Infected with Google Redirect Virus

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages
1
2
3
→

You cannot start a new topic
This topic is locked

Infected with Google Redirect Virus Don't know how to remove it

#1 chrissywv

Member

Group: Members
Posts: 19
Joined: 23-January 12

Posted 23 January 2012 - 11:22 PM

Hello! I believe I have the google redirect virus and I can't seem to get rid of it. When I do a google search and click on one of the results, it redirects me to a totally different site that what I originally clicked on. I tried running FixNCR, RKill, TDSSKiller, and Malwarebytes but it is still there. Please see my logs below. Any help would be greatly appreciated! Thanks in advance!!!

Chrissy

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by CHRISSY RUSSELL at 21:40:53 on 2012-01-23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.411 [GMT -6:00]
.
AV: Smart Engine *Enabled/Updated* {A6710FE6-B179-420E-8F4A-97DD6369AF5A}
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Smart Engine *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:25537
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [lxdcmon.exe] "c:\program files\lexmark 1300 series\lxdcmon.exe"
mRun: [lxdcamon] "c:\program files\lexmark 1300 series\lxdcamon.exe"
mRun: [LXDCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXDCtime.dll,_RunDLLEntry@16
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\mahjong escape - ancient japan\images\stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\mahjong escape - ancient japan\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{F8006EFD-B788-49E8-B1B9-05D77D471D8F} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-3-31 211200]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101016.003\naveng.sys [2010-10-16 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101016.003\navex15.sys [2010-10-16 1371184]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\avg\avg10\identity protection\agent\bin\avgidsagent.exe" --> c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-15 135664]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-15 135664]
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;c:\windows\system32\drivers\rtl8180.sys [2005-11-28 184832]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
.
=============== Created Last 30 ================
.
2012-01-24 01:58:15 864 ----a-w- c:\documents and settings\all users\application data\wnylaaa.tmp
2012-01-24 01:57:35 791 ----a-w- c:\documents and settings\all users\application data\aoylaaa.tmp
2012-01-24 01:57:30 823 ----a-w- c:\documents and settings\all users\application data\znylaaa.tmp
2012-01-24 01:57:25 879 ----a-w- c:\documents and settings\all users\application data\ynylaaa.tmp
2012-01-24 01:57:20 779 ----a-w- c:\documents and settings\all users\application data\xnylaaa.tmp
2012-01-15 18:08:27 843 ----a-w- c:\documents and settings\all users\application data\gbamaaa.tmp
2012-01-15 18:07:47 839 ----a-w- c:\documents and settings\all users\application data\kbamaaa.tmp
2012-01-15 18:07:42 826 ----a-w- c:\documents and settings\all users\application data\jbamaaa.tmp
2012-01-15 18:07:37 861 ----a-w- c:\documents and settings\all users\application data\ibamaaa.tmp
2012-01-15 18:07:32 857 ----a-w- c:\documents and settings\all users\application data\hbamaaa.tmp
2012-01-15 16:34:35 777 ----a-w- c:\documents and settings\all users\application data\cnvlaaa.tmp
2012-01-15 16:33:55 844 ----a-w- c:\documents and settings\all users\application data\gnvlaaa.tmp
2012-01-15 16:33:50 839 ----a-w- c:\documents and settings\all users\application data\fnvlaaa.tmp
2012-01-15 16:33:45 846 ----a-w- c:\documents and settings\all users\application data\envlaaa.tmp
2012-01-15 16:33:40 815 ----a-w- c:\documents and settings\all users\application data\dnvlaaa.tmp
2012-01-14 10:32:23 850 ----a-w- c:\documents and settings\all users\application data\maxlaaa.tmp
2012-01-14 10:31:43 832 ----a-w- c:\documents and settings\all users\application data\qaxlaaa.tmp
2012-01-14 10:31:38 804 ----a-w- c:\documents and settings\all users\application data\paxlaaa.tmp
2012-01-14 10:31:33 842 ----a-w- c:\documents and settings\all users\application data\oaxlaaa.tmp
2012-01-14 10:31:28 829 ----a-w- c:\documents and settings\all users\application data\naxlaaa.tmp
2012-01-13 04:18:39 807 ----a-w- c:\documents and settings\all users\application data\tpgkaaa.tmp
2012-01-13 04:16:59 811 ----a-w- c:\documents and settings\all users\application data\wpgkaaa.tmp
2012-01-13 04:16:47 835 ----a-w- c:\documents and settings\all users\application data\vpgkaaa.tmp
2012-01-13 04:15:36 870 ----a-w- c:\documents and settings\all users\application data\spgkaaa.tmp
2012-01-13 04:13:41 822 ----a-w- c:\documents and settings\all users\application data\upgkaaa.tmp
2012-01-13 03:17:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-13 03:17:21 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-01-13 03:10:38 880 ----a-w- c:\documents and settings\all users\application data\mcfkaaa.tmp
2012-01-13 03:09:34 818 ----a-w- c:\documents and settings\all users\application data\jcfkaaa.tmp
2012-01-13 03:09:21 862 ----a-w- c:\documents and settings\all users\application data\icfkaaa.tmp
2012-01-13 03:07:53 873 ----a-w- c:\documents and settings\all users\application data\kcfkaaa.tmp
2012-01-13 03:00:27 829 ----a-w- c:\documents and settings\all users\application data\lcfkaaa.tmp
2012-01-12 04:06:17 832 ----a-w- c:\documents and settings\all users\application data\cpdkaaa.tmp
2012-01-12 04:06:07 907 ----a-w- c:\documents and settings\all users\application data\apdkaaa.tmp
2012-01-12 04:06:05 821 ----a-w- c:\documents and settings\all users\application data\zodkaaa.tmp
2012-01-12 03:59:12 866 ----a-w- c:\documents and settings\all users\application data\bpdkaaa.tmp
2012-01-12 03:22:15 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-01-12 03:22:15 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-01 20:35:20 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-11-01 20:35:20 667136 ----a-w- c:\windows\system32\wininet.dll
2011-11-01 20:35:20 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-11-01 15:02:49 369664 ----a-w- c:\windows\system32\html.iec
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
.
============= FINISH: 21:41:46.34 ===============

Attached File(s)

attach.txt (14.07K)
Number of downloads: 0
ark.txt (10.88K)
Number of downloads: 1

This post has been edited by chrissywv: 23 January 2012 - 11:26 PM

#2 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,666
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 25 January 2012 - 08:56 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
Because of this, you must reply within three days failure to reply will result in the topic being closed!
Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

It appears you're infected with an infection known as ZeroAccess.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:

NEXT:

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.

I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

NEXT:

Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
Click the Start Scan button.
If a suspicious object is detected, the default action will be Skip, click on Continue.
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure SKIP is selected, then click Continue => Reboot now to finish the cleaning process.
Note: Do not choose Cure or Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

NEXT:

Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

NEXT:

Running OTL

We need to create an OTL Report

Please download OTL from one of the following mirrors:
- This is THE Mirror
- Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extras.txt <-- Will be minimized

NEXT:

Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. TDSSKiller log.
3. Farbar Service Scanner log.
4. OTL.txt & Extras.txt logs.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Please let me know how the above scans go.

Kindest Regards,
Agent ST.

This post has been edited by SweetTech: 25 January 2012 - 08:56 AM

Have I helped you? If you'd like to assist in the fight against malware, click here

The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#3 chrissywv

Member

Group: Members
Posts: 19
Joined: 23-January 12

Posted 25 January 2012 - 11:40 PM

Hello Agent ST!

1. Thank you so much for vounteering your time to help me! These viruses are driving me nuts!!

The requested logs are below but I did want to tell you I had a little trouble with TDSSKiler. It ran fine and found around 10 threats. The default was set to "skip" so I hit continue but instead of taking me to the "reboot computer" screen, it took me to a screen that said I had zero threats. Hopefully the log captured what you need to see.

2. TDSSKiller

21:00:43.0656 2420 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
21:00:44.0140 2420 ============================================================
21:00:44.0140 2420 Current date / time: 2012/01/25 21:00:44.0140
21:00:44.0140 2420 SystemInfo:
21:00:44.0140 2420
21:00:44.0140 2420 OS Version: 5.1.2600 ServicePack: 3.0
21:00:44.0140 2420 Product type: Workstation
21:00:44.0140 2420 ComputerName: CHRIS-NAT
21:00:44.0140 2420 UserName: CHRISSY RUSSELL
21:00:44.0140 2420 Windows directory: C:\WINDOWS
21:00:44.0140 2420 System windows directory: C:\WINDOWS
21:00:44.0140 2420 Processor architecture: Intel x86
21:00:44.0140 2420 Number of processors: 1
21:00:44.0140 2420 Page size: 0x1000
21:00:44.0140 2420 Boot type: Normal boot
21:00:44.0140 2420 ============================================================
21:00:47.0015 2420 Drive \Device\Harddisk0\DR0 - Size: 0x950A60000 (37.26 Gb), SectorSize: 0x200, Cylinders: 0x1300, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:00:47.0062 2420 Initialize success
21:01:18.0640 2184 ============================================================
21:01:18.0640 2184 Scan started
21:01:18.0640 2184 Mode: Manual; SigCheck; TDLFS;
21:01:18.0640 2184 ============================================================
21:01:19.0187 2184 Abiosdsk - ok
21:01:19.0234 2184 abp480n5 - ok
21:01:19.0312 2184 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:01:21.0343 2184 ACPI - ok
21:01:21.0500 2184 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
21:01:21.0734 2184 ACPIEC - ok
21:01:21.0781 2184 adpu160m - ok
21:01:21.0890 2184 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:01:22.0078 2184 aec - ok
21:01:22.0171 2184 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
21:01:22.0187 2184 AegisP ( UnsignedFile.Multi.Generic ) - warning
21:01:22.0187 2184 AegisP - detected UnsignedFile.Multi.Generic (1)
21:01:22.0281 2184 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
21:01:22.0312 2184 AFD - ok
21:01:22.0359 2184 Aha154x - ok
21:01:22.0390 2184 aic78u2 - ok
21:01:22.0421 2184 aic78xx - ok
21:01:22.0453 2184 AliIde - ok
21:01:22.0484 2184 amsint - ok
21:01:22.0578 2184 AR5211 (69645f795bbc22f05bea8b8734e3ee82) C:\WINDOWS\system32\DRIVERS\ar5211.sys
21:01:22.0687 2184 AR5211 - ok
21:01:22.0718 2184 asc - ok
21:01:22.0734 2184 asc3350p - ok
21:01:22.0765 2184 asc3550 - ok
21:01:22.0843 2184 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:01:23.0015 2184 AsyncMac - ok
21:01:23.0046 2184 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:01:23.0234 2184 atapi - ok
21:01:23.0296 2184 Atdisk - ok
21:01:23.0406 2184 ati2mtag (d5537cc8cc9a86668e3903bd53caa83c) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
21:01:23.0562 2184 ati2mtag - ok
21:01:23.0703 2184 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:01:23.0875 2184 Atmarpc - ok
21:01:23.0968 2184 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:01:24.0156 2184 audstub - ok
21:01:24.0250 2184 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:01:24.0468 2184 Beep - ok
21:01:24.0515 2184 BoiHwsetup (141befbd4f2a84a66e2f54b9e32e40d1) C:\WINDOWS\system32\drivers\BoiHwSetup.sys
21:01:24.0562 2184 BoiHwsetup - ok
21:01:24.0625 2184 CAMCAUD (cce1f3c7c8e7383b90372229454999cf) C:\WINDOWS\system32\drivers\camc6aud.sys
21:01:24.0671 2184 CAMCAUD - ok
21:01:24.0750 2184 CAMCHALA (9a3bbde74dab737efa82de7ef4b40bea) C:\WINDOWS\system32\drivers\camc6hal.sys
21:01:24.0843 2184 CAMCHALA - ok
21:01:24.0984 2184 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:01:25.0203 2184 cbidf2k - ok
21:01:25.0296 2184 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
21:01:25.0468 2184 CCDECODE - ok
21:01:25.0546 2184 cd20xrnt - ok
21:01:25.0640 2184 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:01:25.0843 2184 Cdaudio - ok
21:01:25.0937 2184 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:01:26.0125 2184 Cdfs - ok
21:01:26.0203 2184 Cdrom (d5790d4fbfbcba5a124b7e1844944c53) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:01:26.0218 2184 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: d5790d4fbfbcba5a124b7e1844944c53, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe
21:01:26.0218 2184 Cdrom ( ForgedFile.Multi.Generic ) - warning
21:01:26.0218 2184 Cdrom - detected ForgedFile.Multi.Generic (1)
21:01:26.0234 2184 Changer - ok
21:01:26.0296 2184 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
21:01:26.0468 2184 CmBatt - ok
21:01:26.0484 2184 CmdIde - ok
21:01:26.0515 2184 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
21:01:26.0703 2184 Compbatt - ok
21:01:26.0734 2184 Cpqarray - ok
21:01:26.0765 2184 dac2w2k - ok
21:01:26.0796 2184 dac960nt - ok
21:01:26.0875 2184 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
21:01:27.0078 2184 Disk - ok
21:01:27.0156 2184 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
21:01:27.0406 2184 dmboot - ok
21:01:27.0500 2184 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
21:01:27.0687 2184 dmio - ok
21:01:27.0765 2184 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:01:27.0953 2184 dmload - ok
21:01:28.0015 2184 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
21:01:28.0171 2184 DMusic - ok
21:01:28.0265 2184 dpti2o - ok
21:01:28.0312 2184 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
21:01:28.0484 2184 drmkaud - ok
21:01:28.0531 2184 drvmcdb (96bc8f872f0270c10edc3931f1c03776) C:\WINDOWS\system32\drivers\drvmcdb.sys
21:01:28.0562 2184 drvmcdb ( UnsignedFile.Multi.Generic ) - warning
21:01:28.0562 2184 drvmcdb - detected UnsignedFile.Multi.Generic (1)
21:01:28.0625 2184 drvnddm (5afbec7a6ac61b211633dfdb1d9e0c89) C:\WINDOWS\system32\drivers\drvnddm.sys
21:01:28.0625 2184 drvnddm ( UnsignedFile.Multi.Generic ) - warning
21:01:28.0625 2184 drvnddm - detected UnsignedFile.Multi.Generic (1)
21:01:28.0781 2184 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
21:01:28.0843 2184 eeCtrl - ok
21:01:28.0968 2184 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
21:01:29.0156 2184 Fastfat - ok
21:01:29.0250 2184 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
21:01:29.0437 2184 Fdc - ok
21:01:29.0500 2184 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
21:01:29.0703 2184 Fips - ok
21:01:29.0796 2184 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
21:01:29.0953 2184 Flpydisk - ok
21:01:30.0015 2184 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
21:01:30.0203 2184 FltMgr - ok
21:01:30.0265 2184 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:01:30.0453 2184 Fs_Rec - ok
21:01:30.0562 2184 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:01:30.0781 2184 Ftdisk - ok
21:01:30.0890 2184 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:01:31.0093 2184 Gpc - ok
21:01:31.0218 2184 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:01:31.0390 2184 HidUsb - ok
21:01:31.0468 2184 hpn - ok
21:01:31.0593 2184 HSFHWATI (790acb861176ae06d97bd7fbddcdbbcb) C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
21:01:31.0656 2184 HSFHWATI - ok
21:01:31.0796 2184 HSF_DPV (9a7c0d83bd340a43e10a453960607025) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
21:01:31.0953 2184 HSF_DPV - ok
21:01:32.0062 2184 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
21:01:32.0140 2184 HTTP - ok
21:01:32.0203 2184 i2omgmt - ok
21:01:32.0281 2184 i2omp - ok
21:01:32.0359 2184 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:01:32.0546 2184 i8042prt - ok
21:01:32.0640 2184 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:01:32.0812 2184 Imapi - ok
21:01:32.0875 2184 ini910u - ok
21:01:32.0937 2184 IntelIde - ok
21:01:33.0000 2184 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
21:01:33.0187 2184 intelppm - ok
21:01:33.0312 2184 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
21:01:33.0484 2184 Ip6Fw - ok
21:01:33.0593 2184 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:01:33.0796 2184 IpFilterDriver - ok
21:01:33.0890 2184 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:01:34.0062 2184 IpInIp - ok
21:01:34.0125 2184 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:01:34.0328 2184 IpNat - ok
21:01:34.0406 2184 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:01:34.0578 2184 IPSec - ok
21:01:34.0625 2184 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:01:34.0796 2184 IRENUM - ok
21:01:34.0875 2184 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:01:35.0062 2184 isapnp - ok
21:01:35.0109 2184 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:01:35.0281 2184 Kbdclass - ok
21:01:35.0359 2184 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
21:01:35.0562 2184 kmixer - ok
21:01:35.0640 2184 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
21:01:35.0703 2184 KSecDD - ok
21:01:35.0781 2184 lbrtfdc - ok
21:01:35.0906 2184 LSWPCv4 (aed928574c822e3511a7fcccc644640c) C:\WINDOWS\system32\DRIVERS\rtl8180.sys
21:01:35.0968 2184 LSWPCv4 - ok
21:01:36.0031 2184 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
21:01:36.0062 2184 mdmxsdk - ok
21:01:36.0171 2184 meiudf (7efac183a25b30fb5d64cc9d484b1eb6) C:\WINDOWS\system32\Drivers\meiudf.sys
21:01:36.0187 2184 meiudf ( UnsignedFile.Multi.Generic ) - warning
21:01:36.0187 2184 meiudf - detected UnsignedFile.Multi.Generic (1)
21:01:36.0265 2184 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:01:36.0468 2184 mnmdd - ok
21:01:36.0562 2184 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
21:01:36.0718 2184 Modem - ok
21:01:36.0796 2184 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:01:37.0000 2184 Mouclass - ok
21:01:37.0078 2184 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:01:37.0265 2184 mouhid - ok
21:01:37.0343 2184 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
21:01:37.0515 2184 MountMgr - ok
21:01:37.0578 2184 mraid35x - ok
21:01:37.0671 2184 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:01:37.0843 2184 MRxDAV - ok
21:01:37.0953 2184 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:01:38.0046 2184 MRxSmb - ok
21:01:38.0140 2184 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
21:01:38.0296 2184 Msfs - ok
21:01:38.0484 2184 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:01:38.0656 2184 MSKSSRV - ok
21:01:38.0781 2184 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:01:38.0953 2184 MSPCLOCK - ok
21:01:38.0984 2184 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
21:01:39.0171 2184 MSPQM - ok
21:01:39.0218 2184 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:01:39.0390 2184 mssmbios - ok
21:01:39.0421 2184 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
21:01:39.0609 2184 MSTEE - ok
21:01:39.0687 2184 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
21:01:39.0750 2184 Mup - ok
21:01:39.0828 2184 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
21:01:40.0000 2184 NABTSFEC - ok
21:01:40.0156 2184 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101016.003\naveng.sys
21:01:40.0171 2184 NAVENG - ok
21:01:40.0250 2184 NAVEX15 (158676a5758c1fa519563b3e72fbf256) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101016.003\navex15.sys
21:01:40.0343 2184 NAVEX15 - ok
21:01:40.0437 2184 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
21:01:40.0625 2184 NDIS - ok
21:01:40.0734 2184 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
21:01:40.0906 2184 NdisIP - ok
21:01:41.0265 2184 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:01:41.0312 2184 NdisTapi - ok
21:01:41.0375 2184 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:01:41.0531 2184 Ndisuio - ok
21:01:41.0640 2184 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:01:41.0812 2184 NdisWan - ok
21:01:41.0875 2184 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
21:01:41.0953 2184 NDProxy - ok
21:01:42.0015 2184 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:01:42.0203 2184 NetBIOS - ok
21:01:42.0265 2184 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:01:42.0453 2184 NetBT - ok
21:01:42.0562 2184 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
21:01:42.0578 2184 Netdevio ( UnsignedFile.Multi.Generic ) - warning
21:01:42.0578 2184 Netdevio - detected UnsignedFile.Multi.Generic (1)
21:01:42.0671 2184 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
21:01:42.0843 2184 Npfs - ok
21:01:42.0968 2184 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
21:01:43.0234 2184 Ntfs - ok
21:01:43.0343 2184 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:01:43.0546 2184 Null - ok
21:01:43.0609 2184 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:01:43.0828 2184 NwlnkFlt - ok
21:01:43.0875 2184 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:01:44.0093 2184 NwlnkFwd - ok
21:01:44.0187 2184 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
21:01:44.0359 2184 Parport - ok
21:01:44.0406 2184 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:01:44.0593 2184 PartMgr - ok
21:01:44.0687 2184 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:01:44.0890 2184 ParVdm - ok
21:01:44.0937 2184 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
21:01:45.0109 2184 PCI - ok
21:01:45.0140 2184 PCIDump - ok
21:01:45.0218 2184 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:01:45.0421 2184 PCIIde - ok
21:01:45.0515 2184 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
21:01:45.0687 2184 Pcmcia - ok
21:01:45.0765 2184 PDCOMP - ok
21:01:45.0812 2184 PDFRAME - ok
21:01:45.0859 2184 PDRELI - ok
21:01:45.0906 2184 PDRFRAME - ok
21:01:45.0953 2184 perc2 - ok
21:01:46.0000 2184 perc2hib - ok
21:01:46.0093 2184 pfc (6c1618a07b49e3873582b6449e744088) C:\WINDOWS\system32\drivers\pfc.sys
21:01:46.0109 2184 pfc ( UnsignedFile.Multi.Generic ) - warning
21:01:46.0109 2184 pfc - detected UnsignedFile.Multi.Generic (1)
21:01:46.0218 2184 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:01:46.0406 2184 PptpMiniport - ok
21:01:46.0437 2184 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:01:46.0625 2184 PSched - ok
21:01:46.0656 2184 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:01:46.0875 2184 Ptilink - ok
21:01:46.0984 2184 PxHelp20 (25f7c4453f189f79eb3846d3e23805a0) C:\WINDOWS\system32\Drivers\PxHelp20.sys
21:01:47.0015 2184 PxHelp20 ( UnsignedFile.Multi.Generic ) - warning
21:01:47.0015 2184 PxHelp20 - detected UnsignedFile.Multi.Generic (1)
21:01:47.0109 2184 qkbfiltr (c50faa6fda843fa2172aa2b9c3cd1dab) C:\WINDOWS\system32\drivers\qkbfiltr.sys
21:01:47.0140 2184 qkbfiltr ( UnsignedFile.Multi.Generic ) - warning
21:01:47.0140 2184 qkbfiltr - detected UnsignedFile.Multi.Generic (1)
21:01:47.0156 2184 ql1080 - ok
21:01:47.0187 2184 Ql10wnt - ok
21:01:47.0218 2184 ql12160 - ok
21:01:47.0250 2184 ql1240 - ok
21:01:47.0265 2184 ql1280 - ok
21:01:47.0312 2184 qmofiltr (8652b9e134c3478be948bf089df8ed5e) C:\WINDOWS\system32\drivers\qmofiltr.sys
21:01:47.0359 2184 qmofiltr ( UnsignedFile.Multi.Generic ) - warning
21:01:47.0359 2184 qmofiltr - detected UnsignedFile.Multi.Generic (1)
21:01:47.0437 2184 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:01:47.0656 2184 RasAcd - ok
21:01:47.0734 2184 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:01:47.0906 2184 Rasl2tp - ok
21:01:47.0968 2184 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:01:48.0140 2184 RasPppoe - ok
21:01:48.0203 2184 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:01:48.0406 2184 Raspti - ok
21:01:48.0453 2184 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:01:48.0906 2184 Rdbss - ok
21:01:48.0968 2184 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:01:49.0171 2184 RDPCDD - ok
21:01:49.0296 2184 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
21:01:49.0375 2184 RDPWD - ok
21:01:49.0484 2184 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:01:49.0671 2184 redbook - ok
21:01:49.0781 2184 RTL8023xp (4a0ae7891fcf74acc848b109294cb80f) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
21:01:49.0875 2184 RTL8023xp - ok
21:01:49.0937 2184 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
21:01:50.0062 2184 rtl8139 - ok
21:01:50.0171 2184 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
21:01:50.0187 2184 SASDIFSV - ok
21:01:50.0218 2184 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
21:01:50.0234 2184 SASKUTIL - ok
21:01:50.0328 2184 SAVRT (a00d5aa4748a1002590f08aa00fc660d) C:\Program Files\Symantec AntiVirus\savrt.sys
21:01:50.0390 2184 SAVRT - ok
21:01:50.0406 2184 SAVRTPEL (1e805005583be1c1568a3fce259c81e3) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
21:01:50.0437 2184 SAVRTPEL - ok
21:01:50.0609 2184 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:01:50.0781 2184 Secdrv - ok
21:01:50.0859 2184 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
21:01:51.0015 2184 Serial - ok
21:01:51.0093 2184 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:01:51.0265 2184 Sfloppy - ok
21:01:51.0328 2184 Simbad - ok
21:01:51.0375 2184 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
21:01:51.0546 2184 SLIP - ok
21:01:51.0609 2184 Sparrow - ok
21:01:51.0750 2184 SPBBCDrv (c30fa11923892a4dbd1c747db8492e8f) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
21:01:51.0796 2184 SPBBCDrv - ok
21:01:51.0953 2184 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:01:52.0125 2184 splitter - ok
21:01:52.0203 2184 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:01:52.0375 2184 sr - ok
21:01:52.0484 2184 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
21:01:52.0578 2184 Srv - ok
21:01:52.0671 2184 sscdbhk5 (98625722ad52b40305e74aaa83c93086) C:\WINDOWS\system32\drivers\sscdbhk5.sys
21:01:52.0703 2184 sscdbhk5 ( UnsignedFile.Multi.Generic ) - warning
21:01:52.0703 2184 sscdbhk5 - detected UnsignedFile.Multi.Generic (1)
21:01:52.0828 2184 ssrtln (d79412e3942c8a257253487536d5a994) C:\WINDOWS\system32\drivers\ssrtln.sys
21:01:52.0828 2184 ssrtln ( UnsignedFile.Multi.Generic ) - warning
21:01:52.0828 2184 ssrtln - detected UnsignedFile.Multi.Generic (1)
21:01:52.0921 2184 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
21:01:53.0078 2184 streamip - ok
21:01:53.0156 2184 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:01:53.0312 2184 swenum - ok
21:01:53.0359 2184 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:01:53.0515 2184 swmidi - ok
21:01:53.0562 2184 symc810 - ok
21:01:53.0593 2184 symc8xx - ok
21:01:53.0734 2184 SymEvent (b3f8b9eab2ebe205c0fe053fba951d8c) C:\Program Files\Symantec\SYMEVENT.SYS
21:01:53.0765 2184 SymEvent - ok
21:01:53.0906 2184 SYMREDRV (7c73b65f1bdfab9052a5076c0ca622de) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
21:01:53.0937 2184 SYMREDRV - ok
21:01:53.0984 2184 SYMTDI (b4562798891dca27ed67ca07acbadbd9) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
21:01:54.0015 2184 SYMTDI - ok
21:01:54.0046 2184 sym_hi - ok
21:01:54.0078 2184 sym_u3 - ok
21:01:54.0171 2184 SynTP (eb363ddfbe8b6d51003ccab29d93d744) C:\WINDOWS\system32\DRIVERS\SynTP.sys
21:01:54.0234 2184 SynTP - ok
21:01:54.0343 2184 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:01:54.0500 2184 sysaudio - ok
21:01:54.0640 2184 TBiosDrv (eeca2b57545e7b7be949b5e70e31444f) C:\WINDOWS\system32\drivers\TBiosDrv.sys
21:01:54.0656 2184 TBiosDrv ( UnsignedFile.Multi.Generic ) - warning
21:01:54.0656 2184 TBiosDrv - detected UnsignedFile.Multi.Generic (1)
21:01:54.0765 2184 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:01:54.0875 2184 Tcpip - ok
21:01:54.0921 2184 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:01:55.0093 2184 TDPIPE - ok
21:01:55.0187 2184 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:01:55.0343 2184 TDTCP - ok
21:01:55.0437 2184 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:01:55.0609 2184 TermDD - ok
21:01:55.0718 2184 tfsnboio (d0177776e11b0b3f272eebd262a69661) C:\WINDOWS\system32\dla\tfsnboio.sys
21:01:55.0734 2184 tfsnboio ( UnsignedFile.Multi.Generic ) - warning
21:01:55.0734 2184 tfsnboio - detected UnsignedFile.Multi.Generic (1)
21:01:55.0781 2184 tfsncofs (599804bc938b8305a5422319774da871) C:\WINDOWS\system32\dla\tfsncofs.sys
21:01:55.0796 2184 tfsncofs ( UnsignedFile.Multi.Generic ) - warning
21:01:55.0796 2184 tfsncofs - detected UnsignedFile.Multi.Generic (1)
21:01:55.0828 2184 tfsndrct (a1902c00adc11c4d83f8e3ed947a6a32) C:\WINDOWS\system32\dla\tfsndrct.sys
21:01:55.0843 2184 tfsndrct ( UnsignedFile.Multi.Generic ) - warning
21:01:55.0843 2184 tfsndrct - detected UnsignedFile.Multi.Generic (1)
21:01:55.0921 2184 tfsndres (d8ddb3f2b1bef15cff6728d89c042c61) C:\WINDOWS\system32\dla\tfsndres.sys
21:01:55.0937 2184 tfsndres ( UnsignedFile.Multi.Generic ) - warning
21:01:55.0937 2184 tfsndres - detected UnsignedFile.Multi.Generic (1)
21:01:55.0984 2184 tfsnifs (c4f2dea75300971cdaee311007de138d) C:\WINDOWS\system32\dla\tfsnifs.sys
21:01:56.0000 2184 tfsnifs ( UnsignedFile.Multi.Generic ) - warning
21:01:56.0000 2184 tfsnifs - detected UnsignedFile.Multi.Generic (1)
21:01:56.0031 2184 tfsnopio (272925be0ea919f08286d2ee6f102b0f) C:\WINDOWS\system32\dla\tfsnopio.sys
21:01:56.0046 2184 tfsnopio ( UnsignedFile.Multi.Generic ) - warning
21:01:56.0046 2184 tfsnopio - detected UnsignedFile.Multi.Generic (1)
21:01:56.0125 2184 tfsnpool (7b7d955e5cebc2fb88b03ef875d52a2f) C:\WINDOWS\system32\dla\tfsnpool.sys
21:01:56.0140 2184 tfsnpool ( UnsignedFile.Multi.Generic ) - warning
21:01:56.0140 2184 tfsnpool - detected UnsignedFile.Multi.Generic (1)
21:01:56.0234 2184 tfsnudf (e3d01263109d800c1967c12c10a0b018) C:\WINDOWS\system32\dla\tfsnudf.sys
21:01:56.0265 2184 tfsnudf ( UnsignedFile.Multi.Generic ) - warning
21:01:56.0265 2184 tfsnudf - detected UnsignedFile.Multi.Generic (1)
21:01:56.0281 2184 tfsnudfa (b9e9c377906e3a65bc74598fff7f7458) C:\WINDOWS\system32\dla\tfsnudfa.sys
21:01:56.0312 2184 tfsnudfa ( UnsignedFile.Multi.Generic ) - warning
21:01:56.0312 2184 tfsnudfa - detected UnsignedFile.Multi.Generic (1)
21:01:56.0343 2184 TosIde - ok
21:01:56.0421 2184 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:01:56.0593 2184 Udfs - ok
21:01:56.0656 2184 ultra - ok
21:01:56.0750 2184 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:01:56.0968 2184 Update - ok
21:01:57.0078 2184 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
21:01:57.0234 2184 usbaudio - ok
21:01:57.0328 2184 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:01:57.0515 2184 usbccgp - ok
21:01:57.0593 2184 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:01:57.0765 2184 usbehci - ok
21:01:57.0843 2184 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:01:58.0015 2184 usbhub - ok
21:01:58.0046 2184 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
21:01:58.0203 2184 usbohci - ok
21:01:58.0250 2184 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:01:58.0406 2184 usbprint - ok
21:01:58.0468 2184 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:01:58.0625 2184 usbscan - ok
21:01:58.0671 2184 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:01:58.0843 2184 USBSTOR - ok
21:01:58.0906 2184 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
21:01:59.0062 2184 usbvideo - ok
21:01:59.0171 2184 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:01:59.0296 2184 VgaSave - ok
21:01:59.0359 2184 ViaIde - ok
21:01:59.0406 2184 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:01:59.0562 2184 VolSnap - ok
21:01:59.0625 2184 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:01:59.0796 2184 Wanarp - ok
21:01:59.0843 2184 wanatw - ok
21:01:59.0859 2184 WDICA - ok
21:01:59.0906 2184 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:02:00.0062 2184 wdmaud - ok
21:02:00.0171 2184 winachsf (eb5d5dd39da6b25ffd4206892365f67c) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
21:02:00.0265 2184 winachsf - ok
21:02:00.0484 2184 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
21:02:00.0656 2184 WSTCODEC - ok
21:02:00.0765 2184 MBR (0x1B8) (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk0\DR0
21:02:01.0062 2184 \Device\Harddisk0\DR0 - ok
21:02:01.0078 2184 Boot (0x1200) (def3bb30c44467891dc8b70fd9ee4f8e) \Device\Harddisk0\DR0\Partition0
21:02:01.0078 2184 \Device\Harddisk0\DR0\Partition0 - ok
21:02:01.0078 2184 ============================================================
21:02:01.0078 2184 Scan finished
21:02:01.0078 2184 ============================================================
21:02:01.0234 3052 Detected object count: 22
21:02:01.0234 3052 Actual detected object count: 22
21:02:09.0750 3052 AegisP ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0750 3052 AegisP ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0750 3052 Cdrom ( ForgedFile.Multi.Generic ) - skipped by user
21:02:09.0750 3052 Cdrom ( ForgedFile.Multi.Generic ) - User select action: Skip
21:02:09.0750 3052 drvmcdb ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0750 3052 drvmcdb ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0750 3052 drvnddm ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0750 3052 drvnddm ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0765 3052 meiudf ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0765 3052 meiudf ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0765 3052 Netdevio ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0765 3052 Netdevio ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0765 3052 pfc ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0765 3052 pfc ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0765 3052 PxHelp20 ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0765 3052 PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0781 3052 qkbfiltr ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0781 3052 qkbfiltr ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0781 3052 qmofiltr ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0781 3052 qmofiltr ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0781 3052 sscdbhk5 ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0781 3052 sscdbhk5 ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0781 3052 ssrtln ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0781 3052 ssrtln ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0796 3052 TBiosDrv ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0796 3052 TBiosDrv ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0796 3052 tfsnboio ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0796 3052 tfsnboio ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0796 3052 tfsncofs ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0796 3052 tfsncofs ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0796 3052 tfsndrct ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0796 3052 tfsndrct ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0812 3052 tfsndres ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0812 3052 tfsndres ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0812 3052 tfsnifs ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0812 3052 tfsnifs ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0812 3052 tfsnopio ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0812 3052 tfsnopio ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0812 3052 tfsnpool ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0812 3052 tfsnpool ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0812 3052 tfsnudf ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0812 3052 tfsnudf ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:02:09.0812 3052 tfsnudfa ( UnsignedFile.Multi.Generic ) - skipped by user
21:02:09.0812 3052 tfsnudfa ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:12:02.0125 3484 Deinitialize success

3. FSS Log

Farbar Service Scanner Version: 18-01-2012 01
Ran by CHRISSY RUSSELL (administrator) on 25-01-2012 at 21:17:21
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking LEGACY_wuauserv: Attention! Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe
[2005-08-09 14:38] - [2008-04-13 18:12] - 0039936 ____A (Microsoft Corporation) 1852A19B834058F489F85EB520A88D15

C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) SYMTDI(9) Tcpip(3)
0x0A00000004000000010000000200000003000000090000000A00000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

4. OTL and Extras Logs

OTL logfile created on: 1/25/2012 9:29:59 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\CHRISSY RUSSELL\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.17 Mb Total Physical Memory | 170.88 Mb Available Physical Memory | 19.11% Memory free
1.09 Gb Paging File | 0.34 Gb Available in Paging File | 31.14% Paging File free
Paging file location(s): C:\pagefile.sys 288 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 22.69 Gb Free Space | 60.91% Space Free | Partition Type: NTFS

Computer Name: CHRIS-NAT | User Name: CHRISSY RUSSELL | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/25 21:29:10 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\OTL.exe
PRC - [2011/08/11 17:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
PRC - [2008/04/13 18:12:08 | 001,058,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/12 17:56:38 | 000,537,520 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdccoms.exe
PRC - [2007/02/05 17:32:16 | 000,020,480 | ---- | M] (Lexmark) -- C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
PRC - [2005/11/28 16:59:00 | 000,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2005/11/15 14:12:14 | 000,756,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
PRC - [2005/09/20 21:07:00 | 001,093,632 | ---- | M] (TOSHIBA Inc.) -- C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
PRC - [2005/07/12 18:14:42 | 000,040,960 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2005/07/11 18:04:46 | 000,311,296 | ---- | M] (Atheros Communications, Inc.) -- C:\Program Files\Atheros\ACU.exe
PRC - [2005/07/08 02:13:14 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\acs.exe
PRC - [2005/04/26 17:13:20 | 000,122,880 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
PRC - [2005/04/22 12:54:14 | 000,962,560 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
PRC - [2005/04/17 12:30:48 | 000,085,184 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2005/04/17 12:30:32 | 000,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2005/04/12 23:54:38 | 000,794,624 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSServ.exe
PRC - [2005/04/08 15:54:52 | 000,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/04/08 15:52:32 | 000,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/04/08 15:52:30 | 000,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2005/01/17 17:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2004/12/30 01:32:20 | 000,065,536 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
PRC - [2004/10/08 15:44:24 | 000,098,394 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2004/09/07 15:03:20 | 001,077,301 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\Touch and Launch\PadExe.exe
PRC - [2004/08/28 01:37:00 | 000,155,648 | ---- | M] (Matsubleepa Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\RAMASST.exe
PRC - [2004/08/28 01:33:00 | 000,110,592 | ---- | M] (Matsubleepa Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe

========== Modules (No Company Name) ==========

MOD - [2011/12/28 14:19:17 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\bce0720436dc6cb76006377f295ea365\System.Configuration.ni.dll
MOD - [2011/12/26 16:52:55 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\70cacc44f0b4257f6037eda7a59a0aeb\System.Xml.ni.dll
MOD - [2011/12/26 16:52:46 | 012,430,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\71a2ae9ad561a62181cbd9fb11e9de7a\System.Windows.Forms.ni.dll
MOD - [2011/12/26 16:52:24 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c10bea3c4bb7ef654651141bf9419090\System.Drawing.ni.dll
MOD - [2011/12/26 16:50:26 | 007,950,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll
MOD - [2011/12/26 16:50:12 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
MOD - [2011/12/26 16:47:40 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2008/06/20 10:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/06/20 10:02:47 | 000,245,248 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2007/02/05 17:34:38 | 000,040,960 | ---- | M] () -- C:\Program Files\Lexmark 1300 Series\App4R.Monitor.Core.dll
MOD - [2007/02/05 17:34:36 | 000,028,672 | ---- | M] () -- C:\Program Files\Lexmark 1300 Series\App4R.Monitor.Common.dll
MOD - [2007/02/05 17:32:26 | 000,024,576 | ---- | M] () -- C:\Program Files\Lexmark 1300 Series\App4R.DevMons.ScanDevMon.dll
MOD - [2007/02/05 17:32:24 | 000,057,344 | ---- | M] () -- C:\Program Files\Lexmark 1300 Series\App4R.DevMons.MCMDevMon.dll
MOD - [2007/01/24 12:53:10 | 000,011,776 | ---- | M] () -- C:\Program Files\Lexmark 1300 Series\App4R.DevMons.MCMDevMon.AutoPlayUtil.dll
MOD - [2007/01/18 12:18:54 | 000,103,936 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lxdcdrpp.dll
MOD - [2005/07/12 18:14:42 | 000,040,960 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
MOD - [2005/07/08 02:13:14 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\acs.exe
MOD - [2004/11/11 22:08:00 | 000,106,496 | ---- | M] () -- C:\WINDOWS\system32\tsbwls.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (AVGIDSAgent)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/08/11 17:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2007/02/12 17:56:38 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxdccoms.exe -- (lxdc_device)
SRV - [2005/07/12 18:14:42 | 000,040,960 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2005/07/08 02:13:14 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2005/04/17 12:30:42 | 000,124,608 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2005/04/17 12:30:40 | 001,706,176 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2005/04/17 12:30:32 | 000,019,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2005/04/08 15:54:52 | 000,161,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/04/08 15:54:50 | 000,083,568 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2005/04/08 15:52:32 | 000,185,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/04/05 11:17:22 | 000,206,552 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2005/03/30 21:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2005/01/17 17:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2004/08/28 01:33:00 | 000,110,592 | ---- | M] (Matsubleepa Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)

========== Driver Services (SafeList) ==========

DRV - [2011/07/22 10:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 15:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/10/16 02:00:00 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101016.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/10/16 02:00:00 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101016.003\NAVENG.SYS -- (NAVENG)
DRV - [2010/07/15 02:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2005/06/29 00:01:58 | 001,241,088 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/06/17 16:17:48 | 000,352,000 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)
DRV - [2005/06/17 16:17:00 | 000,038,144 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)
DRV - [2005/06/10 22:42:00 | 000,005,504 | ---- | M] (Quanta Computer Corp) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BoiHwSetup.sys -- (BoiHwsetup)
DRV - [2005/06/02 04:33:00 | 000,102,384 | ---- | M] (Matsubleepa Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
DRV - [2005/05/25 03:39:44 | 000,465,952 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2005/05/09 16:17:06 | 000,031,360 | ---- | M] (Quanta Computer, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\qkbfiltr.sys -- (qkbfiltr)
DRV - [2005/05/05 15:27:38 | 000,007,936 | ---- | M] (Quanta Computer, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\qmofiltr.sys -- (qmofiltr)
DRV - [2005/04/05 11:17:02 | 000,267,192 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2005/04/05 11:17:00 | 000,017,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/04/01 20:36:04 | 000,123,200 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/03/31 18:08:02 | 000,211,200 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWATI.sys -- (HSFHWATI)
DRV - [2005/03/31 17:08:46 | 001,034,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/03/31 17:08:00 | 000,714,880 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/03/30 21:48:20 | 000,372,832 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/02/04 20:14:32 | 000,053,896 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/02/04 20:14:30 | 000,324,232 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2004/12/02 17:36:08 | 000,070,912 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004/08/03 16:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/09/30 20:54:46 | 000,184,832 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8180.sys -- (LSWPCv4)
DRV - [2003/09/19 16:45:48 | 000,021,248 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/06/11 09:53:22 | 000,006,867 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tbiosdrv.sys -- (TBiosDrv)
DRV - [2003/01/29 15:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = about:blank
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = about:blank
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-21-2422525118-3929007035-3564027493-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-2422525118-3929007035-3564027493-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-2422525118-3929007035-3564027493-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2422525118-3929007035-3564027493-1007\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-2422525118-3929007035-3564027493-1007\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKU\S-1-5-21-2422525118-3929007035-3564027493-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2422525118-3929007035-3564027493-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25537

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2240: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2298: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1348: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.75\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.75\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.75\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2010/10/17 20:11:44 | 000,002,831 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 67.212.189.116 www.google.com
O1 - Hosts: 67.212.189.116 google.com
O1 - Hosts: 67.212.189.116 google.com.au
O1 - Hosts: 67.212.189.116 www.google.com.au
O1 - Hosts: 67.212.189.116 google.be
O1 - Hosts: 67.212.189.116 www.google.be
O1 - Hosts: 67.212.189.116 google.com.br
O1 - Hosts: 67.212.189.116 www.google.com.br
O1 - Hosts: 67.212.189.116 google.ca
O1 - Hosts: 39 more lines...
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll File not found
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKU\S-1-5-21-2422525118-3929007035-3564027493-1007\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [CFSServ.exe] CFSServ.exe -NoClient File not found
O4 - HKLM..\Run: [gcasServ] C:\Program Files\Microsoft AntiSpyware\gcasServ.exe (Microsoft Corporation)
O4 - HKLM..\Run: [lxdcamon] C:\Program Files\Lexmark 1300 Series\lxdcamon.exe (Lexmark)
O4 - HKLM..\Run: [LXDCCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.DLL (Lexmark International, Inc.)
O4 - HKLM..\Run: [lxdcmon.exe] "C:\Program Files\Lexmark 1300 Series\lxdcmon.exe" File not found
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\Run: [PadTouch] C:\Program Files\Toshiba\Touch and Launch\PadExe.exe (TOSHIBA)
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Toshiba Hotkey Utility] c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe (TOSHIBA Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-2422525118-3929007035-3564027493-1007..\Run: [TOSCDSPD] C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O4 - HKU\S-1-5-21-2422525118-3929007035-3564027493-1007..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (Matsubleepa Electric Industrial Co., Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2422525118-3929007035-3564027493-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2422525118-3929007035-3564027493-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll (Sun Microsystems, Inc.)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe (PokerStars)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - mswsock.dll File not found
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file://C:\Program Files\Mahjong Escape - Ancient Japan\Images\stg_drm.ocx (SpinTop DRM Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file://C:\Program Files\Mahjong Escape - Ancient Japan\Images\armhelper.ocx (ArmHelper Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F8006EFD-B788-49E8-B1B9-05D77D471D8F}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - (C:\WINDOWS\system32\NavLogon.dll) - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\CHRISSY RUSSELL\My Documents\My Pictures\Chrissy's Pics\Resort pic 1.BMP
O24 - Desktop BackupWallPaper: C:\Documents and Settings\CHRISSY RUSSELL\My Documents\My Pictures\Chrissy's Pics\Resort pic 1.BMP
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {9EF34FF2-3396-4527-9D27-04C8C1C67806} - C:\Program Files\Microsoft AntiSpyware\shellextension.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/09 15:19:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/25 21:29:06 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\OTL.exe
[2012/01/23 21:53:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\gmer
[2012/01/23 21:40:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\CHRISSY RUSSELL\Start Menu\Programs\Administrative Tools
[2012/01/23 21:40:03 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\dds.scr
[2012/01/15 10:44:27 | 009,851,496 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\mbam-setup.exe
[2012/01/15 10:41:54 | 002,058,032 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\tdsskiller.exe
[2012/01/12 21:17:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2012/01/12 21:17:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2012/01/12 21:17:21 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/01/12 21:12:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/01/11 21:45:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/01/11 21:45:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2007/09/11 18:21:05 | 000,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDChcp.dll
[2007/09/11 18:21:04 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdcinpa.dll
[2007/09/11 18:21:04 | 000,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdciesc.dll
[2007/09/11 18:21:03 | 000,999,424 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdcusb1.dll
[2007/09/11 18:21:02 | 001,232,896 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdcserv.dll
[2007/09/11 18:21:02 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdcprox.dll
[2007/09/11 18:21:02 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdcpplc.dll
[2007/09/11 18:21:01 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdcpmui.dll
[2007/09/11 18:21:01 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdclmpm.dll
[2007/09/11 18:20:59 | 000,385,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdcih.exe
[2007/09/11 18:20:58 | 000,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdchbn3.dll
[2007/09/11 18:20:56 | 000,537,520 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdccoms.exe
[2007/09/11 18:20:55 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdccomc.dll
[2007/09/11 18:20:55 | 000,425,984 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdccomm.dll
[34 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/25 21:36:39 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/25 21:36:21 | 000,001,821 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2012/01/25 21:29:10 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\OTL.exe
[2012/01/25 21:16:02 | 000,334,429 | ---- | M] () -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\FSS.exe
[2012/01/25 21:06:32 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/01/25 20:59:58 | 002,058,032 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\tdsskiller.exe
[2012/01/25 20:56:05 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/25 20:55:02 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/25 20:54:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/25 20:54:27 | 937,676,800 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/23 21:52:40 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\gmer.zip
[2012/01/23 21:40:04 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\dds.scr
[2012/01/23 21:37:13 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\CHRISSY RUSSELL\defogger_reenable
[2012/01/23 21:36:14 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\Defogger.exe
[2012/01/15 10:47:13 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/15 10:44:41 | 009,851,496 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\mbam-setup.exe
[2012/01/15 10:39:08 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\iExplore.exe
[2012/01/15 10:35:30 | 000,001,205 | ---- | M] () -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\FixNCR.reg
[2012/01/12 21:17:27 | 000,001,686 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/01/11 21:30:35 | 000,013,482 | -HS- | M] () -- C:\Documents and Settings\CHRISSY RUSSELL\Local Settings\Application Data\vm62u716ws666j6e2uttw87f82u
[2012/01/11 21:30:35 | 000,013,482 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\vm62u716ws666j6e2uttw87f82u
[34 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/25 21:16:00 | 000,334,429 | ---- | C] () -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\FSS.exe
[2012/01/23 21:52:38 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\gmer.zip
[2012/01/23 21:37:13 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\CHRISSY RUSSELL\defogger_reenable
[2012/01/23 21:36:14 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\Defogger.exe
[2012/01/15 10:39:04 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\iExplore.exe
[2012/01/15 10:35:29 | 000,001,205 | ---- | C] () -- C:\Documents and Settings\CHRISSY RUSSELL\Desktop\FixNCR.reg
[2012/01/15 10:29:19 | 937,676,800 | -HS- | C] () -- C:\hiberfil.sys
[2012/01/12 21:17:27 | 000,001,686 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/01/12 20:32:54 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/11 22:02:40 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/01/11 21:28:26 | 000,013,482 | -HS- | C] () -- C:\Documents and Settings\CHRISSY RUSSELL\Local Settings\Application Data\vm62u716ws666j6e2uttw87f82u
[2012/01/11 21:28:26 | 000,013,482 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\vm62u716ws666j6e2uttw87f82u
[2007/09/19 12:59:25 | 000,000,614 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/09/11 18:25:15 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdcvs.dll
[2007/09/11 18:25:07 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\lxdccoin.dll
[2007/09/11 18:21:59 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxdcrwrd.ini
[2007/09/11 18:21:06 | 000,278,528 | ---- | C] () -- C:\WINDOWS\System32\LXDCinst.dll
[2007/09/11 18:20:57 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdcgrd.dll
[2005/12/09 13:37:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2005/12/07 13:13:40 | 000,000,049 | ---- | C] () -- C:\WINDOWS\webica.ini
[2005/11/28 13:37:22 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2005/11/25 14:41:03 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\ControlWZCS.exe
[2005/11/25 14:41:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\acs.exe
[2005/11/25 14:40:56 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\AegisI5.exe
[2005/11/25 14:40:40 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\MFCFirstRemove.exe
[2005/11/25 14:40:39 | 000,270,336 | ---- | C] () -- C:\WINDOWS\System32\PlugPlayPCIDevice.exe
[2005/08/22 18:23:46 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/08/09 17:59:11 | 000,011,122 | ---- | C] () -- C:\WINDOWS\HWSetupStr.ini
[2005/08/09 17:59:11 | 000,002,036 | ---- | C] () -- C:\WINDOWS\SVPW32Str.ini
[2005/08/09 17:36:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2005/08/09 17:00:57 | 000,000,012 | ---- | C] () -- C:\WINDOWS\dirsaver.ini
[2005/08/09 16:45:20 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2005/08/09 16:39:18 | 000,000,172 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2005/08/09 16:37:42 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/08/09 16:37:42 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/08/09 16:37:42 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/08/09 16:37:42 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/08/09 16:37:42 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/08/09 16:37:42 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/08/09 16:36:54 | 000,000,228 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/08/09 16:32:32 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2005/08/09 16:32:32 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2005/08/09 16:32:32 | 000,009,362 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2005/08/09 16:32:32 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2005/08/09 16:00:49 | 000,090,112 | ---- | C] () -- C:\WINDOWS\InstDrvr.exe
[2005/08/09 16:00:49 | 000,006,867 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2005/08/09 15:26:03 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/08/09 15:21:34 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/09 15:16:35 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/09 15:15:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/09 14:41:18 | 000,000,384 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/08/09 14:38:34 | 001,033,728 | ---- | C] () -- C:\WINDOWS\expl.dat
[2005/08/09 14:38:34 | 000,507,904 | ---- | C] () -- C:\WINDOWS\System32\winl.dat
[2005/08/09 14:38:34 | 000,014,336 | ---- | C] () -- C:\WINDOWS\System32\svch.dat
[2005/08/09 14:38:23 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/08/09 14:38:18 | 000,446,386 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/09 14:38:18 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/08/09 14:38:18 | 000,073,426 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/09 14:38:18 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/08/09 14:38:16 | 000,004,688 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/08/09 14:38:14 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/08/09 14:38:12 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/08/09 14:38:04 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/08/09 14:38:04 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/08/09 14:37:49 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/08/09 14:37:40 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/08/09 08:10:36 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/09 08:09:39 | 000,209,696 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/06/30 14:15:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/06/10 17:59:16 | 000,095,617 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2004/11/11 22:08:00 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\tsbwls.dll
[2003/10/15 19:22:00 | 000,090,384 | ---- | C] () -- C:\WINDOWS\System32\ctxsetup.exe
[2003/01/07 17:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DA18FD1D
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:211ED887

< End of report >

OTL Extras logfile created on: 1/25/2012 9:29:59 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\CHRISSY RUSSELL\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.17 Mb Total Physical Memory | 170.88 Mb Available Physical Memory | 19.11% Memory free
1.09 Gb Paging File | 0.34 Gb Available in Paging File | 31.14% Paging File free
Paging file location(s): C:\pagefile.sys 288 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 22.69 Gb Free Space | 60.91% Space Free | Partition Type: NTFS

Computer Name: CHRIS-NAT | User Name: CHRISSY RUSSELL | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-2422525118-3929007035-3564027493-1007\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL
"C:\Program Files\Lexmark 1300 Series\app4r.exe" = C:\Program Files\Lexmark 1300 Series\App4R.exe:*:Enabled:BorgListener -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\IVP\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- (TOSHIBA Corporation)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\StubInstaller.exe" = C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer -- (LimeWire)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\WINDOWS\system32\lxdccoms.exe" = C:\WINDOWS\system32\lxdccoms.exe:*:Enabled:Lexmark Communications System -- ( )
"C:\Program Files\Lexmark 1300 Series\lxdcamon.exe" = C:\Program Files\Lexmark 1300 Series\lxdcamon.exe:*:Enabled:Lexmark Device Monitor -- (Lexmark)
"C:\Program Files\Lexmark 1300 Series\App4R.exe" = C:\Program Files\Lexmark 1300 Series\App4R.exe:*:Enabled:Lexmark Imaging Studio -- ()
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Documents and Settings\All Users\Application Data\a67495\SMa67_2211.exe" = C:\Documents and Settings\All Users\Application Data\a67495\SMa67_2211.exe:*:Enabled:Smart Engine

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{05832D65-6EDB-4D32-BA78-BCD0E2B91C02}" = Atheros Wireless LAN MiniPCI card Driver
"{099D12EC-0321-4CAC-A0CC-33D020156FCD}" = Toshiba Utility
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{11B569C2-4BF6-4ED0-9D17-A4273943CB24}" = Adobe Photoshop Album 2.0 Starter Edition
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}" = Macromedia Fireworks 8
"{536F7C74-844B-4683-B0C5-EA39E19A6FE3}" = Microsoft AntiSpyware
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{5A633ED0-E5D7-4D65-AB8D-53ED43510284}" = Symantec AntiVirus
"{5D96E2B1-D9AC-46E0-9073-425C5F63E338}" = Touch and Launch
"{6304CCF6-3343-4DA5-96B6-84B3A644B93B}" = USB Driver for Panasonic DVC
"{64212898-097F-4F3F-AECA-6D34A7EF82DF}" = TOSHIBA Zooming Utility
"{71D658CF-4E0D-4DA8-AA67-8C0B6F1C01FE}" = Atheros Client Utility
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for TOSHIBA
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = DVD-RAM Driver
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A1CFBEF8-D9F6-4B2A-BDBE-7D8C0B0FE03A}" = Toshiba Hotkey Utility
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B700113B-24A8-4D4C-8484-0CC944F764C8}" = Google SketchUp 8
"{BA561482-C49D-4687-A61C-96236C1688F0}" = ArcSoft Software Suite
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{D7CA2DF8-95CE-4C80-9296-98E21219A1E5}}_is1" = BovadaPoker
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F6C405D2-C50D-4D10-B89E-73A233A14D74}" = Toshiba Registration
"{F77890F3-774A-4CBE-A2E3-7BB0DC71D1FA}" = Toshiba Touchpad Utility
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AdobeESD" = Adobe Download Manager 2.0 (Remove Only)
"AIM_6.0" = AIM 6.0
"All ATI Software" = ATI - Software Uninstall Utility
"AOL Instant Messenger" = AOL Instant Messenger
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"ATI Display Driver" = ATI Display Driver
"Citrix ICA Web Client" = Citrix ICA Web Client
"CNXT_AUDIO" = Conexant AC-Link Audio
"CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_FF311179" = AC97 Data Fax SoftModem with SmartCP
"ComcastHSI" = Comcast High-Speed Internet Install Wizard
"Google Chrome" = Google Chrome
"InstallShield_{099D12EC-0321-4CAC-A0CC-33D020156FCD}" = Toshiba Utility
"InstallShield_{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"InstallShield_{6304CCF6-3343-4DA5-96B6-84B3A644B93B}" = USB Driver for Panasonic DVC
"InstallShield_{F77890F3-774A-4CBE-A2E3-7BB0DC71D1FA}" = Toshiba Touchpad Utility
"Lexmark 1300 Series" = Lexmark 1300 Series
"LimeWire" = LimeWire 4.14.8
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Notebook_Maximizer" = Notebook Maximizer
"PartyPoker" = PartyPoker
"PC Diagnostic Tool" = TOSHIBA PC Diagnostic Tool
"PokerStars" = PokerStars
"PokerStars.net" = PokerStars.net
"Port Magic" = Pure Networks Port Magic
"QuickTime" = QuickTime
"RealPlayer 6.0" = RealPlayer
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Toshiba Q4 Retail Demo.scr" = Toshiba Q4 Retail Demo ScreenSaver
"Toshiba Tbiosdrv Driver" = Toshiba Tbiosdrv Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2422525118-3929007035-3564027493-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"UB" = UB

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/14/2012 6:43:59 AM | Computer Name = CHRIS-NAT | Source = MsiInstaller | ID = 11309
Description = Product: Microsoft Office Standard Edition 2003 -- Error 1309. Error
reading from file: D:\SKU112.CAB. System error 21. Verify that the file exists
and that you can access it.

Error - 1/14/2012 6:44:45 AM | Computer Name = CHRIS-NAT | Source = MsiInstaller | ID = 11309
Description = Product: Microsoft Office Standard Edition 2003 -- Error 1309. Error
reading from file: D:\SKU112.CAB. System error 21. Verify that the file exists
and that you can access it.

Error - 1/14/2012 6:45:42 AM | Computer Name = CHRIS-NAT | Source = MsiInstaller | ID = 11309
Description = Product: Microsoft Office Standard Edition 2003 -- Error 1309. Error
reading from file: D:\SKU112.CAB. System error 21. Verify that the file exists
and that you can access it.

Error - 1/14/2012 7:36:12 AM | Computer Name = CHRIS-NAT | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/15/2012 12:38:35 PM | Computer Name = CHRIS-NAT | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x61416ee0.

Error - 1/15/2012 12:38:51 PM | Computer Name = CHRIS-NAT | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x0004487f.

Error - 1/15/2012 12:39:11 PM | Computer Name = CHRIS-NAT | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x000446da.

Error - 1/23/2012 9:54:30 PM | Computer Name = CHRIS-NAT | Source = Application Error | ID = 1000
Description = Faulting application vptray.exe, version 10.0.0.359, faulting module
unknown, version 0.0.0.0, fault address 0xffbadd11.

Error - 1/23/2012 10:11:44 PM | Computer Name = CHRIS-NAT | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.crt>
with error: The connection with the server was terminated abnormally

Error - 1/23/2012 10:11:44 PM | Computer Name = CHRIS-NAT | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.crt>
with error: This network connection does not exist.

[ System Events ]
Error - 1/23/2012 10:23:06 PM | Computer Name = CHRIS-NAT | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 1/23/2012 10:23:06 PM | Computer Name = CHRIS-NAT | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 1/23/2012 10:23:15 PM | Computer Name = CHRIS-NAT | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 1/23/2012 10:23:15 PM | Computer Name = CHRIS-NAT | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 1/23/2012 10:23:15 PM | Computer Name = CHRIS-NAT | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 1/25/2012 10:55:56 PM | Computer Name = CHRIS-NAT | Source = Service Control Manager | ID = 7003
Description = The AVGIDSAgent service depends on the following nonexistent service:
AVGIDSDriver

Error - 1/25/2012 10:55:56 PM | Computer Name = CHRIS-NAT | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Symantec AntiVirus service
to connect.

Error - 1/25/2012 10:55:59 PM | Computer Name = CHRIS-NAT | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 1/25/2012 10:56:06 PM | Computer Name = CHRIS-NAT | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 1/25/2012 10:57:32 PM | Computer Name = CHRIS-NAT | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

< End of report >

5. My computer seems to run ok other than getting various pop up warnings when I firt turn on the computer as well as the google redirect thing. Also, I can't seem to update my Norton Antivirus.

#4 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,666
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 26 January 2012 - 03:17 AM

Hi chrissywv!

You're very welcome!

You are still pretty heavily infected, and I believe you have a few patched files. We'll run a scan a little later in this post to check for such.

You ran the TDSSKiller scan fine, and you provided me with the exact information I needed from it.

You didn't disable the shareaccess service did you?

I'm going to set it back to automatic. If this is going to be an issue, please let me know before you proceed with the instructions below.

It looks like this infection has messed with a registry setting or two. We will need to fix this, but first we need to create a back-up of your registry, in case anything goes wrong.

ERUNT - Emergency Recovery Utility NT
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
This is a free program that allows you to keep a complete backup of your registry and restore it when needed.
ERUNT utility program
Download:

Please download ERUNT...by Lars Hederer. Save it to your desktop.
Double-click erunt-setup-exe to start the install process. Follow the install prompts.
Use the default install settings...
say "NO" to the section that asks you to add ERUNT to the Start-Up folder. Enable this option later if desired.
Start ERUNT by opting to start the program at the end of setup -or- double click the desktop icon.
Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
Make sure that at least the first two check boxes are selected.
Click on OK ... Then click on "YES" to create the folder.

Run:

Please navigate to Start >> All Programs >> ERUNT. Click on OK within the pop-up menu.
In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
- System registry.
- Current user registry.
Next click on "OK"... at the prompt... reply "Yes".
After a short duration the Registry backup is complete! pop-up message will appear.
Now click on "OK". A registry backup has now been created.

< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

NEXT:

Please download the following registry fixes to your Desktop.

wuauserv.reg (1.81K)
Number of downloads: 1

wscsvc.reg (3.57K)
Number of downloads: 1

legacy_wuauserv.reg (529bytes)
Number of downloads: 1

legacy_wscsvc.reg (1.02K)
Number of downloads: 1

You will be downloading wscsvc.reg, wuauserv.reg, legacy_wscsvc.reg, and legacy_wuauserv.reg

You will want to double click on wscsvc.reg and when it asks if you want to merge it with your registry please select YES.

Manual method for Windows XP:

Quote

Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.
Click Apply and OK.
Now double-click LEGACY_wscsvc.reg and confirm the prompt. Do the following for LEGACY_wuauserv.reg
Please go back to the the Root key again while Everyone is selected remove check mark in the box under Allow next to Full Control and close the registry.

NEXT:

OTL Fix

We need to run an OTL Fix

Note: If you have Malwarebytes 1.6 or higher installed please disable it for the duration of this fix as it may interfere with the successfully execution of the script below.

Please reopen on your desktop.

Copy and Paste the following code into the Posted Image

textbox.

:Services
:Processes
KILLALLPROCESSES
:OTL
IE - HKU\S-1-5-21-2422525118-3929007035-3564027493-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25537
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll File not found
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKU\S-1-5-21-2422525118-3929007035-3564027493-1007\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O4 - HKLM..\Run: [CFSServ.exe] CFSServ.exe -NoClient File not found
O4 - HKLM..\Run: [lxdcmon.exe] "C:\Program Files\Lexmark 1300 Series\lxdcmon.exe" File not found
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart)
[2012/01/11 21:30:35 | 000,013,482 | -HS- | M] () -- C:\Documents and Settings\CHRISSY RUSSELL\Local Settings\Application Data\vm62u716ws666j6e2uttw87f82u
[2012/01/11 21:30:35 | 000,013,482 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\vm62u716ws666j6e2uttw87f82u
[2012/01/11 21:28:26 | 000,013,482 | -HS- | C] () -- C:\Documents and Settings\CHRISSY RUSSELL\Local Settings\Application Data\vm62u716ws666j6e2uttw87f82u
[2012/01/11 21:28:26 | 000,013,482 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\vm62u716ws666j6e2uttw87f82u
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DA18FD1D
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:211ED887

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\All Users\Application Data\a67495\SMa67_2211.exe"=-
:Files
C:\Documents and Settings\All Users\Application Data\a67495\
sc start SharedAccess /c
sc config SharedAccess start= auto /c
echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CreateRestorePoint]
[emptytemp]
[EMPTYFLASH]
[EMPTYJAVA]

Push
OTL may ask to reboot the machine. Please do so if asked.
Click the OK button.
A report will open. Copy and Paste that report in your next reply.
If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

NEXT:

OTL Custom Scan

We need to create a new OTL Report

Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Click on the NONE button at the top.

In the custom scan box paste the following:

msconfig
safebootminimal
activex
drivers32
netsvcs
"%WinDir%\$NtUninstallKB*$."
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.sys
atapi.sys
explorer.exe
winlogon.exe
wininit.exe
AegisP.sys
cdrom.sys
drvmcdb.sys
drvnddm.sys
meiudf.sys
netdevio.sys
pfc.sys
PxHelp20.sys
qkbfiltr.sys
qmofiltr.sys
sscdbhk5.sys
ssrtln.sys
TBiosDrv.sys
tfsnboio.sys
tfsncofs.sys
tfsndrct.sys
tfsndres.sys
tfsnifs.sys
tfsnopio.sys
tfsnpool.sys
tfsnudf.sys
tfsnudfa.sys
svchost.exe
/md5stop
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs

Push the button.
One report will open, copy and paste it in a reply here:
- OTL.txt <-- Will be opened

NEXT:

Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. OTL fix log.
3. OTL Custom Scan log file.
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

#5 chrissywv

Member

Group: Members
Posts: 19
Joined: 23-January 12

Posted 26 January 2012 - 09:27 PM

Hello Agent ST!

I'm not having much luck tonight.

I was able to successfully back up my computer and I believe I also successfully downloaded and ran the registery files but when I paste the first fix into OTL, it ran for a few ands then timeed out. I ended up killing the process but unless I reboot, I have no desktop icons or start menu. I wasn't sure if I should try to run the second fix since the first wouldn't run so I stopped to email you.

Also, I get the following error message everytime I log in.

The ordinal 1109 could not be located in the dynamic link library WSOCK32.dll.

I will wait to hear from you before I do anything else. Thanks!

Chrissy

#6 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,666
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 27 January 2012 - 04:01 AM

Hi!

Sorry to hear you heat a speed bump when you ran the OTL fix.

Quote

Also, I get the following error message everytime I log in.

The ordinal 1109 could not be located in the dynamic link library WSOCK32.dll.

Is this the exact wording of the error message you receive? If not, can you provide me with it?

Can you please reboot your computer and then run this OTL Custom Scan Script for me?

OTL Custom Scan

We need to create a new OTL Report

Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Click on the NONE button at the top.

In the custom scan box paste the following:

msconfig
safebootminimal
activex
drivers32
netsvcs
"%WinDir%\$NtUninstallKB*$."
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.sys
atapi.sys
explorer.exe
winlogon.exe
wininit.exe
AegisP.sys
cdrom.sys
drvmcdb.sys
drvnddm.sys
meiudf.sys
netdevio.sys
pfc.sys
PxHelp20.sys
qkbfiltr.sys
qmofiltr.sys
sscdbhk5.sys
ssrtln.sys
TBiosDrv.sys
tfsnboio.sys
tfsncofs.sys
tfsndrct.sys
tfsndres.sys
tfsnifs.sys
tfsnopio.sys
tfsnpool.sys
tfsnudf.sys
tfsnudfa.sys
svchost.exe
/md5stop
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs

Push the button.
One report will open, copy and paste it in a reply here:
- OTL.txt <-- Will be opened

#7 chrissywv

Member

Group: Members
Posts: 19
Joined: 23-January 12

Posted 27 January 2012 - 09:06 AM

That is the exact wording of the error message. I will try to get a screen shot for you on my next post. The new OTL log is attached below. Thanks!

Chrissy

OTL logfile created on: 1/27/2012 7:55:41 AM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\CHRISSY RUSSELL\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.17 Mb Total Physical Memory | 303.58 Mb Available Physical Memory | 33.95% Memory free
1.09 Gb Paging File | 0.67 Gb Available in Paging File | 61.89% Paging File free
Paging file location(s): C:\pagefile.sys 288 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 22.20 Gb Free Space | 59.59% Space Free | Partition Type: NTFS

Computer Name: CHRIS-NAT | User Name: CHRISSY RUSSELL | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

SafeBootMin: !SASCORE - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com)
SafeBootMin: AppMgmt - File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA851-CC51-11CF-AAFA-00AA00B6015C} - rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - Fax Provider
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EFCE7BE0-510E-4932-9475-F44CD90DE16A} - Microsoft .NET Framework 1.1 Security Update (KB2572067)
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Custom Scans ==========

< "%WinDir%\$NtUninstallKB*$." >
[2010/08/16 22:29:40 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2079403$
[2010/08/16 22:30:15 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2115168$
[2010/09/15 14:21:33 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2121546$
[2010/09/15 14:18:23 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2141007$
[2010/09/28 21:33:30 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2158563$
[2010/08/16 22:25:46 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2160329$
[2010/08/16 22:30:43 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2183461$
[2010/07/15 16:29:37 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2229593$
[2010/09/15 14:21:53 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2259922$
[2010/10/14 20:23:47 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2279986$
[2010/08/16 22:23:01 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2286198$
[2010/10/14 20:23:31 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2296011$
[2010/10/14 20:23:40 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2345886$
[2010/09/15 14:21:41 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2347290$
[2010/10/14 20:23:02 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2360131$
[2010/10/14 20:19:17 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2360937$
[2010/10/14 20:23:22 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2378111_WM9$
[2010/10/14 20:23:57 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2387149$
[2011/12/24 20:49:24 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2393802$
[2011/12/24 20:51:51 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2412687$
[2011/12/24 20:51:25 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2419632$
[2011/12/24 20:47:04 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2423089$
[2011/12/24 20:56:18 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2440591$
[2011/12/24 20:56:52 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2443105$
[2011/12/24 20:55:52 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2476490$
[2011/12/24 20:49:33 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2478960$
[2011/12/24 21:01:20 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2478971$
[2011/12/24 21:01:49 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2479943$
[2011/12/24 20:56:34 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2481109$
[2011/12/24 20:55:30 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2483185$
[2011/12/24 20:56:26 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2485663$
[2011/12/24 21:00:58 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2491683$
[2011/12/24 20:50:52 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2506212$
[2011/12/24 20:51:36 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2507618$
[2011/12/24 20:56:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2507938$
[2011/12/24 20:51:13 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2508429$
[2011/12/24 20:49:58 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2509553$
[2011/12/24 20:56:01 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2510581$
[2011/12/24 20:51:59 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2535512$
[2011/12/24 20:57:00 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2536276-v2$
[2011/12/24 20:49:49 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2541763$
[2011/12/24 20:49:42 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2544521$
[2011/12/24 21:01:09 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2544893-v2$
[2011/12/24 21:01:29 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2564958$
[2011/12/24 20:48:52 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2566454$
[2011/12/24 21:01:40 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2567680$
[2011/12/24 20:55:05 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2570222$
[2011/12/24 20:51:45 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2570947$
[2012/01/26 20:07:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2584146$
[2011/12/24 20:55:12 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2592799$
[2012/01/27 07:53:58 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2598479$
[2012/01/26 20:07:26 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2603381$
[2011/12/24 20:50:17 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2618444$
[2011/12/24 20:50:31 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2618451$
[2011/12/24 20:50:39 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2619339$
[2011/12/24 20:49:14 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2620712$
[2011/12/24 20:55:20 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2624667$
[2012/01/27 07:54:16 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2631813$
[2011/12/24 20:48:27 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2633171$
[2011/12/24 20:50:44 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2633952$
[2011/12/24 20:56:45 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2639417$
[2011/12/24 20:55:43 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2641690$
[2012/01/27 07:54:48 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2646524$
[2009/11/16 20:51:27 | 000,000,000 | -HSD | M] -- C:\WINDOWS\$NtUninstallKB58688$
[2005/08/09 15:34:30 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB873333$
[2005/08/09 15:34:50 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB873339$
[2005/08/09 15:34:59 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB884018$
[2005/08/09 15:35:10 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB885250$
[2005/08/09 15:35:22 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB885835$
[2005/08/09 15:35:34 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB885836$
[2005/08/09 15:35:44 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB886185$
[2010/10/17 20:49:09 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB887472$
[2005/11/28 14:36:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB887742$
[2005/11/28 15:03:06 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB887797$
[2005/08/09 15:36:37 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB888113$
[2005/08/09 15:36:47 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB888302$
[2005/08/09 15:36:59 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB889673$
[2005/11/28 14:36:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB890046$
[2005/08/09 15:37:13 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB890047$
[2005/08/09 15:37:29 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB890175$
[2005/11/28 14:34:42 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB890859$
[2005/08/09 15:37:46 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB890923$
[2005/08/09 15:38:01 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB891781$
[2005/08/09 15:38:14 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB893056$
[2005/08/09 15:38:30 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB893066$
[2005/08/09 15:38:45 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB893086$
[2005/11/28 14:36:42 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB893756$
[2005/11/28 14:34:59 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB894391$
[2005/08/09 15:47:30 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB894871$
[2005/08/09 15:44:08 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB895200$
[2005/11/28 15:03:19 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB896344$
[2005/11/28 14:36:27 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB896358$
[2005/11/28 14:37:22 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB896422$
[2005/11/28 14:36:37 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB896423$
[2005/11/28 14:36:47 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB896424$
[2005/11/28 14:35:09 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB896428$
[2005/11/28 14:35:56 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB896688$
[2005/11/28 13:08:50 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB898461$
[2005/11/28 14:37:27 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB899587$
[2005/11/28 14:36:53 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB899591$
[2006/05/18 10:48:30 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB900485$
[2005/11/28 14:35:23 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB900725$
[2005/11/28 15:03:31 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB900930$
[2005/11/28 14:36:57 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB901017$
[2005/11/28 14:35:37 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB901214$
[2005/11/28 15:04:31 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB902344$
[2005/11/28 14:36:18 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB902400$
[2005/11/28 14:35:17 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB904706$
[2012/01/12 21:13:28 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB905414$
[2005/11/28 14:35:13 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB905749$
[2005/12/17 23:39:02 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB905915$
[2006/01/15 00:34:40 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB908519$
[2006/05/18 10:48:38 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB908531$
[2005/12/17 23:39:22 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB910437$
[2007/06/03 21:06:13 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB911280$
[2006/05/18 10:47:17 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB911562$
[2006/03/26 23:36:40 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB911564$
[2006/03/26 23:36:17 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB911565$
[2006/05/18 10:46:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB911567$
[2006/03/26 23:36:47 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB911927$
[2006/05/18 10:46:55 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB912812$
[2006/01/15 00:34:55 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB912919$
[2006/03/26 23:35:29 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB913446$
[2006/05/18 10:48:53 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB913580$
[2006/11/23 18:08:41 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB914388$
[2006/06/19 13:19:05 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB914389$
[2006/06/19 13:19:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB916281$
[2006/11/23 18:07:55 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB916595$
[2006/06/19 13:19:54 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB917344$
[2006/11/23 18:08:27 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB917422$
[2006/06/19 13:20:47 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB917734_WMP10$
[2006/06/19 13:19:47 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB917953$
[2007/06/03 20:59:25 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB918118$
[2012/01/15 12:02:03 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB918439$
[2006/11/23 18:09:20 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB918899$
[2006/11/23 18:08:47 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB919007$
[2007/06/03 20:59:13 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB920213$
[2006/11/23 18:09:05 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB920670$
[2006/10/30 22:49:22 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB920683$
[2007/06/03 21:06:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB920685$
[2006/11/23 18:08:57 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB920872$
[2007/09/13 18:53:16 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB921503$
[2006/11/23 18:08:20 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB922582$
[2007/06/03 21:09:16 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB922819$
[2006/11/23 18:08:33 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB923191$
[2007/06/03 21:08:31 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB923414$
[2009/11/17 03:03:02 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB923561$
[2007/06/03 21:00:15 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB923689$
[2007/06/03 20:57:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB923694$
[2007/06/03 21:06:26 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB923980$
[2007/06/03 21:09:27 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB924191$
[2007/06/03 21:01:20 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB924270$
[2007/06/03 21:01:04 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB924496$
[2007/06/03 21:01:30 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB924667$
[2007/06/03 21:07:01 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB925398_WMP64$
[2006/11/23 18:08:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB925486$
[2007/06/03 20:59:48 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB925902$
[2007/06/03 20:59:19 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB926255$
[2007/06/03 20:59:41 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB926436$
[2007/06/03 21:09:46 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB927779$
[2007/06/03 21:09:36 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB927802$
[2007/06/03 21:00:56 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB927891$
[2007/06/03 21:08:02 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB928255$
[2007/06/03 20:57:17 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB928843$
[2007/09/13 18:52:41 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB929123$
[2007/06/03 21:07:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB929969$
[2007/06/03 20:59:36 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB930178$
[2007/06/03 20:59:04 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB930916$
[2007/06/03 21:01:10 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB931261$
[2007/06/03 21:00:33 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB931768$
[2007/06/03 21:07:26 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB931784$
[2007/06/03 21:00:49 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB931836$
[2007/06/03 20:59:31 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB932168$
[2007/09/10 18:35:19 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB933360$
[2007/09/10 18:34:39 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB935839$
[2007/09/10 18:35:12 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB935840$
[2007/09/13 18:53:35 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB936021$
[2007/09/13 18:53:22 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB936357$
[2007/09/10 18:33:55 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB936782_WMP10$
[2007/09/10 18:34:54 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB937143$
[2007/09/10 18:35:25 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB938127$
[2009/11/16 21:04:14 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB938464$
[2009/11/16 19:11:31 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB938464_0$
[2007/09/13 18:53:29 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB938828$
[2007/09/13 18:53:04 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB938829$
[2009/11/16 19:21:00 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB941569$
[2009/11/16 19:04:48 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB944338-v2$
[2009/11/16 21:06:29 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB946648$
[2009/11/16 19:25:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB946648_0$
[2009/11/16 21:08:00 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB950762$
[2009/11/16 19:17:12 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB950762_0$
[2009/11/16 21:09:50 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB950974$
[2009/11/16 19:24:20 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB950974_0$
[2009/11/16 21:11:28 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951066$
[2009/11/16 19:12:35 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951066_0$
[2009/11/16 19:15:51 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951072-v2$
[2009/11/16 21:13:07 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951376-v2$
[2009/11/16 19:25:27 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951376-v2_0$
[2009/11/16 21:14:31 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951698$
[2009/11/16 19:24:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951698_0$
[2009/11/17 03:04:59 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951748$
[2009/11/17 07:44:45 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951978$
[2009/11/17 03:10:04 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952004$
[2009/11/17 06:58:36 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952069_WM9$
[2009/11/16 21:16:06 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952287$
[2009/11/16 19:13:51 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952287_0$
[2009/11/16 21:17:28 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952954$
[2009/11/16 19:25:20 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952954_0$
[2009/11/17 07:09:54 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB954155_WM9$
[2009/11/16 21:19:01 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB954211$
[2009/11/16 19:23:55 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB954211_0$
[2009/11/17 06:59:39 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB954459$
[2009/11/17 03:03:38 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB955069$
[2010/01/18 12:35:53 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB955759$
[2009/11/16 21:20:24 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956390$
[2009/11/16 19:07:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956390_0$
[2009/11/16 19:24:36 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956391$
[2009/11/17 03:11:23 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956572$
[2009/11/17 07:03:06 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956744$
[2009/11/17 03:03:20 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956802$
[2009/11/16 21:21:39 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956803$
[2009/11/16 19:24:52 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956803_0$
[2009/11/16 21:21:53 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956841$
[2009/11/16 19:22:48 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956841_0$
[2009/11/17 03:11:07 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956844$
[2009/11/16 21:23:33 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB957095$
[2009/11/16 19:24:28 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB957095_0$
[2009/11/17 03:09:39 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB957097$
[2009/11/16 21:24:53 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB958644$
[2009/11/16 19:10:24 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB958644_0$
[2009/11/17 03:09:26 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB958687$
[2009/11/17 03:13:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB958869$
[2009/11/17 03:14:14 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB959426$
[2009/11/17 03:11:59 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB960225$
[2009/11/17 03:04:12 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB960803$
[2009/11/17 03:14:04 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB960859$
[2009/11/17 14:17:45 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB961118$
[2009/11/17 03:12:40 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB961371-v2$
[2009/11/17 03:10:58 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB961501$
[2009/11/17 03:08:05 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB967715$
[2009/11/17 03:01:50 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB968389$
[2009/11/17 07:44:21 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB968816_WM9$
[2009/11/17 03:12:56 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB969059$
[2009/11/17 03:01:25 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB969947$
[2009/11/17 03:04:49 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB970238$
[2009/12/11 02:48:33 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB970430$
[2009/11/17 03:02:43 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB970653-v3$
[2011/12/24 20:51:03 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971029$
[2010/02/15 11:56:50 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971468$
[2009/11/17 03:04:28 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971486$
[2009/11/17 03:12:07 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971557$
[2009/11/17 03:10:47 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971633$
[2009/11/17 03:12:17 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971657$
[2009/12/11 02:47:45 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971737$
[2009/11/17 06:57:19 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971961$
[2010/01/18 12:35:41 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB972270$
[2009/11/17 03:09:02 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973354$
[2009/11/17 03:09:47 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973507$
[2009/11/17 03:03:54 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973525$
[2009/11/17 07:01:04 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973540_WM9$
[2009/11/24 19:47:40 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973687$
[2009/11/17 03:04:01 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973815$
[2009/11/17 03:10:37 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973869$
[2009/12/11 02:48:02 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973904$
[2009/11/17 03:11:53 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB974112$
[2009/12/11 02:48:24 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB974318$
[2009/12/11 02:47:54 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB974392$
[2009/11/17 03:13:36 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB974455$
[2009/11/17 03:09:54 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB974571$
[2009/11/17 03:10:24 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975025$
[2009/11/17 03:02:30 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975467$
[2010/09/15 14:21:48 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975558_WM8$
[2010/02/15 11:54:14 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975560$
[2010/03/12 15:32:09 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975561$
[2010/07/06 21:29:24 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975562$
[2010/02/15 11:54:27 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975713$
[2009/11/24 19:47:51 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB976098-v2$
[2009/12/11 02:48:15 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB976325$
[2009/11/17 14:22:03 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB976749$
[2010/03/08 21:09:45 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB977165-v2$
[2010/04/15 14:40:56 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB977816$
[2010/02/15 11:54:05 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB977914$
[2010/02/15 11:54:34 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978037$
[2010/01/21 16:31:00 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978207$
[2010/02/15 11:54:20 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978251$
[2010/02/15 11:56:55 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978262$
[2010/04/15 14:41:07 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978338$
[2010/05/16 19:55:05 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978542$
[2010/04/13 21:23:05 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978601$
[2010/07/06 21:29:51 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978695_WM9$
[2010/02/15 11:53:49 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978706$
[2010/02/23 20:30:44 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB979306$
[2010/04/13 21:22:54 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB979309$
[2010/07/06 21:29:43 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB979482$
[2010/07/06 21:32:43 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB979559$
[2010/04/15 14:43:41 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB979683$
[2010/10/14 20:22:48 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB979687$
[2010/03/30 21:15:12 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB980182$
[2010/07/06 21:39:04 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB980195$
[2010/07/06 21:39:39 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB980218$
[2010/04/15 14:43:31 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB980232$
[2010/08/16 22:25:39 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB980436$
[2010/09/15 14:21:18 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB981322$
[2010/04/15 14:41:12 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB981349$
[2010/07/06 21:32:50 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB981793$
[2010/08/16 22:29:53 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB981852$
[2010/10/14 20:19:27 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB981957$
[2010/08/16 22:22:54 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB981997$
[2010/10/14 20:23:13 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB982132$
[2010/08/16 22:30:22 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB982214$
[2010/07/06 21:21:00 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB982381$
[2010/08/16 22:22:42 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB982665$
[2010/09/15 14:21:26 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB982802$

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2005/08/09 08:09:08 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2005/08/09 08:09:08 | 000,634,880 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2005/08/09 08:09:08 | 000,876,544 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >

< %SYSTEMDRIVE%\*.exe >
[2005/10/31 09:56:00 | 000,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe

< MD5 for: AEGISP.SYS >
[2005/11/25 14:40:56 | 000,017,801 | ---- | M] (Meetinghouse Data Communications) MD5=2C5C22990156A1063E19AD162191DC1D -- C:\WINDOWS\system32\drivers\AegisP.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/11/16 20:40:22 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2009/11/16 20:40:22 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 06:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: CDROM.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:cdrom.sys
[2009/11/16 20:40:22 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:cdrom.sys
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:cdrom.sys
[2009/11/16 20:40:22 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:cdrom.sys
[2008/04/13 12:40:46 | 000,062,976 | ---- | M] (Microsoft Corporation) MD5=1F4260CC5B42272D71F79E570A27A4FE -- C:\WINDOWS\ServicePackFiles\i386\cdrom.sys
[2004/08/04 06:00:00 | 000,049,536 | ---- | M] (Microsoft Corporation) MD5=AF9C19B3100FE010496B1A27181FBF72 -- C:\WINDOWS\$NtServicePackUninstall$\cdrom.sys
[2008/04/13 12:40:46 | 000,062,976 | ---- | M] () MD5=D5790D4FBFBCBA5A124B7E1844944C53 -- C:\WINDOWS\system32\drivers\cdrom.sys

< MD5 for: DRVMCDB.SYS >
[2005/04/22 04:22:00 | 000,088,352 | ---- | M] (Sonic Solutions) MD5=96BC8F872F0270C10EDC3931F1C03776 -- C:\Program Files\Sonic\DLA\install\drvmcdb.sys
[2005/04/22 04:22:00 | 000,088,352 | ---- | M] (Sonic Solutions) MD5=96BC8F872F0270C10EDC3931F1C03776 -- C:\WINDOWS\system32\drivers\drvmcdb.sys

< MD5 for: DRVNDDM.SYS >
[2005/04/21 03:56:00 | 000,040,544 | ---- | M] (Sonic Solutions) MD5=5AFBEC7A6AC61B211633DFDB1D9E0C89 -- C:\Program Files\Sonic\DLA\install\drvnddm.sys
[2005/04/21 03:56:00 | 000,040,544 | ---- | M] (Sonic Solutions) MD5=5AFBEC7A6AC61B211633DFDB1D9E0C89 -- C:\WINDOWS\system32\drivers\drvnddm.sys

< MD5 for: EXPLORER.EXE >
[2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Documents and Settings\CHRISSY RUSSELL\Local Settings\Temp\RarSFX1\procs\explorer.exe
[2007/06/13 05:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 04:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/04 06:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\CHRISSY RUSSELL\Local Settings\Temp\RarSFX1\h\explorer.exe
[2008/04/13 18:12:08 | 001,058,816 | ---- | M] (Microsoft Corporation) MD5=EC4C168CF2E4AAF60848C5C7CFC02BD0 -- C:\WINDOWS\explorer.exe

< MD5 for: MEIUDF.SYS >
[2005/06/02 04:33:00 | 000,102,384 | ---- | M] (Matsubleepa Electric Industrial Co.,Ltd.) MD5=7EFAC183A25B30FB5D64CC9D484B1EB6 -- C:\WINDOWS\system32\drivers\meiudf.sys

< MD5 for: NETDEVIO.SYS >
[2003/01/29 15:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) MD5=1265EB253ED4EBE4ACB3BD5F548FF796 -- C:\Program Files\Toshiba\ConfigFree\NETDEVIO.SYS
[2003/01/29 15:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) MD5=1265EB253ED4EBE4ACB3BD5F548FF796 -- C:\WINDOWS\system32\drivers\Netdevio.sys

< MD5 for: PFC.SYS >
[2003/09/19 16:45:48 | 000,021,248 | ---- | M] (Padus, Inc.) MD5=6C1618A07B49E3873582B6449E744088 -- C:\WINDOWS\system32\drivers\pfc.sys

< MD5 for: PXHELP20.SYS >
[2005/03/29 03:03:00 | 000,020,640 | ---- | M] (Sonic Solutions) MD5=25F7C4453F189F79EB3846D3E23805A0 -- C:\WINDOWS\system32\drivers\pxhelp20.sys

< MD5 for: QKBFILTR.SYS >
[2005/05/09 16:17:06 | 000,031,360 | ---- | M] (Quanta Computer, Inc.) MD5=C50FAA6FDA843FA2172AA2B9C3CD1DAB -- C:\WINDOWS\system32\drivers\qkbfiltr.sys

< MD5 for: QMOFILTR.SYS >
[2005/05/05 15:27:38 | 000,007,936 | ---- | M] (Quanta Computer, Inc.) MD5=8652B9E134C3478BE948BF089DF8ED5E -- C:\WINDOWS\system32\drivers\qmofiltr.sys

< MD5 for: SSCDBHK5.SYS >
[2005/05/13 11:37:28 | 000,005,627 | ---- | M] (Sonic Solutions) MD5=98625722AD52B40305E74AAA83C93086 -- C:\Program Files\Sonic\DLA\install\sscdbhk5.sys
[2005/05/13 11:37:28 | 000,005,627 | ---- | M] (Sonic Solutions) MD5=98625722AD52B40305E74AAA83C93086 -- C:\WINDOWS\system32\drivers\sscdbhk5.sys

< MD5 for: SSRTLN.SYS >
[2005/05/13 11:37:20 | 000,023,545 | ---- | M] (Sonic Solutions) MD5=D79412E3942C8A257253487536D5A994 -- C:\Program Files\Sonic\DLA\install\ssrtln.sys
[2005/05/13 11:37:20 | 000,023,545 | ---- | M] (Sonic Solutions) MD5=D79412E3942C8A257253487536D5A994 -- C:\WINDOWS\system32\drivers\ssrtln.sys

< MD5 for: SVCHOST.EXE >
[2008/04/13 18:12:08 | 000,039,936 | ---- | M] (Microsoft Corporation) MD5=1852A19B834058F489F85EB520A88D15 -- C:\WINDOWS\system32\svchost.exe
[2008/04/13 18:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2004/08/04 06:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: TBIOSDRV.SYS >
[2003/06/11 09:53:22 | 000,006,867 | ---- | M] () MD5=EECA2B57545E7B7BE949B5E70E31444F -- C:\WINDOWS\system32\drivers\tbiosdrv.sys

< MD5 for: TFSNBOIO.SYS >
[2005/05/31 06:33:00 | 000,025,725 | ---- | M] (Sonic Solutions) MD5=D0177776E11B0B3F272EEBD262A69661 -- C:\Program Files\Sonic\DLA\install\tfsnboio.sys
[2005/05/31 06:33:00 | 000,025,725 | ---- | M] (Sonic Solutions) MD5=D0177776E11B0B3F272EEBD262A69661 -- C:\WINDOWS\system32\dla\tfsnboio.sys

< MD5 for: TFSNCOFS.SYS >
[2005/05/31 06:33:00 | 000,034,845 | ---- | M] (Sonic Solutions) MD5=599804BC938B8305A5422319774DA871 -- C:\Program Files\Sonic\DLA\install\tfsncofs.sys
[2005/05/31 06:33:00 | 000,034,845 | ---- | M] (Sonic Solutions) MD5=599804BC938B8305A5422319774DA871 -- C:\WINDOWS\system32\dla\tfsncofs.sys

< MD5 for: TFSNDRCT.SYS >
[2005/05/31 06:33:00 | 000,004,125 | ---- | M] (Sonic Solutions) MD5=A1902C00ADC11C4D83F8E3ED947A6A32 -- C:\Program Files\Sonic\DLA\install\tfsndrct.sys
[2005/05/31 06:33:00 | 000,004,125 | ---- | M] (Sonic Solutions) MD5=A1902C00ADC11C4D83F8E3ED947A6A32 -- C:\WINDOWS\system32\dla\tfsndrct.sys

< MD5 for: TFSNDRES.SYS >
[2005/05/31 06:33:00 | 000,002,241 | ---- | M] (Sonic Solutions) MD5=D8DDB3F2B1BEF15CFF6728D89C042C61 -- C:\Program Files\Sonic\DLA\install\tfsndres.sys
[2005/05/31 06:33:00 | 000,002,241 | ---- | M] (Sonic Solutions) MD5=D8DDB3F2B1BEF15CFF6728D89C042C61 -- C:\WINDOWS\system32\dla\tfsndres.sys

< MD5 for: TFSNIFS.SYS >
[2005/05/31 06:33:00 | 000,086,876 | ---- | M] (Sonic Solutions) MD5=C4F2DEA75300971CDAEE311007DE138D -- C:\Program Files\Sonic\DLA\install\tfsnifs.sys
[2005/05/31 06:33:00 | 000,086,876 | ---- | M] (Sonic Solutions) MD5=C4F2DEA75300971CDAEE311007DE138D -- C:\WINDOWS\system32\dla\tfsnifs.sys

< MD5 for: TFSNOPIO.SYS >
[2005/05/31 06:33:00 | 000,015,069 | ---- | M] (Sonic Solutions) MD5=272925BE0EA919F08286D2EE6F102B0F -- C:\Program Files\Sonic\DLA\install\tfsnopio.sys
[2005/05/31 06:33:00 | 000,015,069 | ---- | M] (Sonic Solutions) MD5=272925BE0EA919F08286D2EE6F102B0F -- C:\WINDOWS\system32\dla\tfsnopio.sys

< MD5 for: TFSNPOOL.SYS >
[2005/05/31 06:33:00 | 000,006,365 | ---- | M] (Sonic Solutions) MD5=7B7D955E5CEBC2FB88B03EF875D52A2F -- C:\Program Files\Sonic\DLA\install\tfsnpool.sys
[2005/05/31 06:33:00 | 000,006,365 | ---- | M] (Sonic Solutions) MD5=7B7D955E5CEBC2FB88B03EF875D52A2F -- C:\WINDOWS\system32\dla\tfsnpool.sys

< MD5 for: TFSNUDF.SYS >
[2005/05/31 06:33:00 | 000,098,716 | ---- | M] (Sonic Solutions) MD5=E3D01263109D800C1967C12C10A0B018 -- C:\Program Files\Sonic\DLA\install\tfsnudf.sys
[2005/05/31 06:33:00 | 000,098,716 | ---- | M] (Sonic Solutions) MD5=E3D01263109D800C1967C12C10A0B018 -- C:\WINDOWS\system32\dla\tfsnudf.sys

< MD5 for: TFSNUDFA.SYS >
[2005/05/31 06:33:00 | 000,100,605 | ---- | M] (Sonic Solutions) MD5=B9E9C377906E3A65BC74598FFF7F7458 -- C:\Program Files\Sonic\DLA\install\tfsnudfa.sys
[2005/05/31 06:33:00 | 000,100,605 | ---- | M] (Sonic Solutions) MD5=B9E9C377906E3A65BC74598FFF7F7458 -- C:\WINDOWS\system32\dla\tfsnudfa.sys

< MD5 for: VOLSNAP.SYS >
[2008/04/13 12:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\ServicePackFiles\i386\volsnap.sys
[2008/04/13 12:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\drivers\volsnap.sys
[2004/08/04 06:00:00 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=EE4660083DEBA849FF6C485D944B379B -- C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys

< MD5 for: WINLOGON.EXE >
[2004/08/04 06:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\CHRISSY RUSSELL\Local Settings\Temp\RarSFX1\winlogon.exe
[2008/04/13 18:12:08 | 000,545,280 | ---- | M] (Microsoft Corporation) MD5=DBD3103371FB897BB009348BA1AD9333 -- C:\WINDOWS\system32\winlogon.exe
[2008/04/13 18:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\aol.exe\InstallInfo\\ReinstallCommand: C:\PROGRA~1\AMERIC~1.0\accdef.exe -rb
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\aol.exe\InstallInfo\\HideIconsCommand: C:\PROGRA~1\AMERIC~1.0\accdef.exe -hb
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\aol.exe\InstallInfo\\ShowIconsCommand: C:\PROGRA~1\AMERIC~1.0\accdef.exe -sb
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\aol.exe\shell\open\command\\: C:\PROGRA~1\AMERIC~1.0\aol.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2012/01/19 23:35:36 | 001,047,024 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --show-icons [2012/01/19 23:35:36 | 001,047,024 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-icons [2012/01/19 23:35:36 | 001,047,024 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --make-default-browser [2012/01/19 23:35:36 | 001,047,024 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2012/01/19 23:35:36 | 001,047,024 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2008/04/13 18:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2008/04/13 18:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2008/04/13 18:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: iexplore.exe [2012/01/15 10:39:08 | 001,008,141 | ---- | M] ()

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\aol.exe\InstallInfo\\ReinstallCommand: C:\PROGRA~1\AMERIC~1.0\accdef.exe -rb
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\aol.exe\InstallInfo\\HideIconsCommand: C:\PROGRA~1\AMERIC~1.0\accdef.exe -hb
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\aol.exe\InstallInfo\\ShowIconsCommand: C:\PROGRA~1\AMERIC~1.0\accdef.exe -sb
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\aol.exe\shell\open\command\\: C:\PROGRA~1\AMERIC~1.0\aol.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2012/01/19 23:35:36 | 001,047,024 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --show-icons [2012/01/19 23:35:36 | 001,047,024 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-icons [2012/01/19 23:35:36 | 001,047,024 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --make-default-browser [2012/01/19 23:35:36 | 001,047,024 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2012/01/19 23:35:36 | 001,047,024 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2008/04/13 18:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2008/04/13 18:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2008/04/13 18:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: iexplore.exe [2012/01/15 10:39:08 | 001,008,141 | ---- | M] ()

< >

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB58688$] -> Error: Cannot create file handle -> Unknown point type

< End of report >

#8 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,666
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 27 January 2012 - 09:13 AM

Hi Chrissy!

Thanks for the confirmation about that message you're receiving at boot-up.

We'll have to look into that in a little bit. It'd be helpful if you could get me a screenshot of it later.

Running ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon.
They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.
Accept the disclaimer and allow to update if it asks
When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

#9 chrissywv

Member

Group: Members
Posts: 19
Joined: 23-January 12

Posted 27 January 2012 - 06:23 PM

I'm not sure if my last message went through so I apologize if you get the same message twice.

I had trouble with combofix. It downloaded and ran fine but before it could finish, my computer rebooted. When the computer came back up, I had a message that windows had updated so that my be the reason for the reboot. I checked my C drive and didn't see a log. Should I try to run combofix again?

Chrissy

#10 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,666
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 28 January 2012 - 02:40 AM

Hi Chrissy!

Sorry to hear things didn't go as expected.

Yes, please do me a favor and run ComboFix again.

Kindest Regards,
ST.

#11 chrissywv

Member

Group: Members
Posts: 19
Joined: 23-January 12

Posted 28 January 2012 - 10:34 AM

ST,

I ran combofix again but it threw up an error saying that my Symantec antivirus real time scanner is active and not to press ok until it was disabled. Before I ran combofix, I followed the instructions to disable it and I thought it worked but I guess not. I actually hate Symantec so I decided to just de-install it (I would rather buy something better). After I deinstalled it, it asked me to reboot. What should I do? If I reboot, will I damage anything with combofix or should I just restart and re-run combofix? Sorry, I hope I didn't mess anything up.

Chrissy

#12 chrissywv

Member

Group: Members
Posts: 19
Joined: 23-January 12

Posted 28 January 2012 - 11:50 AM

Good news Agent ST!

Please diregard my last message. My computer rebooted on it's own and I was able to successfully run combofix. The log is attached.

Thanks,
Chrissy

ComboFix 12-01-28.01 - CHRISSY RUSSELL 01/28/2012 10:25:09.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.648 [GMT -6:00]
Running from: c:\documents and settings\CHRISSY RUSSELL\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\aoylaaa.tmp
c:\documents and settings\All Users\Application Data\apdkaaa.tmp
c:\documents and settings\All Users\Application Data\bpdkaaa.tmp
c:\documents and settings\All Users\Application Data\cnvlaaa.tmp
c:\documents and settings\All Users\Application Data\cpdkaaa.tmp
c:\documents and settings\All Users\Application Data\dnvlaaa.tmp
c:\documents and settings\All Users\Application Data\envlaaa.tmp
c:\documents and settings\All Users\Application Data\eynlaaa.tmp
c:\documents and settings\All Users\Application Data\fnvlaaa.tmp
c:\documents and settings\All Users\Application Data\fynlaaa.tmp
c:\documents and settings\All Users\Application Data\gbamaaa.tmp
c:\documents and settings\All Users\Application Data\gnvlaaa.tmp
c:\documents and settings\All Users\Application Data\hbamaaa.tmp
c:\documents and settings\All Users\Application Data\hynlaaa.tmp
c:\documents and settings\All Users\Application Data\ibamaaa.tmp
c:\documents and settings\All Users\Application Data\icfkaaa.tmp
c:\documents and settings\All Users\Application Data\jbamaaa.tmp
c:\documents and settings\All Users\Application Data\jcfkaaa.tmp
c:\documents and settings\All Users\Application Data\kbamaaa.tmp
c:\documents and settings\All Users\Application Data\kcfkaaa.tmp
c:\documents and settings\All Users\Application Data\lcfkaaa.tmp
c:\documents and settings\All Users\Application Data\maxlaaa.tmp
c:\documents and settings\All Users\Application Data\mcfkaaa.tmp
c:\documents and settings\All Users\Application Data\naxlaaa.tmp
c:\documents and settings\All Users\Application Data\oaxlaaa.tmp
c:\documents and settings\All Users\Application Data\paxlaaa.tmp
c:\documents and settings\All Users\Application Data\qaxlaaa.tmp
c:\documents and settings\All Users\Application Data\spgkaaa.tmp
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\tpgkaaa.tmp
c:\documents and settings\All Users\Application Data\upgkaaa.tmp
c:\documents and settings\All Users\Application Data\vpgkaaa.tmp
c:\documents and settings\All Users\Application Data\wnylaaa.tmp
c:\documents and settings\All Users\Application Data\wpgkaaa.tmp
c:\documents and settings\All Users\Application Data\xnylaaa.tmp
c:\documents and settings\All Users\Application Data\ynylaaa.tmp
c:\documents and settings\All Users\Application Data\znylaaa.tmp
c:\documents and settings\All Users\Application Data\zodkaaa.tmp
c:\documents and settings\CHRISSY RUSSELL\Application Data\Smart Engine
c:\documents and settings\CHRISSY RUSSELL\Recent\cb.sys
c:\documents and settings\CHRISSY RUSSELL\Recent\cid.exe
c:\documents and settings\CHRISSY RUSSELL\Recent\CLSV.exe
c:\documents and settings\CHRISSY RUSSELL\Recent\CLSV.sys
c:\documents and settings\CHRISSY RUSSELL\Recent\DBOLE.drv
c:\documents and settings\CHRISSY RUSSELL\Recent\delfile.sys
c:\documents and settings\CHRISSY RUSSELL\Recent\eb.sys
c:\documents and settings\CHRISSY RUSSELL\Recent\energy.drv
c:\documents and settings\CHRISSY RUSSELL\Recent\exec.exe
c:\documents and settings\CHRISSY RUSSELL\Recent\fan.dll
c:\documents and settings\CHRISSY RUSSELL\Recent\fan.drv
c:\documents and settings\CHRISSY RUSSELL\Recent\FS.dll
c:\documents and settings\CHRISSY RUSSELL\Recent\FS.drv
c:\documents and settings\CHRISSY RUSSELL\Recent\FW.drv
c:\documents and settings\CHRISSY RUSSELL\Recent\grid.drv
c:\documents and settings\CHRISSY RUSSELL\Recent\hymt.sys
c:\documents and settings\CHRISSY RUSSELL\Recent\kernel32.dll
c:\documents and settings\CHRISSY RUSSELL\Recent\kernel32.sys
c:\documents and settings\CHRISSY RUSSELL\Recent\pal.sys
c:\documents and settings\CHRISSY RUSSELL\Recent\PE.dll
c:\documents and settings\CHRISSY RUSSELL\Recent\PE.tmp
c:\documents and settings\CHRISSY RUSSELL\Recent\runddl.dll
c:\documents and settings\CHRISSY RUSSELL\Recent\runddlkey.tmp
c:\documents and settings\CHRISSY RUSSELL\Recent\tempdoc.exe
c:\documents and settings\CHRISSY RUSSELL\Start Menu\Programs\Smart Engine.lnk
c:\documents and settings\CHRISSY RUSSELL\Start Menu\Smart Engine.lnk
c:\documents and settings\CHRISSY RUSSELL\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\NATALIE PEASE\Application Data\AdobeDLM.log
c:\documents and settings\NATALIE PEASE\WINDOWS
c:\windows\$NtUninstallKB58688$
c:\windows\$NtUninstallKB58688$\2265932367\@
c:\windows\$NtUninstallKB58688$\2265932367\bckfg.tmp
c:\windows\$NtUninstallKB58688$\2265932367\cfg.ini
c:\windows\$NtUninstallKB58688$\2265932367\Desktop.ini
c:\windows\$NtUninstallKB58688$\2265932367\keywords
c:\windows\$NtUninstallKB58688$\2265932367\kwrd.dll
c:\windows\$NtUninstallKB58688$\2265932367\L\qajrolja
c:\windows\$NtUninstallKB58688$\2265932367\lsflt7.ver
c:\windows\$NtUninstallKB58688$\2265932367\U\00000001.@
c:\windows\$NtUninstallKB58688$\2265932367\U\00000002.@
c:\windows\$NtUninstallKB58688$\2265932367\U\00000004.@
c:\windows\$NtUninstallKB58688$\2265932367\U\80000000.@
c:\windows\$NtUninstallKB58688$\2265932367\U\80000004.@
c:\windows\$NtUninstallKB58688$\2265932367\U\80000032.@
c:\windows\$NtUninstallKB58688$\2265932367\version
c:\windows\$NtUninstallKB58688$\2550384381
c:\windows\expl.dat
c:\windows\iun6002.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\svch.dat
c:\windows\system32\Thumbs.db
c:\windows\system32\winl.dat
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-28 )))))))))))))))))))))))))))))))
.
.
2012-01-27 22:57 . 2012-01-27 22:57 -------- d-----w- c:\documents and settings\CHRISSY RUSSELL\Application Data\SUPERAntiSpyware.com
2012-01-27 14:21 . 2012-01-27 14:21 -------- d-----w- C:\bffca5474fbe7c63d66ab95dfe978657
2012-01-27 02:07 . 2012-01-27 02:11 -------- d-----w- C:\8c6ad3e2f0b76f9a1811ac9607
2012-01-27 02:07 . 2012-01-27 02:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-01-27 01:40 . 2012-01-27 01:40 -------- d-----w- C:\_OTL
2012-01-27 01:20 . 2012-01-27 01:20 -------- d-----w- c:\program files\ERUNT
2012-01-13 03:17 . 2012-01-13 03:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2012-01-13 03:17 . 2012-01-13 03:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-13 03:17 . 2012-01-13 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-01-13 02:22 . 2012-01-13 02:22 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2012-01-12 03:22 . 2012-01-12 03:22 -------- d-----w- c:\windows\system32\wbem\Repository
2012-01-10 04:03 . 2012-01-10 04:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2012-01-10 03:38 . 2012-01-10 03:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2005-08-09 20:38 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2005-08-09 20:38 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2005-08-09 20:38 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-03 15:28 . 2005-08-09 20:38 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2005-08-09 20:38 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 20:35 . 2005-08-09 20:38 667136 ----a-w- c:\windows\system32\wininet.dll
2011-11-01 20:35 . 2005-08-09 20:38 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-11-01 20:35 . 2005-08-09 20:37 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-11-01 16:07 . 2005-08-09 20:38 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-11-01 15:02 . 2005-08-09 20:37 369664 ----a-w- c:\windows\system32\html.iec
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . DBD3103371FB897BB009348BA1AD9333 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
.
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . 1852A19B834058F489F85EB520A88D15 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
.
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 . EC4C168CF2E4AAF60848C5C7CFC02BD0 . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-12 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-29 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2005-09-21 1093632]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"ACU"="c:\program files\Atheros\ACU.exe" [2005-07-12 311296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-28 180269]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 20480]
"LXDCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 102400]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-09 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-8-9 155648]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\avg\avg10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\lxdccoms.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 5:38 PM 116608]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [3/31/2005 6:08 PM 211200]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 11:52 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 11:52 AM 135664]
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;c:\windows\system32\drivers\rtl8180.sys [11/28/2005 1:56 PM 184832]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 17:52]
.
2012-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NavLogon - (no file)
AddRemove-Notebook_Maximizer - c:\windows\iun6002.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-28 10:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(544)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\lxdccoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
.
**************************************************************************
.
Completion time: 2012-01-28 10:42:37 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-28 16:42
.
Pre-Run: 23,886,434,304 bytes free
Post-Run: 24,754,712,576 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 0F850358A0D52F4A434D7CE60D267BE3

#13 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,666
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 29 January 2012 - 03:07 AM

Hi Chrissy,

Glad to hear you were able to get ComboFix to run successfully.

Do you have your Windows XP disc by any chance?

ComboFix Script

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
ClearJavaCache::
FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\svchost.exe | c:\windows\system32\svchost.exe
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you.
Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

#14 chrissywv

Member

Group: Members
Posts: 19
Joined: 23-January 12

Posted 29 January 2012 - 11:49 AM

Agent ST,

Please see my combofix log below. I do have a disc that came with my laptop but I'm not sure if it is the XP disc or not. It was wrapped with book that says Mirosoft Windows XP Home Edition and a Microsof certificate of authenticity but the cd itself doesn't say Windows on it. The cd says Toshiba Recovery and Applications/Drivers DVD Satellite L20/L25 Series. Is that what you need?

ComboFix 12-01-29.02 - CHRISSY RUSSELL 01/29/2012 10:30:56.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.496 [GMT -6:00]
Running from: c:\documents and settings\CHRISSY RUSSELL\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\CHRISSY RUSSELL\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\expl.dat
c:\windows\OLD109.tmp
c:\windows\OLD115.tmp
c:\windows\OLD121.tmp
c:\windows\OLD12D.tmp
c:\windows\OLD139.tmp
c:\windows\OLD145.tmp
c:\windows\OLD151.tmp
c:\windows\OLD15D.tmp
c:\windows\OLD169.tmp
c:\windows\OLD175.tmp
c:\windows\OLD181.tmp
c:\windows\OLD18D.tmp
c:\windows\OLD199.tmp
c:\windows\OLD3B.tmp
c:\windows\OLD45.tmp
c:\windows\OLD51.tmp
c:\windows\OLD5D.tmp
c:\windows\OLD69.tmp
c:\windows\OLD75.tmp
c:\windows\OLD85.tmp
c:\windows\OLD8D.tmp
c:\windows\OLD99.tmp
c:\windows\OLDA7.tmp
c:\windows\OLDB5.tmp
c:\windows\OLDC1.tmp
c:\windows\OLDCD.tmp
c:\windows\OLDD9.tmp
c:\windows\OLDE5.tmp
c:\windows\OLDF1.tmp
c:\windows\OLDFD.tmp
c:\windows\system32\OLD102.tmp
c:\windows\system32\OLD10C.tmp
c:\windows\system32\OLD10F.tmp
c:\windows\system32\OLD117.tmp
c:\windows\system32\OLD119.tmp
c:\windows\system32\OLD123.tmp
c:\windows\system32\OLD125.tmp
c:\windows\system32\OLD12F.tmp
c:\windows\system32\OLD131.tmp
c:\windows\system32\OLD13B.tmp
c:\windows\system32\OLD13D.tmp
c:\windows\system32\OLD147.tmp
c:\windows\system32\OLD149.tmp
c:\windows\system32\OLD153.tmp
c:\windows\system32\OLD155.tmp
c:\windows\system32\OLD15F.tmp
c:\windows\system32\OLD161.tmp
c:\windows\system32\OLD16B.tmp
c:\windows\system32\OLD16D.tmp
c:\windows\system32\OLD178.tmp
c:\windows\system32\OLD17B.tmp
c:\windows\system32\OLD183.tmp
c:\windows\system32\OLD185.tmp
c:\windows\system32\OLD18F.tmp
c:\windows\system32\OLD191.tmp
c:\windows\system32\OLD19B.tmp
c:\windows\system32\OLD19D.tmp
c:\windows\system32\OLD33.tmp
c:\windows\system32\OLD37.tmp
c:\windows\system32\OLD41.tmp
c:\windows\system32\OLD43.tmp
c:\windows\system32\OLD4D.tmp
c:\windows\system32\OLD4F.tmp
c:\windows\system32\OLD59.tmp
c:\windows\system32\OLD5B.tmp
c:\windows\system32\OLD65.tmp
c:\windows\system32\OLD67.tmp
c:\windows\system32\OLD71.tmp
c:\windows\system32\OLD73.tmp
c:\windows\system32\OLD7D.tmp
c:\windows\system32\OLD7F.tmp
c:\windows\system32\OLD89.tmp
c:\windows\system32\OLD8B.tmp
c:\windows\system32\OLD95.tmp
c:\windows\system32\OLD97.tmp
c:\windows\system32\OLDA1.tmp
c:\windows\system32\OLDA3.tmp
c:\windows\system32\OLDAD.tmp
c:\windows\system32\OLDB1.tmp
c:\windows\system32\OLDB8.tmp
c:\windows\system32\OLDBB.tmp
c:\windows\system32\OLDC3.tmp
c:\windows\system32\OLDC5.tmp
c:\windows\system32\OLDCF.tmp
c:\windows\system32\OLDD1.tmp
c:\windows\system32\OLDDB.tmp
c:\windows\system32\OLDDD.tmp
c:\windows\system32\OLDE7.tmp
c:\windows\system32\OLDE9.tmp
c:\windows\system32\OLDF3.tmp
c:\windows\system32\OLDF5.tmp
c:\windows\system32\OLDFF.tmp
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\svchost.exe --> c:\windows\system32\svchost.exe
c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-29 )))))))))))))))))))))))))))))))
.
.
2012-01-27 22:57 . 2012-01-27 22:57 -------- d-----w- c:\documents and settings\CHRISSY RUSSELL\Application Data\SUPERAntiSpyware.com
2012-01-27 14:21 . 2012-01-27 14:21 -------- d-----w- C:\bffca5474fbe7c63d66ab95dfe978657
2012-01-27 02:07 . 2012-01-27 02:11 -------- d-----w- C:\8c6ad3e2f0b76f9a1811ac9607
2012-01-27 02:07 . 2012-01-27 02:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-01-27 01:40 . 2012-01-27 01:40 -------- d-----w- C:\_OTL
2012-01-27 01:20 . 2012-01-27 01:20 -------- d-----w- c:\program files\ERUNT
2012-01-13 03:17 . 2012-01-13 03:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2012-01-13 03:17 . 2012-01-13 03:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-13 03:17 . 2012-01-13 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-01-13 02:22 . 2012-01-13 02:22 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2012-01-12 03:22 . 2012-01-12 03:22 -------- d-----w- c:\windows\system32\wbem\Repository
2012-01-10 04:03 . 2012-01-10 04:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2012-01-10 03:38 . 2012-01-10 03:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2005-08-09 20:38 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2005-08-09 20:38 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2005-08-09 20:38 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-03 15:28 . 2005-08-09 20:38 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2005-08-09 20:38 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 20:35 . 2005-08-09 20:38 667136 ----a-w- c:\windows\system32\wininet.dll
2011-11-01 20:35 . 2005-08-09 20:38 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-11-01 20:35 . 2005-08-09 20:37 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-11-01 16:07 . 2005-08-09 20:38 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-11-01 15:02 . 2005-08-09 20:37 369664 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-28_16.37.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-29 16:17 . 2012-01-29 16:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012012012920120130\index.dat
+ 2012-01-29 16:17 . 2012-01-29 16:29 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-08-09 21:21 . 2012-01-29 16:29 524288 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-08-09 21:21 . 2012-01-28 16:12 524288 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-11-28 20:37 . 2012-01-28 16:52 52128560 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-12 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-29 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2005-09-21 1093632]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"ACU"="c:\program files\Atheros\ACU.exe" [2005-07-12 311296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-28 180269]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 20480]
"LXDCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 102400]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-09 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-8-9 155648]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\avg\avg10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\lxdccoms.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 5:38 PM 116608]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [3/31/2005 6:08 PM 211200]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 11:52 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 11:52 AM 135664]
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;c:\windows\system32\drivers\rtl8180.sys [11/28/2005 1:56 PM 184832]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 17:52]
.
2012-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-29 10:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(548)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\lxdccoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
.
**************************************************************************
.
Completion time: 2012-01-29 10:44:26 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-29 16:44
ComboFix2.txt 2012-01-28 16:42
.
Pre-Run: 24,673,562,624 bytes free
Post-Run: 24,602,021,888 bytes free
.
- - End Of File - - 4CE947829C5650FA8E9DF7036B2A24B2

#15 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,666
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 29 January 2012 - 01:31 PM

Hi!

No, I don't think that's what we will need.

But we may have an issue with a few system files.

I'd like to have you scan the file with VirusTotal.

Please visit VirusTotal. Click on the Choose File button.

Browse to: c:\windows\explorer.exe

Once you've located the file click on Open

Then click on Scan it!

It might give you a message about already detecting the file and asking if you want it to scan it again, please have it scan the file again.

Once it's done scanning the file please copy and paste the link back here for me to review.

Can you also confirm that the Windows Recovery got installed you should be able to tell this by a menu appearing when you reboot the computer for a few seconds asking if you want to boot into Windows XP or Windows Recovery Console.