    "Mqakumofutocal"="c:\windows\pnagrx3.dll" [BU]
    "nEjKG5gYOW"="c:\documents and settings\All Users\Application Data\nEjKG5gYOW.exe" [BU]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-03 16943496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
    "Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
    "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
    "VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-11-28 274608]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-01-17 30192]
    "Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-01-17 161336]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    2001-07-03 13:11 57344 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Documents and Settings\\QQ\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/17/2011 5:16 PM 294608]
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]
    R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [10/3/2009 9:26 AM 464264]
    R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [10/3/2009 9:27 AM 234888]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/17/2011 5:16 PM 17744]
    R2 SCAppMgr;Smart Client App Manager;c:\program files\Ellie Mae\SCAppMgr\SCAppMgr.exe [5/21/2009 1:49 PM 65536]
    R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [1/10/2011 9:24 AM 993848]
    R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [1/10/2011 9:24 AM 399416]
    R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 5:00 PM 5120]
    R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:37 AM 135664]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/20/2007 2:59 PM 30192]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2011-01-18 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-31 19:31]

    2011-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 14:37]

    2011-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 14:37]

    2011-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2217255891-2010983865-943666668-1005Core.job
    - c:\documents and settings\QQ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 02:47]

    2011-01-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2217255891-2010983865-943666668-1005UA.job
    - c:\documents and settings\QQ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 02:47]

    2011-01-15 c:\windows\Tasks\Norton Security Scan.job
    - c:\program files\Norton Security Scan\Nss.exe [2007-09-19 04:42]

    2011-01-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2217255891-2010983865-943666668-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

    2011-01-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2217255891-2010983865-943666668-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5071020
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:8893
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\biolsp.dll
    FF - ProfilePath - c:\documents and settings\QQ\Application Data\Mozilla\Firefox\Profiles\2aolohio.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\QQ\Application Data\Move Networks
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Ask Toolbar for Firefox: {E9A1DEE0-C623-4439-8932-001E7D17607D} - %profile%\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: vShare: vshare@toolbar - %profile%\extensions\vshare@toolbar
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-18 15:16
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(956)
    c:\windows\system32\biolsp.dll

    - - - - - - - > 'explorer.exe'(3204)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\WiFi\bin\S24EvMon.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\System32\SCardSvr.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft LifeCam\MSCamS32.exe
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
    c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    c:\program files\Intel\WiFi\bin\WLKeeper.exe
    c:\windows\system32\msdtc.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\stsystra.exe
    c:\program files\Apoint\ApMsgFwd.exe
    c:\program files\Apoint\HidFind.exe
    c:\program files\Apoint\Apntex.exe
    c:\windows\system32\wbem\unsecapp.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-18 15:23:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-18 20:23

    Pre-Run: 58,671,812,608 bytes free
    Post-Run: 58,740,645,888 bytes free

    - - End Of File - - F4B30998B6D437E45DA269D0E68723D1
     
  7. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\All Users\Application Data\RNQYXiJlQCTsVhJ.exe
    c:\windows\pnagrx3.dll
    c:\documents and settings\All Users\Application Data\nEjKG5gYOW.exe
    
    
    Folder::
    c:\program files\AskBarDis
    
    
    DDS::
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:8893
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
    [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=-
    [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RNQYXiJlQCTsVhJ.exe"=-
    "Mqakumofutocal"=-
    "nEjKG5gYOW"=-
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  8. kikehisy

    kikehisy TS Rookie Topic Starter

    Here's the new combofix log. The pnagrx3 error at startup is now gone. I figured whatever we just did was intended to solve that, given the code.

    ComboFix 11-01-17.05 - QQ 01/18/2011 17:26:59.7.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1382 [GMT -5:00]
    Running from: c:\documents and settings\QQ\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\QQ\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\AskBarDis
    c:\program files\AskBarDis\bar\bin\askBar.dll
    c:\program files\AskBarDis\bar\bin\askPopStp.dll
    c:\program files\AskBarDis\bar\bin\AskService.exe
    c:\program files\AskBarDis\bar\bin\AskSplash.exe
    c:\program files\AskBarDis\bar\bin\AskTBApp.exe
    c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe
    c:\program files\AskBarDis\bar\bin\psvince.dll
    c:\program files\AskBarDis\bar\Cache\0F55E396
    c:\program files\AskBarDis\bar\Cache\0F55E53C
    c:\program files\AskBarDis\bar\Cache\0F55E711.bin
    c:\program files\AskBarDis\bar\Cache\0F55E7BD.bin
    c:\program files\AskBarDis\bar\Cache\0F55E83A.bin
    c:\program files\AskBarDis\bar\Cache\0F55E8B7.bin
    c:\program files\AskBarDis\bar\Cache\0F55E972.bin
    c:\program files\AskBarDis\bar\Cache\0F55EA2E.bin
    c:\program files\AskBarDis\bar\Cache\0F55EB37.bin
    c:\program files\AskBarDis\bar\Cache\files.ini
    c:\program files\AskBarDis\bar\History\search
    c:\program files\AskBarDis\bar\Settings\AskLogo.ico
    c:\program files\AskBarDis\bar\Settings\config.dat
    c:\program files\AskBarDis\bar\Settings\config.dat.bak
    c:\program files\AskBarDis\bar\Settings\prevcfg.htm
    c:\program files\AskBarDis\bar\Settings\prevCfg2.htm
    c:\program files\AskBarDis\unins000.dat
    c:\program files\AskBarDis\unins000.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ASKService
    -------\Legacy_ASKUpgrade
    -------\Legacy_ASKService
    -------\Legacy_ASKUpgrade
    -------\Service_ASKService
    -------\Service_ASKUpgrade
    -------\Service_ASKService
    -------\Service_ASKUpgrade


    ((((((((((((((((((((((((( Files Created from 2010-12-18 to 2011-01-18 )))))))))))))))))))))))))))))))
    .

    2011-01-18 20:19 . 2011-01-18 20:19 -------- d-----w- c:\windows\LastGood.Tmp
    2011-01-17 22:16 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-01-17 22:16 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-01-17 22:16 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-01-17 22:16 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-01-17 22:15 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-01-17 22:15 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-01-17 22:15 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-01-17 22:15 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-17 22:15 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
    2011-01-17 22:15 . 2011-01-17 22:15 -------- d-----w- c:\program files\Alwil Software
    2011-01-17 22:15 . 2011-01-17 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2011-01-17 19:25 . 2011-01-17 19:25 -------- d-----w- c:\program files\Common Files\Java
    2011-01-17 19:25 . 2011-01-17 19:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-01-17 19:25 . 2011-01-17 19:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-17 19:25 . 2011-01-17 19:24 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-01-17 19:07 . 2011-01-17 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2011-01-17 19:06 . 2011-01-17 19:06 -------- d-----w- c:\program files\Common Files\Apple
    2011-01-17 19:06 . 2011-01-17 19:06 -------- d-----w- c:\program files\Apple Software Update
    2011-01-17 19:06 . 2011-01-17 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2011-01-17 18:54 . 2011-01-17 18:54 -------- d-----w- c:\documents and settings\QQ\Local Settings\Application Data\Secunia PSI
    2011-01-17 18:53 . 2011-01-17 18:53 -------- d-----w- c:\program files\Secunia
    2011-01-17 13:51 . 2011-01-17 13:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-01-15 23:35 . 2011-01-15 23:35 -------- d-----w- c:\documents and settings\QQ\Application Data\Malwarebytes
    2011-01-15 23:34 . 2011-01-15 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-15 23:34 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-15 23:34 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-15 23:34 . 2011-01-15 23:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-29 04:34 . 2009-05-27 21:12 741376 ----a-w- c:\windows\system32\GNetMX.ocx
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-01-17 19:30 . 2008-02-06 00:30 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2004-08-04 10:00 94784 --sh--w- c:\windows\twain.dll
    2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
    2010-09-18 06:53 974848 --sha-w- c:\windows\system32\mfc42.dll
    2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll
    2008-04-14 00:12 413696 --sh--w- c:\windows\system32\msvcp60.dll
    2008-04-14 00:12 343040 --sh--w- c:\windows\system32\msvcrt.dll
    2008-04-14 00:12 551936 --sh--w- c:\windows\system32\oleaut32.dll
    2008-04-14 00:12 84992 --sh--w- c:\windows\system32\olepro32.dll
    2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "Google Update"="c:\documents and settings\QQ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-03 16943496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
    "Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
    "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
    "VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-11-28 274608]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-01-17 30192]
    "Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-01-17 161336]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    2001-07-03 13:11 57344 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Documents and Settings\\QQ\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/17/2011 5:16 PM 294608]
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/17/2011 5:16 PM 17744]
    R2 SCAppMgr;Smart Client App Manager;c:\program files\Ellie Mae\SCAppMgr\SCAppMgr.exe [5/21/2009 1:49 PM 65536]
    R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [1/10/2011 9:24 AM 993848]
    R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [1/10/2011 9:24 AM 399416]
    R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 5:00 PM 5120]
    R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:37 AM 135664]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/20/2007 2:59 PM 30192]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2011-01-18 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-31 19:31]

    2011-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 14:37]

    2011-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 14:37]

    2011-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2217255891-2010983865-943666668-1005Core.job
    - c:\documents and settings\QQ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 02:47]

    2011-01-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2217255891-2010983865-943666668-1005UA.job
    - c:\documents and settings\QQ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 02:47]

    2011-01-15 c:\windows\Tasks\Norton Security Scan.job
    - c:\program files\Norton Security Scan\Nss.exe [2007-09-19 04:42]

    2011-01-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2217255891-2010983865-943666668-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

    2011-01-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2217255891-2010983865-943666668-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5071020
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\biolsp.dll
    FF - ProfilePath - c:\documents and settings\QQ\Application Data\Mozilla\Firefox\Profiles\2aolohio.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\QQ\Application Data\Move Networks
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Ask Toolbar for Firefox: {E9A1DEE0-C623-4439-8932-001E7D17607D} - %profile%\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: vShare: vshare@toolbar - %profile%\extensions\vshare@toolbar
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Ask Toolbar_is1 - c:\program files\AskBarDis\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-18 17:36
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(956)
    c:\windows\system32\biolsp.dll

    - - - - - - - > 'explorer.exe'(1004)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\WiFi\bin\S24EvMon.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\System32\SCardSvr.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft LifeCam\MSCamS32.exe
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\windows\stsystra.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
    c:\program files\Apoint\ApMsgFwd.exe
    c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    c:\program files\Apoint\HidFind.exe
    c:\program files\Apoint\Apntex.exe
    c:\program files\Intel\WiFi\bin\WLKeeper.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\msdtc.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-18 17:40:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-18 22:40

    Pre-Run: 58,729,623,552 bytes free
    Post-Run: 58,725,195,776 bytes free

    - - End Of File - - 2A1F251BAF44B1485A30F9390C431095
     
  9. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Looks good :)

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  10. kikehisy

    kikehisy TS Rookie Topic Starter

    The computer has pretty much worked like a charm since we eliminated that rootkit! The only issue came when I deactivated the Spybot TeaTimer realtime protection to run ComboFix. The icon I used, on the right side of the taskbar, disappeared (and I was not able to recover it through taskbar properties), so I could not turn the protection back on. I can't find that setting when I open Spybot from the program list, strangely. But it might not be a big deal long term - obviously Spybot didn't stop whatever attacked me, so perhaps I should go another direction for realtime spyware protection when all is said and done here. Does the Avast realtime protection that I now have enabled cover everything that Spybot does, thus rending Spybot superfluous?

    Here's the first part of the OTL log - the site is making me shorten it b/c the whole thing exceeds the character limit for one post

    OTL logfile created on: 1/18/2011 6:19:26 PM - Run 1
    OTL by OldTimer - Version 3.2.20.2 Folder = C:\Documents and Settings\QQ\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 111.70 Gb Total Space | 54.70 Gb Free Space | 48.97% Space Free | Partition Type: NTFS

    Computer Name: QQ | User Name: QQ | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/01/18 18:16:59 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\QQ\Desktop\OTL.exe
    PRC - [2011/01/17 17:46:05 | 000,065,536 | ---- | M] (Ellie Mae, Inc.) -- C:\Program Files\Ellie Mae\SCAppMgr\SCAppMgr.exe
    PRC - [2011/01/17 14:30:46 | 000,030,192 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    PRC - [2011/01/13 03:47:34 | 003,396,624 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    PRC - [2011/01/13 03:47:33 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    PRC - [2011/01/10 09:24:20 | 000,993,848 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe
    PRC - [2011/01/10 09:24:20 | 000,399,416 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe
    PRC - [2011/01/10 09:24:20 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi_tray.exe
    PRC - [2010/11/28 13:48:31 | 000,274,608 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\real\realplayer\Update\realsched.exe
    PRC - [2008/08/20 17:38:30 | 000,860,160 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    PRC - [2008/08/20 17:28:34 | 000,348,160 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe
    PRC - [2008/08/20 17:27:36 | 001,368,064 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
    PRC - [2008/08/20 17:18:34 | 000,905,216 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    PRC - [2008/08/20 17:08:02 | 000,466,944 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/05/17 16:45:33 | 000,271,720 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    PRC - [2007/05/14 14:21:40 | 000,475,136 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    PRC - [2007/04/15 21:49:16 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\hidfind.exe
    PRC - [2007/04/15 21:49:08 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
    PRC - [2007/04/15 21:49:08 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApMsgFwd.exe
    PRC - [2007/04/15 21:49:08 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
    PRC - [2007/02/18 23:27:16 | 000,090,112 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
    PRC - [2007/02/18 23:26:32 | 000,303,104 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
    PRC - [2007/02/01 09:21:22 | 001,466,368 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    PRC - [2007/01/30 15:32:42 | 000,102,400 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    PRC - [2007/01/22 11:53:02 | 000,212,992 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    PRC - [2006/12/19 14:21:48 | 000,079,432 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    PRC - [2006/10/20 17:23:38 | 000,118,784 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/01/18 18:16:59 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\QQ\Desktop\OTL.exe
    MOD - [2011/01/13 03:47:35 | 000,189,728 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\snxhk.dll
    MOD - [2010/11/28 13:48:54 | 000,040,448 | ---- | M] (RealNetworks, Inc.) -- C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    MOD - [2009/07/12 00:02:02 | 000,653,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
    MOD - [2009/07/12 00:02:00 | 000,569,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
    MOD - [2007/05/18 11:45:32 | 000,102,400 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hccutils.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - [2011/01/17 17:46:05 | 000,065,536 | ---- | M] (Ellie Mae, Inc.) [Auto | Running] -- C:\Program Files\Ellie Mae\SCAppMgr\SCAppMgr.exe -- (SCAppMgr)
    SRV - [2011/01/17 14:30:46 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-051210-111108)
    SRV - [2011/01/13 03:47:33 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2011/01/10 09:24:20 | 000,993,848 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\PSIA.exe -- (Secunia PSI Agent)
    SRV - [2011/01/10 09:24:20 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
    SRV - [2008/08/20 17:38:30 | 000,860,160 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
    SRV - [2008/08/20 17:28:34 | 000,348,160 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe -- (WLANKEEPER) Intel(R)
    SRV - [2008/08/20 17:18:34 | 000,905,216 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor)
    SRV - [2008/08/20 17:08:02 | 000,466,944 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
    SRV - [2007/05/17 16:45:33 | 000,271,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
    SRV - [2007/05/14 14:21:40 | 000,475,136 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
    SRV - [2007/02/18 23:27:16 | 000,090,112 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe -- (STacSV)
    SRV - [2007/02/01 09:21:22 | 001,466,368 | ---- | M] () [Auto | Running] -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe -- (tcsd_win32.exe)
    SRV - [2007/01/29 21:59:58 | 000,487,424 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe -- (SecureStorageService)
    SRV - [2006/12/19 14:21:48 | 000,079,432 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
    DRV - [2011/01/13 03:41:16 | 000,294,608 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011/01/13 03:40:16 | 000,047,440 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011/01/13 03:40:04 | 000,100,176 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2011/01/13 03:37:30 | 000,023,632 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011/01/13 03:37:11 | 000,029,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2011/01/13 03:37:09 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010/09/01 03:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
    DRV - [2008/08/29 00:34:30 | 003,632,384 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel(R)
    DRV - [2008/08/04 12:32:26 | 000,011,904 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
    DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
    DRV - [2008/04/13 13:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
    DRV - [2008/04/13 13:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
    DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
    DRV - [2007/08/12 18:05:34 | 002,211,456 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel(R)
    DRV - [2007/05/18 11:45:40 | 005,707,744 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
    DRV - [2007/04/15 21:49:08 | 000,132,608 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
    DRV - [2007/04/10 16:46:53 | 001,966,312 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VX1000.sys -- (VX1000)
    DRV - [2007/03/18 15:44:38 | 000,160,256 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2007/02/18 23:27:34 | 001,228,296 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
    DRV - [2007/01/31 18:19:04 | 000,989,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
    DRV - [2007/01/31 18:19:02 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2007/01/31 18:19:02 | 000,209,152 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
    DRV - [2007/01/30 17:37:18 | 000,056,320 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
    DRV - [2007/01/18 15:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
    DRV - [2006/12/19 14:21:52 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\BASFND.sys -- (BASFND)
    DRV - [2006/11/02 12:32:32 | 000,097,536 | ---- | M] (Knowles Acoustics) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dxec01.sys -- (DXEC01)
    DRV - [2006/08/28 15:00:44 | 000,019,968 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\PBADRV.sys -- (PBADRV)
    DRV - [2006/04/07 03:06:38 | 000,038,496 | R--- | M] (OLYMPUS IMAGING CORP.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VNUSB.sys -- (VNUSB)
    DRV - [2005/08/12 17:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
    DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
    DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
    DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
    DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
    DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
    DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
    DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
    DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
    DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
    DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
    DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
    DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
    DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
    DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
    DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
    DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5071020
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5071020


    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5071020
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5071020
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-2217255891-2010983865-943666668-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
    IE - HKU\S-1-5-21-2217255891-2010983865-943666668-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKU\S-1-5-21-2217255891-2010983865-943666668-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-2217255891-2010983865-943666668-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Ask"
    FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
    FF - prefs.js..browser.search.order.1: "Ask"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
    FF - prefs.js..extensions.enabledItems: {E9A1DEE0-C623-4439-8932-001E7D17607D}:2.1.0.5
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
    FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0
    FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.1
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..keyword.URL: "http://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q="

    FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2008/11/24 14:42:32 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/11/28 13:48:55 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/17 17:39:54 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/17 14:25:08 | 000,000,000 | ---D | M]

    [2008/11/30 09:07:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\QQ\Application Data\Mozilla\Extensions
    [2011/01/18 15:37:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\QQ\Application Data\Mozilla\Firefox\Profiles\2aolohio.default\extensions
    [2009/11/04 14:28:51 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\QQ\Application Data\Mozilla\Firefox\Profiles\2aolohio.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/01/15 08:46:19 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\QQ\Application Data\Mozilla\Firefox\Profiles\2aolohio.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    [2009/10/03 09:26:47 | 000,000,000 | ---D | M] ("Ask Toolbar for Firefox") -- C:\Documents and Settings\QQ\Application Data\Mozilla\Firefox\Profiles\2aolohio.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
    [2010/11/28 13:45:22 | 000,000,000 | ---D | M] (vShare) -- C:\Documents and Settings\QQ\Application Data\Mozilla\Firefox\Profiles\2aolohio.default\extensions\vshare@toolbar
    [2009/10/03 14:01:38 | 000,000,681 | ---- | M] () -- C:\Documents and Settings\QQ\Application Data\Mozilla\Firefox\Profiles\2aolohio.default\searchplugins\ask.xml
    [2011/01/18 08:37:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/01/17 14:25:10 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    [2010/11/28 13:48:55 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
    [2009/11/21 14:29:46 | 000,000,000 | ---D | M] (Move Media Player) -- C:\DOCUMENTS AND SETTINGS\QQ\APPLICATION DATA\MOVE NETWORKS
    [2011/01/17 14:24:56 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2011/01/17 14:24:54 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

    O1 HOSTS File: ([2011/01/18 17:35:06 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
    O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
    O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
    O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
    O3 - HKU\S-1-5-21-2217255891-2010983865-943666668-1005\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
    O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe (Wave Systems Corp.)
    O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
    O4 - HKLM..\Run: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (Google)
    O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel(R) Corporation)
    O4 - HKLM..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe (Knowles Acoustics)
    O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe (Wave Systems Corp.)
    O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
    O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
    O4 - HKLM..\Run: [VX1000] C:\WINDOWS\vVX1000.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-21-2217255891-2010983865-943666668-1005..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2217255891-2010983865-943666668-1005\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKU\S-1-5-21-2217255891-2010983865-943666668-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-2217255891-2010983865-943666668-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-2217255891-2010983865-943666668-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
    O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
    O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\biolsp.dll (Wave Systems Corp.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\biolsp.dll (Wave Systems Corp.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\biolsp.dll (Wave Systems Corp.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\System32\biolsp.dll (Wave Systems Corp.)
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} https://www.taylorbeanonline.com/scriptx/smsx.cab (MeadCo ScriptX)
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/FacebookPhotoUploader2.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\QQ\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\QQ\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (56308606093492224)

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/01/18 18:16:56 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\QQ\Desktop\OTL.exe
    [2011/01/18 08:07:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\QQ\Desktop\tdsskiller
    [2011/01/17 17:42:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Desktop
    [2011/01/17 17:16:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
    [2011/01/17 17:16:03 | 000,294,608 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2011/01/17 17:16:03 | 000,017,744 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2011/01/17 17:16:01 | 000,047,440 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2011/01/17 17:16:01 | 000,023,632 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2011/01/17 17:15:59 | 000,100,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2011/01/17 17:15:59 | 000,094,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2011/01/17 17:15:59 | 000,029,392 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2011/01/17 17:15:44 | 000,188,216 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2011/01/17 17:15:44 | 000,038,848 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [2011/01/17 17:15:34 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
    [2011/01/17 17:15:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2011/01/17 17:05:23 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\QQ\Desktop\TFC.exe
    [2011/01/17 14:25:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2011/01/17 14:16:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
    [2011/01/17 14:08:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
    [2011/01/17 14:08:01 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
    [2011/01/17 14:07:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
    [2011/01/17 14:06:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
    [2011/01/17 14:06:43 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
    [2011/01/17 14:06:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
    [2011/01/17 14:01:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
    [2011/01/17 13:54:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\QQ\Local Settings\Application Data\Secunia PSI
    [2011/01/17 13:53:52 | 000,000,000 | ---D | C] -- C:\Program Files\Secunia
    [2011/01/17 13:52:46 | 001,739,024 | ---- | C] (Secunia) -- C:\Documents and Settings\QQ\Desktop\PSISetup.exe
    [2011/01/17 08:51:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
    [2011/01/15 18:35:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\QQ\Application Data\Malwarebytes
    [2011/01/15 18:35:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/01/15 18:34:59 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/01/15 18:34:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2011/01/15 18:34:56 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/01/15 18:34:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/01/15 10:31:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2011/01/15 09:59:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Real
    [2011/01/15 09:58:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2011/01/15 08:56:55 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/01/15 08:55:34 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
    [2011/01/15 08:42:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun

    ========== Files - Modified Within 30 Days ==========

    [2011/01/18 18:19:00 | 000,000,292 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2217255891-2010983865-943666668-1005.job
    [2011/01/18 18:18:59 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2217255891-2010983865-943666668-1005.job
    [2011/01/18 18:16:59 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\QQ\Desktop\OTL.exe
    [2011/01/18 17:59:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/01/18 17:39:55 | 000,446,384 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/01/18 17:39:55 | 000,073,424 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/01/18 17:38:00 | 000,001,006 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2217255891-2010983865-943666668-1005UA.job
    [2011/01/18 17:36:07 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/01/18 17:35:39 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
    [2011/01/18 17:35:06 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/01/18 17:34:56 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/01/18 17:34:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/01/18 17:34:46 | 2136,961,024 | -HS- | M] () -- C:\hiberfil.sys
    [2011/01/18 15:00:06 | 004,157,342 | R--- | M] () -- C:\Documents and Settings\QQ\Desktop\ComboFix.exe
    [2011/01/18 14:52:10 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\MBRCheck.exe
    [2011/01/18 08:08:05 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/01/18 08:06:28 | 001,236,025 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\tdsskiller.zip
    [2011/01/17 18:38:04 | 000,000,954 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2217255891-2010983865-943666668-1005Core.job
    [2011/01/17 17:46:33 | 000,002,700 | ---- | M] () -- C:\WINDOWS\System32\InstallUtil.InstallLog
    [2011/01/17 17:16:04 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2011/01/17 17:16:00 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2011/01/17 17:07:03 | 000,624,128 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\dds.scr
    [2011/01/17 17:06:24 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\step 4.exe
    [2011/01/17 17:05:30 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\QQ\Desktop\TFC.exe
    [2011/01/17 14:36:06 | 000,001,594 | ---- | M] () -- C:\WINDOWS\VPNUnInstall.MIF
    [2011/01/17 14:14:57 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
    [2011/01/17 14:08:23 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
    [2011/01/17 14:06:46 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2011/01/17 14:01:10 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
    [2011/01/17 13:54:00 | 000,000,753 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
    [2011/01/17 13:52:57 | 001,739,024 | ---- | M] (Secunia) -- C:\Documents and Settings\QQ\Desktop\PSISetup.exe
    [2011/01/17 13:44:08 | 000,719,873 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\iExplore.exe
    [2011/01/15 18:35:00 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/01/15 08:34:45 | 000,000,422 | ---- | M] () -- C:\WINDOWS\tasks\Norton Security Scan.job
    [2011/01/15 08:33:39 | 000,000,272 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~nEjKG5gYOW
    [2011/01/15 08:33:39 | 000,000,152 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~nEjKG5gYOWr
    [2011/01/15 08:33:38 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\nEjKG5gYOW
    [2011/01/14 14:00:03 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
    [2011/01/13 03:47:35 | 000,038,848 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [2011/01/13 03:47:32 | 000,188,216 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2011/01/13 03:41:16 | 000,294,608 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2011/01/13 03:40:16 | 000,047,440 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2011/01/13 03:40:04 | 000,100,176 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2011/01/13 03:39:50 | 000,094,544 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2011/01/13 03:37:30 | 000,023,632 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2011/01/13 03:37:11 | 000,029,392 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2011/01/13 03:37:09 | 000,017,744 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2011/01/02 23:33:19 | 002,720,256 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\Sloan Family Update - Jan 2011.doc
    [2010/12/31 11:23:23 | 000,005,102 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\report1.tsv
    [2010/12/31 11:18:25 | 000,002,554 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\report.tsv
    [2010/12/30 10:50:30 | 000,001,342 | ---- | M] () -- C:\WINDOWS\winpoint.ini
    [2010/12/28 23:34:53 | 000,741,376 | ---- | M] (Genesis 2000, Inc.) -- C:\WINDOWS\System32\GNetMX.ocx
    [2010/12/27 23:06:20 | 001,508,210 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\DSCF6398.JPG
    [2010/12/27 23:03:52 | 001,496,519 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\DSCF6399.JPG
    [2010/12/26 23:17:41 | 000,041,454 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\greece1.jpg
    [2010/12/26 23:17:29 | 000,037,054 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\greece2.jpg
    [2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
     
  11. kikehisy

    kikehisy TS Rookie Topic Starter

    OTL log, part 2

    ========== Files Created - No Company Name ==========

    [2011/01/18 14:59:51 | 004,157,342 | R--- | C] () -- C:\Documents and Settings\QQ\Desktop\ComboFix.exe
    [2011/01/18 14:52:10 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\QQ\Desktop\MBRCheck.exe
    [2011/01/18 08:06:28 | 001,236,025 | ---- | C] () -- C:\Documents and Settings\QQ\Desktop\tdsskiller.zip
    [2011/01/17 17:16:04 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2011/01/17 17:07:01 | 000,624,128 | ---- | C] () -- C:\Documents and Settings\QQ\Desktop\dds.scr
    [2011/01/17 17:06:21 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\QQ\Desktop\step 4.exe
    [2011/01/17 14:35:11 | 000,001,594 | ---- | C] () -- C:\WINDOWS\VPNUnInstall.MIF
    [2011/01/17 14:08:23 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
    [2011/01/17 14:01:10 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
    [2011/01/17 13:54:00 | 000,000,753 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
    [2011/01/17 13:44:06 | 000,719,873 | ---- | C] () -- C:\Documents and Settings\QQ\Desktop\iExplore.exe
    [2011/01/15 19:12:33 | 2136,961,024 | -HS- | C] () -- C:\hiberfil.sys
    [2011/01/15 18:35:00 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/01/15 08:33:39 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~nEjKG5gYOW
    [2011/01/15 08:33:39 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~nEjKG5gYOWr
    [2011/01/15 08:33:37 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\nEjKG5gYOW
    [2011/01/02 23:33:19 | 002,720,256 | ---- | C] () -- C:\Documents and Settings\QQ\Desktop\Sloan Family Update - Jan 2011.doc
    [2010/12/31 11:23:38 | 000,005,102 | ---- | C] () -- C:\Documents and Settings\QQ\Desktop\report1.tsv
    [2010/12/31 11:18:41 | 000,002,554 | ---- | C] () -- C:\Documents and Settings\QQ\Desktop\report.tsv
    [2010/12/27 23:06:17 | 001,508,210 | ---- | C] () -- C:\Documents and Settings\QQ\Desktop\DSCF6398.JPG
    [2010/12/27 23:03:47 | 001,496,519 | ---- | C] () -- C:\Documents and Settings\QQ\Desktop\DSCF6399.JPG
    [2010/12/26 23:17:50 | 000,041,454 | ---- | C] () -- C:\Documents and Settings\QQ\Desktop\greece1.jpg
    [2010/12/26 23:17:28 | 000,037,054 | ---- | C] () -- C:\Documents and Settings\QQ\Desktop\greece2.jpg
    [2010/08/25 09:57:03 | 000,002,731 | ---- | C] () -- C:\WINDOWS\DevMgr.ini
    [2010/08/25 09:50:34 | 000,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI
    [2009/12/16 15:17:25 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\QQ\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/12/15 15:49:08 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini
    [2009/12/01 22:14:17 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\OdiOlDVR.dll
    [2009/12/01 22:14:17 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\OdiAPI.dll
    [2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
    [2008/01/24 11:50:27 | 000,233,525 | ---- | C] () -- C:\WINDOWS\System32\isutil.dll
    [2008/01/24 11:47:59 | 000,000,271 | ---- | C] () -- C:\WINDOWS\apptune.ini
    [2007/11/09 11:30:27 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
    [2007/11/02 18:53:21 | 000,000,058 | ---- | C] () -- C:\WINDOWS\mchguid.ini
    [2007/11/02 18:53:21 | 000,000,058 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mchguid.ini
    [2007/11/02 18:49:37 | 000,003,679 | ---- | C] () -- C:\WINDOWS\GrAddrBk.ini
    [2007/11/02 18:49:37 | 000,000,995 | ---- | C] () -- C:\WINDOWS\GRACE.INI
    [2007/11/02 18:49:32 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\QQ\Local Settings\Application Data\fusioncache.dat
    [2007/11/02 18:47:52 | 000,001,342 | ---- | C] () -- C:\WINDOWS\winpoint.ini
    [2007/10/20 15:01:33 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2007/10/20 14:53:32 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\pbadrvdll.dll
    [2007/10/20 14:50:19 | 001,736,704 | ---- | C] () -- C:\WINDOWS\System32\Tsp1.dll
    [2007/10/20 14:48:31 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll
    [2007/10/20 14:48:31 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\bioapi100.dll
    [2007/10/20 14:22:58 | 000,910,304 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
    [2007/10/20 14:22:58 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4831.dll
    [2007/10/20 14:21:57 | 000,001,120 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
    [2007/08/24 11:50:24 | 000,010,875 | ---- | C] () -- C:\WINDOWS\ESOA.INI
    [2007/08/24 11:50:24 | 000,000,053 | ---- | C] () -- C:\WINDOWS\PRSRVDLL.INI
    [2007/01/31 20:16:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\AmRes_en.dll
    [2007/01/31 20:11:14 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\OEM_Resources.dll
    [2007/01/31 20:08:44 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\AmRes_es.dll
    [2007/01/31 20:08:36 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ko.dll
    [2007/01/31 20:08:26 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\AmRes_de.dll
    [2007/01/31 20:08:18 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-BR.dll
    [2007/01/31 20:08:08 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fr.dll
    [2007/01/31 20:08:00 | 000,233,472 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ja.dll
    [2007/01/31 20:07:50 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ru.dll
    [2007/01/31 20:07:42 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\AmRes_it.dll
    [2007/01/31 20:07:34 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHS.dll
    [2007/01/31 20:07:24 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHT.dll
    [2007/01/31 13:09:46 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pt.dll
    [2007/01/31 13:09:26 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHT.dll
    [2007/01/31 13:09:06 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ko.dll
    [2007/01/31 13:08:46 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_es.dll
    [2007/01/31 13:08:26 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ru.dll
    [2007/01/31 13:08:06 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ja.dll
    [2007/01/31 13:07:46 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_it.dll
    [2007/01/31 13:07:26 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_de.dll
    [2007/01/31 13:07:04 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_fr.dll
    [2007/01/31 13:06:46 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHS.dll
    [2007/01/30 15:31:50 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\wxvault.dll
    [2007/01/30 15:30:30 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\detoured.dll
    [2007/01/02 09:14:20 | 000,835,584 | ---- | C] () -- C:\WINDOWS\System32\DemoLicense.dll
    [2006/08/25 13:31:08 | 000,225,280 | ---- | C] () -- C:\WINDOWS\System32\GN32.DLL
    [2006/08/25 13:31:08 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\GNetParserX.dll
    [2006/08/25 13:31:08 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\GNS2KZIP.DLL
    [2006/08/14 11:02:10 | 000,072,192 | ---- | C] () -- C:\WINDOWS\System32\xltZlib.dll
    [2006/01/24 09:33:16 | 000,221,184 | ---- | C] () -- C:\WINDOWS\System32\ExpLoansFromGenesis.dll
    [2004/09/10 12:34:00 | 000,917,504 | ---- | C] () -- C:\WINDOWS\System32\lmgr10.dll
    [2004/09/10 12:34:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll
    [2004/08/11 17:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
    [2004/08/11 17:07:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2002/11/23 17:48:16 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\win2000.dll

    ========== LOP Check ==========

    [2007/10/20 14:48:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Wave Systems Corp
    [2011/01/17 17:15:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2009/10/03 09:27:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
    [2007/11/09 11:30:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp
    [2009/05/26 06:49:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
    [2007/11/09 11:26:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon
    [2007/10/20 14:48:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
    [2010/05/09 17:58:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
    [2010/05/13 14:16:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
    [2010/01/15 10:56:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2007/11/09 11:30:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15
    [2007/10/20 14:50:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
    [2007/10/20 14:48:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Wave Systems Corp
    [2009/10/09 15:31:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\QQ\Application Data\Azureus
    [2010/05/13 16:59:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\QQ\Application Data\Dropbox
    [2010/08/24 14:49:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\QQ\Application Data\EllieMae
    [2010/01/15 11:04:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\QQ\Application Data\Encompass
    [2010/03/10 08:26:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\QQ\Application Data\ePASS
    [2009/05/26 06:49:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\QQ\Application Data\muvee Technologies
    [2007/11/09 11:26:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\QQ\Application Data\Nikon
    [2008/08/21 19:41:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\QQ\Application Data\Orbit
    [2011/01/18 08:06:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\QQ\Application Data\Wave Systems Corp
    [2008/01/27 21:31:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guest\Application Data\Orbit
    [2008/08/01 00:07:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guest\Application Data\Wave Systems Corp

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2010/05/09 15:07:44 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010/08/26 08:15:57 | 000,000,281 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 22:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
    [2011/01/15 19:33:12 | 000,016,623 | ---- | M] () -- C:\ComboFix log 1-15.txt
    [2011/01/18 15:37:02 | 000,018,532 | ---- | M] () -- C:\ComboFix log 1-18 #1.txt
    [2011/01/18 17:57:33 | 000,018,556 | ---- | M] () -- C:\ComboFix.txt
    [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2007/10/20 14:23:48 | 000,005,961 | RH-- | M] () -- C:\dell.sdr
    [2010/08/27 15:49:35 | 000,000,872 | ---- | M] () -- C:\FDLOG.TXT
    [2011/01/18 17:34:46 | 2136,961,024 | -HS- | M] () -- C:\hiberfil.sys
    [2007/10/31 14:01:03 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
    [2004/08/11 17:15:00 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
    [2007/10/20 14:48:49 | 000,000,000 | ---- | M] () -- C:\Log.txt
    [2004/08/11 17:15:00 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
    [2004/08/04 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/08/04 23:37:57 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2011/01/18 17:34:44 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
    [2008/04/09 14:25:00 | 000,001,455 | ---- | M] () -- C:\POINTEXP.TXT
    [2011/01/17 13:47:45 | 000,000,359 | ---- | M] () -- C:\rkill.log
    [2011/01/18 08:10:31 | 000,051,564 | ---- | M] () -- C:\TDSSKiller.2.4.14.0_18.01.2011_08.09.31_log.txt
    [2011/01/18 09:08:49 | 000,051,532 | ---- | M] () -- C:\TDSSKiller.2.4.14.0_18.01.2011_08.32.30_log.txt
    [2011/01/18 08:36:27 | 000,050,998 | ---- | M] () -- C:\TDSSKiller.2.4.14.0_18.01.2011_08.36.03_log.txt

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2004/08/11 17:14:22 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2010/05/10 17:34:12 | 000,017,920 | ---- | M] (Ellie Mae Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\EFOLDERPPROC.DLL
    [2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2002/05/27 13:37:24 | 000,049,152 | ---- | M] (Zenographics, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\IMFPRINT.DLL
    [2006/10/26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
    [2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    [2002/05/27 13:37:24 | 000,036,864 | ---- | M] (Zenographics, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\zpppcl.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2011/01/13 03:47:35 | 000,038,848 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >
    [2009/04/23 21:31:32 | 000,001,642 | -H-- | M] () -- C:\Documents and Settings\QQ\Application Data\Microsoft\LastFlashConfig.WFC

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2004/08/11 17:06:14 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2004/08/11 17:06:14 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2004/08/11 17:06:14 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2008/08/04 23:42:52 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >
    [2007/10/20 14:49:07 | 000,000,360 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\wave_license.txt

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2007/10/30 20:43:57 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\QQ\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2004/08/11 17:20:42 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\QQ\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/08/26 08:02:05 | 027,386,280 | ---- | M] ( ) -- C:\Documents and Settings\QQ\Desktop\AdbeRdr920_en_US.exe
    [2011/01/18 15:00:06 | 004,157,342 | R--- | M] () -- C:\Documents and Settings\QQ\Desktop\ComboFix.exe
    [2011/01/17 13:44:08 | 000,719,873 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\iExplore.exe
    [2011/01/18 14:52:10 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\MBRCheck.exe
    [2009/10/31 12:06:18 | 001,794,456 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\MoveMediaPlayerWin_071701000002.exe
    [2011/01/18 18:16:59 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\QQ\Desktop\OTL.exe
    [2011/01/17 13:52:57 | 001,739,024 | ---- | M] (Secunia) -- C:\Documents and Settings\QQ\Desktop\PSISetup.exe
    [2008/12/21 18:06:50 | 035,346,368 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\R202964.exe
    [2009/07/07 09:14:09 | 000,721,004 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\securew2_332.exe
    [2009/11/08 20:36:14 | 004,938,616 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\QQ\Desktop\Silverlight.exe
    [2011/01/17 17:06:24 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\QQ\Desktop\step 4.exe
    [2011/01/17 17:05:30 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\QQ\Desktop\TFC.exe
    [2007/11/01 00:28:04 | 526,428,264 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\QQ\Desktop\X12-30307 (MS Office Ultimate).exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >
    [2007/04/10 16:46:53 | 000,013,023 | ---- | M] () -- C:\WINDOWS\VX1000.src

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2007/10/30 20:43:56 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\QQ\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/01/18 18:18:58 | 001,605,632 | ---- | M] () -- C:\Documents and Settings\QQ\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/13 19:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/04 01:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/04 01:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 09:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 12:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/13 19:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2004/08/04 01:06:36 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2004/08/04 01:06:36 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2004/08/04 01:06:36 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/04 01:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/04 01:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\QQ\Desktop\AdbeRdr920_en_US.exe:SummaryInformation

    < End of report >
     
  12. kikehisy

    kikehisy TS Rookie Topic Starter

    Extras log

    OTL Extras logfile created on: 1/18/2011 6:19:26 PM - Run 1
    OTL by OldTimer - Version 3.2.20.2 Folder = C:\Documents and Settings\QQ\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 111.70 Gb Total Space | 54.70 Gb Free Space | 48.97% Space Free | Partition Type: NTFS

    Computer Name: QQ | User Name: QQ | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    [HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:mad:xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Disabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Disabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Disabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Disabled:mad:xpsp2res.dll,-22002

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Vuze\Azureus.exe" = C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus -- (Vuze Inc.)
    "C:\Program Files\Microsoft LifeCam\LifeCam.exe" = C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe -- (Microsoft Corporation)
    "C:\Program Files\Microsoft LifeCam\LifeExp.exe" = C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe -- (Microsoft Corporation)
    "C:\Documents and Settings\QQ\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\QQ\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{07CEBBBD-E6EF-4265-BC65-777BD5C1FCD7}" = Point
    "{07D618CD-B016-438A-ADC9-A75BD23F85CE}" = Wave Support Software
    "{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
    "{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java(TM) 6 Update 23
    "{27D45E1B-A636-4F95-8798-4F0204D5A13A}" = Encompass eFolder
    "{27E25625-DB51-42E6-BEB7-0C8DC878770C}" = Broadcom ASF Management Applications
    "{281ECE39-F043-492B-8337-F2E546B5604A}" = PowerDVD
    "{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{35748B06-FCFC-4700-8285-DAD41689E4FE}" = Broadcom TPM Driver Installer
    "{37C5A56A-00EA-347B-B7A1-5628BED56702}" = Google Talk Plugin
    "{3A4FFB84-D070-4DA5-AB7B-D41D87FD8D19}" = Norton Security Scan
    "{3A6BE9F4-5FC8-44BB-BE7B-32A29607FEF6}" = Preboot Manager
    "{3E9C4FBE-4E6C-4389-A4B3-4AE027D0BF2E}" = Encompass360 SmartClient
    "{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
    "{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
    "{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
    "{481E9852-DA0C-403B-ADA4-05D86C8BF9A9}" = Google Photos Screensaver
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2}" = Document Manager Lite
    "{52A7C6A6-6B88-47D1-922E-9F8A7E089E6A}" = Intel(R) PROSet/Wireless WiFi Software
    "{53333479-6A52-4816-8497-5C52B67ED339}" = EMBASSY Security Setup
    "{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
    "{568AEE95-B0FB-4FD9-B7E7-4C8B6A3180C9}" = SmartClient Core
    "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
    "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
    "{5B7D68A3-C39B-4BC5-BDF1-22085290C43C}" = Point 6.1
    "{5DE8AE5E-240B-4DA7-8BCF-DA269FFC9D8B}" = SmartClient Installation Manager
    "{63AFACBC-4795-4A1B-8037-5085DC03FC54}" = Microsoft LifeCam
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{72FECEA1-E87F-4192-89FA-D0FBF92885BB}" = ETS Upgrade
    "{748F4870-8350-11D3-B0BF-080009FB4A19}" = HP Share-to-Web
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_ULTIMATER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_ULTIMATER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_ULTIMATER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
    "{90120000-00BA-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
    "{90120000-0114-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{91120000-002E-0000-0000-0000000FF1CE}" = Microsoft Office Ultimate 2007
    "{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
    "{9556CFD4-3F7E-4D1C-958B-759703E9CC21}" = O2Micro USB Smart Card Reader
    "{975C8028-51D8-44A9-9585-82E9810FE96A}" = hp LaserJet 1000
    "{9C538746-C2DC-40FC-B1FB-D4EA7966ABEB}" = Skype™ 5.1
    "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
    "{A5F68DC8-0278-4AD8-B413-861509B5F25B}" = ArcSoft Panorama Maker 3
    "{A618BB0D-8B88-45FF-83CD-783B4AE59AA0}" = NTRU TCG Software Stack
    "{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{ABBA2EA4-740E-4052-902B-9CA70B081E3F}" = Dell Embassy Trust Suite by Wave Systems
    "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
    "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
    "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
    "{C99C0593-3B48-41D9-B42F-6E035B320449}" = Broadcom Management Programs
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}" = Secure Update
    "{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
    "{D31F958E-7353-4DEB-83E8-35B02F2EE20A}" = Wave Infrastructure Installer
    "{D9FCA292-1186-421F-8D93-9A5D272AD5D0}" = IntelliSonic Speech Enhancement
    "{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
    "{E6095BEA-8C97-4342-B771-13BB72AC1D88}" = biolsp patch
    "{E738A392-F690-4A9D-808E-7BAF80E0B398}" = ESC Home Page Plugin
    "{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}" = Security Wizards
    "{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
    "{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
    "{F05E2B98-DA04-4FFA-8D08-DA218E6A2B47}" = Point
    "{F1802FA6-54E9-4B24-BD2A-B50866819795}" = EMBASSY Trust Suite by Wave Systems
    "{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}" = Microsoft WSE 2.0 SP3 Runtime
    "{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
    "{F751F153-0D23-4ED5-85D5-BAE46893D1F9}" = Point
    "{FB91E774-867B-4567-ACE7-8144EF036068}" = Olympus Digital Wave Player
    "{FBEC50B7-537C-4A0E-8B0B-F7A8F8BF13CE}" = upekmsi
    "{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
    "{FF3999BE-1A7B-4738-88AA-97BF14094A4A}" = PictureProject
    "5FD5E95A18EBF60A056BA7A51A2E794E4216D3DD" = Windows Driver Package - O2Micro (guardian2) SmartCardReader (02/05/2007 1.1.3.7)
    "840EF3FB8C7BFBB007E46E18F107E8CC6DD522EA" = Windows Driver Package - Dell Inc. PBADRV System (09/25/2006 6.0.0.0)
    "8461-7759-5462-8226" = Vuze
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "avast5" = avast! Free Antivirus
    "burnatonce_is1" = burnatonce
    "ClamWin Free Antivirus_is1" = ClamWin Free Antivirus 0.95.3
    "CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
    "FLAC" = FLAC 1.2.1b (remove only)
    "Google Chrome" = Google Chrome
    "Google Desktop" = Google Desktop
    "Google Updater" = Google Updater
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "hp officejet 7100 series 1282748222" = hp officejet 7100 series
    "HP Photo Printing Software" = HP Photo Printing Software
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{07D618CD-B016-438A-ADC9-A75BD23F85CE}" = Wave Support Software
    "InstallShield_{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
    "InstallShield_{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2}" = Document Manager Lite
    "InstallShield_{53333479-6A52-4816-8497-5C52B67ED339}" = EMBASSY Security Setup
    "InstallShield_{72FECEA1-E87F-4192-89FA-D0FBF92885BB}" = ETS Upgrade
    "InstallShield_{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}" = Secure Update
    "InstallShield_{E738A392-F690-4A9D-808E-7BAF80E0B398}" = ESC Home Page Plugin
    "InstallShield_{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}" = Security Wizards
    "InstallShield_{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "Picasa 3" = Picasa 3
    "PictureProject In Touch Downloader" = PictureProject In Touch Downloader 1.0
    "ProInst" = Intel PROSet Wireless
    "RealPlayer 12.0" = RealPlayer
    "Secunia PSI" = Secunia PSI (2.0.0.3001)
    "SecureW2 TTLS Client" = SecureW2 TTLS Client 3.3.2 for Windows
    "ULTIMATER" = Microsoft Office Ultimate 2007
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-2217255891-2010983865-943666668-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Move Media Player" = Move Media Player

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 1/17/2011 11:36:26 PM | Computer Name = QQ | Source = Application Hang | ID = 1002
    Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 1/17/2011 11:42:08 PM | Computer Name = QQ | Source = Application Hang | ID = 1002
    Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 1/17/2011 11:49:59 PM | Computer Name = QQ | Source = Application Error | ID = 1000
    Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
    module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.

    Error - 1/18/2011 12:30:33 AM | Computer Name = QQ | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The connection with the server was terminated abnormally

    Error - 1/18/2011 12:30:34 AM | Computer Name = QQ | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    Error - 1/18/2011 8:59:23 AM | Computer Name = QQ | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The connection with the server was terminated abnormally

    Error - 1/18/2011 8:59:24 AM | Computer Name = QQ | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    Error - 1/18/2011 9:29:23 AM | Computer Name = QQ | Source = Broadcom ASF IP and SMBIOS Mailbox Monitor | ID = 0
    Description =

    Error - 1/18/2011 11:10:22 AM | Computer Name = QQ | Source = Microsoft Office 12 | ID = 2001
    Description = Rejected Safe Mode action : Microsoft Office Outlook.

    Error - 1/18/2011 6:36:06 PM | Computer Name = QQ | Source = Broadcom ASF IP and SMBIOS Mailbox Monitor | ID = 0
    Description =

    [ System Events ]
    Error - 1/18/2011 4:16:44 PM | Computer Name = QQ | Source = DCOM | ID = 10016
    Description = The machine-default permission settings do not grant Local Activation
    permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

    to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
    can be modified using the Component Services administrative tool.

    Error - 1/18/2011 4:16:46 PM | Computer Name = QQ | Source = DCOM | ID = 10016
    Description = The machine-default permission settings do not grant Local Activation
    permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

    to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
    can be modified using the Component Services administrative tool.

    Error - 1/18/2011 4:16:46 PM | Computer Name = QQ | Source = DCOM | ID = 10016
    Description = The machine-default permission settings do not grant Local Activation
    permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

    to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
    can be modified using the Component Services administrative tool.

    Error - 1/18/2011 6:26:43 PM | Computer Name = QQ | Source = Service Control Manager | ID = 7034
    Description = The Smart Card service terminated unexpectedly. It has done this
    1 time(s).

    Error - 1/18/2011 6:26:43 PM | Computer Name = QQ | Source = Service Control Manager | ID = 7034
    Description = The NTRU TSS v1.2.1.12 TCS service terminated unexpectedly. It has
    done this 1 time(s).

    Error - 1/18/2011 6:32:32 PM | Computer Name = QQ | Source = Service Control Manager | ID = 7034
    Description = The ASKService service terminated unexpectedly. It has done this
    1 time(s).

    Error - 1/18/2011 6:32:32 PM | Computer Name = QQ | Source = Service Control Manager | ID = 7034
    Description = The ASKUpgrade service terminated unexpectedly. It has done this
    1 time(s).

    Error - 1/18/2011 6:35:44 PM | Computer Name = QQ | Source = DCOM | ID = 10016
    Description = The machine-default permission settings do not grant Local Activation
    permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

    to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
    can be modified using the Component Services administrative tool.

    Error - 1/18/2011 6:35:45 PM | Computer Name = QQ | Source = DCOM | ID = 10016
    Description = The machine-default permission settings do not grant Local Activation
    permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

    to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
    can be modified using the Component Services administrative tool.

    Error - 1/18/2011 6:35:45 PM | Computer Name = QQ | Source = DCOM | ID = 10016
    Description = The machine-default permission settings do not grant Local Activation
    permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

    to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
    can be modified using the Component Services administrative tool.


    < End of report >
     
  13. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Good news :)

    Now....
    To start with, there is no perfect security program.
    If your computer habits are flawed, no program will protect you.
    Then, Spybot is rather a tool of the past, so you can uninstall it altogether.

    ======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      FF - prefs.js..browser.search.defaultenginename: "Ask"
      FF - prefs.js..browser.search.order.1: "Ask"
      FF - prefs.js..keyword.URL: "http://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q="
      [2009/10/03 14:01:38 | 000,000,681 | ---- | M] () -- C:\Documents and Settings\QQ\Application Data\Mozilla\Firefox\Profiles\2aolohio.default\searchplugins\ask.xml
      O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
      O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/...oUploader2.cab (Reg Error: Key error.)
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      [2010/05/09 17:58:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
      [2010/05/13 14:16:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
      @Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMPFC5A2B2
      @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\QQ\Desktop\AdbeRdr920_en_US.exe:SummaryInformation
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =======================================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  14. kikehisy

    kikehisy TS Rookie Topic Starter

    Logs below. After running OTL, the Microsoft Update icon finally reappeared in the toolbar, but I did not run it yet.

    In SecurityCheck, I am guessing the Java and Adobe messages might be the false warnings that you mentioned? (given that I just updated them yesterday)

    I was also surprised that SecurityCheck did not find Spybot, even though I have not uninstalled it yet.

    All processes killed
    ========== OTL ==========
    Prefs.js: "Ask" removed from browser.search.defaultenginename
    Prefs.js: "Ask" removed from browser.search.order.1
    Prefs.js: "http://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=" removed from keyword.URL
    File C:\Documents and Settings\QQ\Application Data\Mozilla\Firefox\Profiles\2aolohio.default\searchplugins\ask.xml not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\ deleted successfully.
    Starting removal of ActiveX control {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}
    C:\WINDOWS\Downloaded Program Files\ImageUploader4.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}\ not found.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\WINDOWS\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    C:\Documents and Settings\All Users\Application Data\SITEguard folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\STOPzilla!\Quarantine folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\STOPzilla! folder moved successfully.
    Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMPFC5A2B2 .
    Unable to delete ADS C:\Documents and Settings\QQ\Desktop\AdbeRdr920_en_US.exe:SummaryInformation .
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: QQ
    ->Temp folder emptied: 17136 bytes
    ->Temporary Internet Files folder emptied: 22829503 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 57966986 bytes
    ->Google Chrome cache emptied: 6166406 bytes
    ->Flash cache emptied: 2128 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 65536 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 5642 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 83.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: QQ
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.20.2 log created on 01182011_204439

    Files\Folders moved on Reboot...
    C:\Documents and Settings\QQ\Local Settings\Temporary Internet Files\Content.IE5\PYSIARWO\background_button_green_full[1].png moved successfully.
    File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...

    -------------------

    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    avast! Free Antivirus
    ClamWin Free Antivirus 0.95.3
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 23
    Out of date Java installed!
    Adobe Flash Player 10.1.102.64
    Adobe Reader 9.4.1
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.6.13)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Alwil Software Avast5 AvastSvc.exe
    Alwil Software Avast5 avastUI.exe
    ``````````End of Log````````````


    [start of ESET log]

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinProlacop.zip Win32/Bagle.gen.zip worm
     
  15. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

    =======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinProlacop.zip
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =======================================================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please, let me know, how your computer is doing.
     
  16. kikehisy

    kikehisy TS Rookie Topic Starter

    Thanks! I will get to these last steps and post logs tomorrow night - very busy day tomorrow.
     
  17. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    No problem :)
     
  18. kikehisy

    kikehisy TS Rookie Topic Starter

    Last OTL logs are below. A couple other things:

    1. When I installed the newest Adobe Reader, it automatically installed McAfee Security Scan. Should I just remove that?

    2. Should I remove ESET scanner, or is there a value to keeping it?

    Thanks!

    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinProlacop.zip moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56502 bytes

    User: QQ
    ->Temp folder emptied: 64698 bytes
    ->Temporary Internet Files folder emptied: 73323147 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 57230542 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 3551 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 871395 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 126.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: QQ
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.20.2 log created on 01192011_213210

    Files\Folders moved on Reboot...
    File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...

    ---

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: QQ
    ->Temp folder emptied: 17054 bytes
    ->Temporary Internet Files folder emptied: 1470260 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 456 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 483 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 2.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: QQ
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.20.2 log created on 01192011_214023

    Files\Folders moved on Reboot...
    File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
     
  19. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Yes.

    2. Up to you...

    Whenever ready....
     
  20. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    The issue appears to be resolved.
     
  21. kikehisy

    kikehisy TS Rookie Topic Starter

    Everything was working fine until tonight. Then, a little bit ago, I returned to the computer after being away for a few minutes and found it unresponsive with a black screen. I turned it off and back on, and after a few minutes where web browsers would not open, a box popped up and said "The system has recovered from a serious error." It then gave me some info, which I have posted below, along with the contents of a Microsoft webpage that popped up. I have not installed any new drivers or programs to my knowledge. Any idea what this stuff means, and if it might be connected to the malware issue from before?

    Error Signature
    BCCode : 10000050 BCP1 : A3549000 BCP2 : 00000000 BCP3 : 8052E549
    BCP4 : 00000000 OSVer : 5_1_2600 SP : 3_0 Product : 256_1

    The following files will be sent with this error report:
    C:\DOCUME~1\QQ~1\LOCALS~1\Temp\WER44aa.dir00\Mini012811-01.dmp
    C:\DOCUME~1\QQ~1\LOCALS~1\Temp\WER44aa.dir00\sysdata.xml

    A Microsoft.com webpage then popped up, saying the following:

    Troubleshoot a problem with a device driver
    You received this message because a device driver installed on your computer caused Windows to stop unexpectedly. This type of error is referred to as a "stop error." A stop error requires you to restart your computer.

    Steps to address this problem
    Use Windows Update to check for updated drivers


    Click to go online to the Windows Update website


    Click Custom to check for available updates.

    In the left pane, under Select by Type, click Hardware, Optional. Select the updates for a device driver, click Review and install updates, and then click Install Updates.

    Note
    We recommend that you install all High-Priority updates. These updates improve your computer's security and stability.

    Steps to work around this problem
    Warning
    These steps are designed to address a particular problem but might do so by temporarily disabling or removing some functionality on your computer.

    If this problem occurred after you installed a new hardware device on your computer, the problem might be caused by the device driver. Go online to learn how to use the Dell Driver Reset Tool or uninstall the driver.

    How do I disable or uninstall a device driver?

    Click Start, and then click Control Panel. If you are using Classic View, click Switch to Category View.
    Click Performance and Maintenance, and then click System.
    Click the Hardware tab, and then click Device Manager.
    Click the plus sign (+) next to the faulting device. You should now see the device listed.
    Right-click the device, and then click Disable or Uninstall.
    If this problem occurred after you installed new software, the software might have installed a driver that caused the problem. Try uninstalling the software.

    How do I uninstall a program?


    Click Start, click Control Panel, and then click Add or Remove Programs.

    Click Change or Remove Programs, click the program you want to remove, and then click Change/Remove or Remove.

    Note
    If the program that you want to uninstall isn't listed, it might not have been created for your version of Windows. To uninstall the program, check the information that came with the program or contact the manufacturer for more information.


    If you don't know the specific driver or software, go online to learn more about performing a System Restore.

    For information about your support options, go online to the Support.Dell.Com website.
     
  22. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Is the computer bootable?
     
  23. kikehisy

    kikehisy TS Rookie Topic Starter

    Yes, it started working again after the episode. But this morning when I woke up it couldn't find any wireless networks, so I had to restart it again, and now it is working again.
     
  24. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Let me know, if anything else comes up.
    Hope not :)
     
  25. kikehisy

    kikehisy TS Rookie Topic Starter

    I just ran Malwarebytes and found one issue. Is this something I should be concerned with? Possibly connected to the problems I experienced in the past 24 hours?

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\ndo8thb2ikwe (Malware.Trace) -> Quarantined and deleted successfully.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...