TechSpot

XP anti-spyware alerts - can not remove them

By tgugino
May 7, 2011
  1. Hi Broni - You helped me out a few months ago with a spyware/virus issue. I meant to send you a donation after you helped me but I forgot, so I just sent you a donation. I have another spyware/virus issue. Bad karma I guess.

    Here are the symptoms this time...
    I get XP Anti-spyware alerts popups when I first turn on my computer. I am not able to run Malwarebytes Anti-malware at all. I try to execute it but it never launches. Also, my Internet Explorer will not work at all but Firefox works.

    Thanks!
     
  2. Broni

    Broni Malware Annihilator Posts: 52,915   +344

  3. tgugino

    tgugino TS Rookie Topic Starter Posts: 39

    I ran through the steps outlined but now I have more malware. The ones I can see are Windows Security Center, XP Total Security 2011, and Windows Recovery. I can not get to any programs from Windows Start or a browser. I can't open Windows Explorer.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    I need to know, what exactly has been done, regarding steps from the link I provided.
     
  5. tgugino

    tgugino TS Rookie Topic Starter Posts: 39

    I completed the 18-step process from bleepingcomputer.com (http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011). More specifically…

    From step 3…I copied the registry file to a thumb drive from a clean computer. Then executed it on the infected computer. It ran successfully.

    From step 4…Downloaded and ran the rkill program. After I ran the rkill program the XP Anti-spyware malware appeared to be removed. There were other kinds of malware popups still present so I ran rkill again.

    From steps 5 through 17…I already had Malwarebytes Antimalware and a current update file so I did not have to download it. I ran the Malwarebytes program and had it reboot to remove some of the files.

    After the reboot there were other malware popups on the screen. The names of the malware are Windows Security Center, and XP Total Security 2011. The computer was usable for a day or two. Now, when I turn it on and go to Start, Program Files, there are no programs available. Help!
     
  6. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Thank you :)
    We'll try to fix your issues.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. tgugino

    tgugino TS Rookie Topic Starter Posts: 39

    I am not able to get to a browser or any program on my computer. I have the combofix on a thumbdrive. Do you want me to install it from the thumbdrive and run it in safe mode?
     
  8. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Combofix doesn't require installation.
    Simply copy/paste combofix.exe file from a thumbdrive to your Desktop.
     
  9. tgugino

    tgugino TS Rookie Topic Starter Posts: 39

    ComboFix 11-05-11.02 - Authorized User 05/11/2011 22:51:08.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.489 [GMT -7:00]
    Running from: c:\documents and settings\Authorized User\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\18800420.exe
    c:\documents and settings\All Users\Application Data\KMsAsKYhhcwX.exe
    c:\documents and settings\All Users\Application Data\Tarma Installer
    c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
    c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
    c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
    c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
    c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
    c:\documents and settings\Authorized User\Application Data\7DEB2F60F4ED7FC4F140AEB6D3CF9BF7
    c:\documents and settings\Authorized User\Application Data\7DEB2F60F4ED7FC4F140AEB6D3CF9BF7\enemies-names.txt
    c:\documents and settings\Authorized User\Application Data\7DEB2F60F4ED7FC4F140AEB6D3CF9BF7\local.ini
    c:\documents and settings\Authorized User\Application Data\7DEB2F60F4ED7FC4F140AEB6D3CF9BF7\lsrslt.ini
    c:\documents and settings\Authorized User\Application Data\Adobe\plugs
    c:\documents and settings\Authorized User\Application Data\Adobe\plugs\mmc166.exe
    c:\documents and settings\Authorized User\Application Data\Adobe\plugs\mmc17611546.txt
    c:\documents and settings\Authorized User\Application Data\Adobe\plugs\mmc19076484.txt
    c:\documents and settings\Authorized User\Application Data\Adobe\shed
    c:\documents and settings\Authorized User\Application Data\Adobe\shed\thr1.chm
    c:\documents and settings\Authorized User\Desktop\Windows Recovery.lnk
    c:\documents and settings\Authorized User\Local Settings\Application Data\{DEDC2E0C-95BF-4748-BB4A-37DC166F0EBD}
    c:\documents and settings\Authorized User\Local Settings\Application Data\{DEDC2E0C-95BF-4748-BB4A-37DC166F0EBD}\chrome.manifest
    c:\documents and settings\Authorized User\Local Settings\Application Data\{DEDC2E0C-95BF-4748-BB4A-37DC166F0EBD}\chrome\content\_cfg.js
    c:\documents and settings\Authorized User\Local Settings\Application Data\{DEDC2E0C-95BF-4748-BB4A-37DC166F0EBD}\chrome\content\overlay.xul
    c:\documents and settings\Authorized User\Local Settings\Application Data\{DEDC2E0C-95BF-4748-BB4A-37DC166F0EBD}\install.rdf
    c:\documents and settings\Authorized User\Local Settings\Application Data\kah.exe
    c:\documents and settings\Authorized User\Start Menu\Programs\Windows Recovery
    c:\documents and settings\Authorized User\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
    c:\documents and settings\Authorized User\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
    c:\documents and settings\NetworkService\Local Settings\Application Data\oimdvhemc.exe
    c:\windows\erimayob.dll
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\wpcap.dll
    c:\windows\usap32.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_ITLPERF
    -------\Legacy_NPF
    -------\Service_itlperf
    -------\Service_NPF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-12 06:11 . 2011-05-12 06:11 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKslb65270d2.sys
    2011-05-11 03:41 . 2011-05-11 19:46 0 ---ha-w- c:\windows\Egogifa.bin
    2011-05-11 03:32 . 2011-05-11 03:32 69632 ---ha-w- c:\windows\system32\Spool\prtprocs\w32x86\191EC.tmp
    2011-05-11 03:32 . 2011-05-11 03:32 116224 ---ha-w- c:\windows\system32\drivers\573ED.sys
    2011-05-11 03:27 . 2011-05-11 03:27 116224 ---ha-w- c:\windows\system32\drivers\184E7.sys
    2011-05-05 21:29 . 2011-04-11 07:04 7071056 ---ha-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\mpengine.dll
    2011-05-01 20:15 . 2011-05-01 20:15 -------- d--h--w- c:\documents and settings\Authorized User\Application Data\com.Shutterfly.ExpressUploader
    2011-05-01 20:15 . 2011-05-01 20:15 -------- d--h--w- c:\program files\Shutterfly
    2011-04-20 06:33 . 2011-04-20 06:33 -------- d--h--w- c:\documents and settings\Authorized User\Local Settings\Application Data\Help
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-11 07:04 . 2011-01-27 06:26 7071056 ---ha-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-03-07 05:33 . 2010-02-08 20:22 692736 ---ha-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37 . 2006-03-15 12:00 420864 ---ha-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21 . 2006-03-15 12:00 1857920 ---ha-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06 . 2006-03-15 12:00 916480 ---ha-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06 . 2006-03-15 12:00 43520 ---ha-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06 . 2006-03-15 12:00 1469440 ---h--w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41 . 2006-03-15 12:00 385024 ---ha-w- c:\windows\system32\html.iec
    2011-02-17 13:18 . 2006-03-15 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-02-17 13:18 . 2006-03-15 12:00 357888 ---ha-w- c:\windows\system32\drivers\srv.sys
    2011-02-17 12:32 . 2010-02-08 22:01 5120 ---ha-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56 . 2006-03-15 12:00 290432 ---ha-w- c:\windows\system32\atmfd.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    2010-12-20 18:09 191488 ---h--w- c:\program files\Yontoo Layers Client\YontooIEClient.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-29 700416]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-22 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    c:\documents and settings\Authorized User\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
    Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    2008-06-18 20:47 24692 ---ha-w- c:\windows\system32\ckpNotify.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2006-02-10 05:05 344064 ---ha-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ---ha-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2004-08-10 12:04 59392 ---ha-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2005-03-23 01:20 339968 ---ha-w- c:\windows\stsystra.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\CheckPoint\\SecureClient\\bin\\SR_SERVICE.EXE"=
    "c:\\Program Files\\CheckPoint\\SecureClient\\bin\\SR_GUI.EXE"=
    "c:\\Program Files\\CheckPoint\\SecureClient\\bin\\SCC.EXE"=
    "c:\\Program Files\\CheckPoint\\SecureClient\\bin\\SR_SDS.EXE"=
    "c:\\Program Files\\CheckPoint\\SecureClient\\bin\\SR_DIAGNOSTICS.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    .
    R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [6/18/2008 1:46 PM 2235760]
    R1 MpKslb65270d2;MpKslb65270d2;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKslb65270d2.sys [5/11/2011 11:11 PM 28752]
    R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [6/18/2008 1:46 PM 47504]
    R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [1/10/2011 7:24 AM 993848]
    R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [1/10/2011 7:24 AM 399416]
    R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [6/18/2008 1:46 PM 121136]
    R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [6/18/2008 1:46 PM 673872]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 1:30 AM 15544]
    S1 MpKsl061513f6;MpKsl061513f6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC32A209-938B-4B8B-AB29-77E0BAFCD9A7}\MpKsl061513f6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC32A209-938B-4B8B-AB29-77E0BAFCD9A7}\MpKsl061513f6.sys [?]
    S1 MpKsl15bface4;MpKsl15bface4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{10885448-923F-4079-89B6-4F221D712EB7}\MpKsl15bface4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{10885448-923F-4079-89B6-4F221D712EB7}\MpKsl15bface4.sys [?]
    S1 MpKsl16885805;MpKsl16885805;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F842F218-FCC4-4680-A130-5E14C832D314}\MpKsl16885805.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F842F218-FCC4-4680-A130-5E14C832D314}\MpKsl16885805.sys [?]
    S1 MpKsl17f46cf0;MpKsl17f46cf0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{640FB5CB-1B92-4751-8780-F7BAC192405F}\MpKsl17f46cf0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{640FB5CB-1B92-4751-8780-F7BAC192405F}\MpKsl17f46cf0.sys [?]
    S1 MpKsl33c45e86;MpKsl33c45e86;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AED1BF2F-E483-4711-BFB4-5483AE5FB810}\MpKsl33c45e86.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AED1BF2F-E483-4711-BFB4-5483AE5FB810}\MpKsl33c45e86.sys [?]
    S1 MpKsl3e3f363c;MpKsl3e3f363c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04079C83-26D2-4B80-B5DC-EAC7ECB02D7D}\MpKsl3e3f363c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04079C83-26D2-4B80-B5DC-EAC7ECB02D7D}\MpKsl3e3f363c.sys [?]
    S1 MpKsl405a6f0e;MpKsl405a6f0e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D46091C4-BE92-4452-9C03-1F6E1567DED3}\MpKsl405a6f0e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D46091C4-BE92-4452-9C03-1F6E1567DED3}\MpKsl405a6f0e.sys [?]
    S1 MpKsl513dcd34;MpKsl513dcd34;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B60253-2265-4ADD-8287-5880144D5DB4}\MpKsl513dcd34.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B60253-2265-4ADD-8287-5880144D5DB4}\MpKsl513dcd34.sys [?]
    S1 MpKsl56ec2b77;MpKsl56ec2b77;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{54A285B3-A1FF-48E3-B073-6E97138E1669}\MpKsl56ec2b77.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{54A285B3-A1FF-48E3-B073-6E97138E1669}\MpKsl56ec2b77.sys [?]
    S1 MpKsl5f162894;MpKsl5f162894;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsl5f162894.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsl5f162894.sys [?]
    S1 MpKsl75d8a54d;MpKsl75d8a54d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD45B153-C634-452F-9C58-CC4072518881}\MpKsl75d8a54d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD45B153-C634-452F-9C58-CC4072518881}\MpKsl75d8a54d.sys [?]
    S1 MpKsl84e40c9b;MpKsl84e40c9b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{820E8304-E726-4EAB-8807-4CEE73109126}\MpKsl84e40c9b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{820E8304-E726-4EAB-8807-4CEE73109126}\MpKsl84e40c9b.sys [?]
    S1 MpKsl89203d0e;MpKsl89203d0e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsl89203d0e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsl89203d0e.sys [?]
    S1 MpKsl910bd2c1;MpKsl910bd2c1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{93146F18-A4BB-4686-BB27-72FC618C5EE3}\MpKsl910bd2c1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{93146F18-A4BB-4686-BB27-72FC618C5EE3}\MpKsl910bd2c1.sys [?]
    S1 MpKsl947b1d84;MpKsl947b1d84;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{603233DA-244D-475E-971A-84674287D356}\MpKsl947b1d84.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{603233DA-244D-475E-971A-84674287D356}\MpKsl947b1d84.sys [?]
    S1 MpKsla23455bb;MpKsla23455bb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{99A9DC82-A80E-4600-8CCD-F1207E590B1E}\MpKsla23455bb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{99A9DC82-A80E-4600-8CCD-F1207E590B1E}\MpKsla23455bb.sys [?]
    S1 MpKslab3aefc8;MpKslab3aefc8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D29AC71-2CFF-470B-B855-5A55F8001634}\MpKslab3aefc8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D29AC71-2CFF-470B-B855-5A55F8001634}\MpKslab3aefc8.sys [?]
    S1 MpKslac7aa5fa;MpKslac7aa5fa;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A00ECDFB-06A7-48C5-91FE-12D34C310C97}\MpKslac7aa5fa.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A00ECDFB-06A7-48C5-91FE-12D34C310C97}\MpKslac7aa5fa.sys [?]
    S1 MpKslb75bce4e;MpKslb75bce4e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A4BFA0B3-0869-44DE-87F7-D0AE75F19EA7}\MpKslb75bce4e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A4BFA0B3-0869-44DE-87F7-D0AE75F19EA7}\MpKslb75bce4e.sys [?]
    S1 MpKslbdc3eaad;MpKslbdc3eaad;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F03593FE-1D50-4321-AC3F-3FC456AF21AB}\MpKslbdc3eaad.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F03593FE-1D50-4321-AC3F-3FC456AF21AB}\MpKslbdc3eaad.sys [?]
    S1 MpKslc5068168;MpKslc5068168;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FF1E8281-70E6-466D-93DF-5E444E22926D}\MpKslc5068168.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FF1E8281-70E6-466D-93DF-5E444E22926D}\MpKslc5068168.sys [?]
    S1 MpKslc6686e02;MpKslc6686e02;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F03593FE-1D50-4321-AC3F-3FC456AF21AB}\MpKslc6686e02.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F03593FE-1D50-4321-AC3F-3FC456AF21AB}\MpKslc6686e02.sys [?]
    S1 MpKslceae29de;MpKslceae29de;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKslceae29de.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKslceae29de.sys [?]
    S1 MpKsld090f9ae;MpKsld090f9ae;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A348B8E5-B1CC-4D49-935F-5E2E42345215}\MpKsld090f9ae.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A348B8E5-B1CC-4D49-935F-5E2E42345215}\MpKsld090f9ae.sys [?]
    S1 MpKsld11fc161;MpKsld11fc161;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{81B403C1-E1F8-4BDA-BD1C-A288B0C47C46}\MpKsld11fc161.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{81B403C1-E1F8-4BDA-BD1C-A288B0C47C46}\MpKsld11fc161.sys [?]
    S1 MpKsldb97fd3e;MpKsldb97fd3e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsldb97fd3e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsldb97fd3e.sys [?]
    S1 MpKsldbdb4505;MpKsldbdb4505;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B60253-2265-4ADD-8287-5880144D5DB4}\MpKsldbdb4505.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B60253-2265-4ADD-8287-5880144D5DB4}\MpKsldbdb4505.sys [?]
    S1 MpKslf75da7e9;MpKslf75da7e9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEDA0814-EF67-4A30-9707-7A96C0C2A927}\MpKslf75da7e9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEDA0814-EF67-4A30-9707-7A96C0C2A927}\MpKslf75da7e9.sys [?]
    S1 MpKslfd821756;MpKslfd821756;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8B63C1DE-28A6-4B08-A676-2FB257EE961D}\MpKslfd821756.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8B63C1DE-28A6-4B08-A676-2FB257EE961D}\MpKslfd821756.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/21/2010 8:13 PM 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/21/2010 8:13 PM 136176]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSLB65270D2
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    itlsvc REG_MULTI_SZ itlperf
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
    .
    2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-22 03:13]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-22 03:13]
    .
    2011-05-12 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26]
    .
    2011-05-12 c:\windows\Tasks\User_Feed_Synchronization-{58EDDB7F-CF96-43AD-B4A6-4C4C32437150}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    Trusted Zone: intuit.com\ttlc
    DPF: Garmin Communicator Plug-In
    DPF: {9C3EFB8A-DC20-484B-B905-5E337A988C5D} - hxxp://camera3.dunkirk.wnyric.org/LNetCam.cab
    FF - ProfilePath - c:\documents and settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\x0dabe5s.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-Gqaregexinoduse - c:\windows\usap32.dll
    HKCU-Run-KMsAsKYhhcwX - c:\documents and settings\All Users\Application Data\KMsAsKYhhcwX.exe
    HKLM-Run-Nyaroniqi - c:\windows\erimayob.dll
    Notify-itlntfy - itlnfw32.dll
    AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe
    AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Authorized User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-11 23:12
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3160828AS rev.8.04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
    .
    device: opened successfully
    user: MBR read successfully
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8671353B
    user & kernel MBR OK
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,2f,4b,ab,e4,d1,2b,4d,ae,46,5a,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,2f,4b,ab,e4,d1,2b,4d,ae,46,5a,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(744)
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'lsass.exe'(804)
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(3588)
    c:\windows\system32\WININET.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\program files\CheckPoint\SecureClient\bin\SR_Service.exe
    c:\program files\CheckPoint\SecureClient\bin\SR_Watchdog.exe
    c:\program files\CheckPoint\SecureClient\bin\SR_GUI.Exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\dllhost.exe
    c:\program files\iTunes\iTunes.exe
    c:\windows\system32\msiexec.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
    c:\program files\Common Files\Apple\Apple Application Support\distnoted.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-11 23:32:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-12 06:32
    .
    Pre-Run: 83,203,092,480 bytes free
    Post-Run: 83,597,586,432 bytes free
    .
    - - End Of File - - F5434E5E86E9299F594CF7F6C65AF320
     
  10. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Egogifa.bin
    c:\windows\system32\Spool\prtprocs\w32x86\191EC.tmp
    c:\windows\system32\drivers\573ED.sys
    c:\windows\system32\drivers\184E7.sys
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=dword:00000001
    "DisableNotifications"=-
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  11. tgugino

    tgugino TS Rookie Topic Starter Posts: 39

    I added the script to the combofix program, and tried to run the program. I got a message that said there was a newer version available so I downloaded it. However, I am not able to run the program. I downloaded the combofix from both the download sites but still was not able to run it. The error I get is "You appear to have a corrupt download. Please download a fresh copy of combofix.exe. You can close combofix by clicking the right corner of the progress bar."
     
  12. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Delete your Combofix file, download fresh one and try again.
    If still a problem, run it from Safe Mode.
     
  13. tgugino

    tgugino TS Rookie Topic Starter Posts: 39

    One thing worth noting. When I ran it in safe mode it asked me whether I wanted to download a newer version. I declined to download a new version though. Here is the log....

    ComboFix 11-05-11.02 - Authorized User 05/12/2011 21:36:51.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.523 [GMT -7:00]
    Running from: c:\documents and settings\Authorized User\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Authorized User\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    FILE ::
    "c:\windows\Egogifa.bin"
    "c:\windows\system32\drivers\184E7.sys"
    "c:\windows\system32\drivers\573ED.sys"
    "c:\windows\system32\Spool\prtprocs\w32x86\191EC.tmp"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\Egogifa.bin
    c:\windows\system32\Spool\prtprocs\w32x86\191EC.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-13 to 2011-05-13 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-13 04:23 . 2011-05-13 04:24 -------- d-----w- C:\32788R22FWJFW
    2011-05-13 02:10 . 2011-05-13 02:10 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsl32a2a365.sys
    2011-05-12 06:31 . 2011-05-12 06:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2011-05-12 06:31 . 2011-05-12 06:31 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
    2011-05-12 06:31 . 2011-05-12 06:31 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
    2011-05-12 06:26 . 2011-05-12 06:31 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
    2011-05-05 21:29 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\mpengine.dll
    2011-05-01 20:15 . 2011-05-01 20:15 -------- d-----w- c:\documents and settings\Authorized User\Application Data\com.Shutterfly.ExpressUploader
    2011-05-01 20:15 . 2011-05-01 20:15 -------- d-----w- c:\program files\Shutterfly
    2011-04-20 06:33 . 2011-04-20 06:33 -------- d-----w- c:\documents and settings\Authorized User\Local Settings\Application Data\Help
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-11 07:04 . 2011-01-27 06:26 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-03-07 05:33 . 2010-02-08 20:22 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37 . 2006-03-15 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21 . 2006-03-15 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06 . 2006-03-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06 . 2006-03-15 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06 . 2006-03-15 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41 . 2006-03-15 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-17 13:18 . 2006-03-15 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-02-17 13:18 . 2006-03-15 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-02-17 12:32 . 2010-02-08 22:01 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56 . 2006-03-15 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-05-12_06.12.56 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-05-13 04:33 . 2011-05-13 04:33 16384 c:\windows\temp\Perflib_Perfdata_404.dat
    + 2010-12-02 02:36 . 2011-05-12 06:31 380928 c:\windows\Installer\{FAE36873-1941-4076-A9A5-48812B5EA0B7}\iTunesIco.exe
    - 2010-12-02 02:36 . 2010-12-02 02:36 380928 c:\windows\Installer\{FAE36873-1941-4076-A9A5-48812B5EA0B7}\iTunesIco.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    2010-12-20 18:09 191488 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-29 700416]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-22 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    c:\documents and settings\Authorized User\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
    Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    2008-06-18 20:47 24692 ----a-w- c:\windows\system32\ckpNotify.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\itlntfy]
    [BU]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2006-02-10 05:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2004-08-10 12:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2005-03-23 01:20 339968 ----a-w- c:\windows\stsystra.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\CheckPoint\\SecureClient\\bin\\SR_SERVICE.EXE"=
    "c:\\Program Files\\CheckPoint\\SecureClient\\bin\\SR_GUI.EXE"=
    "c:\\Program Files\\CheckPoint\\SecureClient\\bin\\SCC.EXE"=
    "c:\\Program Files\\CheckPoint\\SecureClient\\bin\\SR_SDS.EXE"=
    "c:\\Program Files\\CheckPoint\\SecureClient\\bin\\SR_DIAGNOSTICS.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [6/18/2008 1:46 PM 2235760]
    R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [6/18/2008 1:46 PM 47504]
    R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [1/10/2011 7:24 AM 993848]
    R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [1/10/2011 7:24 AM 399416]
    R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [6/18/2008 1:46 PM 121136]
    R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [6/18/2008 1:46 PM 673872]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 1:30 AM 15544]
    S1 MpKsl061513f6;MpKsl061513f6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC32A209-938B-4B8B-AB29-77E0BAFCD9A7}\MpKsl061513f6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC32A209-938B-4B8B-AB29-77E0BAFCD9A7}\MpKsl061513f6.sys [?]
    S1 MpKsl15bface4;MpKsl15bface4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{10885448-923F-4079-89B6-4F221D712EB7}\MpKsl15bface4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{10885448-923F-4079-89B6-4F221D712EB7}\MpKsl15bface4.sys [?]
    S1 MpKsl16885805;MpKsl16885805;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F842F218-FCC4-4680-A130-5E14C832D314}\MpKsl16885805.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F842F218-FCC4-4680-A130-5E14C832D314}\MpKsl16885805.sys [?]
    S1 MpKsl17f46cf0;MpKsl17f46cf0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{640FB5CB-1B92-4751-8780-F7BAC192405F}\MpKsl17f46cf0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{640FB5CB-1B92-4751-8780-F7BAC192405F}\MpKsl17f46cf0.sys [?]
    S1 MpKsl33c45e86;MpKsl33c45e86;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AED1BF2F-E483-4711-BFB4-5483AE5FB810}\MpKsl33c45e86.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AED1BF2F-E483-4711-BFB4-5483AE5FB810}\MpKsl33c45e86.sys [?]
    S1 MpKsl3e3f363c;MpKsl3e3f363c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04079C83-26D2-4B80-B5DC-EAC7ECB02D7D}\MpKsl3e3f363c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04079C83-26D2-4B80-B5DC-EAC7ECB02D7D}\MpKsl3e3f363c.sys [?]
    S1 MpKsl405a6f0e;MpKsl405a6f0e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D46091C4-BE92-4452-9C03-1F6E1567DED3}\MpKsl405a6f0e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D46091C4-BE92-4452-9C03-1F6E1567DED3}\MpKsl405a6f0e.sys [?]
    S1 MpKsl513dcd34;MpKsl513dcd34;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B60253-2265-4ADD-8287-5880144D5DB4}\MpKsl513dcd34.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B60253-2265-4ADD-8287-5880144D5DB4}\MpKsl513dcd34.sys [?]
    S1 MpKsl56ec2b77;MpKsl56ec2b77;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{54A285B3-A1FF-48E3-B073-6E97138E1669}\MpKsl56ec2b77.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{54A285B3-A1FF-48E3-B073-6E97138E1669}\MpKsl56ec2b77.sys [?]
    S1 MpKsl5f162894;MpKsl5f162894;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsl5f162894.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsl5f162894.sys [?]
    S1 MpKsl75d8a54d;MpKsl75d8a54d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD45B153-C634-452F-9C58-CC4072518881}\MpKsl75d8a54d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD45B153-C634-452F-9C58-CC4072518881}\MpKsl75d8a54d.sys [?]
    S1 MpKsl84e40c9b;MpKsl84e40c9b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{820E8304-E726-4EAB-8807-4CEE73109126}\MpKsl84e40c9b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{820E8304-E726-4EAB-8807-4CEE73109126}\MpKsl84e40c9b.sys [?]
    S1 MpKsl89203d0e;MpKsl89203d0e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsl89203d0e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsl89203d0e.sys [?]
    S1 MpKsl910bd2c1;MpKsl910bd2c1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{93146F18-A4BB-4686-BB27-72FC618C5EE3}\MpKsl910bd2c1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{93146F18-A4BB-4686-BB27-72FC618C5EE3}\MpKsl910bd2c1.sys [?]
    S1 MpKsl947b1d84;MpKsl947b1d84;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{603233DA-244D-475E-971A-84674287D356}\MpKsl947b1d84.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{603233DA-244D-475E-971A-84674287D356}\MpKsl947b1d84.sys [?]
    S1 MpKsla23455bb;MpKsla23455bb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{99A9DC82-A80E-4600-8CCD-F1207E590B1E}\MpKsla23455bb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{99A9DC82-A80E-4600-8CCD-F1207E590B1E}\MpKsla23455bb.sys [?]
    S1 MpKslab3aefc8;MpKslab3aefc8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D29AC71-2CFF-470B-B855-5A55F8001634}\MpKslab3aefc8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D29AC71-2CFF-470B-B855-5A55F8001634}\MpKslab3aefc8.sys [?]
    S1 MpKslac7aa5fa;MpKslac7aa5fa;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A00ECDFB-06A7-48C5-91FE-12D34C310C97}\MpKslac7aa5fa.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A00ECDFB-06A7-48C5-91FE-12D34C310C97}\MpKslac7aa5fa.sys [?]
    S1 MpKslb75bce4e;MpKslb75bce4e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A4BFA0B3-0869-44DE-87F7-D0AE75F19EA7}\MpKslb75bce4e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A4BFA0B3-0869-44DE-87F7-D0AE75F19EA7}\MpKslb75bce4e.sys [?]
    S1 MpKslbdc3eaad;MpKslbdc3eaad;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F03593FE-1D50-4321-AC3F-3FC456AF21AB}\MpKslbdc3eaad.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F03593FE-1D50-4321-AC3F-3FC456AF21AB}\MpKslbdc3eaad.sys [?]
    S1 MpKslc5068168;MpKslc5068168;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FF1E8281-70E6-466D-93DF-5E444E22926D}\MpKslc5068168.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FF1E8281-70E6-466D-93DF-5E444E22926D}\MpKslc5068168.sys [?]
    S1 MpKslc6686e02;MpKslc6686e02;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F03593FE-1D50-4321-AC3F-3FC456AF21AB}\MpKslc6686e02.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F03593FE-1D50-4321-AC3F-3FC456AF21AB}\MpKslc6686e02.sys [?]
    S1 MpKslceae29de;MpKslceae29de;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKslceae29de.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKslceae29de.sys [?]
    S1 MpKsld090f9ae;MpKsld090f9ae;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A348B8E5-B1CC-4D49-935F-5E2E42345215}\MpKsld090f9ae.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A348B8E5-B1CC-4D49-935F-5E2E42345215}\MpKsld090f9ae.sys [?]
    S1 MpKsld11fc161;MpKsld11fc161;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{81B403C1-E1F8-4BDA-BD1C-A288B0C47C46}\MpKsld11fc161.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{81B403C1-E1F8-4BDA-BD1C-A288B0C47C46}\MpKsld11fc161.sys [?]
    S1 MpKsldb97fd3e;MpKsldb97fd3e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsldb97fd3e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsldb97fd3e.sys [?]
    S1 MpKsldbdb4505;MpKsldbdb4505;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B60253-2265-4ADD-8287-5880144D5DB4}\MpKsldbdb4505.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B60253-2265-4ADD-8287-5880144D5DB4}\MpKsldbdb4505.sys [?]
    S1 MpKslf75da7e9;MpKslf75da7e9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEDA0814-EF67-4A30-9707-7A96C0C2A927}\MpKslf75da7e9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEDA0814-EF67-4A30-9707-7A96C0C2A927}\MpKslf75da7e9.sys [?]
    S1 MpKslfd821756;MpKslfd821756;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8B63C1DE-28A6-4B08-A676-2FB257EE961D}\MpKslfd821756.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8B63C1DE-28A6-4B08-A676-2FB257EE961D}\MpKslfd821756.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/21/2010 8:13 PM 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/21/2010 8:13 PM 136176]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    itlsvc REG_MULTI_SZ itlperf
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
    .
    2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-22 03:13]
    .
    2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-22 03:13]
    .
    2011-05-13 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26]
    .
    2011-05-12 c:\windows\Tasks\User_Feed_Synchronization-{58EDDB7F-CF96-43AD-B4A6-4C4C32437150}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    Trusted Zone: intuit.com\ttlc
    DPF: Garmin Communicator Plug-In
    DPF: {9C3EFB8A-DC20-484B-B905-5E337A988C5D} - hxxp://camera3.dunkirk.wnyric.org/LNetCam.cab
    FF - ProfilePath - c:\documents and settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\x0dabe5s.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-12 21:49
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3160828AS rev.8.04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
    .
    device: opened successfully
    user: MBR read successfully
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x86D2153B
    user & kernel MBR OK
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,2f,4b,ab,e4,d1,2b,4d,ae,46,5a,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,2f,4b,ab,e4,d1,2b,4d,ae,46,5a,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(748)
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'lsass.exe'(808)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-05-12 21:54:41
    ComboFix-quarantined-files.txt 2011-05-13 04:54
    ComboFix2.txt 2011-05-12 06:32
    .
    Pre-Run: 83,129,118,720 bytes free
    Post-Run: 83,516,174,336 bytes free
    .
    - - End Of File - - 62E648943A111C8EC7EE6781E94F351D
     
  14. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Good :)

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    ====================================================================

    Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
     
  15. tgugino

    tgugino TS Rookie Topic Starter Posts: 39

    After I ran the Malwarebytes program I got a Windows Security Center malware popup. Here are the logs from the bootkit remover and malwarebytes programs.

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...

    *********************
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6566

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    5/12/2011 10:30:07 PM
    mbam-log-2011-05-12 (22-30-07).txt

    Scan type: Quick scan
    Objects scanned: 154246
    Time elapsed: 7 minute(s), 25 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Authorized User\Local Settings\Application Data\kah.exe" -a "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Authorized User\Local Settings\Application Data\kah.exe" -a "firefox.exe") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Authorized User\Local Settings\Application Data\kah.exe" -a "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  16. tgugino

    tgugino TS Rookie Topic Starter Posts: 39

    In my previous post are the logs from your directions. But now I have the search engine redirect issue. When I search with bing and google I am directed to a bogus site not related to what I am selecting in the search results.
     
  17. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    We'll try to fix it. Your computer is still seriously infected.

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  18. tgugino

    tgugino TS Rookie Topic Starter Posts: 39

    2011/05/14 08:39:21.0739 3248 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
    2011/05/14 08:39:22.0239 3248 ================================================================================
    2011/05/14 08:39:22.0239 3248 SystemInfo:
    2011/05/14 08:39:22.0239 3248
    2011/05/14 08:39:22.0239 3248 OS Version: 5.1.2600 ServicePack: 3.0
    2011/05/14 08:39:22.0239 3248 Product type: Workstation
    2011/05/14 08:39:22.0239 3248 ComputerName: AUTHORIZ-55F50F
    2011/05/14 08:39:22.0239 3248 UserName: Authorized User
    2011/05/14 08:39:22.0239 3248 Windows directory: C:\WINDOWS
    2011/05/14 08:39:22.0239 3248 System windows directory: C:\WINDOWS
    2011/05/14 08:39:22.0239 3248 Processor architecture: Intel x86
    2011/05/14 08:39:22.0239 3248 Number of processors: 2
    2011/05/14 08:39:22.0239 3248 Page size: 0x1000
    2011/05/14 08:39:22.0239 3248 Boot type: Normal boot
    2011/05/14 08:39:22.0239 3248 ================================================================================
    2011/05/14 08:39:28.0612 3248 Initialize success
    2011/05/14 08:39:36.0704 1944 ================================================================================
    2011/05/14 08:39:36.0704 1944 Scan started
    2011/05/14 08:39:36.0704 1944 Mode: Manual;
    2011/05/14 08:39:36.0704 1944 ================================================================================
    2011/05/14 08:39:37.0095 1944 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/05/14 08:39:37.0235 1944 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/05/14 08:39:37.0392 1944 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/05/14 08:39:37.0454 1944 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
    2011/05/14 08:39:37.0657 1944 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/05/14 08:39:37.0751 1944 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/05/14 08:39:37.0860 1944 ati2mtag (a7dd7088e2c987dbcb3f4d6d56f723bd) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2011/05/14 08:39:38.0423 1944 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/05/14 08:39:38.0501 1944 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/05/14 08:39:38.0548 1944 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/05/14 08:39:38.0782 1944 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/05/14 08:39:38.0844 1944 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/05/14 08:39:38.0938 1944 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/05/14 08:39:39.0016 1944 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/05/14 08:39:39.0172 1944 CP_OMDRV (a690ebaffffb0d46e2a39f105b61e92f) C:\WINDOWS\system32\drivers\omdrv.sys
    2011/05/14 08:39:39.0297 1944 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/05/14 08:39:39.0391 1944 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/05/14 08:39:39.0500 1944 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/05/14 08:39:39.0563 1944 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/05/14 08:39:39.0625 1944 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/05/14 08:39:39.0672 1944 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/05/14 08:39:39.0735 1944 E100B (d57a8fc800b501ac05b10d00f66d127a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2011/05/14 08:39:39.0813 1944 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/05/14 08:39:39.0875 1944 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/05/14 08:39:39.0953 1944 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/05/14 08:39:39.0985 1944 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/05/14 08:39:40.0078 1944 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/05/14 08:39:40.0188 1944 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/05/14 08:39:40.0266 1944 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/05/14 08:39:40.0500 1944 FW1 (19a7c0ec2aef62882fc011f0330cc987) C:\WINDOWS\system32\DRIVERS\fw.sys
    2011/05/14 08:39:40.0672 1944 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2011/05/14 08:39:40.0735 1944 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/05/14 08:39:40.0813 1944 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/05/14 08:39:40.0844 1944 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/05/14 08:39:40.0969 1944 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    2011/05/14 08:39:41.0031 1944 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    2011/05/14 08:39:41.0094 1944 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    2011/05/14 08:39:41.0156 1944 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
    2011/05/14 08:39:41.0266 1944 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
    2011/05/14 08:39:41.0391 1944 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/05/14 08:39:41.0500 1944 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/05/14 08:39:41.0562 1944 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/05/14 08:39:41.0641 1944 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/05/14 08:39:41.0687 1944 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/05/14 08:39:41.0766 1944 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/05/14 08:39:41.0812 1944 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/05/14 08:39:41.0875 1944 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/05/14 08:39:41.0953 1944 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/05/14 08:39:42.0015 1944 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/05/14 08:39:42.0078 1944 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/05/14 08:39:42.0140 1944 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/05/14 08:39:42.0203 1944 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/05/14 08:39:42.0234 1944 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2011/05/14 08:39:42.0297 1944 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/05/14 08:39:42.0359 1944 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/05/14 08:39:42.0484 1944 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    2011/05/14 08:39:42.0531 1944 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
    2011/05/14 08:39:42.0562 1944 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/05/14 08:39:42.0609 1944 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/05/14 08:39:42.0656 1944 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
    2011/05/14 08:39:42.0734 1944 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/05/14 08:39:42.0781 1944 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/05/14 08:39:42.0859 1944 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/05/14 08:39:42.0937 1944 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
    2011/05/14 08:39:43.0140 1944 MpKsl107ae35d (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D02D9F4F-3140-4A3C-A1DC-09021BD55E5B}\MpKsl107ae35d.sys
    2011/05/14 08:39:43.0499 1944 MpKsld686a90a (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D02D9F4F-3140-4A3C-A1DC-09021BD55E5B}\MpKsld686a90a.sys
    2011/05/14 08:39:43.0656 1944 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/05/14 08:39:43.0765 1944 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/05/14 08:39:43.0921 1944 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/05/14 08:39:44.0031 1944 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/05/14 08:39:44.0109 1944 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/05/14 08:39:44.0171 1944 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/05/14 08:39:44.0218 1944 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/05/14 08:39:44.0296 1944 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/05/14 08:39:44.0390 1944 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/05/14 08:39:44.0484 1944 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/05/14 08:39:44.0515 1944 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/05/14 08:39:44.0546 1944 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/05/14 08:39:44.0609 1944 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/05/14 08:39:44.0687 1944 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/05/14 08:39:44.0796 1944 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/05/14 08:39:44.0984 1944 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/05/14 08:39:45.0062 1944 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/05/14 08:39:45.0140 1944 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/05/14 08:39:45.0202 1944 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/05/14 08:39:45.0233 1944 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/05/14 08:39:45.0280 1944 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/05/14 08:39:45.0327 1944 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/05/14 08:39:45.0358 1944 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/05/14 08:39:45.0452 1944 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/05/14 08:39:45.0530 1944 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/05/14 08:39:45.0608 1944 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/05/14 08:39:45.0858 1944 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/05/14 08:39:45.0921 1944 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/05/14 08:39:45.0983 1944 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
    2011/05/14 08:39:46.0015 1944 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/05/14 08:39:46.0077 1944 PxHelp20 (40f2031bd9148d3194353ea7dec97a07) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/05/14 08:39:46.0186 1944 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/05/14 08:39:46.0233 1944 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/05/14 08:39:46.0264 1944 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/05/14 08:39:46.0296 1944 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/05/14 08:39:46.0405 1944 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/05/14 08:39:46.0483 1944 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/05/14 08:39:46.0546 1944 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/05/14 08:39:46.0639 1944 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/05/14 08:39:46.0733 1944 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/05/14 08:39:46.0827 1944 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/05/14 08:39:46.0889 1944 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/05/14 08:39:46.0983 1944 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/05/14 08:39:47.0124 1944 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/05/14 08:39:47.0233 1944 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/05/14 08:39:47.0311 1944 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/05/14 08:39:47.0374 1944 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/05/14 08:39:47.0452 1944 STHDA (2a2dc39623adef8ab3703ab9fac4b440) C:\WINDOWS\system32\drivers\sthda.sys
    2011/05/14 08:39:47.0608 1944 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/05/14 08:39:47.0655 1944 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/05/14 08:39:47.0780 1944 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/05/14 08:39:47.0889 1944 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/05/14 08:39:47.0967 1944 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/05/14 08:39:47.0983 1944 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/05/14 08:39:48.0045 1944 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/05/14 08:39:48.0108 1944 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/05/14 08:39:48.0186 1944 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/05/14 08:39:48.0248 1944 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/05/14 08:39:48.0327 1944 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/05/14 08:39:48.0373 1944 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/05/14 08:39:48.0405 1944 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/05/14 08:39:48.0467 1944 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/05/14 08:39:48.0530 1944 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/05/14 08:39:48.0561 1944 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/05/14 08:39:48.0592 1944 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/05/14 08:39:48.0639 1944 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/05/14 08:39:48.0748 1944 VNASC (c272d6670d59f6c32b0915426f9b95a2) C:\WINDOWS\system32\DRIVERS\vnasc.sys
    2011/05/14 08:39:48.0873 1944 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/05/14 08:39:49.0014 1944 VPN-1 (51e55602c186bd11a9cbbed9c61adb29) C:\WINDOWS\System32\drivers\vpn.sys
    2011/05/14 08:39:49.0201 1944 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/05/14 08:39:49.0326 1944 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/05/14 08:39:49.0389 1944 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    2011/05/14 08:39:49.0514 1944 WpdUsb (1385e5aa9c9821790d33a9563b8d2dd0) C:\WINDOWS\system32\Drivers\wpdusb.sys
    2011/05/14 08:39:49.0639 1944 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/05/14 08:39:49.0670 1944 ================================================================================
    2011/05/14 08:39:49.0670 1944 Scan finished
    2011/05/14 08:39:49.0670 1944 ================================================================================
    2011/05/14 08:39:49.0686 3368 Detected object count: 1
    2011/05/14 08:40:14.0508 3368 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
    2011/05/14 08:40:14.0508 3368 \HardDisk1 - ok
    2011/05/14 08:40:14.0508 3368 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
    2011/05/14 08:40:32.0238 2660 Deinitialize success
     
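The three logs in posts 15 and 18 above each show the same infection from a different angle: Malwarebytes reports the StartMenuInternet command values rewritten so that every browser launch runs kah.exe first, Bootkit Remover reports the MBR as controlled by a rootkit, and TDSSKiller names it as TDL4 on \HardDisk1. The script below is an added example (not part of this thread, and not code from Malwarebytes, Kaspersky or eSage Lab) that pulls those findings out of the raw text so they can be compared before and after a cleanup. The log excerpts embedded in it are copied from the posts above (the clean Bootkit Remover line is the one reported later in the thread); the regular expressions are assumptions about each tool's line format inferred only from those lines.

```python
"""Triage helper for the tool logs posted in this thread.

Added example, not part of the original thread and not code from
Malwarebytes, Kaspersky (TDSSKiller) or eSage Lab (Bootkit Remover).
The regular expressions are assumptions about each tool's line format,
derived only from the lines posted above.
"""
import ntpath
import re

# Constructed sample input: excerpts copied from the logs in this thread.
MBAM_EXCERPT = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Authorized User\Local Settings\Application Data\kah.exe" -a "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Authorized User\Local Settings\Application Data\kah.exe" -a "firefox.exe") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Authorized User\Local Settings\Application Data\kah.exe" -a "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
'''

TDSSKILLER_EXCERPT = r'''
2011/05/14 08:39:49.0514 1944 WpdUsb (1385e5aa9c9821790d33a9563b8d2dd0) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/05/14 08:39:49.0639 1944 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/14 08:39:49.0686 3368 Detected object count: 1
2011/05/14 08:40:14.0508 3368 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/14 08:40:14.0508 3368 \HardDisk1 - ok
'''

# Bootkit Remover status lines: the infected one from post 15 and the clean
# one reported later in the thread, kept here for contrast.
BOOTKIT_INFECTED = r'149 GB \\.\PhysicalDrive0 Controlled by rootkit!'
BOOTKIT_CLEAN = r'149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)'

# Line formats assumed from the posted logs.
MBAM_RE = re.compile(
    r'^(?P<key>\S+) \((?P<sig>[^)]+)\) -> Bad: \((?P<bad>.*?)\) '
    r'Good: \((?P<good>.*?)\) -> (?P<action>.*)$')
TDSS_DETECT_RE = re.compile(
    r'^\S+ \S+ \d+ (?P<obj>\S+) - detected (?P<name>\S+) \(\d+\)$')
TDSS_ACTION_RE = re.compile(
    r'^\S+ \S+ \d+ (?P<obj>\S+) \((?P<name>[^)]+)\) - (?P<status>.+)$')
BOOTKIT_RE = re.compile(
    r'^(?P<size>\d+ [KMGT]B) (?P<device>\\\\\.\\\S+) (?P<status>.+)$')


def first_token(cmd):
    """Executable of a Windows command line, with surrounding quotes removed."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())
    return (m.group(1) or m.group(2)) if m else ''


def check_start_menu_internet(log):
    """Flag StartMenuInternet command values whose launcher is not the browser.

    A legitimate value starts the browser binary itself.  In the posted log
    every value starts kah.exe and passes the browser name as an argument,
    so each browser launch runs the malware first.
    """
    findings = []
    for line in log.splitlines():
        m = MBAM_RE.match(line.strip())
        if not m:
            continue
        launcher = first_token(m['bad'])
        expected = ntpath.basename(first_token(m['good']))
        findings.append({
            'key': m['key'],
            'signature': m['sig'],
            'launcher': launcher,
            'expected': expected,
            'hijacked': ntpath.basename(launcher).lower() != expected.lower(),
        })
    return findings


def parse_tdsskiller(log):
    """Map each object TDSSKiller detected to its name and final status."""
    detections = {}
    for line in log.splitlines():
        line = line.strip()
        m = TDSS_DETECT_RE.match(line)
        if m:
            detections[m['obj']] = {'name': m['name'], 'status': 'detected'}
            continue
        m = TDSS_ACTION_RE.match(line)
        if m and m['obj'] in detections:
            detections[m['obj']]['status'] = m['status']
    return detections


def parse_bootkit_remover(log):
    """Map each physical disk in a Bootkit Remover table to its MBR status."""
    disks = {}
    for line in log.splitlines():
        m = BOOTKIT_RE.match(line.strip())
        if m:
            disks[m['device']] = {'status': m['status'],
                                  'clean': m['status'].startswith('OK')}
    return disks


def triage():
    """Consolidate the three logs into one list of findings."""
    lines = []
    for f in check_start_menu_internet(MBAM_EXCERPT):
        if f['hijacked']:
            lines.append('hijacked %s: runs %s instead of %s'
                         % (f['key'], f['launcher'], f['expected']))
    for obj, d in parse_tdsskiller(TDSSKILLER_EXCERPT).items():
        lines.append('TDSSKiller: %s on %s, %s' % (d['name'], obj, d['status']))
    for sample in (BOOTKIT_INFECTED, BOOTKIT_CLEAN):
        for dev, d in parse_bootkit_remover(sample).items():
            state = 'clean' if d['clean'] else 'INFECTED (%s)' % d['status']
            lines.append('MBR %s: %s' % (dev, state))
    return lines


if __name__ == '__main__':
    for finding in triage():
        print(finding)
```

The StartMenuInternet check compares only the launcher's file name with the browser name Malwarebytes lists as "Good", so a value pointing at a copy of firefox.exe in an unusual directory would pass; when working from a live registry rather than a log, compare the full path against the browser's install location instead.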
  19. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Good :)

    How is redirection?

    Re-run Bootkit Remover and Combofix.
    Post fresh logs.
     
  20. tgugino

    tgugino TS Rookie Topic Starter Posts: 39

    Redirect seems to be fixed. Here are the bootkit remover and combofix logs...

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...

    ****************************

    ComboFix 11-05-11.02 - Authorized User 05/14/2011 9:21.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.532 [GMT -7:00]
    Running from: c:\documents and settings\Authorized User\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-14 to 2011-05-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-14 15:43 . 2011-05-14 15:43 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D02D9F4F-3140-4A3C-A1DC-09021BD55E5B}\MpKsldfb55c72.sys
    2011-05-13 05:52 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D02D9F4F-3140-4A3C-A1DC-09021BD55E5B}\mpengine.dll
    2011-05-13 05:17 . 2011-05-13 05:17 -------- d-----w- C:\bootkit_remover
    2011-05-13 05:12 . 2011-05-13 05:12 -------- d-----w- c:\program files\7-Zip
    2011-05-12 06:31 . 2011-05-12 06:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2011-05-12 06:31 . 2011-05-12 06:31 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
    2011-05-12 06:31 . 2011-05-12 06:31 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
    2011-05-12 06:26 . 2011-05-12 06:31 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
    2011-05-01 20:15 . 2011-05-01 20:15 -------- d-----w- c:\documents and settings\Authorized User\Application Data\com.Shutterfly.ExpressUploader
    2011-05-01 20:15 . 2011-05-01 20:15 -------- d-----w- c:\program files\Shutterfly
    2011-04-20 06:33 . 2011-04-20 06:33 -------- d-----w- c:\documents and settings\Authorized User\Local Settings\Application Data\Help
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-11 07:04 . 2011-01-27 06:26 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-03-07 05:33 . 2010-02-08 20:22 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37 . 2006-03-15 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21 . 2006-03-15 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06 . 2006-03-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06 . 2006-03-15 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06 . 2006-03-15 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41 . 2006-03-15 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-17 13:18 . 2006-03-15 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-02-17 13:18 . 2006-03-15 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-02-17 12:32 . 2010-02-08 22:01 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56 . 2006-03-15 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-05-12_06.12.56 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-05-14 15:43 . 2011-05-14 15:43 16384 c:\windows\temp\Perflib_Perfdata_118.dat
    + 2010-02-09 19:44 . 2011-02-03 01:11 222080 c:\windows\system32\MpSigStub.exe
    - 2010-02-09 19:44 . 2010-10-19 18:41 222080 c:\windows\system32\MpSigStub.exe
    + 2010-12-02 02:36 . 2011-05-12 06:31 380928 c:\windows\Installer\{FAE36873-1941-4076-A9A5-48812B5EA0B7}\iTunesIco.exe
    - 2010-12-02 02:36 . 2010-12-02 02:36 380928 c:\windows\Installer\{FAE36873-1941-4076-A9A5-48812B5EA0B7}\iTunesIco.exe
    + 2010-02-08 23:43 . 2011-05-13 13:47 42181064 c:\windows\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    2010-12-20 18:09 191488 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-29 700416]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-22 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    c:\documents and settings\Authorized User\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
    Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    2008-06-18 20:47 24692 ----a-w- c:\windows\system32\ckpNotify.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\itlntfy]
    [BU]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2006-02-10 05:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2004-08-10 12:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2005-03-23 01:20 339968 ----a-w- c:\windows\stsystra.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\CheckPoint\\SecureClient\\bin\\SR_SERVICE.EXE"=
    "c:\\Program Files\\CheckPoint\\SecureClient\\bin\\SR_GUI.EXE"=
    "c:\\Program Files\\CheckPoint\\SecureClient\\bin\\SCC.EXE"=
    "c:\\Program Files\\CheckPoint\\SecureClient\\bin\\SR_SDS.EXE"=
    "c:\\Program Files\\CheckPoint\\SecureClient\\bin\\SR_DIAGNOSTICS.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [6/18/2008 1:46 PM 2235760]
    R1 MpKsldfb55c72;MpKsldfb55c72;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D02D9F4F-3140-4A3C-A1DC-09021BD55E5B}\MpKsldfb55c72.sys [5/14/2011 8:43 AM 28752]
    R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [6/18/2008 1:46 PM 47504]
    R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [1/10/2011 7:24 AM 993848]
    R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [1/10/2011 7:24 AM 399416]
    R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [6/18/2008 1:46 PM 121136]
    R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [6/18/2008 1:46 PM 673872]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 1:30 AM 15544]
    S1 MpKsl061513f6;MpKsl061513f6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC32A209-938B-4B8B-AB29-77E0BAFCD9A7}\MpKsl061513f6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC32A209-938B-4B8B-AB29-77E0BAFCD9A7}\MpKsl061513f6.sys [?]
    S1 MpKsl15bface4;MpKsl15bface4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{10885448-923F-4079-89B6-4F221D712EB7}\MpKsl15bface4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{10885448-923F-4079-89B6-4F221D712EB7}\MpKsl15bface4.sys [?]
    S1 MpKsl16885805;MpKsl16885805;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F842F218-FCC4-4680-A130-5E14C832D314}\MpKsl16885805.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F842F218-FCC4-4680-A130-5E14C832D314}\MpKsl16885805.sys [?]
    S1 MpKsl17f46cf0;MpKsl17f46cf0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{640FB5CB-1B92-4751-8780-F7BAC192405F}\MpKsl17f46cf0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{640FB5CB-1B92-4751-8780-F7BAC192405F}\MpKsl17f46cf0.sys [?]
    S1 MpKsl33c45e86;MpKsl33c45e86;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AED1BF2F-E483-4711-BFB4-5483AE5FB810}\MpKsl33c45e86.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AED1BF2F-E483-4711-BFB4-5483AE5FB810}\MpKsl33c45e86.sys [?]
    S1 MpKsl3e3f363c;MpKsl3e3f363c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04079C83-26D2-4B80-B5DC-EAC7ECB02D7D}\MpKsl3e3f363c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04079C83-26D2-4B80-B5DC-EAC7ECB02D7D}\MpKsl3e3f363c.sys [?]
    S1 MpKsl405a6f0e;MpKsl405a6f0e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D46091C4-BE92-4452-9C03-1F6E1567DED3}\MpKsl405a6f0e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D46091C4-BE92-4452-9C03-1F6E1567DED3}\MpKsl405a6f0e.sys [?]
    S1 MpKsl513dcd34;MpKsl513dcd34;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B60253-2265-4ADD-8287-5880144D5DB4}\MpKsl513dcd34.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B60253-2265-4ADD-8287-5880144D5DB4}\MpKsl513dcd34.sys [?]
    S1 MpKsl56ec2b77;MpKsl56ec2b77;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{54A285B3-A1FF-48E3-B073-6E97138E1669}\MpKsl56ec2b77.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{54A285B3-A1FF-48E3-B073-6E97138E1669}\MpKsl56ec2b77.sys [?]
    S1 MpKsl5f162894;MpKsl5f162894;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsl5f162894.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsl5f162894.sys [?]
    S1 MpKsl75d8a54d;MpKsl75d8a54d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD45B153-C634-452F-9C58-CC4072518881}\MpKsl75d8a54d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD45B153-C634-452F-9C58-CC4072518881}\MpKsl75d8a54d.sys [?]
    S1 MpKsl84e40c9b;MpKsl84e40c9b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{820E8304-E726-4EAB-8807-4CEE73109126}\MpKsl84e40c9b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{820E8304-E726-4EAB-8807-4CEE73109126}\MpKsl84e40c9b.sys [?]
    S1 MpKsl89203d0e;MpKsl89203d0e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsl89203d0e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsl89203d0e.sys [?]
    S1 MpKsl910bd2c1;MpKsl910bd2c1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{93146F18-A4BB-4686-BB27-72FC618C5EE3}\MpKsl910bd2c1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{93146F18-A4BB-4686-BB27-72FC618C5EE3}\MpKsl910bd2c1.sys [?]
    S1 MpKsl947b1d84;MpKsl947b1d84;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{603233DA-244D-475E-971A-84674287D356}\MpKsl947b1d84.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{603233DA-244D-475E-971A-84674287D356}\MpKsl947b1d84.sys [?]
    S1 MpKsla23455bb;MpKsla23455bb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{99A9DC82-A80E-4600-8CCD-F1207E590B1E}\MpKsla23455bb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{99A9DC82-A80E-4600-8CCD-F1207E590B1E}\MpKsla23455bb.sys [?]
    S1 MpKslab3aefc8;MpKslab3aefc8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D29AC71-2CFF-470B-B855-5A55F8001634}\MpKslab3aefc8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D29AC71-2CFF-470B-B855-5A55F8001634}\MpKslab3aefc8.sys [?]
    S1 MpKslac7aa5fa;MpKslac7aa5fa;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A00ECDFB-06A7-48C5-91FE-12D34C310C97}\MpKslac7aa5fa.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A00ECDFB-06A7-48C5-91FE-12D34C310C97}\MpKslac7aa5fa.sys [?]
    S1 MpKslb75bce4e;MpKslb75bce4e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A4BFA0B3-0869-44DE-87F7-D0AE75F19EA7}\MpKslb75bce4e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A4BFA0B3-0869-44DE-87F7-D0AE75F19EA7}\MpKslb75bce4e.sys [?]
    S1 MpKslbdc3eaad;MpKslbdc3eaad;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F03593FE-1D50-4321-AC3F-3FC456AF21AB}\MpKslbdc3eaad.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F03593FE-1D50-4321-AC3F-3FC456AF21AB}\MpKslbdc3eaad.sys [?]
    S1 MpKslc5068168;MpKslc5068168;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FF1E8281-70E6-466D-93DF-5E444E22926D}\MpKslc5068168.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FF1E8281-70E6-466D-93DF-5E444E22926D}\MpKslc5068168.sys [?]
    S1 MpKslc6686e02;MpKslc6686e02;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F03593FE-1D50-4321-AC3F-3FC456AF21AB}\MpKslc6686e02.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F03593FE-1D50-4321-AC3F-3FC456AF21AB}\MpKslc6686e02.sys [?]
    S1 MpKslceae29de;MpKslceae29de;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKslceae29de.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKslceae29de.sys [?]
    S1 MpKsld090f9ae;MpKsld090f9ae;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A348B8E5-B1CC-4D49-935F-5E2E42345215}\MpKsld090f9ae.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A348B8E5-B1CC-4D49-935F-5E2E42345215}\MpKsld090f9ae.sys [?]
    S1 MpKsld11fc161;MpKsld11fc161;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{81B403C1-E1F8-4BDA-BD1C-A288B0C47C46}\MpKsld11fc161.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{81B403C1-E1F8-4BDA-BD1C-A288B0C47C46}\MpKsld11fc161.sys [?]
    S1 MpKsldb97fd3e;MpKsldb97fd3e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsldb97fd3e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{324E67EF-B688-423B-A019-3C428F57CA5E}\MpKsldb97fd3e.sys [?]
    S1 MpKsldbdb4505;MpKsldbdb4505;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B60253-2265-4ADD-8287-5880144D5DB4}\MpKsldbdb4505.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B60253-2265-4ADD-8287-5880144D5DB4}\MpKsldbdb4505.sys [?]
    S1 MpKslf75da7e9;MpKslf75da7e9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEDA0814-EF67-4A30-9707-7A96C0C2A927}\MpKslf75da7e9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DEDA0814-EF67-4A30-9707-7A96C0C2A927}\MpKslf75da7e9.sys [?]
    S1 MpKslfd821756;MpKslfd821756;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8B63C1DE-28A6-4B08-A676-2FB257EE961D}\MpKslfd821756.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8B63C1DE-28A6-4B08-A676-2FB257EE961D}\MpKslfd821756.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/21/2010 8:13 PM 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/21/2010 8:13 PM 136176]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSLDFB55C72
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    itlsvc REG_MULTI_SZ itlperf
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
    .
    2011-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-22 03:13]
    .
    2011-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-22 03:13]
    .
    2011-05-14 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26]
    .
    2011-05-14 c:\windows\Tasks\User_Feed_Synchronization-{58EDDB7F-CF96-43AD-B4A6-4C4C32437150}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    Trusted Zone: intuit.com\ttlc
    DPF: Garmin Communicator Plug-In
    DPF: {9C3EFB8A-DC20-484B-B905-5E337A988C5D} - hxxp://camera3.dunkirk.wnyric.org/LNetCam.cab
    FF - ProfilePath - c:\documents and settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\x0dabe5s.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-14 09:32
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,2f,4b,ab,e4,d1,2b,4d,ae,46,5a,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,2f,4b,ab,e4,d1,2b,4d,ae,46,5a,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(608)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-05-14 09:34:28
    ComboFix-quarantined-files.txt 2011-05-14 16:34
    ComboFix2.txt 2011-05-13 04:54
    ComboFix3.txt 2011-05-12 06:32
    .
    Pre-Run: 83,001,348,096 bytes free
    Post-Run: 83,412,082,688 bytes free
    .
    - - End Of File - - 761CED9D82A2E8829CB819F798E34F51
     
  21. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Perfect!

    Update MBAM, run "Quick scan" and post fresh log.

    When done....

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
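The ComboFix log above and the OTL log requested here both list every service and driver loading point with the image file it points to, and both mark entries whose file the tool could not find: ComboFix prints `[?]` in place of the date and size (the long run of `S1 MpKsl...` entries), OTL prints `File not found` (the `catchme` driver). Separating those leftovers from live entries is the first thing a reviewer does with these logs. The helper below is an added example, not code from this thread, from ComboFix or from OTL; it assumes only the line layouts visible in the logs on this page, and the sample lines in `SAMPLE_LOG` are copied from those logs.

```python
"""Added triage helper (not part of the thread, ComboFix or OTL).

Parses the service/driver lines that ComboFix and OTL print and flags
entries whose image file the tool could not verify, so leftover loading
points can be told apart from live ones before any fix script is written.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# ComboFix service line:  "<R|S><n> <name>;<display name>;<image path> [<date> <time> <size>]"
# A leftover entry whose file is gone prints:  "\??\<path> --> <path> [?]"
CF_RE = re.compile(r"^(?P<start>[RS])(?P<type>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
CF_TAIL_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]$")

# OTL line:  "<KIND> - [<date> | <size> | <attrs> | M] (<company>) [<state>] -- <path> -- (<service>)"
# or, when the image is missing:  "<KIND> - File not found [<state>] -- -- (<service>)"
OTL_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"(?:(?P<missing>File not found)|\[(?P<date>[^|\]]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\])"
    r"\s*(?:\((?P<company>[^)]*)\))?"
    r"\s*(?:\[(?P<state>[^\]]*)\])?"
    r"\s*--\s*(?P<path>.*?)"
    r"(?:\s*--\s*\((?P<svc>[^)]*)\))?$"
)


@dataclass
class Entry:
    source: str           # "combofix" or "otl"
    name: str             # service/driver name (or image file name for PRC/MOD lines)
    path: str             # image path as printed; empty when the tool printed none
    size: Optional[int]   # file size in bytes; None when the tool could not read the file
    verified: bool        # False when the tool could not find the image file


def parse_combofix_line(line: str) -> Optional[Entry]:
    m = CF_RE.match(line.strip())
    if not m:
        return None
    tail = CF_TAIL_RE.match(m.group("rest").strip())
    if not tail:
        return None
    # "\??\x --> x": the right-hand side is the resolved Win32 path
    path = tail.group("path").split(" --> ")[-1].strip()
    info = tail.group("info").strip()
    if info == "?":
        return Entry("combofix", m.group("name"), path, None, False)
    return Entry("combofix", m.group("name"), path, int(info.split()[-1]), True)


def parse_otl_line(line: str) -> Optional[Entry]:
    m = OTL_RE.match(line.strip())
    if not m:
        return None
    name = m.group("svc") or m.group("path").rsplit("\\", 1)[-1]
    if m.group("missing"):
        return Entry("otl", name, m.group("path"), None, False)
    return Entry("otl", name, m.group("path"), int(m.group("size").replace(",", "")), True)


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        e = parse_combofix_line(line) or parse_otl_line(line)
        if e:
            entries.append(e)
    return entries


def unverified(entries: List[Entry]) -> List[Entry]:
    """Loading points whose image file the tool could not find: review/cleanup candidates."""
    return [e for e in entries if not e.verified]


def triage_report(text: str) -> dict:
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "unverified": [f"{e.source}:{e.name}" for e in unverified(entries)],
    }


# Sample lines copied from the ComboFix and OTL logs in this thread.
SAMPLE_LOG = r"""
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [6/18/2008 1:46 PM 2235760]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 1:30 AM 15544]
S1 MpKsl061513f6;MpKsl061513f6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC32A209-938B-4B8B-AB29-77E0BAFCD9A7}\MpKsl061513f6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC32A209-938B-4B8B-AB29-77E0BAFCD9A7}\MpKsl061513f6.sys [?]
DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2010/09/01 01:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
PRC - [2006/09/28 21:09:14 | 000,700,416 | ---- | M] () -- C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
"""

if __name__ == "__main__":
    for key, value in triage_report(SAMPLE_LOG).items():
        print(key, value)
```

Run against the full ComboFix log from the post above, `unverified` returns the twenty-odd `MpKsl...` entries; their paths all sit under the Microsoft Antimalware `Definition Updates` folder, which is where Microsoft Security Essentials stages its definition drivers, so they are stale registrations rather than a second infection, but each one is still a service key that points at nothing and is worth cleaning up once the live driver (`MpKsldfb55c72`, listed with a real date and size) is identified.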
  22. tgugino

    tgugino TS Rookie Topic Starter Posts: 39

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6579

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    5/14/2011 10:41:17 AM
    mbam-log-2011-05-14 (10-41-17).txt

    Scan type: Quick scan
    Objects scanned: 150468
    Time elapsed: 10 minute(s), 37 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  23. tgugino

    tgugino TS Rookie Topic Starter Posts: 39

    OTL logfile created on: 5/14/2011 10:45:48 AM - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Authorized User\Desktop
    Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,022.00 Mb Total Physical Memory | 552.00 Mb Available Physical Memory | 54.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 74.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.00 Gb Total Space | 77.67 Gb Free Space | 52.12% Space Free | Partition Type: NTFS
    Drive D: | 315.83 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    Unable to calculate disk information.
    Drive F: | 1.89 Gb Total Space | 1.75 Gb Free Space | 92.77% Space Free | Partition Type: FAT

    Computer Name: AUTHORIZ-55F50F | User Name: Authorized User | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/05/14 10:43:10 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Authorized User\Desktop\OTL.exe
    PRC - [2011/01/10 07:24:20 | 000,993,848 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe
    PRC - [2011/01/10 07:24:20 | 000,399,416 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe
    PRC - [2011/01/10 07:24:20 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi_tray.exe
    PRC - [2010/11/30 14:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
    PRC - [2010/11/11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    PRC - [2010/10/27 20:17:52 | 000,207,424 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    PRC - [2010/08/23 21:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    PRC - [2009/07/10 14:49:24 | 000,323,584 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    PRC - [2008/06/18 13:46:54 | 002,691,185 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\SecureClient\bin\SR_GUI.exe
    PRC - [2008/06/18 13:46:52 | 000,036,982 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\SecureClient\bin\SR_Watchdog.exe
    PRC - [2008/06/18 13:46:50 | 000,106,613 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\SecureClient\bin\SR_Service.exe
    PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006/09/28 21:09:14 | 000,700,416 | ---- | M] () -- C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/05/14 10:43:10 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Authorized User\Desktop\OTL.exe
    MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2011/01/10 07:24:20 | 000,993,848 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\PSIA.exe -- (Secunia PSI Agent)
    SRV - [2011/01/10 07:24:20 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
    SRV - [2010/11/11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
    SRV - [2010/08/23 21:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
    SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
    SRV - [2008/06/18 13:46:52 | 000,036,982 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\SecureClient\bin\SR_Watchdog.exe -- (SR_Watchdog)
    SRV - [2008/06/18 13:46:50 | 000,106,613 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\SecureClient\bin\SR_Service.exe -- (SR_Service)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
    DRV - [2011/05/14 09:49:21 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1D9B20AA-17E7-4D1A-A1E7-1413D5338949}\MpKsl91086f72.sys -- (MpKsl91086f72)
    DRV - [2010/09/01 01:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
    DRV - [2008/06/18 13:46:58 | 000,047,504 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\omdrv.sys -- (CP_OMDRV)
    DRV - [2008/06/18 13:46:56 | 002,235,760 | ---- | M] (Check Point Software Technologies) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fw.sys -- (FW1)
    DRV - [2008/06/18 13:46:54 | 000,121,136 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vnasc.sys -- (VNASC)
    DRV - [2008/06/18 13:46:52 | 000,673,872 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\vpn.sys -- (VPN-1)
    DRV - [2006/02/09 21:57:46 | 001,502,208 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2005/11/16 16:36:00 | 001,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
    DRV - [2003/11/17 16:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
    DRV - [2003/11/17 16:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2003/11/17 16:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.bing.com/?pc=Z007&form=ZGAPHP
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.bing.com/?pc=Z007&form=ZGAPHP
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-776561741-1897051121-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKU\S-1-5-21-776561741-1897051121-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=ZUGO&form=ZGAPHP
    IE - HKU\S-1-5-21-776561741-1897051121-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKU\S-1-5-21-776561741-1897051121-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKU\S-1-5-21-776561741-1897051121-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-776561741-1897051121-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "http://www.bing.com/?pc=ZUGO&form=ZGAPHP"
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..network.proxy.no_proxies_on: "*.local"
    FF - prefs.js..network.proxy.type: 0

    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/05 15:53:30 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/06 06:07:43 | 000,000,000 | ---D | M]

    [2011/03/01 22:29:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Extensions
    [2011/05/12 16:22:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\x0dabe5s.default\extensions
    [2011/03/01 22:39:47 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\x0dabe5s.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/03/01 22:26:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/01/26 22:53:21 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

    O1 HOSTS File: ([2011/05/12 21:49:43 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
    O2 - BHO: (WOT Helper) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll ()
    O2 - BHO: (Yontoo Layers) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client\YontooIEClient.dll (Yontoo Technology, Inc.)
    O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
    O3 - HKU\S-1-5-21-776561741-1897051121-725345543-1003\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
    O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-21-776561741-1897051121-725345543-1003..\Run: [CTSyncU.exe] C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe ()
    O4 - HKU\S-1-5-21-776561741-1897051121-725345543-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
    O4 - Startup: C:\Documents and Settings\Authorized User\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
    O4 - Startup: C:\Documents and Settings\Authorized User\Start Menu\Programs\Startup\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-776561741-1897051121-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-776561741-1897051121-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-776561741-1897051121-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-776561741-1897051121-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
    O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O15 - HKU\S-1-5-21-776561741-1897051121-725345543-1003\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
    O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1265749295359 (MUWebControl Class)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {9C3EFB8A-DC20-484B-B905-5E337A988C5D} http://camera3.dunkirk.wnyric.org/LNetCam.cab (LNCActiveX Control)
    O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: Garmin Communicator Plug-In Reg Error: Value error. (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: GinaDLL - (ckpginashim.dll) - C:\WINDOWS\System32\ckpginashim.dll (Check Point Software Technologies)
    O20 - Winlogon\Notify\ckpNotify: DllName - ckpNotify.dll - C:\WINDOWS\System32\ckpNotify.dll (Check Point Software Technologies)
    O20 - Winlogon\Notify\itlntfy: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
    O24 - Desktop WallPaper: C:\Documents and Settings\Authorized User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Authorized User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/02/08 13:25:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2003/05/19 12:48:54 | 000,000,000 | R--D | M] - D:\Autoplay -- [ CDFS ]
    O32 - AutoRun File - [2001/01/05 08:13:36 | 000,313,344 | R--- | M] (Adobe Systems, Incorporated) - D:\AutoPlay.exe -- [ CDFS ]
    O32 - AutoRun File - [2001/01/10 16:11:12 | 000,000,049 | R--- | M] () - D:\Autorun.inf -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O35 - HKU\S-1-5-21-776561741-1897051121-725345543-1003..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKU\S-1-5-21-776561741-1897051121-725345543-1003\...exe [@ = exefile] -- "%1" %*

    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.ffds - C:\Program Files\Combined Community Codec Pack\Filters\FFDShow\ff_vfw.dll ()
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902109354000384)

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/05/14 10:43:08 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Authorized User\Desktop\OTL.exe
    [2011/05/14 08:37:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Desktop\tdsskiller
    [2011/05/13 13:21:28 | 001,407,280 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Authorized User\Desktop\TDSSKiller.exe
    [2011/05/13 06:56:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Desktop\web_of_trust_safe_browsing_tool-20110323-fx+sm
    [2011/05/12 22:17:18 | 000,083,968 | ---- | C] (eSage Lab) -- C:\Documents and Settings\Authorized User\Desktop\remover.exe
    [2011/05/12 22:17:18 | 000,000,000 | ---D | C] -- C:\bootkit_remover
    [2011/05/12 22:12:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\7-Zip
    [2011/05/12 22:12:54 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
    [2011/05/12 20:58:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
    [2011/05/11 23:31:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
    [2011/05/11 23:31:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
    [2011/05/11 22:59:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Windows Digital Media Enhancements
    [2011/05/11 22:59:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\TurboTax 2010
    [2011/05/11 22:59:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\TurboTax 2009
    [2011/05/11 22:59:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Spybot - Search & Destroy
    [2011/05/11 22:59:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Shutterfly
    [2011/05/11 22:59:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\QuickTime
    [2011/05/11 22:59:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Picasa 3
    [2011/05/11 22:59:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Mozilla Firefox
    [2011/05/11 22:59:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Microsoft Silverlight
    [2011/05/11 22:59:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Microsoft Office
    [2011/05/11 22:59:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/05/11 22:59:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Kodak
    [2011/05/11 22:59:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\iTunes
    [2011/05/11 22:59:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\HP
    [2011/05/11 22:59:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Google Earth
    [2011/05/11 22:59:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Games
    [2011/05/11 22:59:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Creative
    [2011/05/11 22:59:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Combined Community Codec Pack
    [2011/05/11 22:59:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Check Point VPN-1 SecureClient
    [2011/05/11 22:59:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\ArcSoft Print Creations
    [2011/05/11 22:59:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\ArcSoft Connect
    [2011/05/11 22:59:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Administrative Tools
    [2011/05/11 22:40:27 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/05/11 22:40:27 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/05/11 22:40:27 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/05/11 22:40:27 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/05/11 22:39:36 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/05/11 13:31:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Authorized User\Recent
    [2011/05/09 13:51:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
    [2011/05/07 14:47:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
    [2011/05/06 20:01:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
    [2011/05/06 06:11:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
    [2011/05/01 13:15:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Application Data\com.Shutterfly.ExpressUploader
    [2011/05/01 13:15:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Shutterfly
    [2011/05/01 13:15:16 | 000,000,000 | ---D | C] -- C:\Program Files\Shutterfly
    [2011/04/19 23:33:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\Help
    [2011/04/19 23:33:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Application Data\Help

    ========== Files - Modified Within 30 Days ==========

    [2011/05/14 10:46:01 | 000,000,904 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/05/14 10:43:10 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Authorized User\Desktop\OTL.exe
    [2011/05/14 08:48:01 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2011/05/14 08:43:41 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/05/14 08:43:41 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/05/14 08:42:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/05/14 08:35:51 | 001,280,208 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\tdsskiller.zip
    [2011/05/14 08:35:25 | 000,000,549 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
    [2011/05/14 08:31:05 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/05/14 08:21:08 | 000,000,442 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{58EDDB7F-CF96-43AD-B4A6-4C4C32437150}.job
    [2011/05/13 13:21:28 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Authorized User\Desktop\TDSSKiller.exe
    [2011/05/12 22:13:06 | 000,039,605 | ---- | M] () -- C:\bootkit_remover.rar
    [2011/05/12 22:12:35 | 001,110,476 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\7z920.exe
    [2011/05/12 21:49:43 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/05/11 20:46:58 | 004,346,463 | R--- | M] () -- C:\Documents and Settings\Authorized User\Desktop\ComboFix.exe
    [2011/05/11 12:54:58 | 000,016,116 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\30xbu6q33b6g07e
    [2011/05/11 12:54:57 | 000,016,116 | -HS- | M] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\30xbu6q33b6g07e
    [2011/05/11 12:46:12 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Vreladuxo.dat
    [2011/05/10 20:31:20 | 000,000,128 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~18800420r
    [2011/05/10 20:31:20 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~18800420
    [2011/05/10 20:22:08 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\18800420
    [2011/05/10 20:06:54 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Authorized User\2gweorjqjutp92vjy9gake
    [2011/05/09 17:41:48 | 000,016,044 | -HS- | M] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\3x41wrg1bdk74r644p5lin01f7k5jp7s5l3846d5642xs
    [2011/05/09 17:41:48 | 000,016,044 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3x41wrg1bdk74r644p5lin01f7k5jp7s5l3846d5642xs
    [2011/05/09 13:40:43 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\Microsoft Office Word 2003.lnk
    [2011/05/06 06:12:35 | 000,225,616 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/05/05 21:30:07 | 000,001,889 | ---- | M] () -- C:\WINDOWS\lsrslt.ini
    [2011/05/01 13:14:20 | 001,660,744 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\DesktopUploader1.0.0.4.exe
    [2011/04/30 09:46:00 | 014,959,616 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
    [2011/04/30 09:46:00 | 007,774,208 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
    [2011/04/15 23:46:06 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/04/15 23:43:25 | 000,475,576 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/04/15 23:43:25 | 000,076,228 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

    ========== Files Created - No Company Name ==========

    [2011/05/14 08:35:45 | 001,280,208 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\tdsskiller.zip
    [2011/05/14 08:35:25 | 000,000,549 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
    [2011/05/12 22:14:28 | 000,039,605 | ---- | C] () -- C:\bootkit_remover.rar
    [2011/05/12 22:12:22 | 001,110,476 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\7z920.exe
    [2011/05/12 20:53:37 | 004,346,463 | R--- | C] () -- C:\Documents and Settings\Authorized User\Desktop\ComboFix.exe
    [2011/05/11 22:59:45 | 000,001,837 | ---- | C] () -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    [2011/05/11 22:59:45 | 000,001,808 | ---- | C] () -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    [2011/05/11 22:59:45 | 000,000,753 | ---- | C] () -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
    [2011/05/11 22:59:21 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Windows Movie Maker.lnk
    [2011/05/11 22:59:21 | 000,000,716 | ---- | C] () -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Secunia PSI.lnk
    [2011/05/11 22:59:21 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Windows Messenger.lnk
    [2011/05/11 22:59:20 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Adobe Reader X.lnk
    [2011/05/11 22:59:20 | 000,001,986 | ---- | C] () -- C:\Documents and Settings\Authorized User\Start Menu\Programs\MSN.lnk
    [2011/05/11 22:59:20 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Apple Software Update.lnk
    [2011/05/11 22:59:20 | 000,001,680 | ---- | C] () -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2011/05/11 22:40:27 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/05/11 22:40:27 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/05/11 22:40:27 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/05/11 22:40:27 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/05/11 22:40:27 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/05/10 20:31:20 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18800420r
    [2011/05/10 20:31:19 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18800420
    [2011/05/10 20:21:29 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18800420
    [2011/05/10 20:09:03 | 000,016,116 | -HS- | C] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\30xbu6q33b6g07e
    [2011/05/10 20:09:03 | 000,016,116 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\30xbu6q33b6g07e
    [2011/05/10 20:06:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Authorized User\2gweorjqjutp92vjy9gake
    [2011/05/06 19:57:51 | 000,016,044 | -HS- | C] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\3x41wrg1bdk74r644p5lin01f7k5jp7s5l3846d5642xs
    [2011/05/06 19:57:51 | 000,016,044 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3x41wrg1bdk74r644p5lin01f7k5jp7s5l3846d5642xs
    [2011/05/05 21:30:07 | 000,001,889 | ---- | C] () -- C:\WINDOWS\lsrslt.ini
    [2011/05/01 13:14:04 | 001,660,744 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\DesktopUploader1.0.0.4.exe
    [2011/03/01 22:29:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2011/02/03 23:26:33 | 000,982,320 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2011/01/19 22:30:37 | 000,000,089 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2011/01/19 21:31:58 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Vreladuxo.dat
    [2010/11/30 07:03:56 | 000,219,262 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
    [2010/11/29 22:30:34 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/10/24 22:59:44 | 000,141,186 | ---- | C] () -- C:\WINDOWS\hpoins14.dat
    [2010/10/24 22:59:44 | 000,002,000 | ---- | C] () -- C:\WINDOWS\hpomdl14.dat
    [2010/10/09 08:04:27 | 000,002,516 | ---- | C] () -- C:\WINDOWS\System32\drivers\default.bin.old
    [2010/10/09 08:04:27 | 000,002,516 | ---- | C] () -- C:\WINDOWS\System32\default.bin.old
    [2010/06/05 16:51:04 | 000,000,022 | ---- | C] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\kodakpcd.ini
    [2010/05/26 13:08:13 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/05/08 18:06:56 | 000,042,384 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
    [2010/04/11 08:58:03 | 000,002,516 | ---- | C] () -- C:\WINDOWS\System32\drivers\default.bin
    [2010/04/11 08:58:03 | 000,002,516 | ---- | C] () -- C:\WINDOWS\System32\default.bin
    [2010/02/10 19:43:59 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2010/02/08 18:31:07 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
    [2010/02/08 18:30:45 | 000,114,630 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
    [2010/02/08 13:27:51 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2010/02/08 12:15:26 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2010/02/08 03:52:50 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2010/02/08 03:51:44 | 000,225,616 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2008/06/18 13:47:02 | 000,004,133 | ---- | C] () -- C:\WINDOWS\entrust.ini
    [2008/06/18 13:46:50 | 000,106,588 | ---- | C] () -- C:\WINDOWS\System32\fwnetcfg.dll
    [2006/03/15 05:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2006/03/15 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2006/03/15 05:00:00 | 000,475,576 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2006/03/15 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2006/03/15 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2006/03/15 05:00:00 | 000,076,228 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2006/03/15 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2006/03/15 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2006/03/15 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2006/03/15 05:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2006/03/15 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2006/03/15 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

    ========== LOP Check ==========

    [2011/01/24 21:27:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Chat Republic Games
    [2010/06/21 16:17:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2010/03/01 20:54:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2011/05/01 13:15:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\com.Shutterfly.ExpressUploader
    [2010/11/29 22:14:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\GARMIN
    [2010/02/11 16:24:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\Skinux
    [2011/05/14 08:48:01 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
    [2011/05/14 08:21:08 | 000,000,442 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{58EDDB7F-CF96-43AD-B4A6-4C4C32437150}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2010/02/08 13:25:25 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2010/02/08 19:50:20 | 000,000,209 | ---- | M] () -- C:\Boot.bak
    [2011/01/25 21:53:52 | 000,000,325 | RHS- | M] () -- C:\boot.ini
    [2011/05/12 22:13:06 | 000,039,605 | ---- | M] () -- C:\bootkit_remover.rar
    [2004/08/04 00:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/05/14 09:34:29 | 000,025,385 | ---- | M] () -- C:\ComboFix.txt
    [2010/02/08 13:25:25 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2010/04/11 09:01:01 | 000,000,045 | ---- | M] () -- C:\error.log
    [2010/02/08 13:25:25 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2011/01/26 22:58:24 | 000,019,521 | ---- | M] () -- C:\JavaRa.log
    [2010/02/08 13:25:25 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2006/03/15 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2010/02/08 15:30:13 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2011/05/14 08:42:29 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
    [2011/05/09 21:01:29 | 000,000,423 | ---- | M] () -- C:\rkill.log
    [2010/10/09 08:04:27 | 000,000,005 | ---- | M] () -- C:\sr_tde.all
    [2011/05/14 08:40:32 | 000,038,240 | ---- | M] () -- C:\TDSSKiller.2.5.1.0_14.05.2011_08.39.21_log.txt

    < %systemroot%\Fonts\*.com >
    [2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2010/02/08 13:24:54 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 05:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2007/03/28 14:57:34 | 000,274,944 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5ha.dll
    [2007/04/09 14:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 03:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2010/02/08 03:50:56 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2010/02/08 03:50:56 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2010/02/08 03:50:56 | 000,901,120 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >

    < %USERPROFILE%\Desktop\*.exe >
    [2011/05/12 22:12:35 | 001,110,476 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\7z920.exe
    [2009/01/20 12:58:58 | 010,566,658 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\azvpn6023.exe
    [2011/05/11 20:46:58 | 004,346,463 | R--- | M] () -- C:\Documents and Settings\Authorized User\Desktop\ComboFix.exe
    [2011/05/01 13:14:20 | 001,660,744 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\DesktopUploader1.0.0.4.exe
    [2011/01/24 22:38:08 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Authorized User\Desktop\mbam-setup-1.50.1.1100.exe
    [2011/01/25 21:24:50 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\MBRCheck.exe
    [2011/01/24 23:22:04 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\nkdx6u10.exe
    [2011/05/14 10:43:10 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Authorized User\Desktop\OTL.exe
    [2010/09/01 15:33:49 | 000,083,968 | ---- | M] (eSage Lab) -- C:\Documents and Settings\Authorized User\Desktop\remover.exe
    [2011/01/26 23:10:12 | 000,879,028 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\SecurityCheck.exe
    [2011/05/13 13:21:28 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Authorized User\Desktop\TDSSKiller.exe
    [2011/01/26 23:13:41 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Authorized User\Desktop\TFC.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >
    [2007/11/28 22:45:18 | 001,394,568 | ---- | M] () -- C:\Documents and Settings\Authorized User\My Documents\install_easyshare.exe
    [2010/12/02 23:12:58 | 034,452,784 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\Authorized User\My Documents\QuickTimeInstaller.exe

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2010/02/08 15:38:16 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Authorized User\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/05/14 09:33:08 | 000,458,752 | -HS- | M] () -- C:\Documents and Settings\Authorized User\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2006/03/15 05:00:00 | 000,192,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/13 17:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/04 02:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/04 02:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 07:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 10:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/13 17:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2007/04/02 11:07:23 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2007/04/02 11:07:23 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2007/04/02 11:07:24 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/04 02:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/04 02:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < >

    < End of report >
     
  24. tgugino

    tgugino TS Rookie Topic Starter Posts: 39

    extras log....

    OTL Extras logfile created on: 5/14/2011 10:45:48 AM - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Authorized User\Desktop
    Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,022.00 Mb Total Physical Memory | 552.00 Mb Available Physical Memory | 54.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 74.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.00 Gb Total Space | 77.67 Gb Free Space | 52.12% Space Free | Partition Type: NTFS
    Drive D: | 315.83 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    Unable to calculate disk information.
    Drive F: | 1.89 Gb Total Space | 1.75 Gb Free Space | 92.77% Space Free | Partition Type: FAT

    Computer Name: AUTHORIZ-55F50F | User Name: Authorized User | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-776561741-1897051121-725345543-1003\SOFTWARE\Classes\<extension>]

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 1
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\CheckPoint\SecureClient\bin\SR_SERVICE.EXE" = C:\Program Files\CheckPoint\SecureClient\bin\SR_SERVICE.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient service -- (Check Point Software Technologies)
    "C:\Program Files\CheckPoint\SecureClient\bin\SR_GUI.EXE" = C:\Program Files\CheckPoint\SecureClient\bin\SR_GUI.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient application -- (Check Point Software Technologies)
    "C:\Program Files\CheckPoint\SecureClient\bin\SCC.EXE" = C:\Program Files\CheckPoint\SecureClient\bin\SCC.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient command line -- (Check Point Software Technologies)
    "C:\Program Files\CheckPoint\SecureClient\bin\SR_SDS.EXE" = C:\Program Files\CheckPoint\SecureClient\bin\SR_SDS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent -- (Check Point Software Technologies)
    "C:\Program Files\CheckPoint\SecureClient\bin\SR_DIAGNOSTICS.EXE" = C:\Program Files\CheckPoint\SecureClient\bin\SR_DIAGNOSTICS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics -- (Check Point Software Technologies)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- (Eastman Kodak Company)
    "C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)
    "C:\Program Files\CheckPoint\SecureClient\bin\SR_SERVICE.EXE" = C:\Program Files\CheckPoint\SecureClient\bin\SR_SERVICE.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient service -- (Check Point Software Technologies)
    "C:\Program Files\CheckPoint\SecureClient\bin\SR_GUI.EXE" = C:\Program Files\CheckPoint\SecureClient\bin\SR_GUI.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient application -- (Check Point Software Technologies)
    "C:\Program Files\CheckPoint\SecureClient\bin\SCC.EXE" = C:\Program Files\CheckPoint\SecureClient\bin\SCC.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient command line -- (Check Point Software Technologies)
    "C:\Program Files\CheckPoint\SecureClient\bin\SR_SDS.EXE" = C:\Program Files\CheckPoint\SecureClient\bin\SR_SDS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent -- (Check Point Software Technologies)
    "C:\Program Files\CheckPoint\SecureClient\bin\SR_DIAGNOSTICS.EXE" = C:\Program Files\CheckPoint\SecureClient\bin\SR_DIAGNOSTICS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics -- (Check Point Software Technologies)
    "C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
    "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{007B37D9-0C45-4202-834B-DD5FAAE99D63}" = ArcSoft Print Creations - Slimline Card
    "{03EDED24-8375-407D-A721-4643D9768BE1}" = kgchlwn
    "{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport
    "{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
    "{10E1E87C-656C-4D08-86D6-5443D28583BE}" = TrayApp
    "{11F3F858-4131-4FFA-A560-3FE282933B6E}" = kgchday
    "{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
    "{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
    "{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{1D10C273-3F95-42A2-8371-AB6B1F59821B}" = WOT for Internet Explorer
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
    "{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java(TM) 6 Update 23
    "{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
    "{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
    "{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
    "{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
    "{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{360EDFB0-EAA2-012B-AD16-000000000000}" = TurboTax 2009 wcaiper
    "{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
    "{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset
    "{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
    "{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
    "{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
    "{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
    "{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
    "{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
    "{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}" = HPSSupply
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper
    "{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
    "{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
    "{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
    "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
    "{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
    "{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}" = fflink
    "{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
    "{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
    "{693C08A7-9E76-43FF-B11E-9A58175474C4}" = kgckids
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
    "{706BB40A-4102-4c89-8107-DC68C4EBD19B}" = HP Deskjet All-In-One Software 9.0
    "{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
    "{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
    "{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01
    "{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01
    "{87FF0E39-8490-4EB4-A557-FF12F712EF7E}" = TurboTax 2010 wcaiper
    "{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
    "{8A8664E1-84C8-4936-891C-BC1F07797549}" = kgcvday
    "{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
    "{93F54611-2701-454e-94AB-623F458D9E6B}" = DeviceDiscovery
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9591C049-5CAE-4E89-A8D9-191F1899628B}" = ArcSoft Print Creations - Funhouse
    "{9862E0CB-4727-4FFC-963A-E22A9E9EC10C}" = Creative ZEN V Series (R2)
    "{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
    "{9BD54685-1496-46A5-AB62-357CD140ED8B}" = kgcinvt
    "{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = iSEEK AnswerWorks English Runtime
    "{A1588373-1D86-4D44-86C9-78ABD190F9CC}" = kgcmove
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
    "{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A9C365A3-06C0-43b4-A2DB-EDF0A6079AA9}" = DJ_AIO_Software
    "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
    "{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
    "{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
    "{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
    "{AEB7E9C1-B5D9-47FD-BE46-5AC0DDDE7BCC}" = Check Point VPN-1 SecuRemote/SecureClient NGX R60 HFA2
    "{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
    "{B0D83FCD-9D42-43ED-8315-250326AADA02}" = ArcSoft Print Creations - Scrapbook
    "{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B4B1F18B-5CED-4f8f-8A8F-1BD0503C222E}" = DJ_AIO_ProductContext
    "{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
    "{B6B69D92-6CD8-4086-8D1D-7945BDA4AE5A}" = F4100_Help
    "{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
    "{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C768790F-04FB-11E0-9B2C-001AA037B01E}" = Google Earth
    "{C8192B14-5B56-2E27-6652-8AA650091D6E}" = Shutterfly Express Uploader
    "{C9D88AF8-7B0A-4200-BFBC-7827A7535096}" = F4100_doccd
    "{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
    "{CAE8A0F1-B498-4C23-95FA-55047E730C8F}" = ArcSoft Print Creations
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
    "{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
    "{D46D081B-F60E-467E-A7C4-117B70D76731}" = HP Update
    "{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
    "{E18B549C-5D15-45DA-8D8F-8FD2BD946344}" = kgcbaby
    "{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
    "{E6B4117F-AC59-4B13-9274-EB136E8897EE}" = ArcSoft Print Creations - Album Page
    "{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
    "{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
    "{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
    "{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
    "{F56D6F46-1D62-4734-BF12-6457A1ED17BD}" = DJ_AIO_Software_min
    "{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE
    "{F8FED11D-3584-4a72-8B26-E0951B655797}" = F4100
    "{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
    "{FAE36873-1941-4076-A9A5-48812B5EA0B7}" = iTunes
    "{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
    "{FD8D8B04-BEAD-4A55-AA1D-62D2373E7DEA}" = Status
    "7-Zip" = 7-Zip 9.20
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "All ATI Software" = ATI - Software Uninstall Utility
    "ATI Display Driver" = ATI Display Driver
    "AudibleManager" = AudibleManager
    "CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
    "com.Shutterfly.ExpressUploader" = Shutterfly Express Uploader
    "Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
    "Creative Removable Disk Manager" = Creative Removable Disk Manager
    "ESET Online Scanner" = ESET Online Scanner v3
    "HP Imaging Device Functions" = HP Imaging Device Functions 9.0
    "HP Photosmart Essential" = HP Photosmart Essential 2.01
    "HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
    "HPExtendedCapabilities" = HP Customer Participation Program 9.0
    "ie8" = Windows Internet Explorer 8
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Security Client" = Microsoft Security Essentials
    "Mozilla Firefox (3.6.17)" = Mozilla Firefox (3.6.17)
    "Picasa 3" = Picasa 3
    "PROSet" = Intel(R) PRO Network Connections Drivers
    "Secunia PSI" = Secunia PSI (2.0.0.3001)
    "SysInfo" = Creative System Information
    "TurboTax 2009" = TurboTax 2009
    "TurboTax 2010" = TurboTax 2010
    "Windows Media Format Runtime" = Windows Media Format Runtime
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "ZENcast Organizer" = ZENcast Organizer

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-776561741-1897051121-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 5/10/2011 11:12:01 PM | Computer Name = AUTHORIZ-55F50F | Source = Application Error | ID = 1000
    Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
    module wininet.dll, version 8.0.6001.19044, fault address 0x0007971d.

    Error - 5/10/2011 11:47:03 PM | Computer Name = AUTHORIZ-55F50F | Source = Media Center Scheduler | ID = 0
    Description =

    Error - 5/11/2011 12:03:10 AM | Computer Name = AUTHORIZ-55F50F | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 80070424, P2 beginsearch, P3 search, P4
    3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
    P8 NIL, P9 NIL, P10 NIL.

    Error - 5/12/2011 1:01:39 AM | Computer Name = AUTHORIZ-55F50F | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 80070424, P2 beginsearch, P3 search, P4
    3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
    P8 NIL, P9 NIL, P10 NIL.

    Error - 5/12/2011 2:11:39 AM | Computer Name = AUTHORIZ-55F50F | Source = Media Center Scheduler | ID = 0
    Description =

    Error - 5/12/2011 2:41:59 AM | Computer Name = AUTHORIZ-55F50F | Source = Media Center Scheduler | ID = 0
    Description =

    Error - 5/12/2011 7:12:16 PM | Computer Name = AUTHORIZ-55F50F | Source = Media Center Scheduler | ID = 0
    Description =

    Error - 5/13/2011 1:43:21 AM | Computer Name = AUTHORIZ-55F50F | Source = Media Center Scheduler | ID = 0
    Description =

    Error - 5/13/2011 1:52:05 AM | Computer Name = AUTHORIZ-55F50F | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 80080005, P2 beginsearch, P3 search, P4
    3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
    P8 NIL, P9 NIL, P10 NIL.

    Error - 5/14/2011 11:26:30 AM | Computer Name = AUTHORIZ-55F50F | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 80072efe, P2 endsearch, P3 search, P4 3.0.8107.0,
    P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
    P8 NIL, P9 NIL, P10 NIL.

    [ System Events ]
    Error - 5/13/2011 1:50:04 AM | Computer Name = AUTHORIZ-55F50F | Source = DCOM | ID = 10010
    Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register
    with DCOM within the required timeout.

    Error - 5/13/2011 1:52:04 AM | Computer Name = AUTHORIZ-55F50F | Source = DCOM | ID = 10010
    Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register
    with DCOM within the required timeout.

    Error - 5/13/2011 1:52:04 AM | Computer Name = AUTHORIZ-55F50F | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.103.1094.0 Update Source: %%859 Update Stage:
    %%852 Source Path: Default URL Signature Type: %%800 Update Type: %%803 User: NT AUTHORITY\SYSTEM
    Current
    Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80080005 Error
    description: Server execution failed

    Error - 5/13/2011 2:11:37 AM | Computer Name = AUTHORIZ-55F50F | Source = FW1 | ID = 1
    Description = FW1: FW-1: last packet seen -3 seconds ago, assuming -->

    Error - 5/13/2011 2:11:37 AM | Computer Name = AUTHORIZ-55F50F | Source = FW1 | ID = 1
    Description = FW1: -->clock change.

    Error - 5/13/2011 9:35:18 AM | Computer Name = AUTHORIZ-55F50F | Source = Service Control Manager | ID = 7000
    Description = The Parallel port driver service failed to start due to the following
    error: %%1058

    Error - 5/14/2011 11:16:09 AM | Computer Name = AUTHORIZ-55F50F | Source = Service Control Manager | ID = 7000
    Description = The Parallel port driver service failed to start due to the following
    error: %%1058

    Error - 5/14/2011 11:17:40 AM | Computer Name = AUTHORIZ-55F50F | Source = Windows Update Agent | ID = 16
    Description = Unable to Connect: Windows is unable to connect to the automatic updates
    service and therefore cannot download and install updates according to the set
    schedule. Windows will continue to try to establish a connection.

    Error - 5/14/2011 11:26:29 AM | Computer Name = AUTHORIZ-55F50F | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.103.1631.0 Update Source: %%859 Update Stage:
    %%852 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803
    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6802.0 Error
    code: 0x80072efe Error description: The connection with the server was terminated
    abnormally

    Error - 5/14/2011 11:43:18 AM | Computer Name = AUTHORIZ-55F50F | Source = Service Control Manager | ID = 7000
    Description = The Parallel port driver service failed to start due to the following
    error: %%1058


    < End of report >
     
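The event-log section of an OTL report (the "Error - date | Computer Name = ... | Source = ... | ID = ..." records above) can be parsed and triaged programmatically; the following is an added example, not part of this thread or of OTL itself. The sample input is a constructed, shortened copy of three entries from the log above, and pulling out Microsoft Antimalware event 2001 (failed signature updates, with their error codes) is my choice of what a triager would want summarised, since a run of those failures while the machine is reachable is worth noticing.

```python
import re

# Constructed sample in the OTL event dump format posted above (shortened copies
# of those entries, not the full log).
SAMPLE_LOG = """\
Error - 5/13/2011 1:52:04 AM | Computer Name = AUTHORIZ-55F50F | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. Previous
Signature Version: 1.103.1094.0 Error code: 0x80080005 Error description: Server execution failed

Error - 5/14/2011 11:26:29 AM | Computer Name = AUTHORIZ-55F50F | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. Previous
Signature Version: 1.103.1631.0 Error
code: 0x80072efe Error description: The connection with the server was terminated abnormally

Error - 5/14/2011 11:43:18 AM | Computer Name = AUTHORIZ-55F50F | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058
"""

# One header line per event; everything after it up to the next header is the description.
HEADER = re.compile(
    r"^(?P<level>\w+) - (?P<when>\S+ \S+ [AP]M) \| Computer Name = (?P<host>\S+)"
    r" \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$")
# "Error code:" may be split across two lines in the dump; descriptions are re-joined first.
ERRCODE = re.compile(r"Error\s+code:\s*(0x[0-9a-fA-F]+)")

def parse_events(text):
    """Split a dump into records: the header fields plus the Description lines that
    follow, joined with spaces until the next header line."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = dict(m.groupdict(), description="")
            events.append(current)
        elif current is not None and line.strip():
            current["description"] += line.strip() + " "
    return events

def update_failures(events):
    """(timestamp, error code) for each Microsoft Antimalware ID 2001 event, i.e. each
    failed signature update; None as the code means no hex code was found in the text."""
    out = []
    for e in events:
        if e["source"] == "Microsoft Antimalware" and e["id"] == "2001":
            m = ERRCODE.search(e["description"])
            out.append((e["when"], m.group(1).lower() if m else None))
    return out
```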
  25. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =====================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O15 - HKU\S-1-5-21-776561741-1897051121-725345543-1003\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
      O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} Reg Error: Value error. (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O16 - DPF: Garmin Communicator Plug-In Reg Error: Value error. (Reg Error: Key error.)
      [2011/05/11 12:54:58 | 000,016,116 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\30xbu6q33b6g07e
      [2011/05/11 12:54:57 | 000,016,116 | -HS- | M] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\30xbu6q33b6g07e
      [2011/05/11 12:46:12 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Vreladuxo.dat
      [2011/05/10 20:31:20 | 000,000,128 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~18800420r
      [2011/05/10 20:31:20 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~18800420
      [2011/05/10 20:22:08 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\18800420
      [2011/05/10 20:06:54 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Authorized User\2gweorjqjutp92vjy9gake
      [2011/05/09 17:41:48 | 000,016,044 | -HS- | M] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\3x41wrg1bdk74r644p5lin01f7k5jp7s5l3846d5642xs
      [2011/05/09 17:41:48 | 000,016,044 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3x41wrg1bdk74r644p5lin01f7k5jp7s5l3846d5642xs
      
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =======================================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
     