
Can't get TDSSKiller to run


This topic is locked. 14 replies to this topic.

#1 93falcon (Members, 7 posts)

Posted 17 April 2011 - 02:15 AM

I was infected with WindowsFixDisk and ran the guide to uninstall it. That seemed to work fine until I got to the step where I run TDSSKiller. I also ran that per the guide and got to step 3 where you get the security warning and select "Run." I selected "Run" but nothing happened.

I have run RKill and Malwarebytes again and come up clean; however, I am still getting the re-direct.

I also ran the unhide.exe utility and that has seemed to work.

I have not run the Secunia Personal Software Inspector.

I was able to get Symantec updated and ran a full scan. That located 3 items which it quarantined. I thought that had actually taken care of it, as windows were not just popping up anymore. However, when I go into IE, I still get the re-direct on a google search.


#2 B-boy/StyLe/, "Bleeping Freestyler" (Malware Response Team, 6,379 posts, Location: Bulgaria)

Posted 17 April 2011 - 06:53 AM

Hello 93falcon! Welcome to BleepingComputer Forums!

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Please download ComboFix from the link below:

Link 2

During the download, rename Combofix.exe to sVchost.exe

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
  • Double click it & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.



Regards,
Georgi
My help is always free of charge. If you appreciate my work, you can buy me a beer or two by clicking here.

#3 93falcon, Topic Starter (Members, 7 posts)

Posted 17 April 2011 - 11:08 PM

Georgi,

Ran ComboFix as requested and log follows. I inserted the text and attached a copy of the file. Wasn't sure how you preferred to get this information.

Also, I don't know if this is a separate issue or not, but when I rebooted it wanted me to save a new Normal template in Word. I cancelled that but thought I would bring it up all the same.

ComboFix 11-04-16.03 - Joe 04/17/2011 21:12:43.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.596 [GMT -5:00]
Running from: c:\documents and settings\Joe\Desktop\sVchost.exe.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Joe\g2mdlhlpx.exe
c:\documents and settings\Joe\Local Settings\Application Data\sjy.exe
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-03-18 to 2011-04-18 )))))))))))))))))))))))))))))))
.
.
2011-04-16 01:21 . 2011-04-16 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-04-15 04:48 . 2011-04-15 04:48 -------- d-----w- c:\documents and settings\Joe\Application Data\Malwarebytes
2011-04-15 04:47 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-15 04:47 . 2011-04-15 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-15 04:47 . 2011-04-15 05:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-15 04:20 . 2011-04-15 04:20 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-14 03:48 . 2011-04-14 03:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Files
2011-04-14 03:41 . 2011-04-15 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-04-14 03:41 . 2011-04-14 03:42 -------- d-----w- c:\windows\system32\drivers\AVG
2011-04-14 03:40 . 2011-04-14 03:40 -------- d-----w- c:\program files\AVG
2011-04-14 03:34 . 2011-04-15 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-04-14 03:10 . 2011-04-14 03:10 -------- d-----w- c:\documents and settings\Joe\Application Data\Sammsoft
2011-04-14 03:10 . 2011-04-15 04:14 -------- d-----w- c:\program files\ARO 2011
2011-03-22 01:19 . 2011-03-22 01:20 -------- d-----w- C:\Troopmaster Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2010-04-20 01:14 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2001-08-23 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2001-08-23 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2010-04-20 05:23 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2001-08-23 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2001-08-23 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-04-21 08:02 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2001-08-23 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2010-04-20 05:23 186880 ------w- c:\windows\system32\encdec.dll
2011-02-09 13:53 . 2010-04-20 05:23 270848 ------w- c:\windows\system32\sbe.dll
2011-02-08 13:33 . 2001-08-23 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2001-08-23 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2010-04-20 00:52 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-04-20 00:52 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2001-08-23 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mnumsg.exe"="c:\program files\MyShoppingGenie\mnumsg.exe" [2010-05-19 568672]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 67584]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-06-20 1056768]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-20 1169744]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-20 1945688]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-20 149024]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]
.
c:\documents and settings\Joe\Start Menu\Programs\Startup\
AutoMailer.lnk - c:\troopmaster software\AutoMailer\AutoMailer.exe [2011-3-21 73728]
Network Client.lnk - c:\program files\ActiHealth\AHClient.exe [2010-10-17 5578224]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2007-5-15 130864]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-05-15 22:08 112640 ----a-w- c:\windows\system32\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-05-15 22:08 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)
.
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 5:08 PM 182576]
R3 EraserUtilDrvI10;EraserUtilDrvI10;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys [4/16/2011 8:24 PM 102448]
R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [4/19/2010 9:42 PM 44544]
R3 OMNUSB;Omnikey AG CardMan 2020 USB Smart Card Reader;c:\windows\system32\drivers\sccmusbm.sys [4/19/2010 2:46 PM 23936]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/18/2010 11:52 AM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/14/2011 11:47 PM 38224]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 7:27 PM 124608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-18 16:51]
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-18 16:51]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.foxnews.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-hpqSRMon - (no file)
Notify-TPSvc - TPSvc.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-17 21:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(956)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll
.
- - - - - - - > 'explorer.exe'(3396)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-04-17 21:30:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-18 02:30
.
Pre-Run: 2,500,694,016 bytes free
Post-Run: 2,525,990,912 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - AE8B11C1B5687C715C82071B3A60815A


#4 B-boy/StyLe/, "Bleeping Freestyler" (Malware Response Team, 6,379 posts, Location: Bulgaria)

Posted 18 April 2011 - 06:39 AM

Hi 93falcon,

Since we are going to edit the registry to repair some registry settings to their defaults, we must proceed with caution.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For the version with the Installer:
    Use the setup program to install ERUNT on your computer.
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe





We need to run an OTL Fix



  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications"=dword:00000000
    "EnableFirewall"=dword:00000001
    :commands
    [reboot]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.





Run Scan with Malwarebytes



I see you have Malwarebytes' Anti-Malware installed on your computer.
Please start the application by double-clicking on its icon.
Once the program has loaded, go to the UPDATE tab and check for updates.
When the update is complete, select the Scanner tab.
Select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to a convenient location and post the results in your next reply.





Did you uninstall AVG completely? There are a few AVG related folders in the log.
Use the following tool to completely eliminate all the parts of your AVG installation from your computer, including registry items, installation files, user files, etc.

AVG Remover

Also, I don't know if this is a separate issue or not, but when I rebooted it wanted me to save a new Normal template in Word. I cancelled that but thought I would bring it up all the same.

Does this happen every time? Did you try to reinstall the application and then try it again?



Regards,
Georgi
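Added example (editor's note; this is not code from the thread, from ComboFix or from OTL): a small Python triage script that reads the "Reg Loading Points" section of a ComboFix log like the one posted above, flags the Security Center and Windows Firewall values that the OTL fix in this post resets (AntiVirusOverride, FirewallOverride, DisableMonitoring, EnableFirewall, DisableNotifications), notes any "Infected copy of ... was found and disinfected" line, and renders the same :reg fix block from what it found. The embedded log excerpt is constructed from lines of the log above; the expansion of ComboFix's abbreviated HKLM\~\services prefix to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services is an assumption inferred from comparing the log with the fix.

```python
import re

# Constructed excerpt: relevant lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mnumsg.exe"="c:\program files\MyShoppingGenie\mnumsg.exe" [2010-05-19 568672]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DISINFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")

# (predicate on the lower-cased full key, value name, value a healthy machine holds).
# *Override=1 tells Security Center to ignore the AV/firewall state, DisableMonitoring=1
# silences the product alert, EnableFirewall=0 turns the XP firewall off: all classic
# rogue-AV tampering, and exactly what the OTL fix above sets back.
CHECKS = [
    (lambda k: k.endswith(r"\microsoft\security center"), "AntiVirusOverride", 0),
    (lambda k: k.endswith(r"\microsoft\security center"), "FirewallOverride", 0),
    (lambda k: "\\security center\\monitoring\\" in k, "DisableMonitoring", 0),
    (lambda k: k.endswith(r"\firewallpolicy\standardprofile"), "EnableFirewall", 1),
    (lambda k: k.endswith(r"\firewallpolicy\standardprofile"), "DisableNotifications", 0),
]


def expand_key(key):
    """Assumption: ComboFix prints HKLM\\SYSTEM\\CurrentControlSet as 'HKLM\\~'."""
    prefix = "HKLM\\~\\"
    if key[:len(prefix)].upper() == prefix:
        return "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\" + key[len(prefix):]
    return key


def parse_dword(raw):
    """Accept both ComboFix value styles: 'dword:00000001' and '0 (0x0)'."""
    raw = raw.strip()
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return int(m.group(1))
    return None


def parse_log(text):
    report = {"disinfected": [], "run_entries": [], "values": {}}
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        m = DISINFECTED_RE.match(line)
        if m:
            report["disinfected"].append(m.group(1))
            continue
        m = KEY_RE.match(line)
        if m:
            key = expand_key(m.group(1))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, raw = m.group(1), m.group(2)
        dword = parse_dword(raw)
        if dword is not None:
            report["values"][(key, name)] = dword
        elif key.lower().endswith("\\run"):
            # Autostart entry: keep the quoted executable path for review.
            path = re.match(r'"([^"]*)"', raw)
            report["run_entries"].append((name, path.group(1) if path else raw))
    return report


def find_tampering(report):
    """Return (key, name, actual, expected) for every value that is not at its safe setting."""
    findings = []
    for (key, name), actual in report["values"].items():
        for key_matches, want_name, expected in CHECKS:
            if name == want_name and key_matches(key.lower()) and actual != expected:
                findings.append((key, name, actual, expected))
    return findings


def build_otl_fix(findings):
    """Render the findings as an OTL ':reg' fix in the same shape as the one in the post."""
    lines = [":reg"]
    current = None
    for key, name, _actual, expected in findings:
        if key != current:
            lines.append("[%s]" % key)
            current = key
        lines.append('"%s"=dword:%08x' % (name, expected))
    lines += [":commands", "[reboot]"]
    return "\n".join(lines)


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    for path in rep["disinfected"]:
        print("system file replaced by ComboFix:", path)
    for name, path in rep["run_entries"]:
        print("autostart:", name, "->", path)
    for f in find_tampering(rep):
        print("tampered: %s\\%s = %d (expected %d)" % f)
    print(build_otl_fix(find_tampering(rep)))
```

Run against the log above it reports the disinfected volsnap.sys driver, the two HKCU Run entries, all five tampered values, and prints a fix identical in content to the OTL script in this post. Feeding the generated fix back through parse_log and find_tampering yields no findings, which is a cheap way to check that the fix covers everything the check looks for.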

#5 93falcon, Topic Starter (Members, 7 posts)

Posted 18 April 2011 - 09:46 PM

Georgi,

I downloaded and installed ERUNT. I also backed up my registry. Was I supposed to restore my registry per the green instructions? I wasn't sure if I did this now or if things got really messed up.

I downloaded and ran the OTL fix program per the instructions. It ran a report, but I can't find where I saved it. I tried running it again, and while it rebooted my machine, I didn't see another report pop up. Does the program keep a log that I can retrieve?

Updated Malwarebytes and ran it. That log is attached.

I ran the AVG remover tool. Downloaded it to my desktop and ran it. It said that it would probably need to reboot my machine a couple of times, but it never did. It also produced a log, which I have also attached.

The Word error actually happens when I try to open Outlook. The initial error message that pops up is "File Conversion - ~$nereader6.sprint.dot" It then wants me to convert the file to Window's (Default). I have been selecting "Cancel." It then sends me to Word and a pop-up says that word cannot open this document type. I cancel that window and cancel Word. It seems to go away at that point. That happens every time I open Outlook now. I have taken no corrective action on that as I didn't want to mess up anything else we were doing.


#6 B-boy/StyLe/, "Bleeping Freestyler" (Malware Response Team, 6,379 posts, Location: Bulgaria)

Posted 19 April 2011 - 05:26 AM

Hi 93falcon,



I downloaded and installed ERUNT. I also backed up my registry. Was I supposed to restore my registry per the green instructions? I wasn't sure if I did this now or if things got really messed up.




Nope. The last sentence is added for your safety in case something happens with the real fix. Please don't do it.



I downloaded and ran the OTL fix program per the instructions. It ran a report, but I can't find where I saved it. I tried running it again, and while it rebooted my machine, I didn't see another report pop up. Does the program keep a log that I can retrieve?




Please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.

Copy/paste the contents of that document back here in your next post.



The Word error actually happens when I try to open Outlook. The initial error message that pops up is "File Conversion - ~$nereader6.sprint.dot" It then wants me to convert the file to Window's (Default). I have been selecting "Cancel." It then sends me to Word and a pop-up says that word cannot open this document type. I cancel that window and cancel Word. It seems to go away at that point. That happens every time I open Outlook now. I have taken no corrective action on that as I didn't want to mess up anything else we were doing.




The ~$nereader6.sprint.dot is a temporary file and should be deleted from the C:\Documents and Settings\Joe\Application Data\Microsoft\Word\Startup folder.

Close all Office applications before deleting the ~$nereader6.sprint.dot and you may have to "Show hidden files and folders" (My Computer > Tools > Folder Options > View > select "Show hidden files and folders") to see the ~$nereader6.sprint.dot.

If you no longer get an error message, then the problem is solved. If you get a different error message, post back with more information.





I'd like us to scan your machine with ESET OnlineScan


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Please do not delete anything just yet. I want to see the report first !
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image



Regards,
Georgi

#7 93falcon, Topic Starter (Members, 7 posts)

Posted 19 April 2011 - 11:36 AM

1. OTL file is attached. I had three, but this is the latest one:

========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\microsoft\security center\\"AntiVirusOverride"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\security center\\"FirewallOverride"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus\\"DisableMonitoring"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\"DisableNotifications"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\"EnableFirewall"|dword:00000001 /E : value set successfully!
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.22.3 log created on 04182011_212541

2. Deleted the file.

3. Ran ESET as requested. I have also attached it as a file, but the log is:

C:\Qoobox\Quarantine\C\Documents and Settings\Joe\Local Settings\Application Data\sjy.exe.vir a variant of Win32/Injector.FVQ trojan
C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir a variant of Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{5C9F8E3A-6245-4969-B78A-FEB0D4948C95}\RP373\A0028025.exe Win32/Adware.XPAntiSpyware.AB application
C:\System Volume Information\_restore{5C9F8E3A-6245-4969-B78A-FEB0D4948C95}\RP373\A0028026.exe Win32/Adware.XPAntiSpyware.AB application
C:\System Volume Information\_restore{5C9F8E3A-6245-4969-B78A-FEB0D4948C95}\RP373\A0028343.exe Win32/Adware.ErrorClean application
C:\System Volume Information\_restore{5C9F8E3A-6245-4969-B78A-FEB0D4948C95}\RP377\A0030047.exe a variant of Win32/Injector.FVQ trojan
C:\System Volume Information\_restore{5C9F8E3A-6245-4969-B78A-FEB0D4948C95}\RP377\A0030049.dll a variant of Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{5C9F8E3A-6245-4969-B78A-FEB0D4948C95}\RP377\A0030062.sys Win32/Olmasco.E trojan
H:\Documents and Settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\BEBPXDNZ\Page[3].htm HTML/TrojanClicker.IFrame.NAC trojan
H:\Documents and Settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\KH670TQJ\Page[2].htm HTML/TrojanClicker.IFrame.NAC trojan
H:\Documents and Settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\KH670TQJ\Page[4].htm HTML/TrojanClicker.IFrame.NAC trojan
H:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL Win32/Adware.FunWeb application
H:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL Win32/Adware.FunWeb application
H:\Program Files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL Win32/Adware.FunWeb application
H:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL Win32/Adware.FunWeb application
H:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL Win32/Adware.FunWeb application
H:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\F3REGHK.DLL Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL Win32/Adware.FunWeb application
H:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE Win32/Adware.FunWeb application
H:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL Win32/Toolbar.MyWebSearch.K application
H:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE Win32/Toolbar.MyWebSearch application
H:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL Win32/Toolbar.MyWebSearch application
H:\Program Files\NoAdware\nutilities.dll Win32/NoAdware application
H:\WINDOWS\system32\f3PSSavr.scr Win32/Toolbar.MyWebSearch application

#8 B-boy/StyLe/

B-boy/StyLe/

    Bleeping Freestyler


  • Malware Response Team
  • 6,379 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:13 AM

Posted 19 April 2011 - 08:43 PM

Hi 93falcon,



Some of the detected files are in the Combofix quarantine folder.

C:\Qoobox\Quarantine\C\Documents and Settings\Joe\Local Settings\Application Data\sjy.exe.vir a variant of Win32/Injector.FVQ trojan
C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir a variant of Win32/Toolbar.Zugo application

We will delete them at the end of the cleaning process.



Those ESET detections are in the System Restore Cache.

C:\System Volume Information\_restore{5C9F8E3A-6245-4969-B78A-FEB0D4948C95}\RP373\A0028025.exe Win32/Adware.XPAntiSpyware.AB application
C:\System Volume Information\_restore{5C9F8E3A-6245-4969-B78A-FEB0D4948C95}\RP373\A0028026.exe Win32/Adware.XPAntiSpyware.AB application
C:\System Volume Information\_restore{5C9F8E3A-6245-4969-B78A-FEB0D4948C95}\RP373\A0028343.exe Win32/Adware.ErrorClean application
C:\System Volume Information\_restore{5C9F8E3A-6245-4969-B78A-FEB0D4948C95}\RP377\A0030047.exe a variant of Win32/Injector.FVQ trojan
C:\System Volume Information\_restore{5C9F8E3A-6245-4969-B78A-FEB0D4948C95}\RP377\A0030049.dll a variant of Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{5C9F8E3A-6245-4969-B78A-FEB0D4948C95}\RP377\A0030062.sys Win32/Olmasco.E trojan

  • Please go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points.



The other files are located in your second Windows installation. Please boot into your other installation (H:\) and repeat the ESET scan from there.
Delete the found items.



Boot back into C:\



We need to run an OTL Custom Scan



  • Double click on the OTL icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on the Scan All Users checkbox given at the top.
  • Copy and paste the following code into the textbox.
    netsvcs
    /md5start
    volsnap.sys
    /md5stop
    %systemroot%\system32\*.dll /lockedfiles
    
  • Push the scan button.
  • Two reports will open; copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized



Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



Regards,
Georgi
My help is always free of charge. If you appreciate my work, you can buy me a beer or two by clicking here.
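The post above sorts the ESET detections by where they sit (the ComboFix quarantine folder, the System Restore cache, the second Windows installation on H:) and gives each group a different action. The script below is an added example, not part of this thread and not code from OTL, ESET or any other tool mentioned here: it applies the same triage to ESET-style log lines so the grouping can be done in one pass instead of by eye. The sample log is constructed from lines quoted in this thread plus one made-up "live" entry; the bucket names, the `classify`/`triage` functions and the `system_drive` parameter are my own assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample in the ESET Online Scanner log format quoted in this thread:
# "<path> <detection name> <type>". The first five lines are taken from the
# thread; the last one is made up to show a detection outside any container.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir a variant of Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{5C9F8E3A-6245-4969-B78A-FEB0D4948C95}\RP377\A0030047.exe a variant of Win32/Injector.FVQ trojan
C:\System Volume Information\_restore{5C9F8E3A-6245-4969-B78A-FEB0D4948C95}\RP377\A0030062.sys Win32/Olmasco.E trojan
H:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL Win32/Toolbar.MyWebSearch.K application
H:\WINDOWS\system32\f3PSSavr.scr Win32/Toolbar.MyWebSearch application
C:\Documents and Settings\Joe\Desktop\constructed_sample.exe Win32/Olmasco.E trojan
"""

# The path may contain spaces, so it is matched non-greedily up to a detection
# name of the form "[a variant of ]Family/Name", followed by the type word.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>(?:(?:probably )?a variant of )?[A-Za-z0-9]+/\S+)\s+"
    r"(?P<kind>\S+)\s*$"
)

BUCKETS = ("quarantine", "system_restore", "other_volume", "live", "unparsed")


class Detection(NamedTuple):
    path: str
    detection: str
    kind: str


def classify(path: str, system_drive: str = "C:") -> str:
    """Decide what a detection means from where it sits (the logic the post applies by hand).

    quarantine     - already neutralised by ComboFix; deleted at the end of the clean-up
    system_restore - inert copy inside a restore point; cleared with Cleanmgr > More Options
    other_volume   - belongs to another Windows installation; rescan from that installation
    live           - on the running system outside any container; needs attention now
    """
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    if not p.startswith(system_drive.lower() + "\\"):
        return "other_volume"
    return "live"


def triage(log_text: str, system_drive: str = "C:") -> Dict[str, List[Detection]]:
    """Parse ESET-style detection lines and group them by bucket; every bucket key is present."""
    buckets = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            # Keep anything we could not parse so it is reviewed rather than silently dropped.
            buckets["unparsed"].append(Detection(line, "", ""))
            continue
        d = Detection(m["path"], m["detection"], m["kind"])
        buckets[classify(d.path, system_drive)].append(d)
    return {name: buckets[name] for name in BUCKETS}


if __name__ == "__main__":
    for name, items in triage(SAMPLE_LOG).items():
        print(f"{name}: {len(items)}")
        for d in items:
            print(f"  {d.kind:<12} {d.detection:<40} {d.path}")
```

Running it on the sample prints one quarantined item, two restore-point copies, two files on the H: installation and the single constructed live entry. Pass `system_drive="H:"` when the log was produced from the other installation, so its own files are treated as live and the C: ones as belonging to another volume.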

#9 93falcon

93falcon
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:13 PM

Posted 19 April 2011 - 09:34 PM

Georgi,

1. Ran Cleanmgr

2. Did not delete the second installation of windows. I need to write down what programs I have there and then reformat that drive. I do not use that installation.

3. Tried to attach the OTL file but it said it was too big, so here it is as text:
OTL logfile created on: 4/19/2011 9:07:35 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Joe\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 393.00 Mb Available Physical Memory | 38.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.08 Gb Total Space | 3.60 Gb Free Space | 18.89% Space Free | Partition Type: NTFS
Drive D: | 7.86 Gb Total Space | 2.79 Gb Free Space | 35.50% Space Free | Partition Type: NTFS
Drive H: | 128.00 Gb Total Space | 100.61 Gb Free Space | 78.60% Space Free | Partition Type: NTFS
Drive I: | 465.75 Gb Total Space | 286.74 Gb Free Space | 61.57% Space Free | Partition Type: NTFS
Drive J: | 5.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive K: | 3.81 Gb Total Space | 2.75 Gb Free Space | 72.23% Space Free | Partition Type: FAT32

Computer Name: ANTEC-SONATA | User Name: Joe | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/18 20:34:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.exe
PRC - [2010/05/19 13:10:20 | 000,568,672 | ---- | M] (MyNetUniverse, Inc) -- C:\Program Files\MyShoppingGenie\mnumsg.exe
PRC - [2010/03/25 14:04:14 | 005,578,224 | ---- | M] () -- C:\Program Files\ActiHealth\AHClient.exe
PRC - [2010/02/18 11:43:20 | 000,490,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/15 17:08:40 | 000,182,576 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe
PRC - [2007/05/15 17:08:08 | 000,293,168 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
PRC - [2007/05/15 17:08:00 | 000,130,864 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
PRC - [2007/04/19 21:38:22 | 001,945,688 | ---- | M] (Acronis) -- C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
PRC - [2007/04/19 21:29:56 | 000,149,024 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
PRC - [2007/04/19 21:29:44 | 000,411,168 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
PRC - [2007/04/19 21:24:50 | 001,169,744 | ---- | M] (Seagate) -- C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
PRC - [2006/10/12 15:57:08 | 000,102,400 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
PRC - [2005/06/23 19:27:36 | 000,085,696 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2005/06/23 19:27:28 | 001,715,904 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2005/06/23 19:27:18 | 000,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2005/06/20 18:53:24 | 001,056,768 | R--- | M] (VIA Technologies) -- C:\Program Files\VIA\RAID\raid_tool.exe
PRC - [2005/06/02 09:21:46 | 000,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/06/02 09:21:40 | 000,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/06/02 09:21:38 | 000,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2004/07/01 05:23:32 | 000,067,584 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


========== Modules (SafeList) ==========

MOD - [2011/04/18 20:34:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/14 05:41:52 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cabinet.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2007/05/15 17:08:40 | 000,182,576 | ---- | M] (ActivIdentity) [Auto | Running] -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe -- (accoca)
SRV - [2007/04/19 21:29:44 | 000,411,168 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2005/06/23 19:27:30 | 000,124,608 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2005/06/23 19:27:28 | 001,715,904 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2005/06/23 19:27:18 | 000,019,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2005/06/02 09:21:46 | 000,161,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/06/02 09:21:46 | 000,083,568 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2005/06/02 09:21:40 | 000,185,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/04/22 12:03:28 | 000,206,552 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2005/03/30 21:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)


========== Driver Services (SafeList) ==========

DRV - [2011/04/08 03:00:00 | 001,393,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110417.004\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/04/08 03:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110417.004\NAVENG.SYS -- (NAVENG)
DRV - [2010/05/31 03:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/05/01 16:51:54 | 000,392,320 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2010/05/01 16:51:54 | 000,032,768 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2010/05/01 16:51:38 | 000,120,992 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2005/05/13 19:50:10 | 000,123,488 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/04/22 12:03:02 | 000,267,192 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2005/04/22 12:03:00 | 000,017,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/03/30 21:48:20 | 000,372,832 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/02/04 20:14:32 | 000,053,896 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/02/04 20:14:30 | 000,324,232 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2004/08/03 22:29:32 | 000,104,960 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinrvxx.sys -- (atinrvxx) ATI WDM Rage Theater Video (Microsoft Corporation)
DRV - [2004/08/03 22:29:32 | 000,073,216 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atintuxx.sys -- (ATITUNEP) ATI WDM TV Tuner (Microsoft Corporation)
DRV - [2004/08/03 22:29:32 | 000,063,488 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinxsxx.sys -- (ATIXSAudio) ATI WDM TV Audio (Microsoft Corporation) Crossbar (Microsoft Corporation)
DRV - [2004/08/03 22:29:30 | 000,052,224 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinraxx.sys -- (ativraxx) ATI WDM Rage Theater Audio (Microsoft Corporation)
DRV - [2004/08/03 22:29:30 | 000,014,336 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinpdxx.sys -- (PCDCODEC) ATI WDM Specialized PCD Codec (Microsoft Corporation)
DRV - [2004/08/03 22:29:30 | 000,013,824 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinmdxx.sys -- (MVDCODEC) ATI WDM Specialized MVD Codec (Microsoft Corporation)
DRV - [2004/08/03 22:29:28 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/07/01 01:49:00 | 000,626,977 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/02/23 22:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2004/01/29 01:32:24 | 000,044,544 | R--- | M] (VIA Networking Technologies, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\getnd5b.sys -- (GETNDIS)
DRV - [2003/11/07 12:00:00 | 000,035,328 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2003/07/02 04:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2001/10/18 12:00:00 | 000,006,144 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaidexp.sys -- (ViaIde)
DRV - [2001/08/17 08:51:14 | 000,023,936 | ---- | M] (OMNIKEY AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sccmusbm.sys -- (OMNUSB)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-57989841-115176313-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
IE - HKU\S-1-5-21-57989841-115176313-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
IE - HKU\S-1-5-21-57989841-115176313-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.foxnews.com/
IE - HKU\S-1-5-21-57989841-115176313-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/05/01 18:47:47 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/04/17 21:20:41 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [accrdsub] C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe (Seagate)
O4 - HKLM..\Run: [EEventManager] C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe (VIA Technologies)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-57989841-115176313-839522115-1003..\Run: [mnumsg.exe] C:\Program Files\MyShoppingGenie\mnumsg.exe (MyNetUniverse, Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe (ActivIdentity)
O4 - Startup: C:\Documents and Settings\Joe\Start Menu\Programs\Startup\AutoMailer.lnk = C:\Troopmaster Software\AutoMailer\AutoMailer.exe ()
O4 - Startup: C:\Documents and Settings\Joe\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\Joe\Start Menu\Programs\Startup\Network Client.lnk = C:\Program Files\ActiHealth\AHClient.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-57989841-115176313-839522115-1003\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-57989841-115176313-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-57989841-115176313-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-57989841-115176313-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-57989841-115176313-839522115-1003\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-57989841-115176313-839522115-1003\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-57989841-115176313-839522115-1003\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-57989841-115176313-839522115-1003\..Trusted Domains: sony.com ([]* in Trusted sites)
O16 - DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} http://launch.soe.com/plugin/web/SOEWebInstaller.cab (SOE Web Installer)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271732465734 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271732458702 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} https://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB (Wizard101GameLauncher)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ackpbsc: DllName - C:\WINDOWS\system32\ackpbsc.dll - C:\WINDOWS\system32\ackpbsc.dll (ActivIdentity)
O20 - Winlogon\Notify\acunlock: DllName - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll (ActivIdentity)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/04/19 20:16:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/03/21 13:54:38 | 000,000,000 | ---- | M] () - H:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/02/12 14:53:42 | 000,000,277 | R--- | M] () - J:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/19 07:30:20 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/04/19 07:21:31 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/04/18 21:11:26 | 001,090,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Joe\Desktop\avg_remover_stf_x86_2011_1184.exe
[2011/04/18 20:35:36 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/18 20:34:47 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.exe
[2011/04/18 20:33:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/04/18 20:33:11 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/04/17 21:10:47 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/04/17 21:06:30 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/04/17 21:06:30 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/04/17 21:06:29 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/04/17 21:06:29 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/04/17 20:57:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/04/17 20:50:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/17 20:39:56 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/15 20:21:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2011/04/15 17:17:26 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Joe\Desktop\jdh.com.exe
[2011/04/15 00:46:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Desktop\tdsskiller
[2011/04/14 23:48:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Application Data\Malwarebytes
[2011/04/14 23:47:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/14 23:47:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/14 23:47:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/14 23:47:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/14 23:14:26 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Joe\Recent
[2011/04/13 22:48:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/04/13 22:41:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/04/13 22:40:13 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2011/04/13 22:34:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/04/13 22:10:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Application Data\Sammsoft
[2011/04/13 22:10:27 | 000,000,000 | ---D | C] -- C:\Program Files\ARO 2011
[2011/04/13 22:06:11 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/03/21 20:20:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Start Menu\Programs\PackMaster
[2011/03/21 20:19:34 | 000,000,000 | ---D | C] -- C:\Troopmaster Software

========== Files - Modified Within 30 Days ==========

[2011/04/19 21:02:01 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/19 20:49:30 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\RKUnhookerLE.EXE
[2011/04/19 20:38:25 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/19 20:38:16 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/18 23:25:18 | 013,299,381 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\Joy2Parent Gift From Fighting to Harmony Procedure.mp3
[2011/04/18 23:24:37 | 015,439,425 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\The One Thing All Successful Parents Do.mp3
[2011/04/18 21:28:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/18 21:11:29 | 001,090,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Joe\Desktop\avg_remover_stf_x86_2011_1184.exe
[2011/04/18 20:42:08 | 000,001,870 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Essential 3.0.lnk
[2011/04/18 20:34:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.exe
[2011/04/18 20:34:02 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Joe\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/04/18 20:33:12 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\NTREGOPT.lnk
[2011/04/18 20:33:12 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\ERUNT.lnk
[2011/04/17 21:20:41 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/04/17 21:10:58 | 000,000,420 | RHS- | M] () -- C:\boot.ini
[2011/04/17 20:16:27 | 000,017,154 | -HS- | M] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\1ro18l3y70b46o6kj0v70
[2011/04/17 20:16:27 | 000,017,154 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\1ro18l3y70b46o6kj0v70
[2011/04/16 18:17:45 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/15 23:37:21 | 000,066,704 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2011/04/15 17:47:06 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\tdsskiller.zip
[2011/04/15 17:25:48 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Joe\Desktop\jdh.com.exe
[2011/04/15 06:47:51 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Joe\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/04/15 06:47:38 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/15 06:47:38 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/15 04:05:23 | 000,264,616 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/15 03:33:29 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/14 23:09:32 | 000,013,736 | -HS- | M] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\4074311493
[2011/04/14 23:09:32 | 000,013,736 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\4074311493
[2011/04/14 22:37:38 | 001,006,778 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\iExplore.exe
[2011/04/13 21:49:08 | 000,000,128 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~18472756r
[2011/04/13 21:49:08 | 000,000,096 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~18472756
[2011/04/13 21:34:44 | 000,000,328 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\18472756
[2011/04/11 21:09:03 | 000,012,992 | ---- | M] () -- C:\Documents and Settings\Joe\Application Data\Comma Separated Values (Windows).CAL
[2011/04/11 20:06:17 | 000,038,460 | ---- | M] () -- C:\Documents and Settings\Joe\Application Data\Comma Separated Values (Windows).ADR
[2011/04/08 00:52:42 | 000,051,712 | ---- | M] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/21 20:20:25 | 000,001,621 | ---- | M] () -- C:\Documents and Settings\Joe\Start Menu\Programs\Startup\AutoMailer.lnk
[2011/03/21 20:20:17 | 000,001,532 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PackMaster.LNK

========== Files Created - No Company Name ==========

[2011/04/19 20:49:29 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\RKUnhookerLE.EXE
[2011/04/18 23:25:18 | 013,299,381 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\Joy2Parent Gift From Fighting to Harmony Procedure.mp3
[2011/04/18 23:24:32 | 015,439,425 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\The One Thing All Successful Parents Do.mp3
[2011/04/18 20:34:02 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Joe\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/04/18 20:33:12 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\NTREGOPT.lnk
[2011/04/18 20:33:12 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\ERUNT.lnk
[2011/04/17 21:10:58 | 000,000,304 | ---- | C] () -- C:\Boot.bak
[2011/04/17 21:10:50 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/04/17 21:06:30 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/04/17 21:06:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/17 21:06:30 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/04/17 21:06:30 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/17 21:06:30 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/17 19:47:15 | 000,017,154 | -HS- | C] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\1ro18l3y70b46o6kj0v70
[2011/04/17 19:47:15 | 000,017,154 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1ro18l3y70b46o6kj0v70
[2011/04/15 20:42:08 | 000,066,704 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2011/04/15 00:47:20 | 001,006,778 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\iExplore.exe
[2011/04/14 22:45:35 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\tdsskiller.zip
[2011/04/13 23:07:42 | 000,013,736 | -HS- | C] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\4074311493
[2011/04/13 23:07:42 | 000,013,736 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4074311493
[2011/04/13 21:38:00 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18472756r
[2011/04/13 21:38:00 | 000,000,096 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18472756
[2011/04/13 21:34:44 | 000,000,328 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18472756
[2011/03/21 20:20:25 | 000,001,621 | ---- | C] () -- C:\Documents and Settings\Joe\Start Menu\Programs\Startup\AutoMailer.lnk
[2011/03/21 20:20:16 | 000,001,532 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PackMaster.LNK
[2011/02/21 13:30:38 | 000,012,992 | ---- | C] () -- C:\Documents and Settings\Joe\Application Data\Comma Separated Values (Windows).CAL
[2011/01/31 20:48:51 | 000,038,460 | ---- | C] () -- C:\Documents and Settings\Joe\Application Data\Comma Separated Values (Windows).ADR
[2010/12/15 02:11:30 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/24 23:01:28 | 000,001,691 | ---- | C] () -- C:\WINDOWS\hpomdl31.dat.temp
[2010/08/23 18:04:17 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2010/08/07 21:05:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2010/05/04 23:57:09 | 000,051,712 | ---- | C] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/03 22:41:27 | 000,077,372 | ---- | C] () -- C:\WINDOWS\hpqins05.dat
[2010/05/01 18:46:49 | 000,023,121 | ---- | C] () -- C:\WINDOWS\hpqins15.dat
[2010/05/01 17:40:44 | 000,166,564 | ---- | C] () -- C:\WINDOWS\hpoins31.dat
[2010/05/01 17:40:44 | 000,001,691 | ---- | C] () -- C:\WINDOWS\hpomdl31.dat
[2010/04/30 19:17:04 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2010/04/30 19:17:04 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2010/04/30 19:17:04 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2010/04/30 19:17:04 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2010/04/30 19:17:04 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2010/04/30 19:17:03 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2010/04/30 19:17:03 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2010/04/30 19:17:03 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2010/04/30 19:17:03 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2010/04/30 19:17:03 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2010/04/30 19:17:03 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2010/04/30 19:17:03 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2010/04/30 19:17:03 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2010/04/30 19:17:03 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2010/04/30 19:17:03 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2010/04/30 19:17:03 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2010/04/30 19:13:46 | 000,065,793 | ---- | C] () -- C:\WINDOWS\System32\esfw7c.bin
[2010/04/30 19:12:39 | 000,000,044 | ---- | C] () -- C:\WINDOWS\PERFV500P.ini
[2010/04/28 22:10:04 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2010/04/22 23:17:53 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/04/20 00:36:08 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\vusetup.dll
[2010/04/19 21:41:41 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2010/04/19 21:41:36 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2010/04/19 21:41:35 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2010/04/19 20:28:47 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/04/19 19:53:29 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/04/19 14:44:44 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/04/19 14:42:06 | 000,264,616 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 07:00:00 | 000,435,260 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 07:00:00 | 000,068,156 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== Custom Scans ==========



< MD5 for: VOLSNAP.SYS >
[2008/04/14 00:11:02 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\ServicePackFiles\i386\volsnap.sys
[2008/04/14 00:11:02 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\dllcache\volsnap.sys
[2008/04/14 00:11:02 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\drivers\volsnap.sys
[2004/08/03 23:00:18 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=EE4660083DEBA849FF6C485D944B379B -- C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< >

< >

< End of report >

--------------------------------------------------------------------------------------------------------------------
I also tried to attach the Extras file but was told it was too big, so here it is as text:
OTL Extras logfile created on: 4/19/2011 9:07:35 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Joe\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 393.00 Mb Available Physical Memory | 38.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.08 Gb Total Space | 3.60 Gb Free Space | 18.89% Space Free | Partition Type: NTFS
Drive D: | 7.86 Gb Total Space | 2.79 Gb Free Space | 35.50% Space Free | Partition Type: NTFS
Drive H: | 128.00 Gb Total Space | 100.61 Gb Free Space | 78.60% Space Free | Partition Type: NTFS
Drive I: | 465.75 Gb Total Space | 286.74 Gb Free Space | 61.57% Space Free | Partition Type: NTFS
Drive J: | 5.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive K: | 3.81 Gb Total Space | 2.75 Gb Free Space | 72.23% Space Free | Partition Type: FAT32

Computer Name: ANTEC-SONATA | User Name: Joe | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"427:UDP" = 427:UDP:*:Enabled:SLP_Port(427)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"427:UDP" = 427:UDP:*:Enabled:SLP_Port(427)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"G:\setup\HPZnui01.exe" = G:\setup\HPZnui01.exe:*:Enabled:hpznui01.exe
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe:*:Enabled:hpqgplgtupl.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe:*:Enabled:hpqgplgtupl.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0289B35E-DC07-4c7a-9710-BBD686EA4B7D}" = Status
"{09633A5E-3089-41A8-9FF1-382171423C5D}" = PSSWCORE
"{15B8AFD9-92E9-4E86-96D9-83FAC510B82E}" = HPPhotoSmartPhotobookWebPack1
"{171E6C1E-B5FC-11DF-B115-005056C00008}" = Google Earth Plug-in
"{1A36CF15-DF66-4756-9482-A9ABF3DDACE6}_is1" = Driver Robot
"{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{22F761D1-8063-4170-ADF7-2D2F47834CA9}" = VideoToolkit01
"{25653817-9502-41A5-A24D-FED750611E98}" = EPSON Perfection V500 Photo Scanner Driver Update
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}" = EPSON Scan Assistant
"{2AFEAA03-2DFE-4519-A629-EDAB6541ABE9}" = HPSSupply
"{3248E093-5288-4CA9-B3AB-11A675FEA1F9}" = Symantec AntiVirus
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{32622F02-640A-4335-86FF-557325DC39D4}" = PS_AIO_04_C6300_Software_Min
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup
"{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = EPSON Event Manager
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A3D0CF8-60FF-4CEF-91A4-A1F001424602}" = DocProc
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4E7C28C7-D5DA-4E9F-A1CA-60490B54AE35}" = UnloadSupport
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{67EDD823-135A-4D59-87BD-950616D6E857}" = EPSON Copy Utility 3
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{70E1E357-E57C-4284-B04E-58196DC27BC1}" = PanoStandAlone
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{787D1A33-A97B-4245-87C0-7174609A540C}" = HP Update
"{7BD42C12-74D1-4804-B24D-D21E25D4E3CF}" = PS_AIO_04_C6300_ProductContext
"{81A60A13-224D-4637-8203-3EAC03B121A4}" = Seagate DiscWizard
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{99832252-D489-4276-B961-6D505CF0AFAA}" = PS_AIO_04_C6300_Software
"{9C2D4047-0E40-499a-AC7A-C4B9BB12FE03}" = TrayApp
"{9EDC4EA1-558A-4297-9BCB-F36E572E6B1D}" = C6300_Help
"{9F4EE72A-C5C9-42ad-ABEF-427690843577}" = MarketResearch
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}" = Wizard101
"{AA2E8A46-B45E-4aea-8A23-88AB57D04523}" = WebReg
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{ABC62001-AD9F-46DB-8668-9946154D6A07}" = AMD Athlon 64 Processor Driver
"{AC194855-F7AC-4D04-B4C9-07BA46FCB697}" = ActivClient CAC 6.1 AFR
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BF08AB1C-3357-4f20-A200-8EBB8EF27C59}" = BufferChm
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C8732DC3-1736-44b2-B741-2D636DE58605}" = HP Photosmart C6300 All-In-One Driver Software 11.0 Rel .4
"{C89B5E3A-690F-4CEE-909A-BF869E198B0A}" = Scan
"{CCF6F57B-F6B4-4508-BF45-63AAC9DE416A}" = Quicken 2010
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D16B4BE6-8B10-422f-8034-96D1CA9483B5}" = GPBaseService
"{D4250558-4DE6-4342-8865-D397FD66076B}" = C6300
"{D74CFE48-087F-46E1-80E6-E2950E1A8DCE}" = HP Photosmart Essential 2.5
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{E535C94A-B87F-4182-BEA8-1E9322078D3E}" = Cards_Calendar_OrderGift_DoMorePlugout
"{E96B0085-6659-486b-A221-5042A042728D}" = Toolbox
"{EF1ADA5A-0B1A-4662-8C55-7475A61D8B65}" = DeviceDiscovery
"{EF9E56EE-0243-4BAD-88F4-5E7508AA7D96}" = Destination Component
"{F7B0E599-C114-4493-BC4D-D8FC7CBBABBB}" = 32 Bit HP CIO Components Installer
"{F95F178B-56AD-4fab-87F8-FA81E66C7D68}" = Network
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.10
"EPSON Scanner" = EPSON Scan
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"File Extension Finder" = File Extension Finder
"FILE RECOVERY for WindowsNSIS" = FILE RECOVERY for Windows
"HP Imaging Device Functions" = HP Imaging Device Functions 11.0
"HP Photosmart Essential" = HP Photosmart Essential 3.0
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 11.0
"HPOCR" = OCR Software by I.R.I.S. 11.0
"ie8" = Windows Internet Explorer 8
"InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyShoppingGenie4.0" = MyShoppingGenie
"PackMaster 2010" = PackMaster 2010
"Shop for HP Supplies" = Shop for HP Supplies
"Silent Package Run-Time Sample" = EPSON Perfection V500P User's Guide
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-57989841-115176313-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.5.0.457
"SOE-Clone Wars" = Clone Wars

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/14/2010 9:36:33 PM | Computer Name = ANTEC-SONATA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/22/2010 3:11:36 AM | Computer Name = ANTEC-SONATA | Source = Application Error | ID = 1000
Description = Faulting application javaw.exe, version 6.0.200.2, faulting module
java.dll, version 6.0.200.2, fault address 0x00005875.

Error - 1/5/2011 9:12:02 PM | Computer Name = ANTEC-SONATA | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8326.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/11/2011 8:33:26 AM | Computer Name = ANTEC-SONATA | Source = Application Hang | ID = 1002
Description = Hanging application WizardLauncher.exe, version 0.0.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/14/2011 7:26:55 PM | Computer Name = ANTEC-SONATA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/14/2011 7:26:55 PM | Computer Name = ANTEC-SONATA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/14/2011 7:26:55 PM | Computer Name = ANTEC-SONATA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/14/2011 7:26:55 PM | Computer Name = ANTEC-SONATA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/14/2011 7:26:55 PM | Computer Name = ANTEC-SONATA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/14/2011 7:26:55 PM | Computer Name = ANTEC-SONATA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 4/16/2011 4:15:37 AM | Computer Name = ANTEC-SONATA | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\D.

Error - 4/16/2011 4:15:42 AM | Computer Name = ANTEC-SONATA | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\D.

Error - 4/16/2011 3:46:26 PM | Computer Name = ANTEC-SONATA | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\D.

Error - 4/16/2011 3:46:31 PM | Computer Name = ANTEC-SONATA | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\D.

Error - 4/17/2011 5:14:04 PM | Computer Name = ANTEC-SONATA | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 4/17/2011 5:15:08 PM | Computer Name = ANTEC-SONATA | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 4/17/2011 5:15:24 PM | Computer Name = ANTEC-SONATA | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 4/17/2011 9:16:18 PM | Computer Name = ANTEC-SONATA | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Symantec AntiVirus service
to connect.

Error - 4/17/2011 9:17:22 PM | Computer Name = ANTEC-SONATA | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 4/18/2011 9:40:48 PM | Computer Name = ANTEC-SONATA | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.


< End of report >
--------------------------------------------------------------------------------------------------------------------
The Rootkit Unhooker file was also too large, so here it is as text:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2069376 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2069376 bytes
0x804D7000 RAW 2069376 bytes
0x804D7000 WMIxWDM 2069376 bytes
0xBF080000 C:\WINDOWS\System32\ati3duag.dll 1892352 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB0AD6000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110417.004\navex15.sys 1388544 bytes (Symantec Corporation, AV Engine)
0xF7107000 C:\WINDOWS\System32\DRIVERS\ati2mtag.sys 815104 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF7015000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 618496 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0xF7351000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF24E000 C:\WINDOWS\System32\ativvaxx.dll 520192 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xB2324000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6F8F000 C:\WINDOWS\system32\drivers\ALCXSENS.SYS 401408 bytes (Sensaura, Sensaura WDM 3D Audio Driver)
0xF72C4000 timntr.sys 393216 bytes (Acronis, Acronis True Image Backup Archive Explorer)
0xB22C6000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xF6DBC000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB246F000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB1683000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xB27AB000 C:\Program Files\Symantec AntiVirus\savrt.sys 348160 bytes (Symantec Corporation, AutoProtect)
0xBF2CD000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB0E48000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB242F000 C:\WINDOWS\System32\Drivers\SYMTDI.SYS 262144 bytes (Symantec Corporation, Network Dispatch Driver)
0xBF048000 C:\WINDOWS\System32\ati2cqag.dll 229376 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 221184 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xF6E1A000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF74AD000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB1893000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7324000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB2394000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB23E1000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF7457000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB2409000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB227A000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF6FF1000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF70AC000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF70D0000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB23BF000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806D1000 ACPI_HAL 131840 bytes
0x806D1000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7407000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF747D000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB2232000 C:\WINDOWS\system32\DRIVERS\atinrvxx.sys 118784 bytes (ATI Technologies Inc., ATI WDM Rage Theater MiniDriver RT2)
0xB0C29000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xB278E000 C:\Program Files\Symantec\SYMEVENT.SYS 118784 bytes (Symantec Corporation, Symantec Event Library)
0xF72A8000 snapman.sys 114688 bytes (Acronis, Acronis Snapshot API)
0xF728E000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF743F000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB2262000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7427000 C:\WINDOWS\System32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF73DE000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6F64000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB221D000 C:\WINDOWS\system32\DRIVERS\atintuxx.sys 86016 bytes (ATI Technologies Inc., ATI WDM TVTuner MiniDriver)
0xB1CB8000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB0AC2000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110417.004\naveng.sys 81920 bytes (Symantec Corporation, AV Engine)
0xF6F7B000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB277A000 C:\Program Files\Symantec AntiVirus\Savrtpel.sys 81920 bytes (Symantec Corporation, SAVRTPEL)
0xF70F3000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB224F000 C:\WINDOWS\system32\DRIVERS\atinxsxx.sys 77824 bytes (ATI Technologies Inc., ATI WDM TVAUDIO_CrossBar MiniDriver RT2)
0xB24C8000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF73F5000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF749C000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6EB3000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF6F54000 C:\WINDOWS\system32\DRIVERS\atinraxx.sys 65536 bytes (ATI Technologies Inc., ATI Rage Theater Audio WDM Minidriver)
0xF777C000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF77EC000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF77BC000 C:\WINDOWS\System32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF75EC000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF781C000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF772C000 C:\WINDOWS\System32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF780C000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF77FC000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB2035000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF76DC000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF762C000 viamraid.sys 61440 bytes (VIA Technologies inc,.ltd, VIA RAID DRIVER FOR WIN 2000/XP/2003IA32)
0xF75FC000 C:\WINDOWS\System32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF77AC000 C:\WINDOWS\System32\DRIVERS\AmdK8.sys 57344 bytes (Advanced Micro Devices, AMD Processor Driver)
0xF764C000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF782C000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF783C000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF779C000 C:\WINDOWS\system32\DRIVERS\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xF761C000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF767C000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF775C000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF77CC000 C:\WINDOWS\System32\DRIVERS\getnd5b.sys 45056 bytes (VIA Networking Technologies, Inc. , NDIS 5.0 miniport driver)
0xF77DC000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF760C000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF784C000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF75DC000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF76AC000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF769C000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF763C000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF768C000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF773C000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xAFFB6000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF771C000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7994000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF79BC000 C:\WINDOWS\system32\DRIVERS\tifsfilt.sys 32768 bytes (Acronis, Acronis True Image File System Filter)
0xF79B4000 C:\WINDOWS\system32\DRIVERS\atinmdxx.sys 28672 bytes (ATI Technologies Inc., ATI Specialized MVD VBI Codec RT2)
0xF79AC000 C:\WINDOWS\system32\DRIVERS\atinpdxx.sys 28672 bytes (ATI Technologies Inc., ATI Specialized PCD VBI Codec RT2)
0xF7914000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF785C000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF795C000 C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF786C000 viaagp1.sys 28672 bytes (VIA Technologies, Inc., VIA NT AGP Filter)
0xF7924000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF791C000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7954000 C:\WINDOWS\System32\DRIVERS\sccmusbm.sys 24576 bytes (OMNIKEY AG, PC/SC IFD handler for CardMan 2020)
0xF790C000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF7984000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7944000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF798C000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7864000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7934000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF793C000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF792C000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF799C000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7212000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB2121000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7232000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF71CE000 C:\WINDOWS\System32\DRIVERS\SMCLIB.SYS 16384 bytes (Microsoft Corporation, Smard Card Driver Library)
0xF71D2000 C:\WINDOWS\system32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
0xF79EC000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB253F000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF722E000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF6DA0000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF71EE000 C:\WINDOWS\System32\Drivers\vulfntr.sys 12288 bytes (VIA Technologies, Inc., VIA USB Roothub Lower Filter Driver)
0xF7B18000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7AE2000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7B30000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7B14000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7ADC000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7B26000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7B1E000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7B28000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7B02000 C:\WINDOWS\system32\DRIVERS\serscan.sys 8192 bytes (Microsoft Corporation, Serial Imaging Device Driver)
0xF7B04000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7B06000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7AE0000 viaidexp.sys 8192 bytes (VIA Technologies, Inc., VIA Generic PCI IDE Bus Driver)
0xF7ADE000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7C8B000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7D1D000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7C31000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================
0x03550000 Hidden Image-->Interop.SHDocVw.dll [ EPROCESS 0x83CC7DA0 ] PID: 1408, 151552 bytes
0x034C0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x83CC7DA0 ] PID: 1408, 307200 bytes

#10 B-boy/StyLe/

    Bleeping Freestyler

  • Malware Response Team
  • 6,379 posts
  • Gender:Male
  • Location:Bulgaria

Posted 21 April 2011 - 05:20 PM

Hi 93falcon,



Really sorry about the delay.



We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
    :OTL
    [2011/04/17 20:16:27 | 000,017,154 | -HS- | M] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\1ro18l3y70b46o6kj0v70
    [2011/04/17 20:16:27 | 000,017,154 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\1ro18l3y70b46o6kj0v70
    [2011/04/14 23:09:32 | 000,013,736 | -HS- | M] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\4074311493
    [2011/04/14 23:09:32 | 000,013,736 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\4074311493
    [2011/04/13 21:49:08 | 000,000,128 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~18472756r
    [2011/04/13 21:49:08 | 000,000,096 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~18472756
    [2011/04/13 21:34:44 | 000,000,328 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\18472756
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications"=dword:00000000
    "EnableFirewall"=dword:00000001
    :commands
    [reboot]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.



I want to be sure that nothing reappeared. Please perform the following scan:
  • Download DDS by sUBs from the link below. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



How are things now?



Regards,
Georgi

#11 93falcon
  • Topic Starter
  • Members
  • 7 posts

Posted 21 April 2011 - 09:00 PM

Georgi,

1. Ran OTL and that log follows:
========== OTL ==========
C:\Documents and Settings\Joe\Local Settings\Application Data\1ro18l3y70b46o6kj0v70 moved successfully.
C:\Documents and Settings\All Users\Application Data\1ro18l3y70b46o6kj0v70 moved successfully.
C:\Documents and Settings\Joe\Local Settings\Application Data\4074311493 moved successfully.
C:\Documents and Settings\All Users\Application Data\4074311493 moved successfully.
C:\Documents and Settings\All Users\Application Data\~18472756r moved successfully.
C:\Documents and Settings\All Users\Application Data\~18472756 moved successfully.
C:\Documents and Settings\All Users\Application Data\18472756 moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\"DisableMonitoring"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\\"DisableNotifications"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\\"EnableFirewall"|dword:00000001 /E : value set successfully!
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.22.3 log created on 04212011_204007

2. Ran DDS and forgot which one to copy/paste and which one to attach so I just attached both. Figured that would be cleaner.

3. Things seem to be running very smoothly now. I haven't had a re-direct or that word issue in the last couple of days.

Thanks for your help! I so appreciate it.

JDH

Attached Files
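As an added example (not part of this thread, of OTL, or of the helper's toolkit): a small Python checker that parses the OTL fix script from post #10 and the result log posted above, and reports any requested file move or registry value the log does not confirm. The registry part of that fix is the security-relevant bit, since it re-enables Security Center monitoring of the AV and turns the domain-profile firewall back on, so a defender wants positive confirmation of each value. Both inputs are copied verbatim from the two posts; the only assumption is OTL's log wording ("moved successfully." / "value set successfully!") as it appears there.

```python
import re

# Fix script exactly as posted in #10 (the :commands section only reboots and is not verified).
FIX_SCRIPT = r''':OTL
[2011/04/17 20:16:27 | 000,017,154 | -HS- | M] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\1ro18l3y70b46o6kj0v70
[2011/04/17 20:16:27 | 000,017,154 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\1ro18l3y70b46o6kj0v70
[2011/04/14 23:09:32 | 000,013,736 | -HS- | M] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\4074311493
[2011/04/14 23:09:32 | 000,013,736 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\4074311493
[2011/04/13 21:49:08 | 000,000,128 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~18472756r
[2011/04/13 21:49:08 | 000,000,096 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~18472756
[2011/04/13 21:34:44 | 000,000,328 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\18472756
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications"=dword:00000000
"EnableFirewall"=dword:00000001
:commands
[reboot]
'''

# OTL result log exactly as posted in #11.
RESULT_LOG = r'''========== OTL ==========
C:\Documents and Settings\Joe\Local Settings\Application Data\1ro18l3y70b46o6kj0v70 moved successfully.
C:\Documents and Settings\All Users\Application Data\1ro18l3y70b46o6kj0v70 moved successfully.
C:\Documents and Settings\Joe\Local Settings\Application Data\4074311493 moved successfully.
C:\Documents and Settings\All Users\Application Data\4074311493 moved successfully.
C:\Documents and Settings\All Users\Application Data\~18472756r moved successfully.
C:\Documents and Settings\All Users\Application Data\~18472756 moved successfully.
C:\Documents and Settings\All Users\Application Data\18472756 moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\"DisableMonitoring"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\\"DisableNotifications"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\\"EnableFirewall"|dword:00000001 /E : value set successfully!
========== COMMANDS ==========
'''

# An :OTL file line ends in " -- <path>"; a :reg value line is "Name"=data.
RE_OTL_FILE = re.compile(r' -- (.+)$')
RE_REG_VALUE = re.compile(r'^"([^"]+)"=(.+)$')
# Result log wording (assumed from the log above): "<path> moved successfully."
# and '<key>\\"<name>"|<data> /E : value set successfully!'
RE_MOVED = re.compile(r'^(.+) moved successfully\.$')
RE_REG_SET = re.compile(r'^(.+?)\\\\"([^"]+)"\|(\S+) /E : value set successfully!$')


def parse_fix_script(text):
    """Return (file_paths, reg_values) requested by an OTL fix script.

    reg_values is a list of (key, value_name, data) tuples.
    """
    section, key, files, regs = None, None, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(":"):          # section header such as :OTL / :reg / :commands
            section = line.lower()
            continue
        if section == ":otl":
            m = RE_OTL_FILE.search(line)
            if m:
                files.append(m.group(1))
        elif section == ":reg":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]           # "[HKEY_...]" opens a key block
            else:
                m = RE_REG_VALUE.match(line)
                if m and key:
                    regs.append((key, m.group(1), m.group(2)))
    return files, regs


def parse_result_log(text):
    """Return (moved_paths, set_values) that the OTL result log confirms."""
    moved, set_values = set(), set()
    for line in text.splitlines():
        line = line.strip()
        m = RE_MOVED.match(line)
        if m:
            moved.add(m.group(1))
            continue
        m = RE_REG_SET.match(line)
        if m:
            set_values.add((m.group(1), m.group(2), m.group(3)))
    return moved, set_values


def verify_fix(fix_script, result_log):
    """Return the requested items the result log does NOT confirm (empty lists mean all good)."""
    files, regs = parse_fix_script(fix_script)
    moved, set_values = parse_result_log(result_log)
    return {
        "files_not_moved": [f for f in files if f not in moved],
        "values_not_set": [r for r in regs if r not in set_values],
    }


if __name__ == "__main__":
    print(verify_fix(FIX_SCRIPT, RESULT_LOG))
```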



#12 B-boy/StyLe/

    Bleeping Freestyler

  • Malware Response Team
  • 6,379 posts
  • Gender:Male
  • Location:Bulgaria

Posted 22 April 2011 - 10:47 AM

Hi 93falcon,



Happy Easter!



All logs look good to me.


I am curious: are you still unable to run TDSSKiller, and if you are able to scan with it, can you tell me what the results of the scan are?





Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If a malicious object is detected, the default action will be Cure, click on Continue.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • Select Skip for sptd.sys.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



Then I will give you my final recommendations.



Regards,
Georgi

#13 93falcon
  • Topic Starter
  • Members
  • 7 posts

Posted 22 April 2011 - 12:18 PM

Georgi,

I was able to run TDSSKiller without any problems. It didn't show any malware and didn't require a reboot.

The report is:

2011/04/22 12:13:57.0384 3776 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/22 12:13:57.0853 3776 ================================================================================
2011/04/22 12:13:57.0853 3776 SystemInfo:
2011/04/22 12:13:57.0853 3776
2011/04/22 12:13:57.0853 3776 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/22 12:13:57.0853 3776 Product type: Workstation
2011/04/22 12:13:57.0853 3776 ComputerName: ANTEC-SONATA
2011/04/22 12:13:57.0868 3776 UserName: Joe
2011/04/22 12:13:57.0868 3776 Windows directory: C:\WINDOWS
2011/04/22 12:13:57.0868 3776 System windows directory: C:\WINDOWS
2011/04/22 12:13:57.0868 3776 Processor architecture: Intel x86
2011/04/22 12:13:57.0868 3776 Number of processors: 1
2011/04/22 12:13:57.0868 3776 Page size: 0x1000
2011/04/22 12:13:57.0868 3776 Boot type: Normal boot
2011/04/22 12:13:57.0868 3776 ================================================================================
2011/04/22 12:13:58.0525 3776 Initialize success
2011/04/22 12:14:03.0868 2344 ================================================================================
2011/04/22 12:14:03.0868 2344 Scan started
2011/04/22 12:14:03.0868 2344 Mode: Manual;
2011/04/22 12:14:03.0868 2344 ================================================================================
2011/04/22 12:14:31.0321 2344 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/22 12:14:31.0462 2344 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/22 12:14:31.0618 2344 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/22 12:14:31.0790 2344 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/22 12:14:32.0040 2344 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/22 12:14:32.0212 2344 snapman (b6aa9bbff890ffea333ffe81d0b888ff) C:\WINDOWS\system32\DRIVERS\snapman.sys
2011/04/22 12:14:32.0509 2344 SPBBCDrv (c30fa11923892a4dbd1c747db8492e8f) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2011/04/22 12:14:32.0665 2344 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/22 12:14:32.0821 2344 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/22 12:14:32.0978 2344 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/22 12:14:33.0212 2344 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/04/22 12:14:33.0384 2344 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/22 12:14:33.0525 2344 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/22 12:14:33.0665 2344 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/22 12:14:34.0025 2344 SymEvent (3feeb051c94f5005f56423619315273b) C:\Program Files\Symantec\SYMEVENT.SYS
2011/04/22 12:14:34.0196 2344 SYMREDRV (8d668fe83a439e2166b7defff995cddc) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2011/04/22 12:14:34.0353 2344 SYMTDI (b825e10cd61046672fef234820842c42) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2011/04/22 12:14:34.0743 2344 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/22 12:14:34.0931 2344 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/22 12:14:35.0134 2344 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/22 12:14:35.0290 2344 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/22 12:14:35.0446 2344 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/22 12:14:35.0603 2344 tifsfilter (b84b82c0cbeb1b0d7eb7a946bade5830) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
2011/04/22 12:14:35.0759 2344 timounter (74711884439bdf9ccf446c79cb05fac0) C:\WINDOWS\system32\DRIVERS\timntr.sys
2011/04/22 12:14:36.0134 2344 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/22 12:14:36.0400 2344 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/22 12:14:36.0587 2344 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/22 12:14:36.0743 2344 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/22 12:14:36.0915 2344 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/22 12:14:37.0071 2344 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/22 12:14:37.0212 2344 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/22 12:14:37.0368 2344 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/22 12:14:37.0540 2344 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/22 12:14:37.0696 2344 viaagp1 (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\system32\DRIVERS\viaagp1.sys
2011/04/22 12:14:37.0853 2344 ViaIde (a5d8b6c8d43786d4215c1df6fab0aae0) C:\WINDOWS\system32\DRIVERS\viaidexp.sys
2011/04/22 12:14:38.0056 2344 viamraid (0363e216e4eb5052969c96608934dbde) C:\WINDOWS\system32\DRIVERS\viamraid.sys
2011/04/22 12:14:38.0212 2344 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/22 12:14:38.0368 2344 vulfnths (c9a8ba443f809b70bccccd60cc73fa5c) C:\WINDOWS\System32\Drivers\vulfnth.sys
2011/04/22 12:14:38.0509 2344 vulfntrs (2d8c55889616f7767e9fb8adee37a02a) C:\WINDOWS\System32\Drivers\vulfntr.sys
2011/04/22 12:14:38.0712 2344 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/22 12:14:38.0978 2344 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/22 12:14:39.0228 2344 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/22 12:14:39.0400 2344 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/22 12:14:39.0571 2344 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/22 12:14:40.0040 2344 ================================================================================
2011/04/22 12:14:40.0040 2344 Scan finished
2011/04/22 12:14:40.0040 2344 ================================================================================
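The TDSSKiller log above is a plain driver inventory: one line per loaded driver with its service name, MD5 and on-disk path. A defender can diff two such logs to see whether a driver's hash or path changed between scans or whether a driver appeared from an unusual location. The script below is an added example written for this thread, not part of TDSSKiller or of the original posts. The baseline lines are copied from the log above; the "current scan" lines, the `svchelper` driver, the `Owner` profile path, the altered `Tcpip` hash and the list of expected directories are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# One TDSSKiller driver line: "<date> <time> <pid> <name> (<md5>) <path>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+"
    r"(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"
    r"(?P<path>.+?)\s*$"
)

# Constructed allowlist of directories where drivers are normally expected
# (assumption for this example; tune it to the machine being inspected).
EXPECTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\",
    "c:\\program files\\",
)

# Real lines taken from the TDSSKiller log posted in this thread.
BASELINE_LOG = r"""
2011/04/22 12:14:34.0931 2344 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/22 12:14:25.0150 2344 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/22 12:14:31.0040 2344 SAVRT (a00d5aa4748a1002590f08aa00fc660d) C:\Program Files\Symantec AntiVirus\savrt.sys
2011/04/22 12:14:40.0040 2344 ================================================================================
2011/04/22 12:14:40.0040 2344 Scan finished
"""

# Constructed "later scan": Tcpip's hash differs from the baseline and an
# extra driver loads from a Temp folder. Both values are made up for the example.
CURRENT_LOG = r"""
2011/04/23 09:00:01.0100 1880 Tcpip (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/23 09:00:01.0200 1880 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/23 09:00:01.0300 1880 SAVRT (a00d5aa4748a1002590f08aa00fc660d) C:\Program Files\Symantec AntiVirus\savrt.sys
2011/04/23 09:00:01.0400 1880 svchelper (ffffffffffffffffffffffffffffffff) C:\Documents and Settings\Owner\Local Settings\Temp\svchelper.sys
2011/04/23 09:00:02.0000 1880 Scan finished
"""


@dataclass(frozen=True)
class DriverEntry:
    timestamp: str
    pid: int
    name: str
    md5: str
    path: str


def parse_log(text: str) -> List[DriverEntry]:
    """Return the driver entries in a TDSSKiller log, skipping separators and status lines."""
    entries: List[DriverEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "=====" separators, "Scan finished", blank lines
        entries.append(DriverEntry(m["ts"], int(m["pid"]), m["name"], m["md5"].lower(), m["path"]))
    return entries


def unusual_path(entry: DriverEntry) -> bool:
    """True when the driver file sits outside the expected directories."""
    p = entry.path.lower()
    return not any(p.startswith(prefix) for prefix in EXPECTED_DIR_PREFIXES)


def compare_scans(baseline: List[DriverEntry], current: List[DriverEntry]) -> Dict[str, List[str]]:
    """Diff a current inventory against a known-good one.

    hash_changed: same service name, but the MD5 or path differs from the baseline
    new_driver:   service name not present in the baseline at all
    unusual_path: driver loaded from outside EXPECTED_DIR_PREFIXES
    """
    base = {e.name.lower(): e for e in baseline}
    findings: Dict[str, List[str]] = {"hash_changed": [], "new_driver": [], "unusual_path": []}
    for e in current:
        prev = base.get(e.name.lower())
        if prev is None:
            findings["new_driver"].append(e.name)
        elif prev.md5 != e.md5 or prev.path.lower() != e.path.lower():
            findings["hash_changed"].append(e.name)
        if unusual_path(e):
            findings["unusual_path"].append(e.name)
    return findings


if __name__ == "__main__":
    report = compare_scans(parse_log(BASELINE_LOG), parse_log(CURRENT_LOG))
    for category, names in report.items():
        print(f"{category}: {', '.join(names) if names else '-'}")
```

A changed hash on a core driver such as tcpip.sys, or a driver loading from a user's Temp folder, is not proof of infection on its own (a Windows Update can legitimately change a driver's hash), but each is exactly the kind of line a helper would ask to look at more closely, which is why the comparison reports the three categories separately instead of a single verdict.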

#14 B-boy/StyLe/

B-boy/StyLe/

    Bleeping Freestyler


  • Malware Response Team
  • 6,379 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:13 AM

Posted 22 April 2011 - 12:44 PM

Hi 93falcon,



Nicely done ! :)



I have some final words for you.



All Clean :thumbsup:



Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean :)



STEP 1 UPDATING TASKS





Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader X to your PC's desktop.

* Uninstall Adobe Reader 9.4.0 via Start => Control Panel > Add/Remove Programs
* Install the new downloaded updated software.


Note: The McAfee Security Scan is prechecked. You may wish to uncheck it before downloading.

Adobe released a new update a few days ago. Please download and install it over it. Click here => Adobe Reader 10.0.3 Update to download the file.



Note: Adobe Reader X is a large program and if you prefer a smaller program you can get Foxit Reader 4.x instead.

Foxit Reader 4.x offers 5 levels of security. Click Me for more information.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.





Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java SE Runtime Environment 6u24 and save it to your desktop.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 20


  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.





STEP 2 CLEANUP





1. Uninstall Combofix



  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
  • ComboFix /Uninstall



2. To remove all of the tools we used and the files and folders they created, please do the following:



Please reopen OTL on your desktop.

In the upper right click CleanUp


This will delete OTL and will clean up after it.


Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


You can now uninstall ESET Online Scanner v3 and ERUNT 1.1j if they are still present.





Keep your antivirus software turned on and up-to-date


  • Make sure your antivirus software is turned on and up-to-date.
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note:
  • You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.





Visit Microsoft's Windows Update Site Frequently



It is important that you visit windowsupdate.microsoft.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.

Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.

You can check these by visiting Secunia Software Inspector and Calendar of Updates.





Practice Safe Internet



One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:


  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.

  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.

  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know who is infected with malware that is trying to infect everyone in their address book.

  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:

    Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites

  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.

  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.

  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.

  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.

  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing it, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee SiteAdvisor to look up info on the site.

  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.





Use a Firewall



I noticed that you use Windows XP.

The Windows Firewall in Windows XP provides one-way network protection only.

It blocks incoming traffic as configured, but it will not block any outgoing traffic.

That's why I recommend that you install a 3rd party firewall like PC Tools Firewall (only if you don't use a router).

It's very light and simple to use.

Simply using it in its default configuration can increase the security of your system greatly.

For more information => please take a look here => http://www.pctools.com/firewall/





Don't use pirated software !!!



Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications.

Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems.

So my advice is - stay away from them!





Create an image of your system



It is always a good idea to do a backup of all important files just in case something happens to it.

Macrium Reflect is a very good choice that enables you to create an image of your system drive which can be restored in case of problems.

The download link is here => http://www.macrium.com/reflectfree.asp

The tutorials can be found here => http://www.macrium.com/tutorial.asp

Be sure to read the tutorial first. :thumbup2:



Follow this list and your potential for being infected again will reduce dramatically.





STEP 3 IMPROVE YOUR PC PERFORMANCE





Use Disk Cleanup to delete files you no longer need and reclaim storage space on your computer.



Open Disk Cleanup by clicking the Start button, clicking All Programs, clicking Accessories, clicking System Tools, and then clicking Disk Cleanup.

If the Disk Cleanup: Drive Selection dialog box appears, select the hard disk drive that you want to clean up, and then click OK.

Click the Disk Cleanup tab, and then select the check boxes for the files you want to delete.

When you finish selecting the files you want to delete, click OK, and then click Delete files to confirm the operation. Disk Cleanup proceeds to remove all unnecessary files from your computer.





Use CHKDSK to determine the condition of your hard disk to see if a volume is dirty.


  • Double-click My Computer, and then right-click the hard disk that you want to check.
  • Click Properties, and then click Tools.
  • Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
  • Use one of the following procedures:

    - To repair errors without scanning the volume for bad sectors, select the Automatically fix file system errors check box, and then click Start.
    - To repair errors, locate bad sectors, and recover readable information, select the Scan for and attempt recovery of bad sectors check box, and then click Start.


  • Note: If one or more of the files on the hard disk are open, you will receive the following message:
    - The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
    Click Yes to schedule the disk check, and then restart your computer to start the disk check.





You can use Disk Defragmenter to rearrange files and unused space on your hard disk so that programs run faster



Please Open Disk Defragmenter by clicking the Start button, clicking All Programs, clicking Accessories, clicking System Tools, and then clicking Disk Defragmenter

Select the drive you want to Defragment (the drive where Windows is installed).

Click Defragment Now.





Use MSConfig to disable any processes that you do not want running in the background of the computer.



Please type msconfig in the start menu, then hit enter.

Go to the startup tab and then uncheck any programs that you don't need to load with Windows.

Click the "Apply" button and click "OK" to close the MSCONFIG window.

Restart your computer to save the changes you made to the Startup.

You might have a popup window when you log on. This is typical. Just click ok. You can also make the popup window not come up anymore by checking the box there.

The programs you removed will no longer automatically launch once Windows starts up.



Safe Surfing ! :wink:



Regards,
Georgi
My help is always free of charge. If you appreciate my work, you can buy me a beer or two by clicking here.

#15 B-boy/StyLe/

B-boy/StyLe/

    Bleeping Freestyler


  • Malware Response Team
  • 6,379 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:13 AM

Posted 27 April 2011 - 05:10 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



Regards,
Georgi
My help is always free of charge. If you appreciate my work, you can buy me a beer or two by clicking here.



