Alureon.CT / tdlcmd.dll


#1 ChuckLHead

Posted 14 December 2009 - 06:12 AM

Scanners such as McAfee, Windows Defender and MBAM keep reporting and removing tdlcmd.dll, identified as Alureon.CT by Win Defender. A recent MBAM cleaned files from a _restore path so I thought maybe that would finally be the last of it. Now, the tdlcmd.dll was just reported again by McAfee.

I downloaded and ran dds.scr. I downloaded but could not get RootRepeal to run. It started but seemed to just hang on one directory.

I've attached my dds Attach.txt log.

Below is my DDS.txt log.

Thanks in advance for help with this tenacious bugger!
ChuckLHead


DDS (Ver_09-12-01.01) - NTFSx86
Run by Gator at 7:56:29.40 on Sun 12/13/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.991.427 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\home\cag\MyStuff\BleepingComputer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {8494B5D2-DA6A-4BB8-9C15-6C18A312387E} - hxxps://ra.budco.com/ui/Axt.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxps://ra.budco.com/pdl/jt/msrdp.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://cag:8889/forms/jinitiator/jinit.exe
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://myvpn.ford.com/dana-cached/setup/JuniperSetupSP1.cab
TCP: {70D4873B-381D-4E98-84E6-40794F0D9EC2} = 216.255.181.94,88.214.193.21
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli rskr32.dll
Hosts: 10.10.75.12 bst12.dbamanager.com bst12
Hosts: 10.10.75.1 pix
Hosts: 10.10.75.5 3com
Hosts: 10.10.75.10 bst10
Hosts: 10.10.75.20 bst01

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gator\applic~1\mozilla\firefox\profiles\ob5zp4jp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13122.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-29 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-29 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-29 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-29 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-29 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-29 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-29 40552]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-29 34248]
S3 Oracle-cagdevProcessManager;Oracle-cagdevProcessManager;c:\oracle\appserver\opmn\bin\opmn.exe -s --> c:\oracle\appserver\opmn\bin\opmn.exe -S [?]
S3 OracleDBConsolecagdev;OracleDBConsolecagdev;c:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe [2006-11-11 24064]
S3 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.2.0\db_1\bin\tnslsnr --> c:\oracle\product\10.2.0\db_1\bin\TNSLSNR [?]
S3 OracleServiceCAGDEV;OracleServiceCAGDEV;c:\oracle\product\10.2.0\db_1\bin\oracle.exe cagdev --> c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE CAGDEV [?]
S4 OracleJobSchedulerCAGDEV;OracleJobSchedulerCAGDEV;c:\oracle\product\10.2.0\db_1\bin\extjob.exe cagdev --> c:\oracle\product\10.2.0\db_1\bin\extjob.exe CAGDEV [?]
UnknownUnknown nanohska;nanohska; [x]

=============== Created Last 30 ================

2009-12-13 12:55:23 25600 ----a-w- c:\windows\system32\tdlcmd.dll
2009-12-05 12:59:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-20 23:20:13 30 ----a-w- c:\windows\system32\worker.info
2009-11-20 23:20:13 30 ----a-w- c:\windows\system32\thread.xml
2009-11-20 23:20:13 30 ----a-w- c:\windows\system32\config.data
2009-11-18 10:51:50 195456 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-12-05 12:59:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2007-07-06 14:50:18 22 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 7:57:54.51 ===============
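To show what a reviewer looks for in a DDS log like the one above, here is an added Python triage script (not part of the thread, and not DDS or any of the tools the helper names) that flags a non-default LSA notification package, a service with no resolvable binary, a manual Firefox proxy on loopback, and files created in system32 shortly before the scan or in the same second as each other. The sample lines are copied from the log above; RUN_TIME is a constructed value that assumes DDS file timestamps are in UTC.

```python
"""Triage the 'Pseudo HJT' and 'Created Last 30' lines of a DDS log.

Added example for this thread; heuristics only. Each finding is a lead
for a human reviewer, not a verdict.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows XP ships with 'scecli' as the only LSA notification package;
# any other DLL named here is loaded into lsass.exe at boot.
KNOWN_LSA_PACKAGES = {"scecli"}
SYSTEM32 = "c:\\windows\\system32\\"

# "<date> <time> <size> <attrs> <path>" as DDS prints it
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$"
)

# Lines copied from the log in the first post (constructed sample input).
SAMPLE = r"""
LSA: Notification Packages = scecli rskr32.dll
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 1
UnknownUnknown nanohska;nanohska; [x]
2009-12-13 12:55:23 25600 ----a-w- c:\windows\system32\tdlcmd.dll
2009-12-05 12:59:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-20 23:20:13 30 ----a-w- c:\windows\system32\worker.info
2009-11-20 23:20:13 30 ----a-w- c:\windows\system32\thread.xml
2009-11-20 23:20:13 30 ----a-w- c:\windows\system32\config.data
2009-11-18 10:51:50 195456 ------w- c:\windows\system32\MpSigStub.exe
""".strip().splitlines()

# Constructed: the DDS run time (7:56:29 GMT-5 on 12/13/2009) expressed in UTC.
RUN_TIME = datetime(2009, 12, 13, 12, 56, 29)


def parse_created(line):
    """Parse one 'Created Last 30' line into (timestamp, size, attrs, path)."""
    m = CREATED_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, int(m.group(2)), m.group(3), m.group(4).lower()


def triage(lines, run_time, recent=timedelta(hours=24)):
    """Return a list of (rule, detail) findings in log order."""
    findings = []
    by_stamp = defaultdict(list)
    proxy = {}
    for raw in lines:
        line = raw.strip()
        if line.startswith("LSA: Notification Packages"):
            for pkg in line.split("=", 1)[1].split():
                name = pkg.lower()
                if name.endswith(".dll"):
                    name = name[:-4]
                if name not in KNOWN_LSA_PACKAGES:
                    findings.append(("lsa-package", pkg))
        elif line.startswith("FF - prefs.js: network.proxy."):
            key, _, val = line[len("FF - prefs.js: "):].partition(" - ")
            proxy[key] = val.strip()
        elif line.startswith("UnknownUnknown") or line.endswith("[x]"):
            # Service entry whose binary or start type DDS could not resolve.
            findings.append(("orphan-service", line.split(";")[0].split()[-1]))
        else:
            rec = parse_created(line)
            if rec:
                ts, _size, _attrs, path = rec
                if path.startswith(SYSTEM32):
                    by_stamp[ts].append(path)
                    if run_time - ts <= recent:
                        findings.append(("recent-system32", path))
    # Manual proxy (type 1) on loopback: confirm which local program owns it.
    if proxy.get("network.proxy.type") == "1" and \
            proxy.get("network.proxy.http", "").startswith("127."):
        findings.append(("local-proxy", proxy["network.proxy.http"]))
    # Several files dropped into system32 in the same second look like one installer.
    for ts, paths in by_stamp.items():
        if len(paths) >= 2:
            findings.append(("same-second-drop", ", ".join(sorted(paths))))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE, RUN_TIME):
        print(f"{rule:18} {detail}")
```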


#2 thcbytes

Posted 14 December 2009 - 08:14 AM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

You are infected with a new nasty rootkit. Please do this...........

==========

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Spybot <--- Will interfere with our fix
uTorrent <--- A portal for infection

Additional instructions can be found here if needed.

==========

RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.


Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

=========


Please download MBR.EXE by GMER. Save the file in your root directory. (C:\)
  • Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
    @echo off
    cd\
    mbr.exe -t
    start mbr.log
  • Next, select File --> Save As, change file type to All Files (*.*), and save it as rk.bat in your c:\ folder.
  • A logfile will open (C:\mbr.log). Please paste the contents in your next reply.
=========

With your next post please provide:

* Combofix.txt
* Gmer log
* Mbr log

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://organdonor.gov/index.html

#3 ChuckLHead

Posted 14 December 2009 - 07:46 PM

thcbytes,

I downloaded and ran RKill, but the ComboFix from Link 1 would not run (my McAfee virus protection, spyware, system guard and script scanning were all shut off). I only received the following message in a Notepad window:

ComboFix is Offline.
Please visit http://download.bleepingcomputer.com/sUBs/ComboFix.html

I checked the URL listed and it's only a message that says ComboFix is not available for download.

I tried Link 2 and that only redirected me to the same URL (http://download.bleepingcomputer.com/sUBs/ComboFix.html).

Thanks.

ChuckLHead

#4 thcbytes

Posted 14 December 2009 - 09:44 PM

See my next post please.

Edited by thcbytes, 14 December 2009 - 09:46 PM.


#5 thcbytes

Posted 14 December 2009 - 09:54 PM

Combofix has been up and down these last few days.

We are going to have to approach this the old-fashioned way, manually, until CF is up and running again!

Re-RKill by Grinler

==========

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

=========


Please download MBR.EXE by GMER. Save the file in your root directory. (C:\)
  • Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
    @echo off
    cd\
    mbr.exe -t
    start mbr.log
  • Next, select File --> Save As, change file type to All Files (*.*), and save it as rk.bat in your c:\ folder.
  • A logfile will open (C:\mbr.log). Please paste the contents in your next reply.
==========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

With your next post please provide:

* Exehelper
* Gmer log
* Mbr log
* OTL.txt
* Extra.txt

Kind regards,
~t

#6 ChuckLHead

Posted 15 December 2009 - 08:05 PM

Well, this is getting frustrating.

Again, I ran RKill. The DOS window closed, the screen flashed, and all of the icons disappeared. The screen refreshed and the icons came back.

I tried running GMER a few times. It runs for anywhere from more than 1 hour (the first run) to about 15 minutes on the last run. The screen goes black and the computer looks like it's rebooting, but Windows never starts up again. The best I would be able to do is stop GMER shortly after it is through scanning the registry (it looks like) and save the log at that point and proceed (or try to proceed) to the next step.

I tried booting to safe mode but that's not working either. A list of programs / DLL's being loaded scrolls by, the screen flashes, and the machine reboots to Windows.

I'm getting a more uneasy feeling about this but hoping you have a few more tricks up your sleeve.

Thanks.

ChuckLHead

#7 thcbytes

Posted 15 December 2009 - 11:28 PM

Hang in there.
We will get it! :(

Do you have your Windows XP install disc? We might need it to perform some maintenance outside the Windows environment.
Do you have a clean computer to burn a program on?


Do this please....

Re-run Rkill

1. Download the file TDSSKiller.zip and extract it to your desktop.
2. Click start->run->copy-paste "%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v into the textbox and press enter.
3. report.txt should be generated into same location with TDSSKiller.exe. Post contents of that report, please.

==========

We need to run an OTL Custom Scan
  • Please reopen OTL on your desktop. Link in prior post if you did not download it yet.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT
  • Push the Run Scan button.
  • A report will open. Copy and Paste that report in your next reply.
==========

Please download MBR.EXE by GMER. Save the file in your root directory. (C:\)
  • Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
    @echo off
    cd\
    mbr.exe -t
    start mbr.log
  • Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
  • Open your c:\ folder, right-click on fixme.bat and select Run as Administrator. A logfile will open (C:\mbr.log). Please paste the contents in your next reply.
==========

With your next post please provide:

* TDSSKiller log
* OTL logs
* Mbr log

Kind regards,
~t

#8 ChuckLHead

Posted 16 December 2009 - 06:42 AM

Here are the logs:

- report.txt - from TDSSKiller

Host Name: CAG
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 2 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: OWNER-NameChanged
Registered Organization:
Product ID: XXXXX-OEM-XXXXXXX-XXXXX
Original Install Date: 11/8/2006, 1:44:25 AM
System Up Time: 0 Days, 9 Hours, 48 Minutes, 30 Seconds
System Manufacturer: Hewlett-Packard
System Model: HP Pavilion dv6000 (RG264UA#ABA)
System type: X86-based PC
Processor(s): 2 Processor(s) Installed.
[01]: x86 Family 15 Model 72 Stepping 2 AuthenticAMD ~1591 Mhz
[02]: x86 Family 15 Model 72 Stepping 2 AuthenticAMD ~1591 Mhz
BIOS Version: HP - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-05:00) Eastern Time (US & Canada)
Total Physical Memory: 991 MB
Available Physical Memory: 542 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,005 MB
Virtual Memory: In Use: 43 MB
Page File Location(s): C:\pagefile.sys
Domain: SWAMPLAND
Logon Server: \\CAG
Hotfix(s): 362 Hotfix(s) Installed.
[226]: KB898461 - Update
[227]: KB899337 - Update
[228]: KB899510 - Update
[229]: KB899587 - Update
[230]: KB899589 - Update
[231]: KB899591 - Update
[232]: KB900485 - Update
[233]: KB900725 - Update
[234]: KB901017 - Update
[235]: KB901190 - Update
[236]: KB901214 - Update
[237]: KB902400 - Update
[238]: KB902841 - Update
[239]: KB903235 - Update
[240]: KB904706 - Update
[241]: KB905414 - Update
[242]: KB905749 - Update
[243]: KB908519 - Update
[244]: KB908531 - Update
[245]: KB909095 - Update
[246]: KB910437 - Update
[247]: KB

NetWork Card(s): 5 NIC(s) Installed.
[01]: Broadcom 802.11b/g WLAN
Connection Name: Wireless Network Connection 2
[02]: 1394 Net Adapter
Connection Name: 1394 Connection
[03]: NVIDIA nForce Networking Controller
Connection Name: Main LAN Connection
Status: Media disconnected
[04]: Microsoft Loopback Adapter
Connection Name: Loopback Adapter Connection
[05]: Microsoft Loopback Adapter
Connection Name: Local Area Connection
6:0:33:781 2464 ForceUnloadDriver: NtUnloadDriver error 2
6:0:33:781 2464 ForceUnloadDriver: NtUnloadDriver error 2
6:0:33:781 2464 ForceUnloadDriver: NtUnloadDriver error 2
6:0:33:812 2464 main: Driver KLMD successfully dropped
6:0:33:984 2464 main: Driver KLMD successfully loaded
6:0:33:984 2464
Scanning Registry ...
6:0:34:15 2464 ScanServices: Searching service UACd.sys
6:0:34:15 2464 ScanServices: Open/Create key error 2
6:0:34:15 2464 ScanServices: Searching service TDSSserv.sys
6:0:34:15 2464 ScanServices: Open/Create key error 2
6:0:34:15 2464 ScanServices: Searching service gaopdxserv.sys
6:0:34:15 2464 ScanServices: Open/Create key error 2
6:0:34:15 2464 ScanServices: Searching service gxvxcserv.sys
6:0:34:15 2464 ScanServices: Open/Create key error 2
6:0:34:15 2464 ScanServices: Searching service MSIVXserv.sys
6:0:34:15 2464 ScanServices: Open/Create key error 2
6:0:34:15 2464 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
6:0:34:62 2464 UnhookRegistry: Kernel local addr: E10000
6:0:34:93 2464 UnhookRegistry: KeServiceDescriptorTable addr: E94700
6:0:34:593 2464 UnhookRegistry: KiServiceTable addr: E3D428
6:0:34:609 2464 UnhookRegistry: NtEnumerateKey service number (local): 47
6:0:34:609 2464 UnhookRegistry: NtEnumerateKey local addr: F5BDBE
6:0:34:640 2464 KLMD_OpenDevice: Trying to open KLMD device
6:0:34:640 2464 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
6:0:34:640 2464 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
6:0:34:640 2464 KLMD_ReadMem: Trying to ReadMemory 0x80500299[0x4]
6:0:34:640 2464 UnhookRegistry: NtEnumerateKey service number (kernel): 47
6:0:34:640 2464 KLMD_ReadMem: Trying to ReadMemory 0x80504544[0x4]
6:0:34:640 2464 UnhookRegistry: NtEnumerateKey real addr: 80622DBE
6:0:34:640 2464 UnhookRegistry: NtEnumerateKey calc addr: 80622DBE
6:0:34:640 2464 UnhookRegistry: No SDT hooks found on NtEnumerateKey
6:0:34:640 2464 KLMD_ReadMem: Trying to ReadMemory 0x80622DBE[0xA]
6:0:34:640 2464 UnhookRegistry: Splicing found on NtEnumerateKey
6:0:34:640 2464 KLMD_WriteMem: Trying to WriteMemory 0x80622DBE[0xA]
6:0:34:640 2464 UnhookRegistry: NtEnumerateKey (Splicing) unhooked successfully
6:0:34:640 2464
Scanning Kernel memory ...
6:0:34:640 2464 KLMD_OpenDevice: Trying to open KLMD device
6:0:34:640 2464 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
6:0:34:640 2464 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
6:0:34:640 2464 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 868F7BB0
6:0:34:640 2464 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
6:0:34:640 2464 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8685CC68
6:0:34:640 2464 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8685CC68
6:0:34:640 2464 KLMD_ReadMem: Trying to ReadMemory 0x8685CC68[0x38]
6:0:34:640 2464 DetectCureTDL3: DRIVER_OBJECT addr: 868F7BB0
6:0:34:640 2464 KLMD_ReadMem: Trying to ReadMemory 0x868F7BB0[0xA8]
6:0:34:640 2464 KLMD_ReadMem: Trying to ReadMemory 0xE19257E8[0x208]
6:0:34:640 2464 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
6:0:34:640 2464 DetectCureTDL3: IrpHandler (0) addr: F74EDC30
6:0:34:640 2464 DetectCureTDL3: IrpHandler (1) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (2) addr: F74EDC30
6:0:34:640 2464 DetectCureTDL3: IrpHandler (3) addr: F74E7D9B
6:0:34:640 2464 DetectCureTDL3: IrpHandler (4) addr: F74E7D9B
6:0:34:640 2464 DetectCureTDL3: IrpHandler (5) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (6) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (7) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (8) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (9) addr: F74E8366
6:0:34:640 2464 DetectCureTDL3: IrpHandler (10) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (11) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (12) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (13) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (14) addr: F74E844D
6:0:34:640 2464 DetectCureTDL3: IrpHandler (15) addr: F74EBFC3
6:0:34:640 2464 DetectCureTDL3: IrpHandler (16) addr: F74E8366
6:0:34:640 2464 DetectCureTDL3: IrpHandler (17) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (18) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (19) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (20) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (21) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (22) addr: F74E9EF3
6:0:34:640 2464 DetectCureTDL3: IrpHandler (23) addr: F74EEA24
6:0:34:640 2464 DetectCureTDL3: IrpHandler (24) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (25) addr: 804F4544
6:0:34:640 2464 DetectCureTDL3: IrpHandler (26) addr: 804F4544
6:0:34:640 2464 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
6:0:34:640 2464 KLMD_ReadMem: DeviceIoControl error 1
6:0:34:640 2464 TDL3_StartIoHookDetect: Unable to get StartIo handler code
6:0:34:640 2464 TDL3_FileDetect: Processing driver: Disk
6:0:34:640 2464 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
6:0:34:640 2464 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
6:0:34:640 2464 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
6:0:34:734 2464 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 868B4C68
6:0:34:734 2464 KLMD_GetLowerDeviceObject: Trying to get lower device object for 868B4C68
6:0:34:734 2464 KLMD_ReadMem: Trying to ReadMemory 0x868B4C68[0x38]
6:0:34:734 2464 DetectCureTDL3: DRIVER_OBJECT addr: 868F7BB0
6:0:34:734 2464 KLMD_ReadMem: Trying to ReadMemory 0x868F7BB0[0xA8]
6:0:34:734 2464 KLMD_ReadMem: Trying to ReadMemory 0xE19257E8[0x208]
6:0:34:734 2464 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
6:0:34:734 2464 DetectCureTDL3: IrpHandler (0) addr: F74EDC30
6:0:34:734 2464 DetectCureTDL3: IrpHandler (1) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (2) addr: F74EDC30
6:0:34:734 2464 DetectCureTDL3: IrpHandler (3) addr: F74E7D9B
6:0:34:734 2464 DetectCureTDL3: IrpHandler (4) addr: F74E7D9B
6:0:34:734 2464 DetectCureTDL3: IrpHandler (5) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (6) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (7) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (8) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (9) addr: F74E8366
6:0:34:734 2464 DetectCureTDL3: IrpHandler (10) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (11) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (12) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (13) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (14) addr: F74E844D
6:0:34:734 2464 DetectCureTDL3: IrpHandler (15) addr: F74EBFC3
6:0:34:734 2464 DetectCureTDL3: IrpHandler (16) addr: F74E8366
6:0:34:734 2464 DetectCureTDL3: IrpHandler (17) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (18) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (19) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (20) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (21) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (22) addr: F74E9EF3
6:0:34:734 2464 DetectCureTDL3: IrpHandler (23) addr: F74EEA24
6:0:34:734 2464 DetectCureTDL3: IrpHandler (24) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (25) addr: 804F4544
6:0:34:734 2464 DetectCureTDL3: IrpHandler (26) addr: 804F4544
6:0:34:734 2464 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
6:0:34:734 2464 KLMD_ReadMem: DeviceIoControl error 1
6:0:34:734 2464 TDL3_StartIoHookDetect: Unable to get StartIo handler code
6:0:34:734 2464 TDL3_FileDetect: Processing driver: Disk
6:0:34:734 2464 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
6:0:34:734 2464 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
6:0:34:734 2464 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
6:0:34:750 2464 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 868F6C68
6:0:34:750 2464 KLMD_GetLowerDeviceObject: Trying to get lower device object for 868F6C68
6:0:34:750 2464 KLMD_ReadMem: Trying to ReadMemory 0x868F6C68[0x38]
6:0:34:750 2464 DetectCureTDL3: DRIVER_OBJECT addr: 868F7BB0
6:0:34:750 2464 KLMD_ReadMem: Trying to ReadMemory 0x868F7BB0[0xA8]
6:0:34:750 2464 KLMD_ReadMem: Trying to ReadMemory 0xE19257E8[0x208]
6:0:34:750 2464 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
6:0:34:750 2464 DetectCureTDL3: IrpHandler (0) addr: F74EDC30
6:0:34:750 2464 DetectCureTDL3: IrpHandler (1) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (2) addr: F74EDC30
6:0:34:750 2464 DetectCureTDL3: IrpHandler (3) addr: F74E7D9B
6:0:34:750 2464 DetectCureTDL3: IrpHandler (4) addr: F74E7D9B
6:0:34:750 2464 DetectCureTDL3: IrpHandler (5) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (6) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (7) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (8) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (9) addr: F74E8366
6:0:34:750 2464 DetectCureTDL3: IrpHandler (10) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (11) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (12) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (13) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (14) addr: F74E844D
6:0:34:750 2464 DetectCureTDL3: IrpHandler (15) addr: F74EBFC3
6:0:34:750 2464 DetectCureTDL3: IrpHandler (16) addr: F74E8366
6:0:34:750 2464 DetectCureTDL3: IrpHandler (17) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (18) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (19) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (20) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (21) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (22) addr: F74E9EF3
6:0:34:750 2464 DetectCureTDL3: IrpHandler (23) addr: F74EEA24
6:0:34:750 2464 DetectCureTDL3: IrpHandler (24) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (25) addr: 804F4544
6:0:34:750 2464 DetectCureTDL3: IrpHandler (26) addr: 804F4544
6:0:34:750 2464 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
6:0:34:750 2464 KLMD_ReadMem: DeviceIoControl error 1
6:0:34:750 2464 TDL3_StartIoHookDetect: Unable to get StartIo handler code
6:0:34:750 2464 TDL3_FileDetect: Processing driver: Disk
6:0:34:750 2464 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
6:0:34:750 2464 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
6:0:34:750 2464 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
6:0:34:765 2464 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 86894AB8
6:0:34:765 2464 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86894AB8
6:0:34:765 2464 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8685E030
6:0:34:765 2464 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8685E030
6:0:34:765 2464 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 868EE658
6:0:34:765 2464 KLMD_GetLowerDeviceObject: Trying to get lower device object for 868EE658
6:0:34:765 2464 KLMD_ReadMem: Trying to ReadMemory 0x868EE658[0x38]
6:0:34:765 2464 DetectCureTDL3: DRIVER_OBJECT addr: 8685F0E0
6:0:34:765 2464 KLMD_ReadMem: Trying to ReadMemory 0x8685F0E0[0xA8]
6:0:34:765 2464 KLMD_ReadMem: Trying to ReadMemory 0xE18DCDA0[0x208]
6:0:34:765 2464 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvata, Driver Name: nvata
6:0:34:765 2464 DetectCureTDL3: IrpHandler (0) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (1) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (2) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (3) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (4) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (5) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (6) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (7) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (8) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (9) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (10) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (11) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (12) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (13) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (14) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (15) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (16) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (17) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (18) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (19) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (20) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (21) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (22) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (23) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (24) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (25) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: IrpHandler (26) addr: F72C8344
6:0:34:765 2464 DetectCureTDL3: All IRP handlers pointed to one addr: F72C8344
6:0:34:765 2464 KLMD_ReadMem: Trying to ReadMemory 0xF72C8344[0x400]
6:0:34:765 2464 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
6:0:34:765 2464 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
6:0:34:765 2464 KLMD_ReadMem: Trying to ReadMemory 0x86801364[0x4]
6:0:34:765 2464 TDL3_IrpHookDetect: New IrpHandler addr: 867EAF61
6:0:34:765 2464 KLMD_ReadMem: Trying to ReadMemory 0x867EAF61[0x400]
6:0:34:765 2464 TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120
6:0:34:765 2464 Driver "nvata" Irp handler infected by TDSS rootkit ... 6:0:34:765 2464 KLMD_WriteMem: Trying to WriteMemory 0x867EAFE7[0xD]
6:0:34:765 2464 cured
6:0:34:765 2464 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
6:0:34:765 2464 KLMD_ReadMem: DeviceIoControl error 1
6:0:34:765 2464 TDL3_StartIoHookDetect: Unable to get StartIo handler code
6:0:34:765 2464 TDL3_FileDetect: Processing driver: nvata
6:0:34:765 2464 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\nvata.sys, C:\WINDOWS\system32\Drivers\tsk_nvata.sys, SYSTEM\CurrentControlSet\Services\nvata, system32\Drivers\tsk_nvata.sys
6:0:34:765 2464 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\nvata.sys
6:0:34:765 2464 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\nvata.sys
6:0:34:828 2464 File C:\WINDOWS\system32\drivers\nvata.sys infected by TDSS rootkit ... 6:0:34:828 2464 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\nvata.sys
6:0:34:828 2464 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\nvata.sys
6:0:34:843 2464 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\Drivers\tsk_nvata.sys
6:0:34:937 2464 TDL3_FileCure: Image path (system32\Drivers\tsk_nvata.sys) was set for service (SYSTEM\CurrentControlSet\Services\nvata)
6:0:34:937 2464 TDL3_FileCure: KLMD_PendCopyFileW (C:\WINDOWS\system32\Drivers\tsk_nvata.sys, C:\WINDOWS\system32\drivers\nvata.sys) success
6:0:34:937 2464 will be cured on next reboot
6:0:34:937 2464
Completed

Results:
6:0:34:937 2464 Infected objects in memory: 1
6:0:34:937 2464 Cured objects in memory: 1
6:0:34:937 2464 Infected objects on disk: 1
6:0:34:937 2464 Objects on disk cured on reboot: 1
6:0:34:937 2464 Objects on disk deleted on reboot: 0
6:0:34:937 2464 Registry nodes deleted on reboot: 0
6:0:34:937 2464

- otl.txt - from OTL

OTL logfile created on: 12/16/2009 6:11:41 AM - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Gator\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

990.54 Mb Total Physical Memory | 583.07 Mb Available Physical Memory | 58.86% Memory free
2.33 Gb Paging File | 1.90 Gb Available in Paging File | 81.60% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 99.19 Gb Total Space | 24.25 Gb Free Space | 24.44% Space Free | Partition Type: NTFS
Drive D: | 11.56 Gb Total Space | 1.10 Gb Free Space | 9.49% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CAG
Current User Name: Gator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/15 05:53:54 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gator\Desktop\OTL.exe
PRC - [2009/12/05 07:59:09 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/12/05 07:59:09 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 13:48:48 | 00,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/02/11 10:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/08 15:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PRC - [2006/11/03 19:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/10/30 09:36:36 | 00,256,576 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2006/10/30 09:36:32 | 00,492,608 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2006/08/18 03:00:00 | 00,143,426 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2006/07/11 23:55:34 | 00,102,400 | ---- | M] (CyberLink Corp.) -- C:\Program Files\HP\QuickPlay\QPService.exe
PRC - [2006/06/13 04:20:00 | 00,127,036 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2006/05/18 18:52:06 | 00,049,152 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2006/05/04 00:58:26 | 00,458,752 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
PRC - [2006/05/02 17:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
PRC - [2006/04/01 00:01:48 | 00,761,946 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2006/03/15 23:00:00 | 00,117,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqtgsvc.exe
PRC - [2006/03/15 23:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2006/03/15 23:00:00 | 00,004,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqsvc.exe
PRC - [2005/08/11 18:30:30 | 00,081,920 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe


========== Modules (SafeList) ==========

MOD - [2009/12/15 05:53:54 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gator\Desktop\OTL.exe
MOD - [2009/02/11 10:06:38 | 00,014,032 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2006/08/25 10:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/05 07:59:09 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 13:48:48 | 00,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/02/11 10:06:36 | 00,210,216 | ---- | M] () [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/10/30 09:36:32 | 00,492,608 | ---- | M] (Apple Computer, Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2006/10/26 18:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/09/19 01:30:18 | 00,380,928 | ---- | M] () [On_Demand | Stopped] -- C:\oracle\AppServer\opmn\bin\opmn.exe -- (Oracle-cagdevProcessManager)
SRV - [2006/08/18 03:00:00 | 00,143,426 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2006/06/12 15:27:28 | 00,126,976 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -- (AddFiltr)
SRV - [2006/05/18 18:52:06 | 00,049,152 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2006/05/02 17:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Auto | Running] -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex)
SRV - [2006/03/15 23:00:00 | 00,117,248 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\mqtgsvc.exe -- (MSMQTriggers)
SRV - [2006/03/15 23:00:00 | 00,004,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\mqsvc.exe -- (MSMQ)
SRV - [2005/08/29 21:03:50 | 59,027,456 | ---- | M] (Oracle Corporation) [On_Demand | Stopped] -- c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE -- (OracleServiceCAGDEV)
SRV - [2005/08/29 18:32:22 | 00,102,400 | ---- | M] () [Disabled | Stopped] -- c:\oracle\product\10.2.0\db_1\Bin\extjob.exe -- (OracleJobSchedulerCAGDEV)
SRV - [2005/08/16 11:21:06 | 00,024,064 | ---- | M] (Oracle Corporation) [On_Demand | Stopped] -- C:\oracle\product\10.2.0\db_1\BIN\nmesrvc.exe -- (OracleDBConsolecagdev)
SRV - [2005/08/16 00:23:02 | 00,053,248 | ---- | M] (Oracle) [On_Demand | Stopped] -- C:\oracle\product\10.2.0\db_1\BIN\isqlplussvc.exe -- (OracleOraDb10g_home1iSQL*Plus)
SRV - [2005/08/15 22:57:48 | 00,204,800 | ---- | M] () [On_Demand | Stopped] -- C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe -- (OracleOraDb10g_home1TNSListener)
SRV - [2005/04/04 02:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/07/15 11:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)
SRV - [2003/05/29 20:52:52 | 00,065,795 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2009/12/16 06:00:34 | 00,099,584 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\tsk_nvata.sys -- (nvata)
DRV - [2009/09/16 09:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/08/07 04:30:17 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/06/23 10:01:42 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/06/23 10:01:40 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/04/09 13:23:02 | 00,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/06/20 04:52:06 | 00,225,920 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2008/05/08 07:28:49 | 00,202,752 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rmcast.sys -- (RMCAST)
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/08/10 11:08:48 | 00,024,456 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\swmsflt.sys -- (swmsflt)
DRV - [2007/07/06 05:05:47 | 00,072,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mqac.sys -- (MQAC)
DRV - [2006/11/02 15:57:04 | 00,036,624 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2006/09/19 15:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2006/08/29 14:12:28 | 00,990,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/08/29 14:11:08 | 00,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/08/29 14:10:56 | 00,728,576 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/08/18 03:00:00 | 03,687,552 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/08/09 15:40:58 | 00,009,600 | R--- | M] (VMware, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV - [2006/06/19 14:26:58 | 00,012,672 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2006/06/19 07:37:34 | 00,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/06/13 04:20:00 | 00,094,460 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/06/13 04:20:00 | 00,088,476 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/06/13 04:20:00 | 00,086,844 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/06/13 04:20:00 | 00,025,724 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/06/13 04:20:00 | 00,014,716 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/06/13 04:20:00 | 00,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/06/13 04:20:00 | 00,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2006/06/12 02:30:00 | 00,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2006/06/06 15:39:56 | 00,061,952 | ---- | M] (Ricoh) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\5U870CAP.sys -- (5U870CAP_VID_1262&PID_25FD)
DRV - [2006/06/01 19:02:36 | 00,572,928 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)
DRV - [2006/05/12 15:05:02 | 00,057,320 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2006/04/28 12:12:00 | 00,429,184 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/03/31 23:41:40 | 00,193,056 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/03/17 07:35:24 | 00,005,660 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/03/17 07:34:46 | 00,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2006/03/17 04:20:00 | 00,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2006/03/15 23:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2006/03/05 18:49:36 | 00,011,136 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2006/03/02 19:31:04 | 00,013,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/03/02 19:31:02 | 00,034,176 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/11/15 23:28:32 | 00,028,928 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/10/31 21:08:00 | 00,308,992 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2005/10/31 20:54:50 | 00,051,584 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005/10/13 04:07:12 | 00,874,240 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2005/09/19 16:24:20 | 00,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2005/09/19 16:24:10 | 00,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2005/09/19 16:23:52 | 00,007,808 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2005/05/17 04:51:34 | 00,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/01/07 19:07:18 | 00,138,752 | ---- | M] (Windows Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/04 09:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 09:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/04 01:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2001/08/18 00:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/18 00:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/18 00:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/18 00:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/18 00:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 23:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 23:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 23:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 23:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 23:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 23:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 23:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 23:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 23:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 23:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 13:53:42 | 00,004,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\loop.sys -- (msloop)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.3
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:2.9
FF - prefs.js..extensions.enabledItems: {3205B348-523A-4fac-9BC4-9939CBF583B0}:1.8
FF - prefs.js..extensions.enabledItems: [email protected]:0.6.3
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.type: 1


FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/12/11 05:35:45 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/22 07:21:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/06 06:40:08 | 00,000,000 | ---D | M]

[2008/08/28 18:27:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gator\Application Data\Mozilla\Extensions
[2009/12/14 19:15:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gator\Application Data\Mozilla\Firefox\Profiles\ob5zp4jp.default\extensions
[2009/07/07 05:24:50 | 00,000,000 | ---D | M] (Old Location Bar) -- C:\Documents and Settings\Gator\Application Data\Mozilla\Firefox\Profiles\ob5zp4jp.default\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}
[2009/11/05 06:30:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gator\Application Data\Mozilla\Firefox\Profiles\ob5zp4jp.default\extensions\[email protected]
[2009/12/06 06:44:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gator\Application Data\Mozilla\Firefox\Profiles\ob5zp4jp.default\extensions\[email protected]
[2007/02/12 09:20:00 | 00,002,386 | ---- | M] () -- C:\Documents and Settings\Gator\Application Data\Mozilla\Firefox\Profiles\ob5zp4jp.default\searchplugins\siteadvisor.xml
[2009/12/14 19:15:55 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2005/04/05 03:38:20 | 00,053,355 | ---- | M] (Oracle Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPJinit13122.dll
[2006/01/18 11:50:00 | 00,319,488 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll

O1 HOSTS File: (2306 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 10.10.75.12 bst12.dbamanager.com bst12
O1 - Hosts: 127.0.0.1 cag
O1 - Hosts: 10.10.75.1 pix
O1 - Hosts: 10.10.75.5 3com
O1 - Hosts: 10.10.75.10 bst10
O1 - Hosts: 10.10.75.20 bst01
O1 - Hosts: 10.10.75.25 CCTV
O1 - Hosts: 10.10.75.30 fs01
O1 - Hosts: 10.10.75.31 fs02
O1 - Hosts: 10.10.75.40 monitor
O1 - Hosts: 10.10.75.129 cag
O1 - Hosts: 10.10.75.201 HP3500
O1 - Hosts: 57.33.0.182 eglukpi01
O1 - Hosts: 10.10.75.13 bst13
O1 - Hosts: 204.11.141.8 formsrv
O1 - Hosts: 204.11.141.1 router
O1 - Hosts: 204.11.141.2 vpn.bravesoft.com vpn
O1 - Hosts: 204.11.141.5 rdba rdba.bravesoft.com brms.bravesoft.com
O1 - Hosts: 204.11.141.13 cam
O1 - Hosts: 204.11.141.14 linksys
O1 - Hosts: 10.10.10.40 demolap
O1 - Hosts: 10.10.75.11 bst11 #database dev1 jump
O1 - Hosts: 10.9.22.218 tlpeuatdbgrid
O1 - Hosts: 10.9.22.146 tlpnprodgrid
O1 - Hosts: 10.9.22.144 tlpnproddb1.tsysecom.com
O1 - Hosts: 10 more lines...
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\CHDAudPropShortcut.exe (Windows Server 2003 DDK provider)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QlbCtrl] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe ( Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [QPService] C:\Program Files\HP\QuickPlay\QPService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RecGuard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm ()
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm ()
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {8494B5D2-DA6A-4BB8-9C15-6C18A312387E} https://ra.budco.com/ui/Axt.cab (Caymas Secure Tunnel)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} https://ra.budco.com/pdl/jt/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} http://cag:8889/forms/jinitiator/jinit.exe (JInitiator 1.3.1.22)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://myvpn.ford.com/dana-cached/setup/JuniperSetupSP1.cab (JuniperSetupSP1 Control)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2001/07/27 22:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 14:01:14 | 00,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{5f7bd4c3-c35a-11de-8b6b-00163693be80}\Shell - "" = AutoRun
O33 - MountPoints2\{5f7bd4c3-c35a-11de-8b6b-00163693be80}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5f7bd4c3-c35a-11de-8b6b-00163693be80}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{a365b0dc-b84c-11db-8679-00163693be80}\Shell\AutoRun\command - "" = G:\wd_windows_tools\setup.exe -- File not found
O33 - MountPoints2\{f8ae3d75-f27e-11db-8718-00163693be80}\Shell - "" = AutoRun
O33 - MountPoints2\{f8ae3d75-f27e-11db-8718-00163693be80}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f8ae3d75-f27e-11db-8718-00163693be80}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\url.dll -- [2006/03/15 23:00:00 | 00,037,888 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891947461378048)

========== Files/Folders - Created Within 30 Days ==========

[2009/12/16 06:00:33 | 00,016,904 | ---- | C] (Kaspersky Lab, Parshin Yury) -- C:\WINDOWS\System32\drivers\KLMD.sys
[2009/12/15 19:34:55 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Gator\Desktop\OTL.exe
[2009/12/15 05:46:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\SACore
[2009/12/07 01:42:15 | 00,134,408 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Gator\Desktop\TDSSKiller.exe
[2009/12/05 07:59:33 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/05 07:59:33 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/05 07:59:33 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/05 07:59:32 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/11/21 08:17:35 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Gator\Recent
[2009/11/18 05:51:50 | 00,195,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2009/11/18 05:50:09 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2008/12/31 09:05:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\VMware
[2008/12/30 07:54:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\VMware
[2008/12/23 06:50:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2007/07/03 08:01:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2007/02/12 06:08:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2007/02/12 06:08:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2007/01/26 11:55:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2007/01/18 12:22:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AdobeUM
[2006/11/09 06:30:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2006/09/23 05:45:44 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2006/09/23 05:45:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/09/23 05:45:43 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2005/09/24 10:49:16 | 00,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[11 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/16 06:09:01 | 00,000,041 | ---- | M] () -- C:\fixme.bat
[2009/12/16 06:08:31 | 09,437,184 | -H-- | M] () -- C:\Documents and Settings\Gator\NTUSER.DAT
[2009/12/16 06:07:16 | 00,453,442 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/16 06:07:16 | 00,391,638 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/16 06:07:16 | 00,056,124 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/16 06:07:11 | 00,014,361 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/12/16 06:05:53 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/12/16 06:03:31 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/16 06:03:26 | 00,001,179 | ---- | M] () -- C:\hpqp.ini
[2009/12/16 06:02:53 | 00,000,039 | ---- | M] () -- C:\XP_TV.ini
[2009/12/16 06:02:49 | 00,051,048 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/12/16 06:02:47 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/16 06:02:45 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/16 06:02:41 | 10,387,25120 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/16 06:02:39 | 00,099,584 | ---- | M] () -- C:\WINDOWS\System32\drivers\nvata.sys
[2009/12/16 06:01:12 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Gator\ntuser.ini
[2009/12/16 06:00:34 | 00,099,584 | ---- | M] () -- C:\WINDOWS\System32\drivers\tsk_nvata.sys
[2009/12/16 06:00:33 | 00,016,904 | ---- | M] (Kaspersky Lab, Parshin Yury) -- C:\WINDOWS\System32\drivers\KLMD.sys
[2009/12/15 05:53:54 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gator\Desktop\OTL.exe
[2009/12/15 05:53:16 | 00,077,312 | ---- | M] () -- C:\mbr.exe
[2009/12/15 05:53:16 | 00,077,312 | ---- | M] () -- C:\Documents and Settings\Gator\Desktop\mbr.exe
[2009/12/15 05:52:32 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\Gator\Desktop\7yj69pko.exe
[2009/12/15 01:21:01 | 00,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/12/14 19:23:23 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\Gator\Desktop\rkill.pif
[2009/12/13 20:10:03 | 02,644,824 | -H-- | M] () -- C:\Documents and Settings\Gator\Local Settings\Application Data\IconCache.db
[2009/12/11 06:11:13 | 00,000,512 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/11 06:11:13 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/11 06:11:13 | 00,000,209 | -HS- | M] () -- C:\boot.ini
[2009/12/06 09:30:32 | 00,052,736 | ---- | M] () -- C:\Documents and Settings\Gator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/05 09:37:38 | 00,134,408 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Gator\Desktop\TDSSKiller.exe
[2009/12/05 07:59:08 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/05 07:59:08 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/05 07:59:08 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/05 07:59:08 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/05 07:59:07 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/20 21:27:20 | 00,000,030 | ---- | M] () -- C:\WINDOWS\System32\worker.info
[2009/11/20 21:27:20 | 00,000,030 | ---- | M] () -- C:\WINDOWS\System32\thread.xml
[2009/11/20 21:27:20 | 00,000,030 | ---- | M] () -- C:\WINDOWS\System32\config.data
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[11 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/16 06:08:47 | 00,000,041 | ---- | C] () -- C:\fixme.bat
[2009/12/16 06:00:34 | 00,099,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\tsk_nvata.sys
[2009/12/15 19:34:47 | 00,077,312 | ---- | C] () -- C:\Documents and Settings\Gator\Desktop\mbr.exe
[2009/12/15 06:01:44 | 00,077,312 | ---- | C] () -- C:\mbr.exe
[2009/12/15 06:01:25 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\Gator\Desktop\7yj69pko.exe
[2009/12/14 19:23:20 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\Gator\Desktop\rkill.pif
[2009/11/20 18:20:13 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\worker.info
[2009/11/20 18:20:13 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\thread.xml
[2009/11/20 18:20:13 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\config.data
[2009/11/18 05:53:18 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/06/22 05:19:19 | 00,002,119 | ---- | C] () -- C:\Documents and Settings\Gator\Application Data\cUMBKq4rat.gif
[2009/06/22 05:19:19 | 00,000,607 | ---- | C] () -- C:\Documents and Settings\Gator\Application Data\cUMBKq4rzn.gif
[2009/06/22 05:19:19 | 00,000,598 | ---- | C] () -- C:\Documents and Settings\Gator\Application Data\cUMBKq4rby.gif
[2009/06/15 04:54:34 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\91398586.ini
[2007/09/21 04:21:15 | 00,001,367 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/08/10 11:08:48 | 00,024,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\swmsflt.sys
[2007/07/09 09:28:44 | 00,036,962 | ---- | C] () -- C:\WINDOWS\System32\ActPanel.dll
[2007/06/01 14:16:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2007/06/01 14:16:00 | 00,000,126 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2007/03/05 15:57:03 | 00,254,464 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT2X.DLL
[2007/03/05 15:57:03 | 00,094,720 | ---- | C] () -- C:\WINDOWS\System32\SH30W32.DLL
[2007/03/05 15:57:03 | 00,080,624 | ---- | C] () -- C:\WINDOWS\System32\SH31W32.DLL
[2007/01/25 17:42:59 | 00,000,600 | ---- | C] () -- C:\Documents and Settings\Gator\Local Settings\Application Data\PUTTY.RND
[2006/11/10 14:32:36 | 00,052,736 | ---- | C] () -- C:\Documents and Settings\Gator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/11/09 06:25:20 | 00,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2006/11/09 06:25:20 | 00,000,129 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2006/11/08 01:45:38 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Gator\Local Settings\Application Data\fusioncache.dat
[2006/11/08 01:45:38 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Gator\Local Settings\Application Data\DSwitch.txt
[2006/11/08 01:45:38 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Gator\Local Settings\Application Data\AtStart.txt
[2006/11/08 01:45:36 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Gator\Local Settings\Application Data\QSwitch.txt
[2006/09/23 06:32:17 | 00,000,174 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/09/23 06:28:18 | 00,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/09/23 06:15:16 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/09/23 06:04:54 | 00,028,836 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/08/18 03:00:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/08/18 03:00:00 | 01,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/08/18 03:00:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/08/18 03:00:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/08/18 03:00:00 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/06/29 14:18:14 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/06/29 13:49:18 | 00,000,368 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/06/29 13:46:56 | 00,000,359 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/06/29 13:43:40 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/03/15 23:00:00 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2006/03/04 02:07:34 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2006/01/26 19:04:16 | 00,099,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvata.sys
[2005/12/02 13:09:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/05/05 21:06:32 | 00,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2004/09/16 15:24:26 | 03,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2003/05/07 13:21:26 | 00,172,056 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009/12/15 05:53:16 | 00,077,312 | ---- | M] () -- C:\mbr.exe
[11 C:\*.tmp files -> C:\*.tmp -> ]


< MD5 for: AGP440.SYS >
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\agp440.sys
[2004/08/04 09:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\atapi.sys
[2004/08/04 08:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\eventlog.dll
[2006/03/15 23:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll
[2007/01/30 13:44:22 | 00,028,672 | ---- | M] () MD5=9937F303C344C00849E8E5CA26CED439 -- C:\oracle\AppServer\perl\site\5.8.3\lib\MSWin32-x86-multi-thread\auto\Win32\EventLog\EventLog.dll
[2004/11/15 08:37:52 | 00,028,672 | ---- | M] () MD5=9937F303C344C00849E8E5CA26CED439 -- C:\oracle\owb_home\perl\site\5.8.3\lib\MSWin32-x86-multi-thread\auto\Win32\EventLog\EventLog.dll
[2004/11/15 08:37:52 | 00,028,672 | ---- | M] () MD5=9937F303C344C00849E8E5CA26CED439 -- C:\oracle\product\10.2.0\db_1\perl\site\5.8.3\lib\MSWin32-x86-multi-thread\auto\Win32\EventLog\EventLog.dll

< MD5 for: IASTOR.SYS >
[2005/10/13 04:07:12 | 00,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\SWSetup\HDD\iastor.sys
[2005/10/13 04:07:12 | 00,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\netlogon.dll
[2006/03/15 23:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATA.SYS >
[2006/01/26 19:04:16 | 00,099,584 | ---- | M] (NVIDIA Corporation) MD5=3AC5EEDD35B7437D53960F3998BFA462 -- C:\SWSetup\Chipset\IDE\Win2K\sata_ide\nvata.sys
[2006/01/26 19:04:16 | 00,099,584 | ---- | M] (NVIDIA Corporation) MD5=3AC5EEDD35B7437D53960F3998BFA462 -- C:\SWSetup\Chipset\IDE\WinXP\sata_ide\nvata.sys
[2006/01/26 19:04:16 | 00,099,584 | ---- | M] (NVIDIA Corporation) MD5=3AC5EEDD35B7437D53960F3998BFA462 -- C:\SWSetup\Chipset\nvata.sys
[2009/12/16 06:02:39 | 00,099,584 | ---- | M] () MD5=C3C2485695C4F64F08D105EC54BEFB4B -- C:\WINDOWS\system32\drivers\nvata.sys

< MD5 for: NVATABUS.SYS >
[2006/01/26 19:04:16 | 00,099,584 | ---- | M] (NVIDIA Corporation) MD5=3AC5EEDD35B7437D53960F3998BFA462 -- C:\SWSetup\Chipset\IDE\Win2K\sataraid\nvatabus.sys
[2006/01/26 19:04:16 | 00,099,584 | ---- | M] (NVIDIA Corporation) MD5=3AC5EEDD35B7437D53960F3998BFA462 -- C:\SWSetup\Chipset\IDE\WinXP\sataraid\nvatabus.sys
[2006/01/26 19:04:16 | 00,099,584 | ---- | M] (NVIDIA Corporation) MD5=3AC5EEDD35B7437D53960F3998BFA462 -- C:\SWSetup\Chipset\nvatabus.sys

< MD5 for: SCECLI.DLL >
[2006/03/15 23:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\scecli.dll
< End of report >


- extras.txt - from OTL

OTL Extras logfile created on: 12/16/2009 6:11:41 AM - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Gator\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

990.54 Mb Total Physical Memory | 583.07 Mb Available Physical Memory | 58.86% Memory free
2.33 Gb Paging File | 1.90 Gb Available in Paging File | 81.60% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 99.19 Gb Total Space | 24.25 Gb Free Space | 24.44% Space Free | Partition Type: NTFS
Drive D: | 11.56 Gb Total Space | 1.10 Gb Free Space | 9.49% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CAG
Current User Name: Gator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\mqsvc.exe" = C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing -- (Microsoft Corporation)
"%windir%\system32\drivers\svchost.exe" = %windir%\system32\drivers\svchost.exe:*:Enabled:svchost -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\mqsvc.exe" = C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing -- (Microsoft Corporation)
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Computer, Inc.)
"C:\oracle\xml_publisher\jdk\bin\java.exe" = C:\oracle\xml_publisher\jdk\bin\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary -- (Sun Microsystems, Inc.)
"C:\Documents and Settings\Gator\Local Settings\Temp\OraInstall2007-03-05_03-51-16PM\jre\1.4.2\bin\javaw.exe" = C:\Documents and Settings\Gator\Local Settings\Temp\OraInstall2007-03-05_03-51-16PM\jre\1.4.2\bin\javaw.exe:*:Enabled:javaw -- File not found
"C:\oracle\Developer\jdk\bin\java.exe" = C:\oracle\Developer\jdk\bin\java.exe:*:Enabled:java -- File not found
"C:\oracle\Developer\BIN\rwbuilder.exe" = C:\oracle\Developer\BIN\rwbuilder.exe:*:Enabled:Reports Builder -- File not found
"C:\oracle\owb_home\jdk\jre\bin\javaw.exe" = C:\oracle\owb_home\jdk\jre\bin\javaw.exe:*:Enabled:javaw -- ()
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- File not found
"C:\oracle\JDeveloper\jdk\bin\javaw.exe" = C:\oracle\JDeveloper\jdk\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary -- (Sun Microsystems, Inc.)
"C:\oracle\JDeveloper\jdev\bin\jdevW.exe" = C:\oracle\JDeveloper\jdev\bin\jdevW.exe:*:Enabled:Oracle JDeveloper -- ()
"C:\oracle\BIPublisher10132\jdk\bin\java.exe" = C:\oracle\BIPublisher10132\jdk\bin\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary -- (Sun Microsystems, Inc.)
"C:\oracle\Developer\BIN\frmweb.exe" = C:\oracle\Developer\BIN\frmweb.exe:*:Enabled:Oracle Forms Runform -- File not found
"C:\oracle\Developer\BIN\frmbld.exe" = C:\oracle\Developer\BIN\frmbld.exe:*:Enabled:Oracle Forms Designer -- File not found
"C:\oracle\Developer9i\jdk\bin\java.exe" = C:\oracle\Developer9i\jdk\bin\java.exe:*:Enabled:java -- File not found
"C:\Documents and Settings\Gator\Local Settings\Temp\OraInstall2007-08-12_09-27-43PM\jre\bin\javaw.exe" = C:\Documents and Settings\Gator\Local Settings\Temp\OraInstall2007-08-12_09-27-43PM\jre\bin\javaw.exe:*:Enabled:javaw -- File not found
"C:\Documents and Settings\Gator\Local Settings\Temp\OraInstall2007-08-13_07-57-07AM\jre\bin\javaw.exe" = C:\Documents and Settings\Gator\Local Settings\Temp\OraInstall2007-08-13_07-57-07AM\jre\bin\javaw.exe:*:Enabled:javaw -- File not found
"C:\oracle\Developer9i\bin\rwbuilder.exe" = C:\oracle\Developer9i\bin\rwbuilder.exe:*:Enabled:Reports Builder -- File not found
"C:\Documents and Settings\Gator\Local Settings\Temp\OraInstall2007-09-19_09-22-52PM\jre\bin\javaw.exe" = C:\Documents and Settings\Gator\Local Settings\Temp\OraInstall2007-09-19_09-22-52PM\jre\bin\javaw.exe:*:Enabled:javaw -- File not found
"C:\Documents and Settings\Gator\Local Settings\Temp\OraInstall2007-09-20_05-31-00AM\jre\1.4.2\bin\javaw.exe" = C:\Documents and Settings\Gator\Local Settings\Temp\OraInstall2007-09-20_05-31-00AM\jre\1.4.2\bin\javaw.exe:*:Enabled:javaw -- File not found
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" = C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\Documents and Settings\Gator\Local Settings\Temp\OraInstall2007-12-14_05-39-25AM\jre\1.4.2\bin\javaw.exe" = C:\Documents and Settings\Gator\Local Settings\Temp\OraInstall2007-12-14_05-39-25AM\jre\1.4.2\bin\javaw.exe:*:Enabled:javaw -- File not found
"C:\oracle\Developer10g\jdk\bin\java.exe" = C:\oracle\Developer10g\jdk\bin\java.exe:*:Enabled:java -- ()
"C:\oracle\Developer10g\BIN\rwbuilder.exe" = C:\oracle\Developer10g\BIN\rwbuilder.exe:*:Enabled:Reports Builder -- (Oracle Corporation)
"C:\oracle\Developer10g\BIN\frmweb.exe" = C:\oracle\Developer10g\BIN\frmweb.exe:*:Enabled:Oracle Forms Runform -- (Oracle Corporation)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- ()
"C:\Documents and Settings\Gator\Local Settings\Temp\OraInstall2008-10-30_06-55-18AM\jre\1.4.2\bin\javaw.exe" = C:\Documents and Settings\Gator\Local Settings\Temp\OraInstall2008-10-30_06-55-18AM\jre\1.4.2\bin\javaw.exe:*:Enabled:javaw -- File not found
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"%windir%\system32\drivers\svchost.exe" = %windir%\system32\drivers\svchost.exe:*:Enabled:svchost -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{09D8492A-C8E2-421E-927D-46800FB327A3}" = Wireless Home Network Setup
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic UDF Reader
"{13BCF6CB-2F54-4962-9B11-32F07048ACF3}" = HP User Guides 0031
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1CB34CE9-0E6B-493F-BB66-3425E5DF76E5}" = CP_CalendarTemplates1
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus
"{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement
"{23B35809-5E4A-4F14-8332-1CDEDDFAC089}" = CP_Package_Variety2
"{24BEBF2E-73F3-4599-840B-EDC612CCDD0D}" = Destinations
"{25F6C900-C138-4888-A56C-91D3D063023A}" = HP Update
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}" = Quicken 2006
"{2A548002-9042-4083-A270-B67473DE1073}" = SkinsHP1
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.10 A2
"{34F3FCF1-817B-4D61-B6AF-19D9486AFEA0}" = Unload
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36D620AD-EEBA-4973-BA86-0C9AE6396620}" = OptionalContentQFolder
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FE0CFAB-584A-4AA5-B8CD-C32284CFA308}" = RandMap
"{4041C245-7099-4C96-9738-5EBC23827B3C}" = BufferChm
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 2.00 G2
"{446DBFFA-4088-48E3-8932-74316BA4CAE4}" = iTunes
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 2.3
"{47D2103B-FD51-4017-9C20-DD408B17D726}" = Office 2003 Trial Assistant
"{494D17B5-3369-4905-8C4B-80C972C5E0FF}" = CP_Panorama1Config
"{4DA4012B-39AF-48c2-B23B-A4D570D233A6}" = cp_LightScribeConfig
"{50D8FFDD-90CD-4859-841F-AA1961C7767A}" = QuickTime
"{522D1D79-9C0A-4361-91F8-2AFF8EC6C2E1}" = CP_Package_Variety1
"{52FBAE98-D389-4281-8C14-21B4046CCB4E}" = SonicAC3Encoder
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{54F0998F-73C8-4b51-8286-FE903C231BED}" = cp_PosterPrintConfig
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{6815FCDD-401D-481E-BA88-31B4754C2B46}" = Macromedia Flash Player 8
"{6A28AB0B-22B1-494C-AF61-B386EA1736C0}" = LightScribe 1.4.97.1
"{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}" = Power Tab Editor 1.7
"{766633B3-1AFA-44B6-A3FC-1DE991CD9C52}" = CP_Package_Basic1
"{79F8E1D4-36C1-439C-95FA-F695050B5B07}" = Sonic_PrimoSDK
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{80AE27BA-B0ED-4288-A8B9-D8194BCF4115}" = cp_UpdateProjectsConfig
"{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up
"{838A1BC9-95CA-4880-9BE3-2A7D23600A2B}" = Macromedia Shockwave Player
"{869C3062-4745-4949-B6C9-98AF24D89030}" = PhotoGallery
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00B4-0409-0000-0000000FF1CE}" = Microsoft Office Project MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91120000-003A-0000-0000-0000000FF1CE}" = Microsoft Office Project Standard 2007
"{91510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{939F8208-C8CE-4AFF-B7BA-ACEB2E74A6CB}" =
"{9D4ABB0C-F60B-44A6-956C-A4A63D5495C9}" = CueTour
"{A0146E8B-C065-4A10-82D0-2C9FC3BBCCBC}" = Oracle XML Publisher Desktop
"{A01FC76F-CC09-4658-9E37-5C2F635EE708}" = TourSetup
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AAE10BE5-F398-41C1-9AAF-A59EBF17DFDE}" = Norton Spyware Scan
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B11E71BA-498C-42D4-9F1A-9D7A89D9DA61}" = CP_AtenaShokunin1Config
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{B16AF568-A644-483C-A6DA-5028CD019C8C}" = SonicMPEGEncoder
"{B510A987-487E-4C66-9F4F-D386AC275715}" = TextPad 4.7
"{B57F2FF0-5A25-4332-B503-4592B370C02F}" = CP_Package_Variety3
"{BBD3BF67-5B89-4CBB-BA58-5818ED5F3290}" = cp_OnlineProjectsConfig
"{CAFECAFE-0013-0001-0122-ABCDEFABCDEF}" = Oracle JInitiator 1.3.1.22
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B2}" = WinZip 11.2
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{DA0BF7AB-88EB-4675-8FA1-531EAD938821}" = SnagIt 8
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{DB7E00C9-6DEF-489A-8112-D8F81614F45A}" = Vongo
"{EC397D90-720E-426D-B381-0A10C6FD5A49}" = HP Pavilion Webcam Demo
"{FB09F05F-85C6-4205-B28D-5BF071D276C3}" = muvee autoProducer 5.0
"{FC8D25A7-FF1B-41BB-BB3B-9A06C0A60AE0}" = InstantShareDevices
"074EEF5F-3BE8-4112-B253-C5D6CDE2924C" = Zuma Deluxe from Hewlett-Packard Laptops (remove only)
"0E5266B4-9069-401A-93AE-5FF9F1712016" = Insaniquarium Deluxe from Hewlett-Packard Laptops (remove only)
"103EFD47-9F2C-4490-95DD-AE6C442AFB92" = SCRABBLE from Hewlett-Packard Laptops (remove only)
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"1C3FDBBA-EBF7-4CDB-AD8A-A1125734AF86" = Tradewinds from Hewlett-Packard Laptops (remove only)
"320F055A-570F-4335-B026-16A836DB9549" = Final Drive Nitro from Hewlett-Packard Laptops (remove only)
"382C11F0-1A18-4F76-B8E0-15CA7F209C22" = Chuzzle Deluxe from Hewlett-Packard Laptops (remove only)
"384E0BF4-1E1F-45A6-B60E-42144A3F15CD" = Blackhawk Striker 2 from Hewlett-Packard Laptops (remove only)
"4C061F83-EE92-445A-A03F-184B0BD59242" = Jewel Quest from Hewlett-Packard Laptops (remove only)
"5658FB14-16A4-4DAE-946B-1457BE31572E" = Boggle Supreme from Hewlett-Packard Laptops (remove only)
"5758A0E8-A112-4A1D-82EC-EC72F7F16B88" = Lexibox Deluxe from Hewlett-Packard Laptops (remove only)
"5DE4D54F-AA79-43A4-9C8A-C173E7E2B025" = 5 Card Slingo from Hewlett-Packard Laptops (remove only)
"6E377D95-DF37-4E67-B64B-68C314600BCB" = Bejeweled 2 Deluxe from Hewlett-Packard Laptops (remove only)
"6ECB6EE6-92E1-4525-AF3B-3CE51A7C5F89" = FATE from Hewlett-Packard Laptops (remove only)
"7948472C-423F-4134-B68F-48D660A05D71" = Big Kahuna Reef from Hewlett-Packard Laptops (remove only)
"7A940E33-6993-404B-ABA6-ED62E8FBE615" = Bounce Symphony from Hewlett-Packard Laptops (remove only)
"7ED8A70C-9597-40BE-AEA0-0573182F1F51" = Super Granny from Hewlett-Packard Laptops (remove only)
"7F8C5718-1BA9-4AAE-96D2-2B04D05F2D54" = Polar Bowler from Hewlett-Packard Laptops (remove only)
"9F3399B2-9ED6-4339-84A2-686432638B86" = Blasterball 2 from Hewlett-Packard Laptops (remove only)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"B0202B33-E73D-4FCD-AC88-0B2971AFC116" = Slyder from Hewlett-Packard Laptops (remove only)
"B0769D17-E72A-4E87-A83F-1F7A3F080008" = Bookworm Deluxe from Hewlett-Packard Laptops (remove only)
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"C264D692-8E15-4141-96A2-5621332E5DD0" = Slingo Deluxe from Hewlett-Packard Laptops (remove only)
"CNXT_HDAUDIO" = Conexant HD Audio
"CNXT_MODEM_PCI_VEN_14F1&DEV_5045_at8ven5m" = Soft Data Fax Modem with SmartCP
"D2E44AA4-8665-4490-A6C9-2D0744B47B27" = Polar Golfer from Hewlett-Packard Laptops (remove only)
"DED8E2B5-BA9F-448F-84E8-0AEF79876F95" = Snowboard SuperJam
"Download Accelerator Plus (DAP)" = Download Accelerator Plus (DAP)
"E332F38A-75F6-4EF2-88CC-246E8A1CB5D7" = Oasis from Hewlett-Packard Laptops (remove only)
"E76A7EFF-7758-49EE-B3FA-9699830A2D6B" = Mah Jong Quest from Hewlett-Packard Laptops (remove only)
"E90E3AE9-73E4-4E5C-BB0F-673989A808D0" = Lemonade Tycoon 2 from Hewlett-Packard Laptops (remove only)
"E94C7046-2F7D-4D4D-B76F-C412DCCEAAC2" = Crystal Maze from Hewlett-Packard Laptops (remove only)
"EF860173-4FB7-4DE1-8BE8-5400F05A0DC5" = Puzzle Express from Hewlett-Packard Laptops (remove only)
"ESPNMotion" = ESPNMotion
"F2566CC2-D4C4-44ED-A838-3F8288D8D3FE" = Flip Words from Hewlett-Packard Laptops (remove only)
"FLV Player" = FLV Player 2.0, build 24
"Guitar Pro 5_is1" = Guitar Pro 5.0
"HP Game Console" = HP Game Console and games
"HP Imaging Device Functions" = HP Imaging Device Functions 6.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.0
"HP Rhapsody" = HP Rhapsody
"InstallShield_{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement
"InstallShield_{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up
"KaraFun_is1" = KaraFun 1.18
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Money2006b" = Microsoft Money 2006
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Netscape Browser" = Netscape Browser (remove only)
"Norton Spyware Scan provided by Yahoo!" = Norton Spyware Scan provided by Yahoo!
"NVIDIA Drivers" = NVIDIA Drivers
"PrimoPDF2.0" = PrimoPDF
"PRJSTDR" = Microsoft Office Project Standard 2007 Trial
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Skype_is1" = Skype 2.5
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"The Extractor1.4.1" = The Extractor
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinPatrol" = WinPatrol 2009
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar for Internet Explorer
"Yahoo! Toolbar" = Yahoo! Toolbar
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Juniper_Networks_Cache_Cleaner 5.5.0" = Juniper Networks Cache Cleaner 5.5.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/23/2009 7:44:37 AM | Computer Name = CAG | Source = Application Hang | ID = 1002
Description = Hanging application AcroRd32.exe, version 8.1.0.137, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/26/2009 9:07:08 AM | Computer Name = CAG | Source = Application Hang | ID = 1002
Description = Hanging application MSASCui.exe, version 1.1.1593.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/26/2009 9:07:16 AM | Computer Name = CAG | Source = Application Hang | ID = 1001
Description = Fault bucket 345095370.

Error - 11/28/2009 8:47:13 AM | Computer Name = CAG | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 12/1/2009 7:47:14 PM | Computer Name = CAG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 12/1/2009 7:47:16 PM | Computer Name = CAG | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 12/9/2009 6:29:39 AM | Computer Name = CAG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 12/13/2009 9:05:42 AM | Computer Name = CAG | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 3944 (0xf68) Thread address : 0x7C90EB94 Thread message : Build VSCORE.14.0.0.435
/ 5301.4018 Object being scanned = \Device\HarddiskVolume1\PROGRAM FILES\COMMON
FILES\MICROSOFT SHARED\OFFICE11\MSO.DLL by **\WINWORD.EXE 4(0)(0) 4(0)(0) 7200(0)(0)

7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 12/13/2009 9:15:15 AM | Computer Name = CAG | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.5604.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/13/2009 11:26:30 AM | Computer Name = CAG | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 884 (0x374) Thread address : 0x7C90EB94 Thread message : Build VSCORE.14.0.0.435
/ 5301.4018 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\Gator\Desktop\AdbeRdr80_en_US.exe

by C:\WINDOWS\Explorer.EXE 4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0)

5006(0)(0) 5004(0)(0)

[ System Events ]
Error - 12/14/2009 8:25:35 PM | Computer Name = CAG | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 12/15/2009 8:19:14 AM | Computer Name = CAG | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 12/15/2009 7:37:47 PM | Computer Name = CAG | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 12/15/2009 7:42:02 PM | Computer Name = CAG | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 12/15/2009 8:30:14 PM | Computer Name = CAG | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 12/15/2009 8:35:12 PM | Computer Name = CAG | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 12/15/2009 9:01:20 PM | Computer Name = CAG | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 12/15/2009 9:18:01 PM | Computer Name = CAG | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 12/16/2009 6:56:50 AM | Computer Name = CAG | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 12/16/2009 7:07:57 AM | Computer Name = CAG | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460


< End of report >


- mbr.log - from MBR

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll tsk_nvata.sys
kernel: MBR read successfully


Thanks.

ChuckLHead


Edited by ChuckLHead, 16 December 2009 - 07:36 AM.


#9 thcbytes

thcbytes

  • Members
  • 12,471 posts
  • Gender:Male
  • Local time:06:29 PM

Posted 16 December 2009 - 10:08 AM

How is it running now?

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O1 - Hosts: 10.10.75.12 bst12.dbamanager.com bst12
    O1 - Hosts: 127.0.0.1 cag
    O1 - Hosts: 10.10.75.1 pix
    O1 - Hosts: 10.10.75.5 3com
    O1 - Hosts: 10.10.75.10 bst10
    O1 - Hosts: 10.10.75.20 bst01
    O1 - Hosts: 10.10.75.25 CCTV
    O1 - Hosts: 10.10.75.30 fs01
    O1 - Hosts: 10.10.75.31 fs02
    O1 - Hosts: 10.10.75.40 monitor
    O1 - Hosts: 10.10.75.129 cag
    O1 - Hosts: 10.10.75.201 HP3500
    O1 - Hosts: 57.33.0.182 eglukpi01
    O1 - Hosts: 10.10.75.13 bst13
    O1 - Hosts: 204.11.141.8 formsrv
    O1 - Hosts: 204.11.141.1 router
    O1 - Hosts: 204.11.141.2 vpn.bravesoft.com vpn
    O1 - Hosts: 204.11.141.5 rdba rdba.bravesoft.com brms.bravesoft.com
    O1 - Hosts: 204.11.141.13 cam
    O1 - Hosts: 204.11.141.14 linksys
    O1 - Hosts: 10.10.10.40 demolap
    O1 - Hosts: 10.10.75.11 bst11 #database dev1 jump
    O1 - Hosts: 10.9.22.218 tlpeuatdbgrid
    O1 - Hosts: 10.9.22.146 tlpnprodgrid
    O1 - Hosts: 10.9.22.144 tlpnproddb1.tsysecom.com
    O1 - Hosts: 10 more lines...
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    [2009/06/22 05:19:19 | 00,002,119 | ---- | C] () -- C:\Documents and Settings\Gator\Application Data\cUMBKq4rat.gif
    [2009/06/22 05:19:19 | 00,000,607 | ---- | C] () -- C:\Documents and Settings\Gator\Application Data\cUMBKq4rzn.gif
    [2009/06/22 05:19:19 | 00,000,598 | ---- | C] () -- C:\Documents and Settings\Gator\Application Data\cUMBKq4rby.gif
    [2009/06/15 04:54:34 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\91398586.ini
    
    :Files
    c:\windows\system32\tdlcmd.dll
    
    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
==========

Please update and run MBAM. Post a log.

==========

With your next post please provide:

* How is it running?
* OTL fix log
* MBAM log

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://organdonor.gov/index.html

#10 ChuckLHead

ChuckLHead
  • Topic Starter

  • Members
  • 119 posts
  • Local time:07:29 PM

Posted 16 December 2009 - 09:40 PM

I ran the OTL fix. Rebooted.

Ran an MBAM full scan and rebooted.

Incredibly, so far, I'm not seeing the usual warnings from McAfee, WinDefender or MBAM.

The OTL Log is here:

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
10.10.75.12 bst12.dbamanager.com bst12 removed from HOSTS file successfully
127.0.0.1 cag removed from HOSTS file successfully
10.10.75.1 pix removed from HOSTS file successfully
10.10.75.5 3com removed from HOSTS file successfully
10.10.75.10 bst10 removed from HOSTS file successfully
10.10.75.20 bst01 removed from HOSTS file successfully
10.10.75.25 CCTV removed from HOSTS file successfully
10.10.75.30 fs01 removed from HOSTS file successfully
10.10.75.31 fs02 removed from HOSTS file successfully
10.10.75.40 monitor removed from HOSTS file successfully
10.10.75.129 cag removed from HOSTS file successfully
10.10.75.201 HP3500 removed from HOSTS file successfully
57.33.0.182 eglukpi01 removed from HOSTS file successfully
10.10.75.13 bst13 removed from HOSTS file successfully
204.11.141.8 formsrv removed from HOSTS file successfully
204.11.141.1 router removed from HOSTS file successfully
204.11.141.13 cam removed from HOSTS file successfully
204.11.141.14 linksys removed from HOSTS file successfully
10.10.10.40 demolap removed from HOSTS file successfully
10.9.22.218 tlpeuatdbgrid removed from HOSTS file successfully
10.9.22.146 tlpnprodgrid removed from HOSTS file successfully
10.9.22.144 tlpnproddb1.tsysecom.com removed from HOSTS file successfully
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
C:\Documents and Settings\Gator\Application Data\cUMBKq4rat.gif moved successfully.
C:\Documents and Settings\Gator\Application Data\cUMBKq4rzn.gif moved successfully.
C:\Documents and Settings\Gator\Application Data\cUMBKq4rby.gif moved successfully.
C:\Documents and Settings\All Users\Application Data\91398586.ini moved successfully.
========== FILES ==========
File\Folder c:\windows\system32\tdlcmd.dll not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 1573 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 2864944 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes

User: Gator
->Temp folder emptied: 11748849 bytes
->Temporary Internet Files folder emptied: 46170535 bytes
->Java cache emptied: 61117355 bytes
->FireFox cache emptied: 65829408 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 138798 bytes
->Temporary Internet Files folder emptied: 1902300 bytes

%systemdrive% .tmp files removed: 621951 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 47700 bytes
Windows Temp folder emptied: 1298054 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 156331 bytes
RecycleBin emptied: 136249019 bytes

Total Files Cleaned = 313.01 mb


OTL by OldTimer - Version 3.1.17.0 log created on 12162009_185455

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


The MBAM log is here: ----------------

Malwarebytes' Anti-Malware 1.42
Database version: 3379
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/16/2009 9:21:49 PM
mbam-log-2009-12-16 (21-21-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 370261
Time elapsed: 2 hour(s), 19 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I'll be interested to read your assessment. I'm concerned that I can't boot to safe mode.

Thanks.

ChuckLHead

#11 thcbytes

thcbytes

  • Members
  • 12,471 posts
  • Gender:Male
  • Local time:06:29 PM

Posted 16 December 2009 - 10:25 PM

Looking good. :(

We need to repair Safe Mode
  • Please download Safe Boot Key Repair and save it to your desktop.
  • Run Posted Image by double clicking on it or Right-click on it and click Open
  • Copy and paste the resultant log here in your next reply.
==========

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
==========

Please download MBR.EXE by GMER. Save the file in your root directory. (C:\)
  • Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
    @echo off
    cd\
    mbr.exe -t
    start mbr.log
  • Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
  • Open your c:\folder right-click on fixme.bat and select Run as Administrator. A logfile will open (C:\mbr.log). Please paste the contents in your next reply.
==========

Give Gmer another try please.

==========

With your next post please provide:

* SafeMode log
* ESET log
* Mbr log
* Gmer log
* How is it running?

Kind regards,
~t

#12 ChuckLHead

ChuckLHead
  • Topic Starter

  • Members
  • 119 posts
  • Local time:07:29 PM

Posted 18 December 2009 - 08:39 PM

In summary, the computer is running pretty well.

On the good side, I successfully booted to Safe Mode and there hasn't been a warning regarding the Alureon virus for a couple of days.

ESET only reported / quarantined files in the Spybot directory, which I had uninstalled. I went ahead and let ESET remove the files it quarantined.

MBR still reports the same info.

On the not-so-good side, GMER ran for about 1 hour and then I got the Blue Screen of Death so I don't have a log for this. I'm not sure what to make of that event.

The logs I could get are below.

I'm marking the start & stop of each log with a line of "@".

Safe Boot:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\MpfService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mcmscsvc
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


ESET Log:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn3.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn5.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


MBR Log:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll tsk_nvata.sys
kernel: MBR read successfully

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


Thanks!

ChuckLHead
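
Safe Mode would not start until the SafeBoot keys were repaired, and the export above shows what an intact set of those keys looks like. As an added example that is not part of this thread or of the Safe Boot Key Repair tool, the Python below parses a .reg export in that format and reports which entries safe mode depends on are absent; the required names are taken from the export above, and the excerpt it runs against is constructed.

```python
"""Check a .reg export of the SafeBoot keys for entries safe mode needs.

Added example for this thread; not part of the Safe Boot Key Repair tool.
Required names come from the export posted above; SAMPLE_EXPORT is a
constructed, shortened excerpt with two Minimal entries deliberately absent.
"""
import re

# Matches "[HKEY_LOCAL_MACHINE\...\safeboot\Minimal\<entry>]" (or Network).
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\safeboot"
    r"\\(minimal|network)(?:\\([^\]]+))?\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^@="(.*)"$')  # the key's (Default) value

# A subset of the entries shown in the export above that safe mode cannot
# start without (disk, file system, display); GUIDs are device classes.
REQUIRED_MINIMAL = {
    "Base", "Boot Bus Extender", "Boot file system", "File system",
    "Primary disk", "vga.sys",
    "{4D36E967-E325-11CE-BFC1-08002BE10318}",  # DiskDrive
    "{4D36E96A-E325-11CE-BFC1-08002BE10318}",  # Hdc
}
REQUIRED_NETWORK = REQUIRED_MINIMAL | {"AFD", "NDIS", "Tcpip"}


def parse_safeboot_export(text):
    """Return {"Minimal": {entry: default_value}, "Network": {...}}.
    An entry with no @= line (like the bare GUID key in the export above)
    is recorded with an empty default value."""
    profiles = {"Minimal": {}, "Network": {}}
    current = None  # (profile, entry) whose values follow, or None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current = None
            m = KEY_RE.match(line)
            if m and m.group(2) is not None:
                current = (m.group(1).capitalize(), m.group(2))
                profiles[current[0]].setdefault(current[1], "")
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            profiles[current[0]][current[1]] = v.group(1)
    return profiles


def missing_entries(profiles):
    """Required entries absent from each profile (empty lists mean intact)."""
    return {
        "Minimal": sorted(REQUIRED_MINIMAL - set(profiles["Minimal"])),
        "Network": sorted(REQUIRED_NETWORK - set(profiles["Network"])),
    }


# Constructed excerpt: Minimal lacks "Boot file system" and "vga.sys";
# Network keeps only its network-specific entries plus a valueless GUID.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]
"""

if __name__ == "__main__":
    for profile, names in missing_entries(
            parse_safeboot_export(SAMPLE_EXPORT)).items():
        print(profile, "missing:", names or "nothing")
```

On a real machine the input is the text produced by exporting the SafeBoot key with Registry Editor, and an empty list for both profiles is the expected result after a successful repair.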

#13 thcbytes

thcbytes

  • Members
  • 12,471 posts
  • Gender:Male
  • Local time:06:29 PM

Posted 18 December 2009 - 10:45 PM

Bad news about the rootkit scans but.....
I have a Beta of Combofix that we are testing. :(

Download and Run ComboFix (by sUBs)

Save it to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on kittyfix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Thanks,
~ t

#14 thcbytes

thcbytes

  • Members
  • 12,471 posts
  • Gender:Male
  • Local time:06:29 PM

Posted 20 December 2009 - 04:13 PM

Do you still desire help?

Your delay in reply has resulted in a dead link for my prior instructions.

The Beta no longer exists! It is not a Beta anymore. :(

Do this....

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

Please download ComboFix from here:

Link

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Kind regards,
~ t

#15 ChuckLHead

ChuckLHead
  • Topic Starter

  • Members
  • 119 posts
  • Local time:07:29 PM

Posted 20 December 2009 - 04:58 PM

Yes. As you noticed, I have another post in the XP forums that opened which is in regard to a separate computer.

I had hoped to be back working on this by now.

I was hoping to have 1 good computer versus 2 with problems.

Out of curiosity, what are the risks of running combofix?

ChuckLHead



