Inactive Trojan-Clicker.Win32.Wistler.a and MEM:Rootkit.Win32.TDSS.fa

Greetings.

I'm running Windows XP on a Dell Latitude E6500. I am not that tech-savvy, but can try whatever I need. This is a work/home laptop, but complete swiping seems like a hard way to recover from this. I followed the directions in Prelim 8-Step Removal, but was unable to achieve proper results for DDS. Maybe VIPRE is interfering, but I don't know how to disable script blocking. Kaspersky Virus Removal Tool 2010 finds the Trojan-Clicker.Win32.Wistler.a in \Device\Harddisk0\DR0 and MEM:Rootkit.Win32.TDSS.fa in Hidden startup objects, but cannot disinfect them. The only option is to "Skip". I believe this problem was acquired from infected websites and not from a download - maybe streaming.


Indications: Computer startup hiccups and sometimes does not yield desktop or task bar. Some appearance settings are altered. Function has slowed. Most programs are running correctly, except iTunes. Additional svchost.exe's plus more apparently unneeded .exe's are running as indicated under Windows Task Manager Processes. I think this results in acquiring additional temp files for internet sites I know I didn't visit. Also, some browser queries are redirected. Cannot access Microsoft Updates website at all.

Please help. See the mbam-log.txt and gmer.log respectively below:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5464

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

1/5/2011 12:09:57 PM
mbam-log-2011-01-05 (12-09-57).txt

Scan type: Quick scan
Objects scanned: 181120
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





GMER

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-01-05 12:22:02
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD16 rev.11.0
Running: 51uthev1.exe; Driver: C:\DOCUME~1\darin\LOCALS~1\Temp\kwldypod.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312581552 (+255): rootkit-like behavior;

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)

Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD1600BEVT-75ZCT2___________________11.01A11#4&3ac9d9dd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----
 
dds update

DDS (Ver_10-12-12.02) - NTFSx86
Run by Darin at 15:53:25.75 on Wed 01/05/2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3024 [GMT -6:00]

AV: Sunbelt VIPRE *Enabled/Outdated* {964FCE60-0B18-4D30-ADD6-EB178909041C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r213367\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
C:\Program Files\AirPort\APAgent.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\darin\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Google Update] "c:\documents and settings\darin\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SBAMTray] c:\program files\sunbelt software\sbeagent\SBAMTray.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\darin\startm~1\programs\startup\setup_~1.lnk - c:\program files\kaperski virus removal tool\setup_9.0.0.722_04.01.2011_18-33\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252531585453
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252531643703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\darin\applic~1\mozilla\firefox\profiles\a02fw7hr.default\
FF - prefs.js: browser.startup.homepage - hxxps://ccs.coair.com/CCS/Default.aspx|http://www.ccsmax.com/
FF - plugin: c:\documents and settings\darin\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\darin\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\darin\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

============= SERVICES / DRIVERS ===============

R0 49152812;49152812 Boot Guard Driver;c:\windows\system32\drivers\49152812.sys [2011-1-4 37392]
R1 49152811;49152811;c:\windows\system32\drivers\49152811.sys [2011-1-4 128016]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2009-9-10 86552]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-1-18 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-13 95024]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-9-24 203056]
R1 setup_9.0.0.722_04.01.2011_18-33drv;setup_9.0.0.722_04.01.2011_18-33drv;c:\windows\system32\drivers\4915281.sys [2011-1-4 315408]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-1-22 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-1-22 20840]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-4-9 447264]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-29 374152]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\sunbelt software\sbeagent\SBAMSvc.exe [2010-1-4 1012080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-1-18 69936]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-9-4 112512]
R3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-4-19 42832]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-9-4 32808]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-9-4 244368]
R3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [2009-9-4 148056]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-9-4 133632]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-9-4 280096]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-9-4 232744]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-10 133104]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2009-9-10 24876]

=============== File Associations ===============

.scr=AutoCADLTScriptFile

=============== Created Last 30 ================

2011-01-04 16:09:51 37392 ----a-w- c:\windows\system32\drivers\49152812.sys
2011-01-04 16:09:51 315408 ----a-w- c:\windows\system32\drivers\4915281.sys
2011-01-04 16:09:51 128016 ----a-w- c:\windows\system32\drivers\49152811.sys
2011-01-04 16:09:50 -------- d-----w- c:\program files\Kaperski Virus Removal Tool
2011-01-04 02:14:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-03 16:34:49 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-03 16:34:49 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-03 16:32:20 -------- d-----w- c:\program files\iTunes
2011-01-03 16:32:20 -------- d-----w- c:\program files\iPod
2010-12-27 20:13:29 -------- d-----w- c:\program files\iPod(2)
2010-12-27 20:13:26 -------- d-----w- c:\program files\iTunes(2)
2010-12-27 19:53:18 -------- d-----w- c:\program files\QuickTime(2)
2010-12-21 18:19:13 -------- d-----w- c:\program files\GanttProject

==================== Find3M ====================

2010-12-30 05:28:42 108544 --sha-r- c:\windows\system32\msaud324.dll
2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD16 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B01E555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b0247b0]; MOV EAX, [0x8b02482c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B02D558]
3 CLASSPNP[0xBA8E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A64C1B0]
\Driver\iaStor[0x8B02C770] -> IRP_MJ_CREATE -> 0x8B01E555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD1600BEVT-75ZCT2___________________11.01A11#4&3ac9d9dd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 15:54:14.42 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 9/9/2009 4:21:08 PM
System Uptime: 1/5/2011 3:24:25 PM (0 hours ago)

Motherboard: Dell Inc. | | 0X564R
Processor: Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz | Microprocessor | 2393/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 99.64 GiB free.
D: is CDROM ()
U: is NetworkDisk (NTFS) - 1 GiB total, 17.69 GiB free.
X: is NetworkDisk (NTFS) - 110 GiB total, 0 GiB free.

==== Disabled Device Manager Items =============

Class GUID:
Description:
Device ID: ROOT\LEGACY_ASFALRT\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_ASFALRT\0000
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: SonicWALL VPN Adapter
Device ID: ROOT\RCVPN\0000
Manufacturer: SonicWALL, Inc.
Name: SonicWALL VPN Adapter
PNP Device ID: ROOT\RCVPN\0000
Service: rcvpn

==== System Restore Points ===================

RP159: 10/5/2010 9:19:26 AM - _05-Oct-2010 09:19:23 AM
RP160: 10/6/2010 10:30:36 AM - _06-Oct-2010 10:30:31 AM
RP161: 10/7/2010 9:29:25 AM - _07-Oct-2010 09:29:21 AM
RP162: 10/8/2010 9:33:17 AM - _08-Oct-2010 09:33:13 AM
RP163: 10/11/2010 9:26:35 AM - _11-Oct-2010 09:26:31 AM
RP164: 10/12/2010 10:03:45 AM - _12-Oct-2010 10:03:41 AM
RP165: 10/13/2010 8:41:26 AM - _13-Oct-2010 08:41:22 AM
RP166: 10/14/2010 11:48:37 AM - _14-Oct-2010 11:48:33 AM
RP167: 10/15/2010 9:21:09 AM - _15-Oct-2010 09:21:05 AM
RP168: 10/18/2010 9:26:28 AM - _18-Oct-2010 09:26:24 AM
RP169: 10/19/2010 9:14:53 AM - _19-Oct-2010 09:14:49 AM
RP170: 10/20/2010 9:34:56 AM - _20-Oct-2010 09:34:51 AM
RP171: 10/21/2010 12:03:07 AM - _21-Oct-2010 12:03:01 AM
RP172: 10/21/2010 12:04:44 AM - Software Distribution Service 3.0
RP173: 10/21/2010 12:04:59 AM - Software Distribution Service 3.0
RP174: 10/21/2010 12:05:19 AM - Software Distribution Service 3.0
RP175: 10/21/2010 12:05:33 AM - Software Distribution Service 3.0
RP176: 10/21/2010 12:05:49 AM - Software Distribution Service 3.0
RP177: 10/21/2010 12:06:01 AM - Software Distribution Service 3.0
RP178: 10/21/2010 12:08:07 AM - Software Distribution Service 3.0
RP179: 10/21/2010 12:08:29 AM - Software Distribution Service 3.0
RP180: 10/21/2010 12:08:40 AM - Software Distribution Service 3.0
RP181: 10/21/2010 12:08:51 AM - Software Distribution Service 3.0
RP182: 10/21/2010 12:09:06 AM - Software Distribution Service 3.0
RP183: 10/21/2010 12:11:10 AM - Software Distribution Service 3.0
RP184: 10/21/2010 12:11:28 AM - Software Distribution Service 3.0
RP185: 10/21/2010 12:11:41 AM - Software Distribution Service 3.0
RP186: 10/21/2010 12:11:57 AM - Software Distribution Service 3.0
RP187: 10/21/2010 12:12:17 AM - Software Distribution Service 3.0
RP188: 10/21/2010 12:12:28 AM - Software Distribution Service 3.0
RP189: 10/21/2010 12:12:41 AM - Software Distribution Service 3.0
RP190: 10/21/2010 12:12:53 AM - Software Distribution Service 3.0
RP191: 10/21/2010 12:13:10 AM - Software Distribution Service 3.0
RP192: 10/22/2010 10:11:12 AM - _22-Oct-2010 10:11:07 AM
RP193: 10/23/2010 12:27:55 AM - _23-Oct-2010 12:27:51 AM
RP194: 10/24/2010 12:16:20 AM - _24-Oct-2010 12:16:15 AM
RP195: 10/25/2010 11:42:27 AM - _25-Oct-2010 11:42:23 AM
RP196: 10/26/2010 9:36:29 AM - _26-Oct-2010 09:36:26 AM
RP197: 10/27/2010 9:26:03 AM - _27-Oct-2010 09:26:00 AM
RP198: 10/28/2010 9:48:28 AM - _28-Oct-2010 09:48:25 AM
RP199: 10/29/2010 9:39:31 AM - _29-Oct-2010 09:39:28 AM
RP200: 11/1/2010 9:26:46 AM - _01-Nov-2010 09:26:43 AM
RP201: 11/2/2010 10:53:27 AM - _02-Nov-2010 10:53:23 AM
RP202: 11/3/2010 9:38:52 AM - _03-Nov-2010 09:38:49 AM
RP203: 11/4/2010 12:07:03 PM - System Checkpoint
RP204: 11/5/2010 12:36:55 PM - System Checkpoint
RP205: 11/6/2010 6:28:49 PM - System Checkpoint
RP206: 11/9/2010 9:53:56 AM - System Checkpoint
RP207: 11/11/2010 10:49:35 AM - System Checkpoint
RP208: 11/15/2010 12:43:24 PM - System Checkpoint
RP209: 11/16/2010 1:01:02 PM - System Checkpoint
RP210: 11/18/2010 12:00:10 AM - System Checkpoint
RP211: 11/19/2010 12:50:09 PM - System Checkpoint
RP212: 11/22/2010 9:31:45 AM - System Checkpoint
RP213: 11/23/2010 1:05:28 PM - System Checkpoint
RP214: 11/29/2010 1:41:47 PM - System Checkpoint
RP215: 12/1/2010 4:44:11 PM - System Checkpoint
RP216: 12/3/2010 12:31:49 AM - System Checkpoint
RP217: 12/6/2010 12:34:15 PM - System Checkpoint
RP218: 12/7/2010 12:46:07 PM - System Checkpoint
RP219: 12/8/2010 4:27:19 PM - System Checkpoint
RP220: 12/10/2010 12:48:58 PM - System Checkpoint
RP221: 12/13/2010 10:39:44 AM - System Checkpoint
RP222: 12/14/2010 4:48:09 PM - System Checkpoint
RP223: 12/16/2010 11:25:18 AM - System Checkpoint
RP224: 12/19/2010 6:33:18 PM - System Checkpoint
RP225: 12/21/2010 1:13:47 AM - System Checkpoint
RP226: 12/22/2010 1:52:04 PM - System Checkpoint
RP227: 12/23/2010 8:01:23 PM - System Checkpoint
RP228: 12/24/2010 8:44:04 PM - System Checkpoint
RP229: 12/25/2010 9:44:05 PM - System Checkpoint
RP230: 12/26/2010 10:44:03 PM - System Checkpoint
RP231: 12/28/2010 1:42:14 PM - System Checkpoint
RP232: 1/2/2011 11:48:55 AM - System Checkpoint
RP233: 1/3/2011 10:30:38 AM - Restore Operation
RP234: 1/3/2011 12:34:35 PM - Installed Windows Defender
RP235: 1/3/2011 12:36:08 PM - Installed Windows Defender
RP236: 1/3/2011 3:24:29 PM - Restore Operation

==== Installed Programs ======================

2007 Microsoft Office system
Adobe Acrobat 9 Standard - English, Français, Deutsch
Adobe Acrobat 9.4.1 - CPSID_83708
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 6.0
AirPort
All Day Battery Life Configuration
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AutoCAD LT 2008 - English
Autodesk DWF Viewer 7
BioAPI Framework
Bonjour
Broadcom USH Host Components
Canon Camera Access Library
Canon Camera Support Core Library
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon Pro9000 II series Printer Driver
Canon Pro9000 Mark II series User Registration
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.6
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Easy-PhotoPrint Pro
Canon Utilities EOS Utility
Canon Utilities My Printer
Canon Utilities MyCamera
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities Solution Menu
Canon Utilities WFT-E1/E2/E3/E4 Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner
Choice Guard
COMcheck 3.7.0
COMcheck 3.7.1
Compatibility Pack for the 2007 Office system
Dell Backup and Recovery Manager
Dell ControlPoint System Manager
Dell Driver Download Manager
Dell Security Device Driver Pack
Dell Touchpad
Dell Webcam Central
DW WLAN Card Utility
Free RAR Extract Frog
Google Calendar Sync
Google Chrome
Google Earth
Google SketchUp 7
Google Talk Plugin
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB945436)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Index.dat Analyzer v2.0
Integrated Webcam Driver (1.06.03.0309)
Intel(R) Network Connections 13.0.42.0
Intel(R) PRO Alerting Agent
Intel® Matrix Storage Manager
iTunes
Java(TM) 6 Update 17
Junk Mail filter update
Malwarebytes' Anti-Malware
MFCLOC
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft XML Parser
Mozilla Firefox (3.6.3)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
OGA Notifier 2.0.0048.0
PowerDVD DX
QuickTime
Recuva
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE 10.3
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Safari
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Segoe UI
Serif PhotoPlus SE
Skype™ 4.1
SonicWALL Global VPN Client
SonicWALL Global VPN Client 4.0.0.835
Spybot - Search & Destroy
SRS Premium Sound
Sunbelt Enterprise Agent
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VLC media player 0.9.2
WebEx
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Driver Package - Dell Inc. PBADRV System (01/07/2008 1.0.1.5)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
XML Paper Specification Shared Components Pack 1.0
ZipGenius 6 (6.3.1.2612)

==== Event Viewer Messages From Past Week ========

12/30/2010 11:17:39 AM, error: NetBT [4321] - The name "TOWNSITE :1d" could not be registered on the Interface with IP address 192.168.1.113. The machine with the IP address 192.168.1.113 did not allow the name to be claimed by this machine.
12/30/2010 11:12:29 AM, error: NetBT [4321] - The name "TOWNSITE :1d" could not be registered on the Interface with IP address 192.168.1.113. The machine with the IP address 192.168.1.104 did not allow the name to be claimed by this machine.
12/29/2010 10:36:00 PM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
1/5/2011 3:15:12 PM, error: Service Control Manager [7034] - The VIPRE Enterprise Agent service terminated unexpectedly. It has done this 2 time(s).
1/5/2011 12:12:13 PM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
1/5/2011 11:44:33 AM, error: Service Control Manager [7034] - The VIPRE Enterprise Agent service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:44:33 AM, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:44:33 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:44:33 AM, error: Service Control Manager [7034] - The Intel(R) Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:44:33 AM, error: Service Control Manager [7034] - The Dell ControlPoint System Manager service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:44:33 AM, error: Service Control Manager [7034] - The Dell ControlPoint Button Service service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:44:33 AM, error: Service Control Manager [7034] - The Canon Camera Access Library 8 service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:44:33 AM, error: Service Control Manager [7031] - The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/5/2011 11:43:52 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:43:52 AM, error: Service Control Manager [7034] - The LMIGuardianSvc service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The DW WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The Credential Vault Host Storage service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The Credential Vault Host Control Service service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The Audio Service service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The ASF Agent service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:43:51 AM, error: Service Control Manager [7034] - The Adobe Active File Monitor V6 service terminated unexpectedly. It has done this 1 time(s).
1/5/2011 11:43:51 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/4/2011 3:41:00 PM, error: NETLOGON [5719] - No Domain Controller is available for domain TOWNSITE due to the following: The RPC server is unavailable. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
1/3/2011 12:00:50 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
1/3/2011 12:00:50 PM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/3/2011 12:00:50 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/3/2011 10:36:49 AM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
1/3/2011 10:26:00 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/2/2011 8:41:00 PM, error: NETLOGON [5719] - No Domain Controller is available for domain TOWNSITE due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

==== End Of File ===========================
 
Welcome to TechSpot! First thing I'd like you to do is forget about all those other scans you ran and what they found. Second thing is to run only what I direct you to do. Malware cleaning is an orderly process- it's not a scan here or there, hoping to fix what's wrong!
==============================================
There is a rootkit on the system. The question is whether it's on the MBR, so we will check that first:

Please download MBR Rootkit Detector and save it on your desktop.
  • Pause/Stop all antivirus/spyware active protection.
  • Then double click on mbr.exe to run it.
  • Select Run when you receive a Security Warning
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe
  • Copy and paste the contents of mbr.log on your next reply.
============================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query - Recovery Console image [image: RcAuto1.gif]

    WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: [image: whatnext.png]
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
========================================
Question about TOWNSITE
I note several errors trying to reach Domain "TOWNSITE :1d" but I don't see any indication of this Domain in your logs. Can you tell me what this is please?
 
MBR and Combofix

Bobbye, thank you for much needed assistance. It is very appreciated.

My "X:" drive connects to Townsite's file server whenever I attach the ethernet Cat5 cable to my computer. It also supplies my hard internet connection. Since infection, I have been connecting and disconnecting the cable to minimize possible exposure to those files. From today forward I will try to simply use the wireless internet connection to further avoid exposure to those files. No programs are run from the Townsite server, only shared file storage. Is this a problem?

Two notes: Combofix had to reboot the computer for a rootkit matter; is this ok? Also, Combofix indicated that Vipre was active even though I ended its process by Task Manager. I don't know any other way to disable Vipre.

Please find the logs you requested below:




Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD16 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD1600BEVT-75ZCT2___________________11.01A11#4&3ac9d9dd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel



ComboFix 11-01-05.06 - Darin 01/06/2011 10:03:43.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3141 [GMT -6:00]
Running from: c:\documents and settings\darin\Desktop\Housekeeping\ComboFix.exe
AV: Sunbelt VIPRE *Enabled/Outdated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
.
PEV Error: LocalSettingsFile

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\regedit.com
c:\windows\system32\cmd.com

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-12-06 to 2011-01-06 )))))))))))))))))))))))))))))))
.

2011-01-04 16:09 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\49152812.sys
2011-01-04 16:09 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\4915281.sys
2011-01-04 16:09 . 2009-09-25 22:59 128016 ----a-w- c:\windows\system32\drivers\49152811.sys
2011-01-04 16:09 . 2011-01-04 18:04 -------- d-----w- c:\program files\Kaperski Virus Removal Tool
2011-01-04 02:39 . 2011-01-04 02:39 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-01-04 02:14 . 2011-01-04 02:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-03 16:34 . 2011-01-03 16:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-03 16:32 . 2011-01-03 16:32 -------- d-----w- c:\program files\QuickTime
2011-01-03 16:32 . 2011-01-04 20:10 -------- d-----w- c:\program files\iTunes
2011-01-03 16:32 . 2011-01-04 20:10 -------- d-----w- c:\program files\iPod
2010-12-30 18:08 . 2011-01-03 16:31 -------- d-----w- c:\program files\Windows Live Safety Center
2010-12-21 18:19 . 2011-01-03 16:33 -------- d-----w- c:\program files\GanttProject

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 00:09 . 2010-04-20 16:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-04-20 16:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\darin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-10 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2010-01-04 669008]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2010-02-03 2670592]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-28 13537280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

c:\documents and settings\darin\Start Menu\Programs\Startup\
setup_9.0.0.722_04.01.2011_18-33.lnk - c:\program files\Kaperski Virus Removal Tool\setup_9.0.0.722_04.01.2011_18-33\startup.exe [2011-1-4 72208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-22 23:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-09-23 09:42 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-09-11 06:43 67488 -c--a-w- c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2008-03-17 16:06 1848648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2008-12-11 16:31 722256 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Webcam Central]
2008-10-17 15:41 442536 ------w- c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 07:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-08-28 00:06 13537280 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2008-08-28 00:07 90112 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-08-28 00:07 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2009-02-05 02:26 128232 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-09-02 20:27 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 10:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\darin\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\darin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R0 49152812;49152812 Boot Guard Driver;c:\windows\system32\drivers\49152812.sys [1/4/2011 10:09 AM 37392]
R1 49152811;49152811;c:\windows\system32\drivers\49152811.sys [1/4/2011 10:09 AM 128016]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [9/10/2009 8:27 AM 86552]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [1/18/2010 9:33 AM 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 8:22 AM 95024]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [9/24/2009 12:23 PM 203056]
R1 setup_9.0.0.722_04.01.2011_18-33drv;setup_9.0.0.722_04.01.2011_18-33drv;c:\windows\system32\drivers\4915281.sys [1/4/2011 10:09 AM 315408]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 4:56 AM 133968]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 10:07 AM 320800]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 9:19 AM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 9:19 AM 20840]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [4/9/2009 1:02 PM 447264]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/29/2010 9:53 AM 374152]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [1/4/2010 5:02 PM 1012080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [1/18/2010 9:35 AM 69936]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [9/4/2009 4:12 AM 112512]
R3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 4:28 AM 42832]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [9/4/2009 4:12 AM 32808]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [9/4/2009 4:12 AM 244368]
R3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [9/4/2009 4:12 AM 148056]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [9/4/2009 4:12 AM 133632]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [9/4/2009 4:12 AM 280096]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [9/4/2009 1:58 AM 232744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/10/2009 8:13 AM 133104]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [9/10/2009 8:27 AM 24876]
.
Contents of the 'Scheduled Tasks' folder

2011-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2011-01-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-10 14:09]

2011-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-10 14:13]

2011-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-10 14:13]

2010-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2955818812-2593963823-2349310179-1238Core.job
- c:\documents and settings\darin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-10 14:13]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2955818812-2593963823-2349310179-1238UA.job
- c:\documents and settings\darin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-10 14:13]

2011-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2955818812-2593963823-2349310179-1417Core.job
- c:\documents and settings\msadmin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-13 03:28]

2011-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2955818812-2593963823-2349310179-1417UA.job
- c:\documents and settings\msadmin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-13 03:28]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\darin\Application Data\Mozilla\Firefox\Profiles\a02fw7hr.default\
FF - prefs.js: browser.startup.homepage - hxxps://ccs.coair.com/CCS/Default.aspx|http://www.ccsmax.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-06 10:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD16 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B015555]<<
c:\docume~1\darin\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b01b7b0]; MOV EAX, [0x8b01b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B05C770]
3 CLASSPNP[0xBA8E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AFD8B10]
\Driver\iaStor[0x8B023B38] -> IRP_MJ_CREATE -> 0x8B015555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD1600BEVT-75ZCT2___________________11.01A11#4&3ac9d9dd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-01-06 10:16:07
ComboFix-quarantined-files.txt 2011-01-06 16:15

Pre-Run: 106,823,573,504 bytes free
Post-Run: 106,785,112,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30

- - End Of File - - 59AB818152E3DA7AD85A8374636BEB8D
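
The mbr.exe reports pasted in the post above can be triaged programmatically. The following is an added example, not part of the original thread or of the GMER tool: it parses a report and flags a handler address that matches the module listed as UNKNOWN. The function names and the clean report are constructed for illustration; the infected report is copied from the post (disassembly lines left out).

```python
import re

# Lines copied from the second mbr.exe report in the post above.
INFECTED_LOG = r"""Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD16 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B015555]<<
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B05C770]
3 CLASSPNP[0xBA8E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AFD8B10]
\Driver\iaStor[0x8B023B38] -> IRP_MJ_CREATE -> 0x8B015555
kernel: MBR read successfully
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# Constructed report for an unaffected disk, for contrast (not from the page).
CLEAN_LOG = """device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

READ = re.compile(r"^(user|kernel): MBR read (.+)$")
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
IRP = re.compile(
    r"^(\\Driver\\[^\[\s]+)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)$")
SECTORS = re.compile(r"^sectors (\d+) \(\+(\d+)\): user != kernel$")


def parse_mbr_log(text):
    """Turn an mbr.exe report into a dict of the fields that matter for triage."""
    rep = {"reads": {}, "unknown_modules": [], "irp_targets": [],
           "mbr_mismatch": False, "sector_ranges": [], "tool_verdicts": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := READ.match(line):
            rep["reads"][m.group(1)] = (m.group(2) == "successfully")
        elif line.startswith("called modules:"):
            # Addresses in the call chain that belong to no loaded module.
            rep["unknown_modules"] += [int(a, 16) for a in UNKNOWN.findall(line)]
        elif m := IRP.match(line):
            # Driver object, IRP major function, address the handler points to.
            rep["irp_targets"].append((m.group(1), m.group(2), int(m.group(3), 16)))
        elif line.startswith("user != kernel MBR"):
            rep["mbr_mismatch"] = True
        elif m := SECTORS.match(line):
            # Both numbers are stored exactly as the tool prints them.
            rep["sector_ranges"].append((int(m.group(1)), int(m.group(2))))
        elif "rootkit infection" in line:
            rep["tool_verdicts"].append(line)
    return rep


def triage(rep):
    """Return (code, detail) findings; an empty list means nothing was flagged."""
    findings = []
    for who in ("user", "kernel"):
        if rep["reads"].get(who) is not True:
            findings.append(("read_incomplete", f"{who} MBR read missing or failed"))
    if rep["mbr_mismatch"]:
        findings.append(("mbr_mismatch", "user and kernel reads of the MBR differ"))
    for first, extra in rep["sector_ranges"]:
        findings.append(("sector_mismatch", f"sectors {first} (+{extra})"))
    unknown = set(rep["unknown_modules"])
    for driver, major, target in rep["irp_targets"]:
        # A storage driver handler pointing at code outside every module.
        if target in unknown:
            findings.append(("irp_to_unbacked_code",
                             f"{driver} {major} -> {target:#010x}"))
    for verdict in rep["tool_verdicts"]:
        findings.append(("tool_verdict", verdict))
    return findings


if __name__ == "__main__":
    for name, log in (("infected", INFECTED_LOG), ("clean", CLEAN_LOG)):
        print(name, triage(parse_mbr_log(log)))
```
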
 