Site redirect, random popups, random site shutdown

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Page 1 of 1

You cannot start a new topic
This topic is locked

Site redirect, random popups, random site shutdown Need help to fix.......!

#1 67mike

New Member

Group: Members
Posts: 9
Joined: 02-December 05

Posted 13 July 2011 - 05:02 AM

I am haveing problems with websites being redirected, random sites popping up at all times, sites just shutting down, and no sound on my youtube videos.

I have ran Norton, Malmarebytes, and Spybot with no success.

I accidently ran Combofix and then uninstalled it.

Please help.
THANK YOU!!!!!!!

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Crystal at 4:06:45 on 2011-07-13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.153 [GMT -5:00]
.
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWindow Title = Amherst Telephone Company
uInternet Settings,ProxyOverride = localhost
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D9EEBB65-9B9D-4290-BCD7-FCEF7F259134} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxsrvc.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-7-7 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-7-7 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110701.001\BHDrvx86.sys [2011-7-1 810616]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-7-7 136312]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-7-7 130008]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-7 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110706.051\IDSXpx86.sys [2011-7-7 355256]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 EraserUtilDrv10733;EraserUtilDrv10733; [x]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110706.035\naveng.sys [2011-7-7 86008]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110706.035\navex15.sys [2011-7-7 1542392]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-07-13 08:06:00 7074640 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{67107aa1-272b-4de6-b3fa-db3f9dab5f84}\mpengine.dll
2011-07-12 17:55:07 -------- d-s---w- C:\ComboFix
2011-07-12 11:05:04 -------- d-sha-r- C:\cmdcons
2011-07-12 10:50:46 98816 ----a-w- c:\windows\sed.exe
2011-07-12 10:50:46 518144 ----a-w- c:\windows\SWREG.exe
2011-07-12 10:50:46 256000 ----a-w- c:\windows\PEV.exe
2011-07-12 10:50:46 208896 ----a-w- c:\windows\MBR.exe
2011-07-11 08:39:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-11 04:57:50 388096 ----a-r- c:\documents and settings\crystal\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-11 04:57:49 -------- d-----w- c:\program files\Trend Micro
2011-07-11 04:25:15 1409 ----a-w- c:\windows\QTFont.for
2011-07-07 09:02:54 369784 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symtdi.sys
2011-07-07 09:02:54 331384 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symtdiv.sys
2011-07-07 09:02:54 296568 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symnets.sys
2011-07-07 09:02:53 744568 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symefa.sys
2011-07-07 09:02:53 516216 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtsp.sys
2011-07-07 09:02:53 50168 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtspx.sys
2011-07-07 09:02:53 340088 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symds.sys
2011-07-07 09:02:52 136312 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys
2011-07-07 09:02:17 -------- d-----w- c:\windows\system32\drivers\nis\1206000.01D
2011-07-07 08:42:50 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-07-07 08:42:50 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-07-07 08:42:47 -------- d-----w- c:\program files\Symantec
2011-07-07 08:42:47 -------- d-----w- c:\program files\common files\Symantec Shared
2011-07-07 08:41:35 -------- d-----w- c:\windows\system32\drivers\NIS
2011-07-07 08:41:29 -------- d-----w- c:\program files\Norton Internet Security
2011-07-07 08:41:27 -------- d-----w- c:\documents and settings\all users\application data\Norton
2011-07-07 08:40:30 -------- d-----w- c:\program files\NortonInstaller
2011-07-07 08:40:30 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
.
==================== Find3M ====================
.
2011-05-30 05:26:43 0 ----a-w- c:\windows\Xhebuteboyobub.bin
2011-05-29 14:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-25 00:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 4:14:15.78 ===============

Attached File(s)

attach.txt (12.5K)
Number of downloads: 1
ark.txt (195.54K)
Number of downloads: 1

#2 fireman4it

Bleepin' Fireman

Group: Malware Response Team
Posts: 8,316
Joined: 24-May 08
Gender:Male
Location:Bement, ILL

Posted 13 July 2011 - 08:55 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

If you have since resolved the original problem you were having, we would appreciate you letting us know.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
- If you are unsure about any of these characteristics just post what you can and we will guide you.
Please tell us if you have your original Windows CD/DVD available.
If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step. Then proceed to run aswMbr.exe as noted below.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

Note:
If you are unable to run a Gmer scan due the fact you are running a 64bit machine please run the following tool and post its log.

Please download aswMBR ( 511KB ) to your desktop.

Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Thanks and again sorry for the delay.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

Posted Image

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click

#3 67mike

New Member

Group: Members
Posts: 9
Joined: 02-December 05

Posted 13 July 2011 - 05:05 PM

DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Crystal at 4:06:45 on 2011-07-13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.153 [GMT -5:00]
.
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWindow Title = Amherst Telephone Company
uInternet Settings,ProxyOverride = localhost
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D9EEBB65-9B9D-4290-BCD7-FCEF7F259134} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxsrvc.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-7-7 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-7-7 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110701.001\BHDrvx86.sys [2011-7-1 810616]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-7-7 136312]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-7-7 130008]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-7 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110706.051\IDSXpx86.sys [2011-7-7 355256]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 EraserUtilDrv10733;EraserUtilDrv10733; [x]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110706.035\naveng.sys [2011-7-7 86008]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110706.035\navex15.sys [2011-7-7 1542392]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-07-13 08:06:00 7074640 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{67107aa1-272b-4de6-b3fa-db3f9dab5f84}\mpengine.dll
2011-07-12 17:55:07 -------- d-s---w- C:\ComboFix
2011-07-12 11:05:04 -------- d-sha-r- C:\cmdcons
2011-07-12 10:50:46 98816 ----a-w- c:\windows\sed.exe
2011-07-12 10:50:46 518144 ----a-w- c:\windows\SWREG.exe
2011-07-12 10:50:46 256000 ----a-w- c:\windows\PEV.exe
2011-07-12 10:50:46 208896 ----a-w- c:\windows\MBR.exe
2011-07-11 08:39:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-11 04:57:50 388096 ----a-r- c:\documents and settings\crystal\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-11 04:57:49 -------- d-----w- c:\program files\Trend Micro
2011-07-11 04:25:15 1409 ----a-w- c:\windows\QTFont.for
2011-07-07 09:02:54 369784 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symtdi.sys
2011-07-07 09:02:54 331384 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symtdiv.sys
2011-07-07 09:02:54 296568 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symnets.sys
2011-07-07 09:02:53 744568 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symefa.sys
2011-07-07 09:02:53 516216 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtsp.sys
2011-07-07 09:02:53 50168 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtspx.sys
2011-07-07 09:02:53 340088 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symds.sys
2011-07-07 09:02:52 136312 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys
2011-07-07 09:02:17 -------- d-----w- c:\windows\system32\drivers\nis\1206000.01D
2011-07-07 08:42:50 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-07-07 08:42:50 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-07-07 08:42:47 -------- d-----w- c:\program files\Symantec
2011-07-07 08:42:47 -------- d-----w- c:\program files\common files\Symantec Shared
2011-07-07 08:41:35 -------- d-----w- c:\windows\system32\drivers\NIS
2011-07-07 08:41:29 -------- d-----w- c:\program files\Norton Internet Security
2011-07-07 08:41:27 -------- d-----w- c:\documents and settings\all users\application data\Norton
2011-07-07 08:40:30 -------- d-----w- c:\program files\NortonInstaller
2011-07-07 08:40:30 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
.
==================== Find3M ====================
.
2011-05-30 05:26:43 0 ----a-w- c:\windows\Xhebuteboyobub.bin
2011-05-29 14:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-25 00:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 4:14:15.78 ===============

Attached File(s)

attach.txt (12.5K)
Number of downloads: 1
ark.txt (195.54K)
Number of downloads: 1

#4 fireman4it

Bleepin' Fireman

Group: Malware Response Team
Posts: 8,316
Joined: 24-May 08
Gender:Male
Location:Bement, ILL

Posted 13 July 2011 - 05:28 PM

Hello,

1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.6.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it.
To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
Click the Start Scan button.
Do not use the computer during the scan
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.5.6.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
Close any open windows, including this one.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If you did not have it installed, you will see the prompt below. Choose YES.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Things to include in your next reply::
TDSSKILLER log
COmbofix.txt
Can you burn cds and have a USB Flash Drive you can use?
How is your machine running now?

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click

#5 67mike

New Member

Group: Members
Posts: 9
Joined: 02-December 05

Posted 13 July 2011 - 10:52 PM

Well hello again,

My computer appears to be running much better now after running the TDSS Rootkill removal Tool and Combofix as you recommended. I only tried for a short while, but there are no redirect problems, and there is now sound again viewing Youtube videos.
I would like to say the problem is gne, but I am not 100% sure yet.

Yes I can burn CDs.

Yes I have a USB Flashdrive.

2011/07/13 21:15:21.0468 2828 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/13 21:15:22.0140 2828 ================================================================================
2011/07/13 21:15:22.0140 2828 SystemInfo:
2011/07/13 21:15:22.0140 2828
2011/07/13 21:15:22.0140 2828 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/13 21:15:22.0140 2828 Product type: Workstation
2011/07/13 21:15:22.0140 2828 ComputerName: DG3CMP41
2011/07/13 21:15:22.0140 2828 UserName: Crystal
2011/07/13 21:15:22.0140 2828 Windows directory: C:\WINDOWS
2011/07/13 21:15:22.0140 2828 System windows directory: C:\WINDOWS
2011/07/13 21:15:22.0140 2828 Processor architecture: Intel x86
2011/07/13 21:15:22.0140 2828 Number of processors: 1
2011/07/13 21:15:22.0140 2828 Page size: 0x1000
2011/07/13 21:15:22.0140 2828 Boot type: Normal boot
2011/07/13 21:15:22.0140 2828 ================================================================================
2011/07/13 21:15:24.0515 2828 Initialize success
2011/07/13 21:15:33.0843 2868 ================================================================================
2011/07/13 21:15:33.0843 2868 Scan started
2011/07/13 21:15:33.0843 2868 Mode: Manual;
2011/07/13 21:15:33.0843 2868 ================================================================================
2011/07/13 21:15:34.0703 2868 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS
2011/07/13 21:15:34.0890 2868 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/13 21:15:35.0031 2868 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/13 21:15:35.0203 2868 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys
2011/07/13 21:15:35.0375 2868 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/07/13 21:15:35.0562 2868 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/13 21:15:35.0750 2868 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/07/13 21:15:35.0953 2868 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\System32\DRIVERS\agp440.sys
2011/07/13 21:15:36.0109 2868 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys
2011/07/13 21:15:36.0265 2868 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys
2011/07/13 21:15:36.0421 2868 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys
2011/07/13 21:15:36.0593 2868 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys
2011/07/13 21:15:36.0750 2868 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys
2011/07/13 21:15:36.0953 2868 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys
2011/07/13 21:15:37.0109 2868 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys
2011/07/13 21:15:37.0250 2868 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys
2011/07/13 21:15:37.0406 2868 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys
2011/07/13 21:15:37.0546 2868 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys
2011/07/13 21:15:37.0671 2868 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys
2011/07/13 21:15:37.0953 2868 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/13 21:15:38.0109 2868 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/13 21:15:38.0375 2868 ati2mtag (8759322ffc1a50569c1e5528ee8026b7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/07/13 21:15:38.0578 2868 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/13 21:15:39.0125 2868 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/13 21:15:39.0515 2868 bcm4sbxp (068523d2cd260069b19ad68adea0d739) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2011/07/13 21:15:39.0937 2868 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/13 21:15:40.0671 2868 BHDrvx86 (ad73b4cd214de82d003fdadbaeab6410) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110701.001\BHDrvx86.sys
2011/07/13 21:15:41.0593 2868 btaudio (4b43dfe1c1fbb305a1dc5504ef9bb34e) C:\WINDOWS\system32\drivers\btaudio.sys
2011/07/13 21:15:42.0109 2868 BTDriver (2f9f111d31aa3fbbe5781d829a4524e6) C:\WINDOWS\system32\DRIVERS\btport.sys
2011/07/13 21:15:42.0390 2868 BTKRNL (b4355289cb2ebcc91ae995f916d271b7) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2011/07/13 21:15:42.0671 2868 BTWDNDIS (485020a1e1fc5c51a800ca69c618d881) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2011/07/13 21:15:42.0812 2868 btwhid (949eca9c56f657c06d3166d51f3226c7) C:\WINDOWS\system32\DRIVERS\btwhid.sys
2011/07/13 21:15:43.0015 2868 btwmodem (5922bae0cd84924b9cd7e6bb515ee070) C:\WINDOWS\system32\DRIVERS\btwmodem.sys
2011/07/13 21:15:43.0187 2868 BTWUSB (fac7e5965162c70d184dfe92b4bcbd1b) C:\WINDOWS\system32\Drivers\btwusb.sys
2011/07/13 21:15:43.0437 2868 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys
2011/07/13 21:15:43.0609 2868 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/13 21:15:43.0750 2868 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys
2011/07/13 21:15:43.0937 2868 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/13 21:15:44.0093 2868 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/13 21:15:44.0281 2868 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/13 21:15:44.0562 2868 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys
2011/07/13 21:15:44.0765 2868 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys
2011/07/13 21:15:44.0968 2868 ctac32k (4b6096745f72b4fd36514617e2ea5d37) C:\WINDOWS\system32\drivers\ctac32k.sys
2011/07/13 21:15:45.0171 2868 ctaud2k (3576ec792347ed15699f6d830e0f5437) C:\WINDOWS\system32\drivers\ctaud2k.sys
2011/07/13 21:15:45.0390 2868 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
2011/07/13 21:15:45.0578 2868 ctprxy2k (097d42574e3c6d98cd5a2ee7647fa6bf) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2011/07/13 21:15:45.0750 2868 ctsfm2k (c58a2507ef62b20b9bd670c666088b50) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2011/07/13 21:15:45.0937 2868 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys
2011/07/13 21:15:46.0078 2868 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys
2011/07/13 21:15:46.0281 2868 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/13 21:15:46.0515 2868 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/13 21:15:46.0765 2868 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/13 21:15:46.0953 2868 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/13 21:15:47.0156 2868 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/13 21:15:47.0359 2868 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys
2011/07/13 21:15:47.0546 2868 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/13 21:15:47.0781 2868 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
2011/07/13 21:15:47.0968 2868 dwusbdnt (732ab6d2fc7f2afebc4a9d2750655b7f) C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys
2011/07/13 21:15:48.0109 2868 eeCtrl (5461f01b7def17dc90d90b029f874c3b) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/07/13 21:15:48.0281 2868 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
2011/07/13 21:15:48.0453 2868 emu10k (01f83e1b5dce05f5cb7d99113ca9e890) C:\WINDOWS\system32\drivers\emu10k1m.sys
2011/07/13 21:15:48.0625 2868 emu10k1 (7ffa171cce6a8bfc774862a578ba39a2) C:\WINDOWS\system32\drivers\ctlfacem.sys
2011/07/13 21:15:48.0796 2868 emupia (a9d94b89372f3f9609a1a5eec631a260) C:\WINDOWS\system32\drivers\emupia2k.sys
2011/07/13 21:15:49.0109 2868 EraserUtilRebootDrv (17fcc372d03ba39f3aee85198c0ec594) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/07/13 21:15:49.0296 2868 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/13 21:15:49.0468 2868 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/07/13 21:15:49.0640 2868 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/13 21:15:49.0796 2868 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/07/13 21:15:49.0984 2868 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/07/13 21:15:50.0171 2868 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/13 21:15:50.0343 2868 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/13 21:15:50.0531 2868 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/07/13 21:15:50.0703 2868 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/13 21:15:50.0937 2868 ha10kx2k (dc9847cdc43665ed4cc780947516209c) C:\WINDOWS\system32\drivers\ha10kx2k.sys
2011/07/13 21:15:51.0171 2868 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/13 21:15:51.0312 2868 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys
2011/07/13 21:15:51.0484 2868 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/07/13 21:15:51.0671 2868 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/07/13 21:15:51.0843 2868 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/07/13 21:15:52.0031 2868 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/13 21:15:52.0203 2868 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/07/13 21:15:52.0343 2868 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys
2011/07/13 21:15:52.0500 2868 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/13 21:15:52.0687 2868 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2011/07/13 21:15:52.0843 2868 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2011/07/13 21:15:53.0031 2868 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2011/07/13 21:15:53.0171 2868 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2011/07/13 21:15:53.0328 2868 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2011/07/13 21:15:53.0468 2868 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2011/07/13 21:15:53.0625 2868 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2011/07/13 21:15:53.0781 2868 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2011/07/13 21:15:54.0062 2868 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2011/07/13 21:15:54.0234 2868 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2011/07/13 21:15:54.0406 2868 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/07/13 21:15:54.0734 2868 IDSxpx86 (b9ba869eb7b66c5740e904a79f9245b4) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110706.051\IDSxpx86.sys
2011/07/13 21:15:54.0953 2868 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/13 21:15:55.0125 2868 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys
2011/07/13 21:15:55.0328 2868 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/07/13 21:15:55.0562 2868 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/07/13 21:15:55.0765 2868 IntelC53 (de2686c0e012e6ae24acd6e79eb7ff5d) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/07/13 21:15:55.0968 2868 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys
2011/07/13 21:15:56.0125 2868 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/13 21:15:56.0296 2868 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/07/13 21:15:56.0468 2868 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/13 21:15:56.0640 2868 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/13 21:15:56.0812 2868 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/13 21:15:57.0000 2868 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/13 21:15:57.0156 2868 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/13 21:15:57.0343 2868 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/13 21:15:57.0531 2868 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/13 21:15:57.0718 2868 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/13 21:15:57.0875 2868 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/13 21:15:58.0171 2868 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/13 21:15:58.0328 2868 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/13 21:15:58.0484 2868 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/07/13 21:15:58.0640 2868 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2011/07/13 21:15:58.0796 2868 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/13 21:15:58.0937 2868 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/13 21:15:59.0078 2868 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/13 21:15:59.0218 2868 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys
2011/07/13 21:15:59.0375 2868 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/13 21:15:59.0578 2868 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/13 21:15:59.0812 2868 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/13 21:16:00.0015 2868 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/13 21:16:00.0156 2868 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/13 21:16:00.0296 2868 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/13 21:16:00.0453 2868 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/13 21:16:00.0625 2868 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/13 21:16:00.0765 2868 MxlW2k (e91fc8b52d21e38317dc61a3c7ccfa4b) C:\WINDOWS\system32\drivers\MxlW2k.sys
2011/07/13 21:16:01.0046 2868 NAVENG (920d9701bba90dbb7ccfd3536ea4d6f9) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110706.035\NAVENG.SYS
2011/07/13 21:16:01.0500 2868 NAVEX15 (31b1a9b53c3319b97f7874347cd992d2) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110706.035\NAVEX15.SYS
2011/07/13 21:16:01.0703 2868 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/13 21:16:01.0859 2868 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/13 21:16:02.0000 2868 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/13 21:16:02.0140 2868 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/13 21:16:02.0312 2868 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/13 21:16:02.0453 2868 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/13 21:16:02.0609 2868 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/13 21:16:02.0921 2868 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/13 21:16:03.0125 2868 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/13 21:16:03.0328 2868 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/13 21:16:03.0531 2868 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/07/13 21:16:03.0750 2868 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/13 21:16:03.0937 2868 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/13 21:16:04.0062 2868 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
2011/07/13 21:16:04.0218 2868 ossrv (f29184bdc81c398b6027a67ff6a19895) C:\WINDOWS\system32\drivers\ctoss2k.sys
2011/07/13 21:16:04.0375 2868 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/07/13 21:16:04.0500 2868 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/07/13 21:16:04.0656 2868 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/13 21:16:04.0796 2868 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/13 21:16:04.0953 2868 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/13 21:16:05.0187 2868 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/13 21:16:05.0312 2868 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/13 21:16:05.0859 2868 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys
2011/07/13 21:16:06.0000 2868 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys
2011/07/13 21:16:06.0187 2868 PfModNT (2f5532f9b0f903b26847da674b4f55b2) C:\WINDOWS\system32\PfModNT.sys
2011/07/13 21:16:06.0546 2868 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/13 21:16:06.0734 2868 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/07/13 21:16:06.0875 2868 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/13 21:16:07.0015 2868 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/13 21:16:07.0171 2868 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2011/07/13 21:16:07.0296 2868 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys
2011/07/13 21:16:07.0437 2868 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys
2011/07/13 21:16:07.0562 2868 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys
2011/07/13 21:16:07.0703 2868 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys
2011/07/13 21:16:07.0843 2868 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys
2011/07/13 21:16:07.0968 2868 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/13 21:16:08.0171 2868 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/13 21:16:08.0328 2868 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/13 21:16:08.0484 2868 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/13 21:16:08.0625 2868 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/13 21:16:08.0750 2868 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/13 21:16:08.0906 2868 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/13 21:16:09.0062 2868 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/13 21:16:09.0203 2868 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/13 21:16:09.0406 2868 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/07/13 21:16:09.0656 2868 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/13 21:16:09.0828 2868 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/13 21:16:09.0968 2868 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/13 21:16:10.0171 2868 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/13 21:16:10.0328 2868 sfman (0b1a5e9cacb5cdd54a2815107bd7c772) C:\WINDOWS\system32\drivers\sfmanm.sys
2011/07/13 21:16:10.0593 2868 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys
2011/07/13 21:16:10.0765 2868 smwdm (99a9e1ef62f955c82a5001ac94b4b77b) C:\WINDOWS\system32\drivers\smwdm.sys
2011/07/13 21:16:10.0937 2868 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys
2011/07/13 21:16:11.0078 2868 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/13 21:16:11.0234 2868 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/13 21:16:11.0453 2868 SRTSP (83726cf02eced69138948083e06b6eac) C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SRTSP.SYS
2011/07/13 21:16:11.0703 2868 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\WINDOWS\system32\drivers\NIS\1206000.01D\SRTSPX.SYS
2011/07/13 21:16:11.0875 2868 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/13 21:16:12.0078 2868 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/13 21:16:12.0234 2868 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/13 21:16:12.0390 2868 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys
2011/07/13 21:16:12.0515 2868 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys
2011/07/13 21:16:12.0750 2868 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMDS.SYS
2011/07/13 21:16:13.0062 2868 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMEFA.SYS
2011/07/13 21:16:13.0250 2868 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/07/13 21:16:13.0484 2868 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\NIS\1206000.01D\Ironx86.SYS
2011/07/13 21:16:13.0656 2868 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\System32\drivers\symlcbrd.sys
2011/07/13 21:16:13.0890 2868 SYMTDI (dec35ccaf7a222df918306cd2fdfbd39) C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SYMTDI.SYS
2011/07/13 21:16:14.0031 2868 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys
2011/07/13 21:16:14.0156 2868 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys
2011/07/13 21:16:14.0312 2868 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/13 21:16:14.0500 2868 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/13 21:16:14.0671 2868 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/13 21:16:14.0828 2868 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/13 21:16:14.0984 2868 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/13 21:16:15.0156 2868 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys
2011/07/13 21:16:15.0343 2868 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/13 21:16:15.0500 2868 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys
2011/07/13 21:16:15.0656 2868 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/13 21:16:15.0875 2868 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/13 21:16:16.0031 2868 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/13 21:16:16.0203 2868 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/13 21:16:16.0359 2868 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/07/13 21:16:16.0531 2868 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/07/13 21:16:16.0734 2868 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/13 21:16:16.0890 2868 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/13 21:16:17.0031 2868 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/13 21:16:17.0171 2868 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys
2011/07/13 21:16:17.0312 2868 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys
2011/07/13 21:16:17.0468 2868 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/13 21:16:17.0656 2868 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/13 21:16:18.0000 2868 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/13 21:16:18.0328 2868 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/13 21:16:18.0484 2868 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/13 21:16:18.0687 2868 {6080A529-897E-4629-A488-ABA0C29B635E} (fd1f4e9cf06c71c8d73a24acf18d8296) C:\WINDOWS\system32\drivers\ialmsbw.sys
2011/07/13 21:16:18.0828 2868 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d4d7331d33d1fa73e588e5ce0d90a4c1) C:\WINDOWS\system32\drivers\ialmkchw.sys
2011/07/13 21:16:18.0875 2868 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
2011/07/13 21:16:18.0890 2868 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
2011/07/13 21:16:18.0937 2868 Boot (0x1200) (f955baeca6c83cd53e40b8a569c9324d) \Device\Harddisk0\DR0\Partition0
2011/07/13 21:16:18.0953 2868 ================================================================================
2011/07/13 21:16:18.0953 2868 Scan finished
2011/07/13 21:16:18.0953 2868 ================================================================================
2011/07/13 21:16:18.0984 2860 Detected object count: 1
2011/07/13 21:16:18.0984 2860 Actual detected object count: 1
2011/07/13 21:16:56.0921 2860 \Device\Harddisk0\DR0 (Rootkit.Boot.SST.a) - will be cured after reboot
2011/07/13 21:16:56.0921 2860 \Device\Harddisk0\DR0 - ok
2011/07/13 21:16:56.0921 2860 Rootkit.Boot.SST.a(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/13 21:17:12.0828 2808 Deinitialize success

ComboFix 11-07-13.04 - Crystal 07/13/2011 21:42:08.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.171 [GMT -5:00]
Running from: c:\documents and settings\Crystal\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-14 to 2011-07-14 )))))))))))))))))))))))))))))))
.
.
2011-07-11 08:39 . 2011-07-11 08:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-11 04:57 . 2011-07-11 04:57 388096 ----a-r- c:\documents and settings\Crystal\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-11 04:57 . 2011-07-11 04:57 -------- d-----w- c:\program files\Trend Micro
2011-07-11 04:25 . 2011-07-11 04:25 1409 ----a-w- c:\windows\QTFont.for
2011-07-07 08:42 . 2011-07-07 09:03 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-07-07 08:42 . 2011-07-07 09:03 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-07-07 08:42 . 2011-07-07 09:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-07-07 08:42 . 2011-07-07 09:03 -------- d-----w- c:\program files\Symantec
2011-07-07 08:41 . 2011-07-07 09:10 -------- d-----w- c:\windows\system32\drivers\NIS
2011-07-07 08:41 . 2011-07-07 08:41 -------- d-----w- c:\program files\Norton Internet Security
2011-07-07 08:41 . 2011-07-07 08:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-07-07 08:40 . 2011-07-07 08:40 -------- d-----w- c:\program files\NortonInstaller
2011-07-06 08:24 . 2011-07-06 08:24 -------- d-----w- c:\documents and settings\Administrator.DG3CMP41
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-07 15:55 . 2007-12-19 20:43 7074640 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-05-29 14:11 . 2011-05-30 10:29 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-25 00:14 . 2009-10-02 18:21 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 24576]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-04-14 77824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2011-02-23 202256]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2011-02-26 557056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-30 604776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 16:09 460784 -c--a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2003-06-18 17:00 200704 -c--a-w- c:\program files\Microsoft Money\System\MNYEXPR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 00:47 204800 -c----w- c:\program files\Dell\Media Experience\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-04-14 03:36 77824 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-04 00:20 866584 -c--a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\NIS\1206000.01D\symds.sys [7/7/2011 4:02 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NIS\1206000.01D\symefa.sys [7/7/2011 4:02 AM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110701.001\BHDrvx86.sys [7/1/2011 12:11 AM 810616]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\NIS\1206000.01D\ironx86.sys [7/7/2011 4:02 AM 136312]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [7/7/2011 4:02 AM 130008]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/7/2011 4:01 AM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110706.051\IDSXpx86.sys [7/7/2011 4:04 AM 355256]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 EraserUtilDrv10733;EraserUtilDrv10733; [x]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
2011-07-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2811425543-3714653698-1795195549-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]
.
2011-07-14 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2811425543-3714653698-1795195549-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title = Amherst Telephone Company
uInternet Settings,ProxyOverride = localhost
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-13 21:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Local AppWizard-Generated Applications\MMDiag]
@DACL=(02 0000)
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\Desktop\Old WorkAreas]
@DACL=(02 0000)
@SACL=
"NoOfOldWorkAreas"=dword:00000001
"OldWorkAreaRects"=hex:00,00,00,00,00,00,00,00,00,04,00,00,e2,02,00,00
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\Desktop\SafeMode]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\Desktop\Scheme]
@DACL=(02 0000)
@SACL=
"Edit"=""
"Display"=""
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\Document Windows]
@DACL=(02 0000)
@SACL=
"Maximized"="no"
"height"=hex:00,00,00,00
"width"=hex:00,00,00,80
"x"=hex:00,00,00,80
"y"=hex:00,00,00,00
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\Help_Menu_URLs]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International]
@DACL=(02 0000)
@SACL=
@=""
"W2KLpk"=dword:00000001
"CodePointToFontMap"=hex:22,00,00,00,54,00,69,00,6d,00,65,00,73,00,20,00,4e,00,
65,00,77,00,20,00,52,00,6f,00,6d,00,61,00,6e,00,00,00,00,00,00,00,00,00,00,\
"AcceptLanguage"="en-us"
"CNum_CpCache"=dword:00000001
"CpCache"=hex:e9,fd,00,00
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\CpMRU]
@DACL=(02 0000)
"Enable"=dword:00000001
"Size"=dword:0000000a
"InitHits"=dword:00000064
"Factor"=dword:00000014
"Cache"=hex:e3,04,00,00,b4,00,00,00,6a,03,00,00,1c,00,00,00,9f,4e,00,00,19,00,
00,00,e2,04,00,00,0f,00,00,00,b0,6f,00,00,09,00,00,00,e8,fd,00,00,03,00,00,\
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\10]
@DACL=(02 0000)
"IEPropFontName"="Mangal"
"IEFixedFontName"="Mangal"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\11]
@DACL=(02 0000)
"IEPropFontName"="Vrinda"
"IEFixedFontName"="Vrinda"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\12]
@DACL=(02 0000)
"IEPropFontName"="Raavi"
"IEFixedFontName"="Raavi"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\13]
@DACL=(02 0000)
"IEPropFontName"="Shruti"
"IEFixedFontName"="Shruti"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\14]
@DACL=(02 0000)
"IEPropFontName"="Kalinga"
"IEFixedFontName"="Kalinga"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\15]
@DACL=(02 0000)
"IEPropFontName"="Latha"
"IEFixedFontName"="Latha"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\16]
@DACL=(02 0000)
"IEPropFontName"="Gautami"
"IEFixedFontName"="Gautami"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\17]
@DACL=(02 0000)
"IEPropFontName"="Tunga"
"IEFixedFontName"="Tunga"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\18]
@DACL=(02 0000)
"IEPropFontName"="Kartika"
"IEFixedFontName"="Kartika"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\19]
@DACL=(02 0000)
"IEPropFontName"="Tahoma"
"IEFixedFontName"="Tahoma"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\20]
@DACL=(02 0000)
"IEPropFontName"="DokChampa"
"IEFixedFontName"="DokChampa"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\21]
@DACL=(02 0000)
"IEPropFontName"="Microsoft Himalaya"
"IEFixedFontName"="Microsoft Himalaya"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\22]
@DACL=(02 0000)
"IEPropFontName"="Sylfaen"
"IEFixedFontName"="Sylfaen"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\23]
@DACL=(02 0000)
"IEPropFontName"="Gulim"
"IEFixedFontName"="GulimChe"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\24]
@DACL=(02 0000)
"IEPropFontName"="MS PGothic"
"IEFixedFontName"="MS Gothic"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\25]
@DACL=(02 0000)
"IEPropFontName"="PMingLiu"
"IEFixedFontName"="MingLiu"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\26]
@DACL=(02 0000)
"IEPropFontName"="Simsun"
"IEFixedFontName"="NSimsun"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\27]
@DACL=(02 0000)
"IEPropFontName"="Nyala"
"IEFixedFontName"="Nyala"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\28]
@DACL=(02 0000)
"IEPropFontName"="Euphemia"
"IEFixedFontName"="Euphemia"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\29]
@DACL=(02 0000)
"IEPropFontName"="Plantagenet Cherokee"
"IEFixedFontName"="Plantagenet Cherokee"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\30]
@DACL=(02 0000)
"IEPropFontName"="Microsoft Yi Baiti"
"IEFixedFontName"="Microsoft Yi Baiti"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\34]
@DACL=(02 0000)
"IEPropFontName"="Iskoola Pota"
"IEFixedFontName"="Iskoola Pota"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\35]
@DACL=(02 0000)
"IEPropFontName"="Estrangelo Edessa"
"IEFixedFontName"="Estrangelo Edessa"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\37]
@DACL=(02 0000)
"IEPropFontName"="DaunPenh"
"IEFixedFontName"="DaunPenh"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\38]
@DACL=(02 0000)
"IEPropFontName"="MV Boli"
"IEFixedFontName"="MV Boli"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\39]
@DACL=(02 0000)
"IEPropFontName"="Mongolian Baiti"
"IEFixedFontName"="Mongolian Baiti"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\4]
@DACL=(02 0000)
"IEPropFontName"="Times New Roman"
"IEFixedFontName"="Courier New"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\5]
@DACL=(02 0000)
"IEPropFontName"="Times New Roman"
"IEFixedFontName"="Courier New"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\6]
@DACL=(02 0000)
"IEPropFontName"="Times New Roman"
"IEFixedFontName"="Courier New"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\7]
@DACL=(02 0000)
"IEPropFontName"="Sylfaen"
"IEFixedFontName"="Sylfaen"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\8]
@DACL=(02 0000)
"IEPropFontName"="David"
"IEFixedFontName"="Miriam Fixed"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\International\Scripts\9]
@DACL=(02 0000)
"IEPropFontName"="Simplified Arabic"
"IEFixedFontName"="Simplified Arabic Fixed"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\Media]
@DACL=(02 0000)
"AutoplayPrompt"=hex:01
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\SearchUrl]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\Security]
@DACL=(02 0000)
@SACL=
"Sending_Security"="Medium"
"Viewing_Security"="Low"
"Safety Warning Level"="Query"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\Security\AntiPhishing]
@DACL=(02 0000)
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\Services]
@DACL=(02 0000)
@SACL=
@=""
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\Settings]
@DACL=(02 0000)
@SACL=
"Anchor Color Visited"="128,0,128"
"Anchor Color"="0,0,255"
"Background Color"="192,192,192"
"Text Color"="0,0,0"
"Use Anchor Hover Color"="No"
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\Toolbar]
@DACL=(02 0000)
@SACL=
"LinksFolderName"="Links"
"Locked"=dword:00000001
"{1E796980-9CC5-11D1-A83F-00C04FC99D61}"=hex:07,00,00,00,f5,03,00,00,7e,69,79,
1e,c5,9c,d1,11,a8,3f,00,c0,4f,c9,9d,61,20,01,00,00,04,00,00,00,f6,03,00,00,\
"SaveLinksOrder"=hex:01,00,00,00
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\Toolbar\Explorer]
@DACL=(02 0000)
"ITBarLayout"=hex:11,00,00,00,4c,00,00,00,00,00,00,00,24,00,00,00,19,00,00,00,
3e,00,00,00,01,00,00,00,20,07,00,00,a0,0f,00,00,05,00,00,00,62,05,00,00,26,\
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
@DACL=(02 0000)
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"=hex:bf,d1,cd,42,fb,3f,38,42,8a,d1,78,
59,df,00,b1,d6
"ITBarLayout"=hex:11,00,00,00,4c,00,00,00,00,00,00,00,24,00,00,00,19,00,02,00,
3e,00,00,00,01,00,00,00,20,07,00,00,a0,0f,00,00,05,00,00,00,62,05,00,00,26,\
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
@DACL=(02 0000)
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"=hex:81,45,e0,01,ee,4e,d0,11,bf,e9,00,
aa,00,5b,43,83,10,00,00,00,00,00,00,00,01,e0,32,f4,01,00,00,00
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"=hex:21,bf,5c,0e,5f,d1,d0,11,83,01,00,
aa,00,5b,43,83,22,00,1c,00,08,00,00,00,06,00,00,00,01,00,00,00,00,00,00,00,\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"=hex:c3,ea,53,0b,69,8d,9e,4b,9b,19,a3,
7c,9a,56,76,a7
"ITBarLayout"=hex:11,00,00,00,4c,00,00,00,00,00,00,00,30,00,00,00,1f,00,03,00,
7e,00,00,00,01,00,00,00,20,07,00,00,a0,0f,00,00,05,00,00,00,62,05,00,00,26,\
"{C4069E3A-68F1-403E-B40E-20066696354B}"=hex:3a,9e,06,c4,f1,68,3e,40,b4,0e,20,
06,66,96,35,4b
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:e3,ef,eb,7f,19,6b,49,43,98,d2,ff,
b0,9d,4b,49,ca,01,f2,02,00,00
"ITBar7Layout"=hex:13,00,00,00,00,00,00,00,00,00,00,00,30,00,00,00,10,00,00,00,
15,00,00,00,01,00,00,00,00,07,00,00,5e,01,00,00,00,00,00,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-2811425543-3714653698-1795195549-1007\Software\Microsoft\Internet Explorer\URLSearchHooks]
@DACL=(02 0000)
@SACL=
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\TreatAs]
@DACL=(02 0000)
@="{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{189504B8-50D1-4AA8-B4D6-95C8F58A6414}\ProgID]
@DACL=(02 0000)
@="Sb.SuperBuddy.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{189504B8-50D1-4AA8-B4D6-95C8F58A6414}\Programmable]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{189504B8-50D1-4AA8-B4D6-95C8F58A6414}\TypeLib]
@DACL=(02 0000)
@="{39DC8E5F-A573-4D58-8A13-6877A3B672EA}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{189504B8-50D1-4AA8-B4D6-95C8F58A6414}\VersionIndependentProgID]
@DACL=(02 0000)
@="Sb.SuperBuddy"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{756A2CB8-EC02-4DC8-8588-296C611A5365}\Control]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{756A2CB8-EC02-4DC8-8588-296C611A5365}\MiscStatus]
@DACL=(02 0000)
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{756A2CB8-EC02-4DC8-8588-296C611A5365}\ProgID]
@DACL=(02 0000)
@="ACHtmfu.HtmlFunctions.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{756A2CB8-EC02-4DC8-8588-296C611A5365}\Programmable]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{756A2CB8-EC02-4DC8-8588-296C611A5365}\TypeLib]
@DACL=(02 0000)
@="{12D56325-94E3-4E74-A91B-586982151C2F}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{756A2CB8-EC02-4DC8-8588-296C611A5365}\Version]
@DACL=(02 0000)
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{756A2CB8-EC02-4DC8-8588-296C611A5365}\VersionIndependentProgID]
@DACL=(02 0000)
@="ACHtmfu.HtmlFunctions"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{84CBABC2-D3BE-4EEF-8394-121FAC215CEF}\ProgID]
@DACL=(02 0000)
@="YGPPicInfo.PictureInfos.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{84CBABC2-D3BE-4EEF-8394-121FAC215CEF}\Programmable]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{84CBABC2-D3BE-4EEF-8394-121FAC215CEF}\TypeLib]
@DACL=(02 0000)
@="{79C10055-C1B5-4754-AC44-003784AA3A44}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{84CBABC2-D3BE-4EEF-8394-121FAC215CEF}\VersionIndependentProgID]
@DACL=(02 0000)
@="YGPPicInfo.PictureInfos"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{943742F6-3A40-43FF-97F4-A1750D97B200}\ProgID]
@DACL=(02 0000)
@="YGPPicInfo.PictureInfo.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{943742F6-3A40-43FF-97F4-A1750D97B200}\Programmable]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{943742F6-3A40-43FF-97F4-A1750D97B200}\TypeLib]
@DACL=(02 0000)
@="{79C10055-C1B5-4754-AC44-003784AA3A44}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{943742F6-3A40-43FF-97F4-A1750D97B200}\VersionIndependentProgID]
@DACL=(02 0000)
@="YGPPicInfo.PictureInfo"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{98BFD494-F6AD-4794-9038-832C0654CC43}\Control]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{98BFD494-F6AD-4794-9038-832C0654CC43}\MiscStatus]
@DACL=(02 0000)
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{98BFD494-F6AD-4794-9038-832C0654CC43}\ProgID]
@DACL=(02 0000)
@="AOL.UPFCtrl.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{98BFD494-F6AD-4794-9038-832C0654CC43}\Programmable]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{98BFD494-F6AD-4794-9038-832C0654CC43}\TypeLib]
@DACL=(02 0000)
@="{57B2FD05-64D4-4ad7-A92A-7C32FE50A0F4}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{98BFD494-F6AD-4794-9038-832C0654CC43}\Version]
@DACL=(02 0000)
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{98BFD494-F6AD-4794-9038-832C0654CC43}\VersionIndependentProgID]
@DACL=(02 0000)
@="AOL.UPFCtrl"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD41621C-A2DD-487D-A24B-8BE40116A5A3}\ProgID]
@DACL=(02 0000)
@="YGPPicInfo.IImageInfo.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD41621C-A2DD-487D-A24B-8BE40116A5A3}\Programmable]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD41621C-A2DD-487D-A24B-8BE40116A5A3}\TypeLib]
@DACL=(02 0000)
@="{79C10055-C1B5-4754-AC44-003784AA3A44}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD41621C-A2DD-487D-A24B-8BE40116A5A3}\VersionIndependentProgID]
@DACL=(02 0000)
@="YGPPicInfo.IImageInfo"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E0CB08CE-AB3D-4779-9C77-62A439BFE6C3}\Control]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E0CB08CE-AB3D-4779-9C77-62A439BFE6C3}\Implemented Categories]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E0CB08CE-AB3D-4779-9C77-62A439BFE6C3}\Insertable]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E0CB08CE-AB3D-4779-9C77-62A439BFE6C3}\MiscStatus]
@DACL=(02 0000)
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E0CB08CE-AB3D-4779-9C77-62A439BFE6C3}\ProgID]
@DACL=(02 0000)
@="AOL.PicEditCtrl.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E0CB08CE-AB3D-4779-9C77-62A439BFE6C3}\Programmable]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E0CB08CE-AB3D-4779-9C77-62A439BFE6C3}\TypeLib]
@DACL=(02 0000)
@="{0B54F548-639F-462F-BCDE-9557B8AB378F}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E0CB08CE-AB3D-4779-9C77-62A439BFE6C3}\Version]
@DACL=(02 0000)
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E0CB08CE-AB3D-4779-9C77-62A439BFE6C3}\VersionIndependentProgID]
@DACL=(02 0000)
@="AOL.PicEditCtrl"
.
[HKEY_LOCAL_MACHINE\software\Classes\CoachDM.WebCoachDownload\CLSID]
@DACL=(02 0000)
@="{E04EAE82-14AD-41CB-BF5A-45556ABB8347}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CoachDM.WebCoachDownload\CurVer]
@DACL=(02 0000)
@="AOLCoach.TrainerOCXCtrl.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\CoachDM.WebCoachDownload.1\CLSID]
@DACL=(02 0000)
@="{E04EAE82-14AD-41CB-BF5A-45556ABB8347}"
.
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{06645894-E73C-413B-8704-71823A9C39B5}\1.0]
@DACL=(02 0000)
@="Cerberus 1.0 Type Library"
.
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0B54F548-639F-462F-BCDE-9557B8AB378F}\1.0]
@DACL=(02 0000)
@="AOL CETCtrl 1.0 Type Library"
.
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{12D56325-94E3-4E74-A91B-586982151C2F}\1.0]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{229B78B8-38F5-11D5-9001-00C04F4C3B9F}\1.0]
@DACL=(02 0000)
@="CDDBControl(AOL) 1.0 Type Library"
.
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{296802FE-345A-4CA4-B941-692B8622CC69}\1.0]
@DACL=(02 0000)
@="AxTrack 1.0 Type Library"
.
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{307DE02D-679A-49B9-B582-6E623BE9386F}\1.0]
@DACL=(02 0000)
@="CoachDM 1.0 Type Library"
.
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{39DC8E5F-A573-4D58-8A13-6877A3B672EA}\1.0]
@DACL=(02 0000)
@="SB 1.0 Type Library"
.
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{3F8E02B4-6601-41A2-95E7-6BD102935C55}\1.0]
@DACL=(02 0000)
@="Phobos 1.0 Type Library"
.
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{57B2FD05-64D4-4AD7-A92A-7C32FE50A0F4}\1.0]
@DACL=(02 0000)
@="AOL UPFCtrl 1.0 Type Library"
.
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{79C10055-C1B5-4754-AC44-003784AA3A44}\1.0]
@DACL=(02 0000)
@="YGPPicInfo 1.0 Type Library"
.
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{8D66A700-5DF0-4706-9ACA-FEB467A7A853}\1.0]
@DACL=(02 0000)
@="Ares 1.0 Type Library"
.
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{BB9EF4CE-09E6-44C5-A6E9-AD9A471B4025}\1.0]
@DACL=(02 0000)
@="AolCalSvr 1.0 Type Library"
.
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{DCCAF17F-7581-4C86-9867-56D9405FAC3F}\1.0]
@DACL=(02 0000)
@="Pathfinder 1.0 Type Library"
.
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{E3852602-B619-11D6-94EC-00047521F020}\1.0]
@DACL=(02 0000)
@="WinAmpXChat 1.0 Type Library"
.
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{ECAD18F1-CA65-11D6-8A1B-00E029570A3E}\1.0]
@DACL=(02 0000)
@="SAMgr 1.0 Type Library"
.
[HKEY_LOCAL_MACHINE\software\Creative Tech\Installation]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
@DACL=(02 0000)
@SACL=
.
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\9.0]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Settings]
@DACL=(02 0000)
@SACL=
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Money\12.0\Msi]
@DACL=(02 0000)
@SACL=
"SystemCost"=dword:00000cc1
"PocketPC"=dword:00000001
"LastPackage"="{8C64E153-54BA-11D6-91B1-00500462BE80}"
"LastProduct"="{1D643CD7-4DD6-11D7-A4E0-000874180BB3}"
"LastLang"="1033"
"LastUserInstall"="Owner"
"PatchCount"=dword:00000000
"DESKTOP_SHORTCUTS"="1"
"_IsSetupTypeMin"="500"
"DPID"="#xA40000000300000037323730322D4F454D2D303430303030332D303030303000090000000000000000000000000000000000000000000000E5F06BC6620A502F662D0300000000008E011040B12D05000200000000000000000000000000000000000000000000003135383234000000000000008E0300001601D407000200008701000000000000000000000000000000000000000000000000000000000000C8484570"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}]
@DACL=(02 0000)
"FriendlyName"="DirectX"
"ComponentGUID"="{44BBA855-CC51-11CF-AAFA-00AA00B6015C}"
"Version"=dword:00040009
"Sub-Version"=dword:00000386
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\\dxxp.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\\dxxp.cat"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A0000BA0-97AD-43FB-8A05-3542C3AB99CD}]
@DACL=(02 0000)
"FriendlyName"="Windows Media WMDM Redist Exception Pack"
"ComponentGUID"="{A0000BA0-97AD-43FB-8A05-3542C3AB99CD}"
"Version"=dword:00090000
"Sub-Version"=dword:00010038
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{A0000BA0-97AD-43FB-8A05-3542C3AB99CD}\\WMDMDist.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{A0000BA0-97AD-43FB-8A05-3542C3AB99CD}\\wmdmdist.cat"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AA936DF4-2B08-4B1F-B071-72192E287704}]
@DACL=(02 0000)
"FriendlyName"="DirectX BDA"
"ComponentGUID"="{AA936DF4-2B08-4B1F-B071-72192E287704}"
"Version"=dword:00040009
"Sub-Version"=dword:00000386
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{AA936DF4-2B08-4B1F-B071-72192E287704}\\dxbda.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{AA936DF4-2B08-4B1F-B071-72192E287704}\\dx9bda.cat"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\SwDir]
@DACL=(02 0000)
@SACL=
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\SwFlash]
@DACL=(02 0000)
@SACL=
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\Plugins\SP\MSPMSP\KBDeviceList]
@DACL=(02 0000)
"SanDiskIM"="SanDisk ;ImageMate III ;2.3"
"SanDiskIMb"="E-USB Fl;ash ; "
"Lexmark"="Parallel; Flash Unit;"
.
[HKEY_LOCAL_MACHINE\software\Shutterfly\UploadControl]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2496)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-07-13 22:00:23
ComboFix-quarantined-files.txt 2011-07-14 03:00
ComboFix2.txt 2011-07-12 13:59
.
Pre-Run: 49,427,689,472 bytes free
Post-Run: 49,465,475,072 bytes free
.
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 87297B44B321D7A4CEEFF20213B56F4F

#6 fireman4it

Bleepin' Fireman

Group: Malware Response Team
Posts: 8,316
Joined: 24-May 08
Gender:Male
Location:Bement, ILL

Posted 14 July 2011 - 05:34 PM

Hello,

Looks like the main infection has been eliminated! :clapping:

Lets go ahead and check for any leftovers or friends it may have brought onboard your machine. We will also update a couple programs .

1.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.

Download Link 1

Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to this Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
Click on the Scan button.
When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
Make sure that everything is checked and then click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
Exit Malwarebytes' when done.

Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

2.
I'd like us to scan your machine with ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Under scan settings, check and check Remove found threats
Click Advanced settings and select the following:
- Scan potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the button.
Push

3.
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
Look for "Java Platform, Standard Edition".
Click the "Download JRE" button to the right.
Read the License Agreement, and then check the box that says: "Accept License Agreement".
From the list, select your OS and Platform (32-bit or 64-bit).
If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
Close any programs you may have running - especially your web browser.

Go to

> Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.

Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u25-windows-i586.exe to install the newest version.
If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
When the Java Setup - Welcome window opens, click the Install > button.
If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:

Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
Click Ok and reboot your computer.

4.
Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

Download the latest version of Adobe Reader Version X and save it to your desktop.
Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
Click the download button at the bottom.
If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
If you are unsure of how to use Add or Remove Programs, the please see this tutorial:How To Remove An Installed Program From Your Computer
Then from your desktop double-click on Adobe Reader to install the newest version.
If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
When the "Adobe Setup - Welcome" window opens, click the Install > button.
If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Once the installation is finished, go here: Adobe Update Page and scroll down to UPDATES/PROGRAMS. From there download: Adobe Reader X update - multiple languages and save it to your desktop.
Double-click the file AdbeRdrUpd932_all_incr.msp on your desktop to start installing the update and follow the prompts.
Once the update is done click Exit.

Your Adobe Reader is now up to date!

Things to include in your next reply::
MBAM log
Eset log
A new DDS.txt
How is your machine running now?

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click

#7 67mike

New Member

Group: Members
Posts: 9
Joined: 02-December 05

Posted 15 July 2011 - 05:04 AM

hello,
My machine is running excellent! There are no more problems with being redirected, no more pop-ups, and no more sites shutting down. Everything works as good as new thanks to you!!

I am very happy and I APPRECIATE all the help you have given me!!

The Adobe Reader X update - multiple languages download did not work with my new install of Adobe X reader ver 10.1
Is this an important update?

ESET log was clear. No problems were found.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7069

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/14/2011 8:58:48 PM
mbam-log-2011-07-14 (20-58-47).txt

Scan type: Quick scan
Objects scanned: 187759
Time elapsed: 10 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached File(s)

dds2.txt (10.32K)
Number of downloads: 2
attach2.txt (12.19K)
Number of downloads: 1

#8 fireman4it

Bleepin' Fireman

Group: Malware Response Team
Posts: 8,316
Joined: 24-May 08
Gender:Male
Location:Bement, ILL

Posted 15 July 2011 - 04:12 PM

Hello, 67mike.
Congratulations! You now appear clean!

Uninstall Combofix

Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
o *If it is not on your Desktop, the below will not work.
Click on then Run....
Now copy & paste the green bolded text in the run-box and click OK.

ComboFix /Uninstall

<Notice the space between the "x" and "/".> <--- It needs to be there
Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall
Please advise if this step is missed for any reason as it performs some important actions:
"This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess

Download OTC by OldTimer and save it to your desktop.
Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
Then Click the big button.
You will get a prompt saying "Being Cleanup Process". Please select Yes.
Restart your computer when prompted.

Recommendations
Below are some recommendations to lower your chances of (re)infection.

Install and maintain an outbound firewall
Install Spyware Blaster and update it regularly
If you wish, the commercial version provides automatic updating.
Install the MVPs hosts file, and update it regularly
You can use the HostMan host file manager to do this automaticly if you wish.
For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
Install an Anti-Spyware program, and update it regularly
Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
SUPERAntiSpyware is another good scanner with high detection and removal rates.
Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
Keep Windows (and your other Microsoft software) up to date!
I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

If you are using Windows XP or earlier
Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

If you are using Windows Vista
- Click the "Start Menu" (or Windows Orb)
- Click "All Programs"
- Click "Windows Update"
- On the left, choose "Change Settings"
- Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
- Press OK and accept the UAC prompt.
  Note: You shouldn't need to check this checkbox every single time you update, only the first time.
- Click "Check for Updates" in the upper left corner.
- Follow the instructions to install the latest updates.
- Reboot and repeat the "Check for Updates" until there are no more critical updates to install
Keep your other software up to date as well
Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
Stay up to date!
The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing .

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click

#9 67mike

New Member

Group: Members
Posts: 9
Joined: 02-December 05

Posted 16 July 2011 - 04:30 PM

THANK YOU again so very much for all your expertise help!!!

I will be making a donation to you for helping me out.

Greatly appreciated.

#10 fireman4it

Bleepin' Fireman

Group: Malware Response Team
Posts: 8,316
Joined: 24-May 08
Gender:Male
Location:Bement, ILL

Posted 17 July 2011 - 11:30 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.