Suspected Malware - Symantec email scanner returns spam when connected to certain ISPs

Solved
By Nomad607
Nov 6, 2010
  1. For the last month I have been having problems when I connect to certain wireless networks (it seems to be ISP-dependent), where I get lots of Symantec Email Scanner alerts saying that my emails were rejected by the service provider. The message subjects look like spam and the recipients are random from what I can tell. Occasionally Symantec will quarantine 'Backdoor.Tidserv.I!inf' but never removes it.

    Newly updated Symantec, Malwarebytes and Spybot don't pick up anything. Any ideas?
    My logs are as follows:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5054

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    11/5/2010 3:04:57 PM
    mbam-log-2010-11-05 (15-04-57).txt

    Scan type: Quick scan
    Objects scanned: 133182
    Time elapsed: 8 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\System User\My Documents\downloads\IWON(2).exe (Adware.Iwon) -> Quarantined and deleted successfully.
    C:\Documents and Settings\System User\My Documents\downloads\IWON.exe (Adware.Iwon) -> Quarantined and deleted successfully.
    C:\zrpt.xml (Malware.Trace) -> Quarantined and deleted successfully.

    GMER 1.0.15.15507 - http://www.gmer.net
    Rootkit scan 2010-11-06 13:33:27
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 HTS548040M9AT00 MG2OA5DA
    Running: r6n1tnmq.exe; Driver: C:\DOCUME~1\SYSTEM~1\LOCALS~1\Temp\kwkyafoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT 833C6A70 ZwAlertResumeThread
    SSDT 83382898 ZwAlertThread
    SSDT 8338B608 ZwAllocateVirtualMemory
    SSDT 833902B8 ZwConnectPort
    SSDT spxo.sys ZwCreateKey [0xF74800E0]
    SSDT 833712D8 ZwCreateMutant
    SSDT 835060B0 ZwCreateThread
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA68B2690]
    SSDT spxo.sys ZwEnumerateKey [0xF749ECA4]
    SSDT spxo.sys ZwEnumerateValueKey [0xF749F032]
    SSDT 833C3FC0 ZwFreeVirtualMemory
    SSDT 8372D170 ZwImpersonateAnonymousToken
    SSDT 831910B8 ZwImpersonateThread
    SSDT 834FC0B0 ZwMapViewOfSection
    SSDT 83723170 ZwOpenEvent
    SSDT spxo.sys ZwOpenKey [0xF74800C0]
    SSDT 83526120 ZwOpenProcessToken
    SSDT 8339CB18 ZwOpenThreadToken
    SSDT spxo.sys ZwQueryKey [0xF749F10A]
    SSDT 835FEBB0 ZwQueryValueKey
    SSDT 833934F8 ZwResumeThread
    SSDT 8306A828 ZwSetContextThread
    SSDT 833EEF30 ZwSetInformationProcess
    SSDT 833C7990 ZwSetInformationThread
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA68B28E0]
    SSDT 83543348 ZwSuspendProcess
    SSDT 833730B0 ZwSuspendThread
    SSDT 8351F1A8 ZwTerminateProcess
    SSDT 8337ECD0 ZwTerminateThread
    SSDT 8337AC08 ZwUnmapViewOfSection
    SSDT 833A9980 ZwWriteVirtualMemory

    INT 0x3B ? 83598F00
    INT 0x3B ? 83598F00
    INT 0x3B ? 83598F00
    INT 0x3B ? 83598F00
    INT 0x3E ? 8376BBF8
    INT 0x3F ? 8376BBF8

    ---- Kernel code sections - GMER 1.0.15 ----

    ? spxo.sys The system cannot find the file specified. !
    .rsrc C:\WINDOWS\system32\drivers\agp440.sys entry point in ".rsrc" section [0xF75FA814]
    .text USBPORT.SYS!DllUnload F6AD562C 5 Bytes JMP 835984E0
    .text awzqcuns.SYS F6793386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
    .text awzqcuns.SYS F67933AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    .text awzqcuns.SYS F67933C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
    .text awzqcuns.SYS F67933C9 1 Byte [30]
    .text awzqcuns.SYS F67933C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
    .text ...

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1188] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007B000A
    .text C:\WINDOWS\System32\svchost.exe[1188] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007C000A
    .text C:\WINDOWS\System32\svchost.exe[1188] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007A000C
    .text C:\WINDOWS\System32\svchost.exe[1188] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 0094000A
    .text C:\WINDOWS\System32\svchost.exe[1188] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 0091000A
    .text C:\WINDOWS\Explorer.EXE[2384] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A9000A
    .text C:\WINDOWS\Explorer.EXE[2384] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AA000A
    .text C:\WINDOWS\Explorer.EXE[2384] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A1000C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3792] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FD000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3792] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FE000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3792] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FC000C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3792] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3988] USER32.dll!TrackPopupMenu 77D94F16 5 Bytes JMP 10405CF5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8376D2D8
    IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F74B1C4C] spxo.sys
    IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F74B1CA0] spxo.sys
    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7481042] spxo.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F748113E] spxo.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74810C0] spxo.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7481800] spxo.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74816D6] spxo.sys
    IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 835985E0
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7490E9C] spxo.sys
  2. Nomad607

    Nomad607 Newcomer, in training Topic Starter Posts: 20

    Continued~


    ---- Devices - GMER 1.0.15 ----

    Device 8376A1F8
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device 829C51F8
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
    Device \Driver\NetBT \Device\NetBT_Tcpip_{31E48630-6EAC-4A93-86B0-7CABB2131E7D} 835751F8
    Device \Driver\sptd \Device\3897234640 spxo.sys

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \Driver\usbuhci \Device\USBPDO-0 834E41F8
    Device \Driver\PCI_PNP2912 \Device\00000051 spxo.sys
    Device \Driver\usbuhci \Device\USBPDO-1 834E41F8
    Device \Driver\usbuhci \Device\USBPDO-2 834E41F8
    Device \Driver\usbehci \Device\USBPDO-3 834E3500

    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Ftdisk \Device\HarddiskVolume1 837DC1F8
    Device \Driver\Cdrom \Device\CdRom0 83579500
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 83638AEA
    Device \Driver\atapi \Device\Ide\IdePort0 8376B1F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 83638AEA
    Device \Driver\atapi \Device\Ide\IdePort1 8376B1F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 83638AEA
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8376B1F8
    Device \Driver\Cdrom \Device\CdRom1 83579500
    Device \Driver\NetBT \Device\NetBt_Wins_Export 835751F8
    Device \Driver\NetBT \Device\NetbiosSmb 835751F8

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\usbuhci \Device\USBFDO-0 834E41F8
    Device \Driver\usbuhci \Device\USBFDO-1 834E41F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82C79500
    Device \Driver\usbuhci \Device\USBFDO-2 834E41F8
    Device 82C79500
    Device \Driver\usbehci \Device\USBFDO-3 834E3500
    Device \Driver\Ftdisk \Device\FtControl 837DC1F8
    Device \Driver\awzqcuns \Device\Scsi\awzqcuns1Port2Path0Target0Lun0 834511F8
    Device \Driver\awzqcuns \Device\Scsi\awzqcuns1 834511F8
    Device \FileSystem\Cdfs \Cdfs 82C8B1F8
    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHTS548040M9AT00_________________________MG2OA5DA#5&2cae0b77&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF3 0xCE 0xA2 0x22 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC2 0xBE 0x33 0x53 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2A 0xE1 0xF0 0x1B ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF3 0xCE 0xA2 0x22 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC2 0xBE 0x33 0x53 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2A 0xE1 0xF0 0x1B ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF3 0xCE 0xA2 0x22 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC2 0xBE 0x33 0x53 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2A 0xE1 0xF0 0x1B ...

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sectors 78139904 (+255): rootkit-like behavior;

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\agp440.sys suspicious modification; TDL3 <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----

    DDS locks up after about 2 minutes of work...

    Any suggestions?
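A triage script for scan output like the logs posted above, added here as an editor's example (it is not a tool from this thread, and neither GMER nor TDSSKiller ships such a parser): it reads GMER's SSDT, user-mode hook, disk-sector and file verdict lines, groups SSDT hooks by the module that owns the hook target so that vendor drivers such as SYMEVENT.SYS separate from bare, unattributed kernel addresses, and also understands the "Suspicious file (Forged)" line format that TDSSKiller prints later in this thread, where two different hashes for one driver show that the file reads differently depending on the read path. The sample log is constructed from lines of this thread; UNNAMED and the class names are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the line formats GMER 1.0.15 and TDSSKiller 2.4.x print,
# modelled on the logs posted in this thread; it is not a captured file.
SAMPLE_LOG = r"""SSDT 833C6A70 ZwAlertResumeThread
SSDT spxo.sys ZwCreateKey [0xF74800E0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA68B2690]
SSDT spxo.sys ZwOpenKey [0xF74800C0]
.text C:\WINDOWS\System32\svchost.exe[1188] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3792] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
Disk \Device\Harddisk0\DR0 sectors 78139904 (+255): rootkit-like behavior;
File C:\WINDOWS\system32\drivers\agp440.sys suspicious modification; TDL3 <-- ROOTKIT !!!
2010/11/06 17:10:27.0270 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\agp440.sys. Real md5: aaca23182c18f7268820bc00a6d13704, Fake md5: 08fd04aa961bdc77fb983f328334e3d7
2010/11/06 17:10:27.0280 agp440 - detected Rootkit.Win32.TDSS.tdl3 (0)
"""

UNNAMED = "<unnamed kernel address>"   # hook target GMER could not map to a module

# GMER: "SSDT <owner> <ZwFunction> [0xaddr]"; owner is a module name, a full path
# followed by "(Description/Vendor)", or a bare 8-digit hex address.
SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>.+?)\s+(?P<func>Zw\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?\s*$")
# GMER: ".text <process>[pid] <dll>!<api> <addr> N Bytes JMP <dest> [<module>]"
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<api>\S+!\S+)\s+[0-9A-Fa-f]+\s+\d+ Bytes JMP\s+"
    r"(?P<dest>[0-9A-Fa-f]+)(?:\s+(?P<module>.+?))?\s*$")
# TDSSKiller: the same driver hashes differently depending on how it is read.
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), "
    r"Fake md5: (?P<fake>[0-9a-f]{32})")
DETECTED_RE = re.compile(r"^\S+ \S+ (?P<service>\S+) - detected (?P<name>\S+)")
HEX_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

@dataclass
class UserHook:
    process: str
    api: str
    dest: str
    dest_module: Optional[str]   # None: the JMP lands in memory with no named module

@dataclass
class Forged:
    path: str
    real_md5: str
    fake_md5: str

@dataclass
class Report:
    ssdt_hooks: dict = field(default_factory=lambda: defaultdict(list))  # module -> [Zw...]
    user_hooks: list = field(default_factory=list)
    forged: list = field(default_factory=list)
    detections: list = field(default_factory=list)   # (service, detection name)
    findings: list = field(default_factory=list)     # raw GMER disk/file verdict lines

def module_name(owner: str) -> str:
    """Reduce GMER's owner column to a file name, or UNNAMED for a bare address."""
    if HEX_ADDR_RE.match(owner):
        return UNNAMED
    path = owner.split(" (", 1)[0]          # drop the "(Description/Vendor)" suffix
    return path.rsplit("\\", 1)[-1]

def triage(text: str) -> Report:
    """Classify every recognised line of a pasted GMER / TDSSKiller log."""
    rep = Report()
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            rep.ssdt_hooks[module_name(m["owner"])].append(m["func"])
        elif m := USER_HOOK_RE.match(line):
            rep.user_hooks.append(UserHook(m["proc"], m["api"], m["dest"], m["module"]))
        elif m := FORGED_RE.search(line):
            rep.forged.append(Forged(m["path"], m["real"], m["fake"]))
        elif m := DETECTED_RE.match(line):
            rep.detections.append((m["service"], m["name"]))
        elif "rootkit-like behavior" in line or "<-- ROOTKIT" in line:
            rep.findings.append(line)
    return rep

def summary(rep: Report) -> list:
    """Human-readable triage lines, most actionable first."""
    out = [f"FORGED: {f.path}: real md5 {f.real_md5} vs presented md5 {f.fake_md5} "
           f"(the file reads differently depending on the read path)" for f in rep.forged]
    out += [f"DETECTED: service {svc} flagged as {name}" for svc, name in rep.detections]
    out += [f"VERDICT: {line}" for line in rep.findings]
    for mod, funcs in sorted(rep.ssdt_hooks.items()):
        out.append(f"SSDT: {len(funcs)} hook(s) owned by {mod}: {', '.join(funcs)}")
    for h in rep.user_hooks:
        out.append(f"USER: {h.process} {h.api} -> {h.dest} "
                   f"({h.dest_module or 'unattributed memory'})")
    return out

if __name__ == "__main__":
    print("\n".join(summary(triage(SAMPLE_LOG))))
```

Hooks owned by a bare address or landing in unattributed memory are what to look at first; hooks owned by a known security or disk-emulation driver usually explain themselves.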
  3. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Welcome aboard

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  4. Nomad607

    Nomad607 Newcomer, in training Topic Starter Posts: 20

    Thanks for the quick reply Broni!

    Here's what we got:

    2010/11/06 17:10:15.0533 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43
    2010/11/06 17:10:15.0533 ================================================================================
    2010/11/06 17:10:15.0533 SystemInfo:
    2010/11/06 17:10:15.0533
    2010/11/06 17:10:15.0533 OS Version: 5.1.2600 ServicePack: 2.0
    2010/11/06 17:10:15.0533 Product type: Workstation
    2010/11/06 17:10:15.0533 ComputerName: SYSTEM-D002F5BF
    2010/11/06 17:10:15.0533 UserName: System User
    2010/11/06 17:10:15.0533 Windows directory: C:\WINDOWS
    2010/11/06 17:10:15.0533 System windows directory: C:\WINDOWS
    2010/11/06 17:10:15.0533 Processor architecture: Intel x86
    2010/11/06 17:10:15.0533 Number of processors: 1
    2010/11/06 17:10:15.0533 Page size: 0x1000
    2010/11/06 17:10:15.0533 Boot type: Normal boot
    2010/11/06 17:10:15.0533 ================================================================================
    2010/11/06 17:10:16.0905 Initialize success
    2010/11/06 17:10:23.0314 ================================================================================
    2010/11/06 17:10:23.0314 Scan started
    2010/11/06 17:10:23.0314 Mode: Manual;
    2010/11/06 17:10:23.0314 ================================================================================
    2010/11/06 17:10:27.0270 agp440 (aaca23182c18f7268820bc00a6d13704) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2010/11/06 17:10:27.0270 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\agp440.sys. Real md5: aaca23182c18f7268820bc00a6d13704, Fake md5: 08fd04aa961bdc77fb983f328334e3d7
    2010/11/06 17:10:27.0280 agp440 - detected Rootkit.Win32.TDSS.tdl3 (0)
    2010/11/06 17:10:47.0959 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/11/06 17:10:48.0009 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    2010/11/06 17:10:48.0060 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/11/06 17:10:48.0140 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/11/06 17:10:48.0180 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/11/06 17:10:48.0240 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/11/06 17:10:48.0320 MRxSmb (6f2d483b97b395544e59749c47963c6a) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/11/06 17:10:48.0410 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/11/06 17:10:48.0450 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/11/06 17:10:48.0490 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/11/06 17:10:48.0550 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/11/06 17:10:48.0590 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/11/06 17:10:48.0650 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2010/11/06 17:10:48.0700 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/11/06 17:10:48.0761 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2010/11/06 17:10:49.0041 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101029.003\naveng.sys
    2010/11/06 17:10:49.0181 NAVEX15 (158676a5758c1fa519563b3e72fbf256) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101029.003\navex15.sys
    2010/11/06 17:10:49.0412 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/11/06 17:10:49.0482 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2010/11/06 17:10:49.0552 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/11/06 17:10:49.0622 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/11/06 17:10:49.0692 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/11/06 17:10:49.0762 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/11/06 17:10:49.0842 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/11/06 17:10:49.0892 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/11/06 17:10:50.0032 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/11/06 17:10:50.0072 NSCIRDA (6216798d29c3ba9d0d6f40bbbab694a5) C:\WINDOWS\system32\DRIVERS\nscirda.sys
    2010/11/06 17:10:50.0133 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/11/06 17:10:50.0263 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/11/06 17:10:50.0313 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/11/06 17:10:50.0343 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/11/06 17:10:50.0413 P1110VID (56ebd7c43be8c9e129d452828c1532d8) C:\WINDOWS\system32\DRIVERS\P1110Vid.sys
    2010/11/06 17:10:50.0463 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
    2010/11/06 17:10:50.0503 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/11/06 17:10:50.0523 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/11/06 17:10:50.0763 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/11/06 17:10:50.0914 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
    2010/11/06 17:10:50.0934 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2010/11/06 17:10:51.0144 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/11/06 17:10:51.0244 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/11/06 17:10:51.0354 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/11/06 17:10:51.0525 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/11/06 17:10:51.0755 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
    2010/11/06 17:10:51.0865 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/11/06 17:10:51.0895 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/11/06 17:10:51.0935 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/11/06 17:10:51.0975 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/11/06 17:10:51.0995 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/11/06 17:10:52.0055 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2010/11/06 17:10:52.0115 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/11/06 17:10:52.0175 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/11/06 17:10:52.0346 SAVRT (2861c841b03def48402e63277d9cac22) C:\Program Files\Symantec AntiVirus\savrt.sys
    2010/11/06 17:10:52.0386 SAVRTPEL (54484c13e4d9b268c66d59e9ccb570e6) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
    2010/11/06 17:10:52.0466 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/11/06 17:10:52.0566 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2010/11/06 17:10:52.0596 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
    2010/11/06 17:10:52.0656 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/11/06 17:10:52.0746 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2010/11/06 17:10:52.0887 smwdm (1319ea66a96250d59665d133c0ff7cd0) C:\WINDOWS\system32\drivers\smwdm.sys
    2010/11/06 17:10:52.0977 SPBBCDrv (60053e9c1fc4f6887c296c19cb825244) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    2010/11/06 17:10:53.0047 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
    2010/11/06 17:10:53.0157 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
    2010/11/06 17:10:53.0157 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
    2010/11/06 17:10:53.0167 sptd - detected Locked file (1)
    2010/11/06 17:10:53.0247 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/11/06 17:10:53.0307 Srv (ab9c79ed12d65e800aaad3d72a04792f) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/11/06 17:10:53.0427 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2010/11/06 17:10:53.0477 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/11/06 17:10:53.0527 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/11/06 17:10:53.0698 SymEvent (c5eafb6a8c73fb26b73ee613c1a5aef6) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    2010/11/06 17:10:53.0818 SYMREDRV (5f9055055dc4900f74fb690b61448be4) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
    2010/11/06 17:10:53.0948 SYMTDI (5561a9d2d1b6529a95cbbffaed7791c1) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    2010/11/06 17:10:54.0108 SynTP (31801b16a0da62afa55e49f1e4c16045) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2010/11/06 17:10:54.0198 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/11/06 17:10:54.0299 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/11/06 17:10:54.0429 Tcpip6 (00586ed87ab564b03870a2a3dcc84b55) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
    2010/11/06 17:10:54.0539 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/11/06 17:10:54.0599 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/11/06 17:10:54.0669 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/11/06 17:10:54.0879 tunmp (87a0e9e18c10a9e454238e3330e2a26d) C:\WINDOWS\system32\DRIVERS\tunmp.sys
    2010/11/06 17:10:55.0010 TwoTrack (17687545f77a648af7f9f1064eb61191) C:\WINDOWS\system32\DRIVERS\TwoTrack.sys
    2010/11/06 17:10:55.0110 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/11/06 17:10:55.0240 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/11/06 17:10:55.0791 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/11/06 17:10:55.0891 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/11/06 17:10:55.0961 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/11/06 17:10:56.0051 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2010/11/06 17:10:56.0111 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/11/06 17:10:56.0151 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/11/06 17:10:56.0191 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/11/06 17:10:56.0221 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2010/11/06 17:10:56.0281 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/11/06 17:10:56.0442 w29n51 (f0608f3b5b6d16f4870e867f9d069b6b) C:\WINDOWS\system32\DRIVERS\w29n51.sys
    2010/11/06 17:10:56.0612 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/11/06 17:10:56.0682 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/11/06 17:10:56.0892 winachsf (c1d5cbd8aa0d674da1ba1bb189696396) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    2010/11/06 17:10:57.0052 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2010/11/06 17:10:57.0193 ================================================================================
    2010/11/06 17:10:57.0193 Scan finished
    2010/11/06 17:10:57.0193 ================================================================================
    2010/11/06 17:10:57.0213 Detected object count: 2
    2010/11/06 17:19:45.0472 agp440 (aaca23182c18f7268820bc00a6d13704) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2010/11/06 17:19:45.0472 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\agp440.sys. Real md5: aaca23182c18f7268820bc00a6d13704, Fake md5: 08fd04aa961bdc77fb983f328334e3d7
    2010/11/06 17:19:46.0995 Backup copy found, using it..
    2010/11/06 17:19:47.0075 C:\WINDOWS\system32\DRIVERS\agp440.sys - will be cured after reboot
    2010/11/06 17:19:47.0075 Rootkit.Win32.TDSS.tdl3(agp440) - User select action: Cure
    2010/11/06 17:19:47.0075 Locked file(sptd) - User select action: Skip
    2010/11/06 17:19:52.0883 Deinitialize success


    Reboot was required but there was no prompting after the reboot.
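The verdict in a TDSSKiller log like the one above is carried by a handful of lines buried among several hundred ordinary driver entries. As an added example (not part of the thread and not Kaspersky's code), the Python below pulls those lines out. A "Forged" entry means the tool obtained two different hashes for the same file depending on how it read it, which is the signature of a rootkit filtering disk reads; a "NoAccess"/"Locked" entry is a file the tool could not read at all, which for sptd.sys (the SCSI pass-through driver installed by Daemon Tools and Alcohol) is usually benign, but a "Skip" still leaves it unresolved. The sample log is a constructed excerpt of the lines posted above; the regular expressions and the Finding layout are this example's own assumptions about the log format.

```python
"""Triage a TDSSKiller log: list forged/locked drivers and the action taken on
each, so the verdict does not have to be read off hundreds of driver lines.

Added example, not code from the thread or from Kaspersky.  The regexes below
are an assumption about the log format, derived from the lines posted above."""
import re
from dataclasses import dataclass

# Constructed excerpt of the TDSSKiller output posted in the thread, cut down to
# the lines that carry a verdict plus two ordinary driver lines for context.
SAMPLE_LOG = r"""
2010/11/06 17:10:53.0157 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
2010/11/06 17:10:53.0157 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
2010/11/06 17:10:53.0167 sptd - detected Locked file (1)
2010/11/06 17:10:53.0247 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/06 17:10:57.0213 Detected object count: 2
2010/11/06 17:19:45.0472 agp440 (aaca23182c18f7268820bc00a6d13704) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/11/06 17:19:45.0472 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\agp440.sys. Real md5: aaca23182c18f7268820bc00a6d13704, Fake md5: 08fd04aa961bdc77fb983f328334e3d7
2010/11/06 17:19:46.0995 Backup copy found, using it..
2010/11/06 17:19:47.0075 C:\WINDOWS\system32\DRIVERS\agp440.sys - will be cured after reboot
2010/11/06 17:19:47.0075 Rootkit.Win32.TDSS.tdl3(agp440) - User select action: Cure
2010/11/06 17:19:47.0075 Locked file(sptd) - User select action: Skip
"""

TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "   # leading timestamp
DRIVER_RE = re.compile(TS + r"(\S+) \(([0-9a-f]{32})\) (.+)$")
FORGED_RE = re.compile(TS + r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$")
LOCKED_RE = re.compile(TS + r"Suspicious file \((?:NoAccess|Locked)\): (.+?)\. md5: ([0-9a-f]{32})$")
ACTION_RE = re.compile(TS + r"(.+?)\((\S+?)\) - User select action: (\w+)$")
COUNT_RE = re.compile(TS + r"Detected object count: (\d+)$")

# Actions that actually change the file; anything else leaves the finding open.
RESOLVING = {"Cure", "Delete", "Quarantine"}


@dataclass
class Finding:
    name: str             # service name, e.g. agp440
    path: str = ""
    kind: str = ""        # "forged" or "locked"
    real_md5: str = ""
    fake_md5: str = ""    # hash the rootkit presented (forged entries only)
    detection: str = ""   # e.g. Rootkit.Win32.TDSS.tdl3
    action: str = ""      # Cure / Skip / ...


def parse_tdsskiller(text):
    """Return ({service_name: Finding}, detected_object_count)."""
    findings, count = {}, None
    paths = {}            # lower-cased path -> service name, from ordinary driver lines
    for line in text.splitlines():
        line = line.strip()
        m = DRIVER_RE.match(line)
        if m:
            paths[m.group(3).lower()] = m.group(1)
            continue
        m = FORGED_RE.match(line)
        if m:
            name = paths.get(m.group(1).lower(), m.group(1))
            findings[name] = Finding(name, m.group(1), "forged", m.group(2), m.group(3))
            continue
        m = LOCKED_RE.match(line)
        if m:
            name = paths.get(m.group(1).lower(), m.group(1))
            findings[name] = Finding(name, m.group(1), "locked", real_md5=m.group(2))
            continue
        m = ACTION_RE.match(line)
        if m:
            f = findings.setdefault(m.group(2), Finding(m.group(2)))
            f.detection, f.action = m.group(1).strip(), m.group(3)
            continue
        m = COUNT_RE.match(line)
        if m:
            count = int(m.group(1))
    return findings, count


def outstanding(findings):
    """Service names whose finding was skipped or never acted on."""
    return sorted(n for n, f in findings.items() if f.action not in RESOLVING)


if __name__ == "__main__":
    found, n = parse_tdsskiller(SAMPLE_LOG)
    print(f"detected objects: {n}")
    for f in found.values():
        print(f"{f.name:8} {f.kind:7} {f.detection or '-':25} action={f.action or '-'}")
    print("still open:", outstanding(found))
```

Run against the full log instead of the excerpt and the output is the same two lines: agp440 forged and cured, sptd locked and skipped. The "Real md5" of agp440.sys matches the hash TDSSKiller listed on the plain driver line, so the value worth keeping for later comparison is the one the tool labelled fake.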
  5. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Good job :)
    We just got rid of a rootkit.

    See if DDS will run now.
  6. Nomad607

    Nomad607 Newcomer, in training Topic Starter Posts: 20

    Sorry Broni, not doing. Still causes a lockup about 2/3 through.
  7. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    That's fine. I just needed to know.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  8. Nomad607

    Nomad607 Newcomer, in training Topic Starter Posts: 20

    Combofix is locking up in normal as well as safe mode; I just get an hourglass after I click through the disclaimer window. rKill doesn't catch anything.
  9. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Do you run rKill first and then Combofix right away?
  10. Nomad607

    Nomad607 Newcomer, in training Topic Starter Posts: 20

    Yes. And the only process terminated was rkill.
  11. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Did you try to rename Combofix before saving the file?
  12. Nomad607

    Nomad607 Newcomer, in training Topic Starter Posts: 20

    I saved it on another computer, renamed it and then transferred it with a jumpdrive onto the desktop of the infected computer and ran it.
  13. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
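The custom-scan block above is a small language of its own: bare directives (netsvcs, drivers32, CREATERESTOREPOINT, /md5start ... /md5stop), registry keys, two dir one-liners, and mostly file patterns with %ENV% variables and trailing switches, aimed at folders where nothing legitimate lives (a second system32 under system32, executables in Fonts, screensavers loose in the Windows root). As an added example that is not OTL's code and not part of the thread, the Python below parses such a list and runs the file patterns against a directory tree. Only the /s switch is interpreted, as "recurse into subdirectories"; /x, /mp and /rs are carried through unchanged because the page does not say what they do. The scan excerpt and the file tree it is run against are constructed for the example.

```python
"""Parse an OTL-style custom-scan list and run its file patterns over a tree.

Added example, not OTL's own code.  Assumptions: '/s' means recurse; other
switches are kept but not interpreted; a trailing '*.' means 'no extension'
as it does on Windows (POSIX glob would read it literally)."""
import glob
import os
import re
import tempfile
from dataclasses import dataclass

DIRECTIVES = {"netsvcs", "drivers32", "CREATERESTOREPOINT", "/md5start", "/md5stop"}

# Constructed excerpt in the format of the list posted above.
SAMPLE_SCAN = r"""
netsvcs
%systemroot%\Fonts\*.exe
%systemroot%\*.scr
%systemroot%\system32\system32\*.*
%systemroot%\*. /mp /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop
"""

# Constructed file tree, relative to a fake system drive; two of the hits
# (hosts, arial.ttf) are there to show the patterns return leads, not verdicts.
FIXTURE = [
    "WINDOWS/Fonts/arial.ttf",
    "WINDOWS/Fonts/svchost.exe",
    "WINDOWS/logon.scr",
    "WINDOWS/system32/calc.exe",
    "WINDOWS/system32/system32/agp440.dll",
    "WINDOWS/system32/drivers/etc/hosts",
    "WINDOWS/Temp/dropper",
]


@dataclass
class ScanLine:
    kind: str              # "directive" | "registry" | "command" | "pattern"
    text: str
    switches: tuple = ()   # e.g. ("/mp", "/s")


def parse_scan_list(text):
    """Split a custom-scan block into typed lines, peeling trailing switches."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in DIRECTIVES:
            out.append(ScanLine("directive", line))
        elif line.lower().startswith("dir "):     # shell one-liner, keep whole
            out.append(ScanLine("command", line))
        else:
            body, *sw = line.split(" /")
            kind = "registry" if body.upper().startswith("HKEY_") else "pattern"
            out.append(ScanLine(kind, body, tuple("/" + s for s in sw)))
    return out


def expand_env(pattern, env):
    """Resolve %NAME% tokens from a mapping, case-insensitively like cmd.exe."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), pattern)


def run_pattern(item, env):
    """Files matched by one pattern line, as '/'-separated paths relative to the drive root."""
    recursive = "/s" in item.switches
    head, tail = os.path.split(expand_env(item.text, env).replace("\\", os.sep))
    no_ext = tail == "*."
    if no_ext:
        tail = "*"
    if recursive:
        head = os.path.join(head, "**")
    hits = [h for h in glob.glob(os.path.join(head, tail), recursive=recursive) if os.path.isfile(h)]
    if no_ext:
        hits = [h for h in hits if "." not in os.path.basename(h)]
    root = env["SYSTEMDRIVE"]
    return sorted(os.path.relpath(h, root).replace(os.sep, "/") for h in hits)


def run_demo():
    """Build the fixture tree in a temp dir and return {pattern: [hits]}."""
    with tempfile.TemporaryDirectory() as root:
        for rel in FIXTURE:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        env = {"SYSTEMDRIVE": root,
               "SYSTEMROOT": os.path.join(root, "WINDOWS"),
               "PROGRAMFILES": os.path.join(root, "Program Files")}
        return {i.text: run_pattern(i, env) for i in parse_scan_list(SAMPLE_SCAN) if i.kind == "pattern"}


if __name__ == "__main__":
    for pattern, hits in run_demo().items():
        print(f"{pattern:40} -> {hits}")
```

Registry lines and directives are parsed but not executed; reading HKLM and producing the md5 list need OTL itself on the live machine. Note that every hit is only a lead: hosts has no extension and lands in the "%systemroot%\*. /s" result exactly as the dropper does.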
  14. Nomad607

    Nomad607 Newcomer, in training Topic Starter Posts: 20

    More food for thought:

    OTL logfile created on: 11/6/2010 10:53:52 PM - Run 1
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\System User\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.2180)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    767.00 Mb Total Physical Memory | 239.00 Mb Available Physical Memory | 31.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.26 Gb Total Space | 1.92 Gb Free Space | 5.16% Space Free | Partition Type: NTFS

    Computer Name: SYSTEM-D002F5BF | User Name: System User | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010/11/06 22:52:26 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\System User\desktop\OTL.exe
    PRC - [2008/10/20 22:18:26 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
    PRC - [2008/10/06 11:14:18 | 000,118,784 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    PRC - [2008/09/30 17:41:14 | 000,125,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
    PRC - [2008/09/30 17:41:04 | 001,956,792 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    PRC - [2008/09/30 17:40:56 | 000,031,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
    PRC - [2008/09/29 10:17:54 | 000,038,176 | ---- | M] (Lenovo) -- C:\WINDOWS\system32\ibmpmsvc.exe
    PRC - [2008/06/24 18:17:38 | 000,169,320 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    PRC - [2008/06/24 18:17:36 | 000,191,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    PRC - [2008/06/24 18:17:34 | 000,053,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    PRC - [2007/07/26 19:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    PRC - [2004/08/04 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/11/06 22:52:26 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\System User\desktop\OTL.exe
    MOD - [2004/08/04 07:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/01/07 09:15:53 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2008/10/20 22:18:26 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
    SRV - [2008/09/30 17:41:08 | 000,116,664 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
    SRV - [2008/09/30 17:41:04 | 001,956,792 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
    SRV - [2008/09/30 17:40:56 | 000,031,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
    SRV - [2008/09/29 10:17:54 | 000,038,176 | ---- | M] (Lenovo) [Auto | Running] -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)
    SRV - [2008/08/20 15:50:30 | 000,214,408 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
    SRV - [2008/06/24 18:17:38 | 000,169,320 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
    SRV - [2008/06/24 18:17:36 | 000,191,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
    SRV - [2007/09/12 18:27:24 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
    SRV - [2007/07/26 19:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
    SRV - [2005/11/22 16:20:28 | 000,036,864 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\acs.exe -- (ACS)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\PCASp50.sys -- (PCASp50)
    DRV - [2010/10/18 03:00:00 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101029.003\NAVEX15.SYS -- (NAVEX15)
    DRV - [2010/10/18 03:00:00 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101029.003\NAVENG.SYS -- (NAVENG)
    DRV - [2010/07/15 03:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2009/10/19 14:30:57 | 000,721,904 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
    DRV - [2009/07/16 13:17:15 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2008/10/06 10:47:36 | 000,225,696 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
    DRV - [2008/09/29 10:17:16 | 000,023,848 | ---- | M] (Lenovo.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ibmpmdrv.sys -- (IBMPMDRV)
    DRV - [2008/08/20 15:50:02 | 000,188,808 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
    DRV - [2008/08/20 15:49:56 | 000,023,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
    DRV - [2008/06/20 04:52:06 | 000,225,920 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
    DRV - [2008/05/28 11:31:24 | 000,337,280 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
    DRV - [2008/05/28 11:31:24 | 000,054,656 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
    DRV - [2008/01/07 14:36:16 | 002,216,064 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
    DRV - [2007/07/26 19:25:18 | 000,400,216 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
    DRV - [2007/02/06 23:38:32 | 001,133,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2006/04/06 18:33:48 | 000,068,608 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\P1110Vid.sys -- (P1110VID)
    DRV - [2005/10/18 16:53:24 | 000,998,656 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
    DRV - [2005/10/18 16:52:38 | 000,242,304 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
    DRV - [2005/10/18 16:52:30 | 000,721,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2004/08/03 18:00:52 | 000,028,672 | ---- | M] (National Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nscirda.sys -- (NSCIRDA)
    DRV - [2001/08/17 08:48:14 | 000,011,520 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TwoTrack.sys -- (TwoTrack)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

    IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

    ========== FireFox ==========

    FF - prefs.js..browser.search.order.1: "Google"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "google.com"
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: silvermelxt@pardal.de:1.3.1
    FF - prefs.js..extensions.enabledItems: {D674C3B2-E476-4B19-9142-AEE78D537C35}:1.9.1
    FF - prefs.js..extensions.enabledItems: {5c876f30-10ce-11dd-bd0b-0800200c9a66}:3.5
    FF - prefs.js..keyword.URL: "http://search.search-go.net/?sid=10101054100&s="
    FF - prefs.js..network.proxy.type: 4

    FF - user.js..browser.search.selectedEngine: "Google"
    FF - user.js..browser.search.order.1: "Google"
    FF - user.js..keyword.URL: "http://search.search-go.net/?sid=10101054100&s="

    FF - HKLM\software\mozilla\Firefox\Extensions\\{D674C3B2-E476-4B19-9142-AEE78D537C35}: C:\Documents and Settings\System User\Local Settings\Application Data\{D674C3B2-E476-4B19-9142-AEE78D537C35} [2010/08/19 01:40:54 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/04 22:02:02 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/04 22:01:48 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/03/17 13:10:23 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

    [2009/07/16 13:45:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\Mozilla\Extensions
    [2010/11/06 17:25:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\Mozilla\Firefox\Profiles\3wpntdag.default\extensions
    [2009/08/18 10:33:02 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\System User\Application Data\Mozilla\Firefox\Profiles\3wpntdag.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2009/07/16 23:11:55 | 000,000,000 | ---D | M] (Aero Fox Silver) -- C:\Documents and Settings\System User\Application Data\Mozilla\Firefox\Profiles\3wpntdag.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}
    [2009/07/16 23:21:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\Mozilla\Firefox\Profiles\3wpntdag.default\extensions\chromifox@altmusictv.com
    [2010/01/22 18:52:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\Mozilla\Firefox\Profiles\3wpntdag.default\extensions\silvermelxt@pardal.de
    [2009/07/16 23:11:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\System User\Application Data\Mozilla\Firefox\Profiles\3wpntdag.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}\chrome\mac\browser\extensions
    [2009/07/16 23:11:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\System User\Application Data\Mozilla\Firefox\Profiles\3wpntdag.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}\chrome\mac\mozapps\extensions
    [2009/07/16 23:11:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\System User\Application Data\Mozilla\Firefox\Profiles\3wpntdag.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}\chrome\win\browser\extensions
    [2009/07/16 23:11:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\System User\Application Data\Mozilla\Firefox\Profiles\3wpntdag.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}\chrome\win\mozapps\extensions
    [2010/11/06 14:13:21 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/08/18 09:17:34 | 000,002,074 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml

    O1 HOSTS File: ([2010/10/04 20:03:27 | 000,420,575 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 127.0.0.1 www.007guard.com
    O1 - Hosts: 127.0.0.1 007guard.com
    O1 - Hosts: 127.0.0.1 008i.com
    O1 - Hosts: 127.0.0.1 www.008k.com
    O1 - Hosts: 127.0.0.1 008k.com
    O1 - Hosts: 127.0.0.1 www.00hq.com
    O1 - Hosts: 127.0.0.1 00hq.com
    O1 - Hosts: 127.0.0.1 010402.com
    O1 - Hosts: 127.0.0.1 www.032439.com
    O1 - Hosts: 127.0.0.1 032439.com
    O1 - Hosts: 127.0.0.1 www.0scan.com
    O1 - Hosts: 127.0.0.1 0scan.com
    O1 - Hosts: 127.0.0.1 1000gratisproben.com
    O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
    O1 - Hosts: 127.0.0.1 1001namen.com
    O1 - Hosts: 127.0.0.1 www.1001namen.com
    O1 - Hosts: 127.0.0.1 100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100sexlinks.com
    O1 - Hosts: 127.0.0.1 100sexlinks.com
    O1 - Hosts: 127.0.0.1 10sek.com
    O1 - Hosts: 127.0.0.1 www.10sek.com
    O1 - Hosts: 127.0.0.1 www.1-2005-search.com
    O1 - Hosts: 127.0.0.1 1-2005-search.com
    O1 - Hosts: 14506 more lines...
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
    O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 216.165.129.158 216.170.153.146
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O20 - Winlogon\Notify\dimsntfy: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
    O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\System User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\System User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/12 11:16:19 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: vidc.XVID - C:\WINDOWS\System32\xvidvfw.dll ()

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902109354000384)

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/11/06 22:52:21 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\System User\Desktop\OTL.exe
    [2010/11/06 22:00:03 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
    [2010/11/06 18:28:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
    [2010/11/06 17:10:09 | 001,329,752 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\System User\Desktop\TDSSKiller.exe
    [2010/11/05 14:33:13 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/11/03 21:02:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2010/11/03 20:29:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
    [4 C:\Documents and Settings\System User\Desktop\*.tmp files -> C:\Documents and Settings\System User\Desktop\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2010/11/06 22:53:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\Updater.job
    [2010/11/06 22:52:26 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\System User\Desktop\OTL.exe
    [2010/11/06 22:48:45 | 000,053,248 | ---- | M] () -- C:\Documents and Settings\System User\Desktop\proposal2.doc
    [2010/11/06 22:16:15 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/11/06 22:11:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/11/06 20:34:26 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\System User\Desktop\~$oposal2.doc
    [2010/11/06 20:23:39 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\System User\Desktop\Awesomeness.doc
    [2010/11/06 13:11:29 | 000,295,424 | ---- | M] () -- C:\Documents and Settings\System User\Desktop\r6n1tnmq.exe
    [2010/11/05 14:32:29 | 003,903,424 | ---- | M] () -- C:\Documents and Settings\System User\Desktop\ComboFix.exe
    [2010/11/05 10:24:49 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\System User\Desktop\~$esomeness.doc
    [2010/11/04 20:29:57 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
    [2010/11/03 21:44:21 | 000,001,490 | ---- | M] () -- C:\Documents and Settings\System User\Desktop\Spider.lnk
    [2010/11/03 21:03:55 | 001,066,638 | ---- | M] () -- C:\WINDOWS\System32\drivers\Cat.DB
    [2010/11/03 10:12:00 | 001,329,752 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\System User\Desktop\TDSSKiller.exe
    [2010/11/01 09:11:57 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
    [2010/10/18 21:23:42 | 000,393,674 | ---- | M] () -- C:\Documents and Settings\System User\Desktop\SecA2 lipoprotein research.pdf
    [2010/10/18 21:18:40 | 000,372,028 | ---- | M] () -- C:\Documents and Settings\System User\Desktop\SecA2 research.pdf
    [2010/10/18 21:09:12 | 000,391,732 | ---- | M] () -- C:\Documents and Settings\System User\Desktop\sodC.pdf
    [2010/10/17 22:44:53 | 000,592,819 | ---- | M] () -- C:\Documents and Settings\System User\Desktop\JBC secA2.pdf
    [2010/10/17 22:36:45 | 000,276,760 | ---- | M] () -- C:\Documents and Settings\System User\Desktop\sec systems review.pdf
    [2010/10/17 22:09:57 | 000,146,361 | ---- | M] () -- C:\Documents and Settings\System User\Desktop\phagosome stress response.pdf
    [4 C:\Documents and Settings\System User\Desktop\*.tmp files -> C:\Documents and Settings\System User\Desktop\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2010/11/06 20:34:26 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\System User\Desktop\~$oposal2.doc
    [2010/11/06 20:34:25 | 000,053,248 | ---- | C] () -- C:\Documents and Settings\System User\Desktop\proposal2.doc
    [2010/11/06 13:11:26 | 000,295,424 | ---- | C] () -- C:\Documents and Settings\System User\Desktop\r6n1tnmq.exe
    [2010/11/05 14:32:20 | 003,903,424 | ---- | C] () -- C:\Documents and Settings\System User\Desktop\ComboFix.exe
    [2010/11/05 10:24:49 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\System User\Desktop\~$esomeness.doc
    [2010/11/04 20:23:15 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\System User\Desktop\Awesomeness.doc
    [2010/11/03 21:03:37 | 001,066,638 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cat.DB
    [2010/11/01 09:11:57 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
    [2010/11/01 09:11:57 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
    [2010/10/18 21:23:42 | 000,393,674 | ---- | C] () -- C:\Documents and Settings\System User\Desktop\SecA2 lipoprotein research.pdf
    [2010/10/18 21:18:40 | 000,372,028 | ---- | C] () -- C:\Documents and Settings\System User\Desktop\SecA2 research.pdf
    [2010/10/18 21:09:12 | 000,391,732 | ---- | C] () -- C:\Documents and Settings\System User\Desktop\sodC.pdf
    [2010/10/17 22:44:53 | 000,592,819 | ---- | C] () -- C:\Documents and Settings\System User\Desktop\JBC secA2.pdf
    [2010/10/17 22:36:45 | 000,276,760 | ---- | C] () -- C:\Documents and Settings\System User\Desktop\sec systems review.pdf
    [2010/10/17 22:09:57 | 000,146,361 | ---- | C] () -- C:\Documents and Settings\System User\Desktop\phagosome stress response.pdf
    [2010/09/18 14:58:00 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
    [2010/09/18 14:58:00 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
    [2010/08/19 00:21:55 | 000,001,948 | ---- | C] () -- C:\WINDOWS\lsrslt.ini
    [2010/08/19 00:21:01 | 000,002,853 | ---- | C] () -- C:\WINDOWS\utokupuj.dll
    [2010/06/21 17:47:22 | 000,819,200 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2010/06/21 17:47:21 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2009/10/29 14:56:36 | 000,001,356 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
    [2009/10/19 14:30:56 | 000,721,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
    [2009/10/06 15:37:10 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
    [2009/10/03 00:44:06 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\System User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/10/02 07:36:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
    [2009/07/21 11:04:36 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
    [2009/07/20 14:40:52 | 000,001,156 | ---- | C] () -- C:\WINDOWS\CDPlayer.ini
    [2009/07/16 22:10:06 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2009/07/07 16:47:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2009/06/12 06:16:07 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

    ========== LOP Check ==========

    [2010/07/06 14:25:11 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
    [2009/10/19 14:35:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
    [2009/10/06 15:37:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp
    [2009/07/20 10:00:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GraphPad Software
    [2009/10/06 15:42:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
    [2009/10/06 15:32:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon
    [2010/11/04 22:04:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2010/01/27 06:51:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Thomson.ResearchSoft.Installers
    [2009/10/06 15:37:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15
    [2010/08/19 14:06:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Update
    [2010/08/18 22:58:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\0A0B9427FE2BF92C999FAFB34FC6013D
    [2009/06/12 13:10:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\Canneverbe_Limited
    [2010/01/23 15:10:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\Chinaweal Longteng
    [2009/10/19 14:42:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\DAEMON Tools Lite
    [2010/01/27 06:12:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\EndNote
    [2009/07/17 09:11:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\GetRightToGo
    [2010/05/13 12:14:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\GlarySoft
    [2009/07/20 10:00:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\GraphPad Software
    [2009/10/06 15:42:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\muvee Technologies
    [2009/10/06 15:33:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\Nikon
    [2009/07/16 13:46:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\Thunderbird
    [2010/11/06 22:53:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\Updater.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2009/06/12 11:16:19 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2010/09/18 16:03:48 | 000,000,211 | RHS- | M] () -- C:\boot.ini
    [2009/06/12 11:16:19 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2009/06/12 11:16:19 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2009/06/12 11:16:19 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2004/08/04 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2010/09/18 17:42:07 | 000,250,032 | RHS- | M] () -- C:\ntldr
    [2010/11/06 22:10:50 | 1207,959,552 | -HS- | M] () -- C:\pagefile.sys
    [2010/11/06 22:27:29 | 000,000,381 | ---- | M] () -- C:\rkill.log
    [2010/11/06 17:19:52 | 000,042,062 | ---- | M] () -- C:\TDSSKiller.2.4.6.0_06.11.2010_17.10.15_log.txt
    [2010/11/06 17:30:57 | 000,040,500 | ---- | M] () -- C:\TDSSKiller.2.4.6.0_06.11.2010_17.29.40_log.txt
    [2010/11/06 20:41:49 | 000,079,008 | ---- | M] () -- C:\TDSSKiller.2.4.6.0_06.11.2010_20.40.33_log.txt

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/06/12 11:15:47 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2006/05/01 12:00:00 | 000,022,528 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD87.DLL
    [2006/05/01 12:00:00 | 000,065,024 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP87.DLL
    [2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2007/10/20 19:21:50 | 000,278,016 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5mu.dll
    [2003/06/18 17:31:48 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >
    [2010/08/22 10:28:56 | 000,001,754 | -H-- | M] () -- C:\Documents and Settings\System User\Application Data\Microsoft\LastFlashConfig.WFC

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2009/06/12 06:13:58 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2009/06/12 06:13:58 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2009/06/12 06:13:57 | 000,888,832 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2009/07/21 11:18:03 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2009/07/21 14:33:23 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\System User\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2009/07/21 14:33:22 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\System User\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/11/05 14:32:29 | 003,903,424 | ---- | M] () -- C:\Documents and Settings\System User\desktop\ComboFix.exe
    [2010/11/06 22:52:26 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\System User\desktop\OTL.exe
    [2010/11/06 13:11:29 | 000,295,424 | ---- | M] () -- C:\Documents and Settings\System User\desktop\r6n1tnmq.exe
    [2010/11/03 10:12:00 | 001,329,752 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\System User\desktop\TDSSKiller.exe
    [4 C:\Documents and Settings\System User\Desktop\*.tmp files -> C:\Documents and Settings\System User\Desktop\*.tmp -> ]

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2009/07/21 14:33:23 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\System User\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2010/11/06 22:49:20 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\System User\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2004/08/04 07:00:00 | 000,208,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2004/08/04 07:00:00 | 000,028,672 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/04 01:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/04 01:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/04/13 19:11:59 | 000,082,944 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2004/08/04 01:06:34 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2004/08/04 01:06:34 | 001,667,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2004/08/04 07:00:00 | 000,009,306 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2004/08/04 07:00:00 | 000,018,052 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2004/08/04 07:00:00 | 000,009,306 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/04 01:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/04 01:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-10-04 22:39:27


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

    < End of report >
  15. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    I still need Extras.txt
  16. Nomad607

    Nomad607 Newcomer, in training Topic Starter Posts: 20

    My apologies!

    OTL Extras logfile created on: 11/6/2010 10:53:52 PM - Run 1
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\System User\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.2180)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    767.00 Mb Total Physical Memory | 239.00 Mb Available Physical Memory | 31.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.26 Gb Total Space | 1.92 Gb Free Space | 5.16% Space Free | Partition Type: NTFS

    Computer Name: SYSTEM-D002F5BF | User Name: System User | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .html [@ = ChromeHTML] -- Reg Error: Key error. File not found

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" File not found
    https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" File not found
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [MediaMonkey.1Play] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)
    Directory [MediaMonkey.2PlayNext] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)
    Directory [MediaMonkey.3Enqueue] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
    "{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{35B73650-6899-11DA-6784-00232A9018BE}" = GraphPad Prism 5
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4EC8B911-98AB-4819-B5EE-D32E8A0A8AAA}_is1" = DVDx 2
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
    "{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9FAC9E5C-0D20-4DBF-AFE5-2E09C52A95A2}" = ThinkPad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
    "{AD8A1013-4E46-4E02-85C2-3168C3328432}" = Symantec AntiVirus
    "{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}" = QuickTime
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
    "{FF3999BE-1A7B-4738-88AA-97BF14094A4A}" = PictureProject
    "7-Zip" = 7-Zip 4.65
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Photoshop 7.0" = Adobe Photoshop 7.0
    "ATI Display Driver" = ATI Display Driver
    "CCleaner" = CCleaner
    "CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014" = ThinkPad Integrated 56K Modem
    "Creative PD1110" = Creative WebCam NX Driver (2.00.04.0000)
    "Glary Utilities_is1" = Glary Utilities 2.22.0.896
    "InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}" = QuickTime
    "ISI ResearchSoft - Export Helper" = ISI ResearchSoft - Export Helper
    "LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "MediaMonkey_is1" = MediaMonkey 3.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
    "Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
    "Picasa 3" = Picasa 3
    "PictureProject In Touch Downloader" = PictureProject In Touch Downloader 1.0
    "Power Management Driver" = ThinkPad Power Management Driver
    "PROSet" = Intel(R) PRO Network Connections Drivers
    "SynTPDeinstKey" = ThinkPad UltraNav Driver
    "VLC media player" = VLC media player 0.9.9
    "Xvid_is1" = Xvid 1.2.2 final uninstall

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 8/19/2010 1:34:19 AM | Computer Name = SYSTEM-D002F5BF | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    Error - 8/19/2010 12:43:13 PM | Computer Name = SYSTEM-D002F5BF | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 8/19/2010 12:43:14 PM | Computer Name = SYSTEM-D002F5BF | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 8/19/2010 12:43:14 PM | Computer Name = SYSTEM-D002F5BF | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The connection with the server was terminated abnormally

    Error - 8/19/2010 12:43:15 PM | Computer Name = SYSTEM-D002F5BF | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 8/19/2010 12:43:15 PM | Computer Name = SYSTEM-D002F5BF | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    Error - 8/19/2010 12:53:46 PM | Computer Name = SYSTEM-D002F5BF | Source = Symantec AntiVirus | ID = 16711726
    Description = Security Risk Found!Risk: Downloader in File: C:\WINDOWS\Temp\bpro_cd714_1890.exe
    by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

    Error - 8/19/2010 12:53:47 PM | Computer Name = SYSTEM-D002F5BF | Source = Symantec AntiVirus | ID = 16711685
    Description = Risk Found!Risk: Downloader in File: C:\WINDOWS\Temp\bpro_cd714_1890.exe
    by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

    Error - 8/19/2010 12:53:52 PM | Computer Name = SYSTEM-D002F5BF | Source = Symantec AntiVirus | ID = 16711731
    Description = Security Risk Found!Risk: Downloader in File: C:\WINDOWS\Temp\bpro_cd714_1890.exe
    by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

    Error - 8/19/2010 12:57:14 PM | Computer Name = SYSTEM-D002F5BF | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
    AntiVirus\VPC32.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\pwvxqgcsf\pkcgysdshdw.exe
    (PID 4260) Time: Thursday, August 19, 2010 11:57:14 AM

    [ System Events ]
    Error - 11/6/2010 10:23:33 PM | Computer Name = SYSTEM-D002F5BF | Source = Service Control Manager | ID = 7000
    Description = The Upload Manager service failed to start due to the following error:
    %%1079

    Error - 11/6/2010 10:28:54 PM | Computer Name = SYSTEM-D002F5BF | Source = Service Control Manager | ID = 7000
    Description = The Upload Manager service failed to start due to the following error:
    %%1079

    Error - 11/6/2010 10:41:29 PM | Computer Name = SYSTEM-D002F5BF | Source = Service Control Manager | ID = 7000
    Description = The Upload Manager service failed to start due to the following error:
    %%1079

    Error - 11/6/2010 10:48:05 PM | Computer Name = SYSTEM-D002F5BF | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 11/6/2010 10:48:32 PM | Computer Name = SYSTEM-D002F5BF | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service StiSvc with
    arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

    Error - 11/6/2010 10:48:54 PM | Computer Name = SYSTEM-D002F5BF | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    eeCtrl Fips intelppm SAVRT SAVRTPEL SPBBCDrv SYMTDI

    Error - 11/6/2010 10:58:39 PM | Computer Name = SYSTEM-D002F5BF | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 11/6/2010 10:59:06 PM | Computer Name = SYSTEM-D002F5BF | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    eeCtrl Fips intelppm SAVRT SAVRTPEL SPBBCDrv SYMTDI

    Error - 11/6/2010 10:59:16 PM | Computer Name = SYSTEM-D002F5BF | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service StiSvc with
    arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

    Error - 11/6/2010 11:11:15 PM | Computer Name = SYSTEM-D002F5BF | Source = Service Control Manager | ID = 7000
    Description = The Upload Manager service failed to start due to the following error:
    %%1079


    < End of report >
  17. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    You're running very low on C drive free space.

    ========================================================================

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
      O20 - Winlogon\Notify\dimsntfy: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
      [4 C:\Documents and Settings\System User\Desktop\*.tmp files -> C:\Documents and Settings\System User\Desktop\*.tmp -> ]
      [2010/08/19 00:21:55 | 000,001,948 | ---- | C] () -- C:\WINDOWS\lsrslt.ini
      [2010/08/19 00:21:01 | 000,002,853 | ---- | C] () -- C:\WINDOWS\utokupuj.dll
      [2010/08/18 22:58:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\System User\Application Data\0A0B9427FE2BF92C999FAFB34FC6013D
      @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
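    The OTL fix above goes after three kinds of indicator: an IE ProxyServer pointing at the loopback address (traffic silently routed through a local process), a Security Center "DisableMonitoring" override for the installed antivirus, and autostart entries (Winlogon\Notify, URLSearchHook) whose target file is missing. The following is an added example, not OTL's or Broni's code, that picks those same indicators out of OTL-style log lines; the sample lines are copied from the log quoted in this thread, with two benign lines added to show they are not flagged.

    ```python
    """Triage helper for OTL-style log lines (added example, not part of OTL)."""
    import re
    from dataclasses import dataclass
    from typing import List

    # Constructed sample: lines taken from the OTL output quoted in this thread,
    # plus the SymantecFirewall and SystemRestore lines as benign controls.
    SAMPLE_LOG = r"""
    IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
    O20 - Winlogon\Notify\dimsntfy: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" = 1
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0
    """

    # Hosts that mean "a proxy running on this very machine".
    LOOPBACK = {"127.0.0.1", "localhost", "::1"}


    @dataclass
    class Finding:
        rule: str   # short rule name, e.g. "loopback-proxy"
        line: str   # the log line that triggered it


    def parse_proxy_hosts(value: str) -> List[str]:
        """Return the host of each entry in an IE ProxyServer value.

        IE accepts 'host:port' or 'scheme=host:port' entries separated by ';'.
        IPv6 loopback is recognised in its bracketed '[::1]:port' form.
        """
        hosts = []
        for entry in value.split(";"):
            entry = entry.strip()
            if not entry:
                continue
            if "=" in entry:                      # strip the 'http=' scheme prefix
                entry = entry.split("=", 1)[1]
            host = entry.rsplit(":", 1)[0] if ":" in entry else entry
            hosts.append(host.strip("[]").lower())
        return hosts


    def triage(log_text: str) -> List[Finding]:
        """Scan OTL-style lines and return the indicators the fix script targets."""
        findings: List[Finding] = []
        current_key = None                        # last '[HKEY_...]' header seen
        for raw in log_text.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
                continue
            # 1. IE proxy pointing back at this machine.
            m = re.search(r'"ProxyServer"\s*=\s*(.+)$', line)
            if m and any(h in LOOPBACK for h in parse_proxy_hosts(m.group(1))):
                findings.append(Finding("loopback-proxy", line))
                continue
            # 2. Security Center told to stop monitoring a security product.
            m = re.match(r'"DisableMonitoring"\s*=\s*(\d+)', line)
            if (m and m.group(1) != "0" and current_key
                    and "\\Security Center\\Monitoring\\" in current_key):
                product = current_key.rsplit("\\", 1)[1]
                findings.append(Finding(f"security-center-monitoring-disabled:{product}", line))
                continue
            # 3. Autostart hooks whose target file no longer exists.
            if line.endswith("File not found") and (
                    line.startswith("O20 - Winlogon\\Notify") or "URLSearchHook" in line):
                findings.append(Finding("autostart-missing-file", line))
        return findings


    if __name__ == "__main__":
        for f in triage(SAMPLE_LOG):
            print(f"{f.rule:55} {f.line}")
    ```
    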
  18. Nomad607

    Nomad607 Newcomer, in training Topic Starter Posts: 20

    Here goes:

    All processes killed
    ========== OTL ==========
    Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy\ deleted successfully.
    C:\Documents and Settings\System User\Desktop\~WRL0003.tmp deleted successfully.
    C:\Documents and Settings\System User\Desktop\~WRL0005.tmp deleted successfully.
    C:\Documents and Settings\System User\Desktop\~WRL0422.tmp deleted successfully.
    C:\Documents and Settings\System User\Desktop\~WRL3796.tmp deleted successfully.
    C:\WINDOWS\lsrslt.ini moved successfully.
    C:\WINDOWS\utokupuj.dll moved successfully.
    C:\Documents and Settings\System User\Application Data\0A0B9427FE2BF92C999FAFB34FC6013D folder moved successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring deleted successfully.
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 24832 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Administrator.SYSTEM-D002F5BF
    ->Temp folder emptied: 416654 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: System User
    ->Temp folder emptied: 7703047 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 68896661 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 1013 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 68333 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 1183536 bytes

    Total Files Cleaned = 75.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: Administrator.SYSTEM-D002F5BF

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    User: System User
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.17.3 log created on 11072010_001954

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  19. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Delete your Combofix file, download a fresh one (rename it before saving) and see if it'll run now.
    Don't forget to disable Norton.

    Bed time for me, so I'll catch you tomorrow morning :)
  20. Nomad607

    Nomad607 Newcomer, in training Topic Starter Posts: 20

    Still nothing, in regular or safe mode.
  21. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    That's fine.

    One question.
    I can see you're running a pretty old Norton version. Are you still getting updates for that program?

    How is the computer doing at the moment?

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
  22. Nomad607

    Nomad607 Newcomer, in training Topic Starter Posts: 20

    I can still get updates no problem for my Symantec...

    Here's the next batch of stuff:

    Security Check
    Results of screen317's Security Check version 0.99.5
    Windows XP Service Pack 2
    Out of date service pack!!
    Internet Explorer 6 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Symantec AntiVirus
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    CCleaner
    Java(TM) 6 Update 22
    Out of date Java installed!
    Adobe Flash Player 10.0.42.34
    Adobe Reader 9.3.3
    Mozilla Firefox (3.6.12) Firefox Out of Date!
    Mozilla Thunderbird (2.0.0) Thunderbird Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Symantec AntiVirus DefWatch.exe
    Symantec AntiVirus Rtvscan.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````

    ESET
    C:\_OTL\MovedFiles\11072010_001954\C_Documents and Settings\System User\Application Data\0A0B9427FE2BF92C999FAFB34FC6013D\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
    C:\_OTL\MovedFiles\11072010_001954\C_Documents and Settings\System User\Application Data\0A0B9427FE2BF92C999FAFB34FC6013D\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
    C:\_OTL\MovedFiles\11072010_001954\C_WINDOWS\utokupuj.dll Win32/Adware.SpywareProtect2009 application
  23. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    You need to update IE to at least ver. 7.
    You need to install Service Pack 3.
    Both are very important!

    ========================================================================

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all the tools we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current (including SP3!!)

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
  24. Nomad607

    Nomad607 Newcomer, in training Topic Starter Posts: 20

    I had installed SP3 previously and had problems with wireless internet; it doesn't pick up any networks in range. As soon as I rolled it back, the problems with the wireless went away.

    On your request, I reinstalled it and the same wireless problem returned. Any suggestions?
  25. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    We'll try to fix it. SP3 is a must.

    I assume we're dealing with a laptop here, correct?
    If so, what brand and model?
    Will a wired connection work?
    Do you have any errors in Device Manager?

    =======================================================================

    With wireless button ON (very important!)...

    1. Click Start>Run (Start>"Start search" in Vista).

    2. Type in (or copy and paste):

    cmd /c ping google.com>%temp%\$.$&notepad %temp%\$.$

    and press Enter.

    3. Notepad will open.

    4. Copy all text in Notepad ([Ctrl-A], then [Ctrl-C]), and then post it (paste = [Ctrl-V]) in your next reply.

    ***********************************************

    Go Start>Run ("Start search" in Vista), type in:
    cmd
    Click OK (hit Enter in Vista).

    At Command Prompt, paste this:
    ipconfig /all>c:\ipconfig_all.txt&notepad c:\ipconfig_all.txt&exit
    Hit Enter.

    Copy and paste what you see in Notepad into a Reply here.