Weird Stealth Objects


38 replies to this topic

#1 BubbaT

Posted 27 September 2009 - 01:42 AM

I was about to enter some sensitive data in my computer, when I did a scan with RootRepeal (a recent habit I developed). It revealed a sequence of strange Stealth Objects (I could not find them using Google). SSDT also showed that an unexpected process had hooked several API functions (notably all are used to access the registry).

The file hooking the calls was described as spXX.sys, with the XX changing every time I reboot. Process Explorer does not show such a process running and cannot find handles containing the process name, but the strangest thing is that when choosing the RootRepeal SSDT tab and generating a report, the calls involving this process are not listed at all, though when doing a scan from the report tab they are. (This may be unrelated to malware and simply a bug in RootRepeal.)

In the attached ark.txt, I've included scans for every RootRepeal tab that does not cause a BSOD. (I did this from the report tab, checking only the boxes of tabs that do not cause a BSOD; I've tried checking all the boxes, but I get a BSOD.)


I will include some history of my computer after the logs.


DDS (Ver_09-09-24.01) - NTFSx86
Run by Administrator at 22:34:24.82 on 09/25/2009 Fri
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1918.875 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol_b\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Programs\Utilities\RocketDock\RocketDock.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Programs\System\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programs\System\VirtuaWin\VirtuaWin.exe
C:\Programs\System\VirtuaWin\modules\i-conized.exe
C:\Programs\System\VirtuaWin\modules\WinList.exe
C:\WINDOWS\system32\wuauclt.exe
C:\AV\RootkitRevealer.exe
C:\Programs\Internet\MozillaFirefox\firefox.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: AutorunsDisabled - No File
BHO: Ask Search Assistant BHO - No File
TB: {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - No File
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [RocketDock] "c:\programs\utilities\rocketdock\RocketDock.exe"
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [STYLEXP] c:\program files\tgtsoft\stylexp\StyleXP.exe -Hide
uRun: [SUPERAntiSpyware] c:\programs\system\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SkyTel] SkyTel.EXE
mRun: [WinPatrol] c:\program files\billp studios\winpatrol_b\winpatrol.exe -expressboot
mRun: [ZoneAlarm Client] c:\program files\zone labs\zonealarm\zlclient.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\programs\utilities\malwarebytes'anti-malware\mbam.exe" /runcleanupscript
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\virtua~1.lnk - c:\programs\system\virtuawin\VirtuaWin.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Save Video As... - c:\program files\videodetect\videodetect.dll/201
IE: Download Video - http://www.viloader.net/addon.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0028E570-E86D-4ceb-A108-76158C18DEF3} - {C3A40C0F-6FBA-44AF-B171-09E72D7AD011} - c:\program files\videodetect\videodetect.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\programs\internet\winhttrack\WinHTTrackIEBar.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {1C590839-8630-4041-AB58-091E49B9755B} = 192.168.0.1,192.168.123.15
TCP: {42256BBA-C8F9-4662-9C85-F87EE14F8913} = 192.168.0.1,192.168.123.15
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\programs\system\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programs\system\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\c7vt9nkf.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com (Virtus Designs)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\c7vt9nkf.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\programs\documents\adobe\acrobat\reader\browser\nppdf32.dll
FF - plugin: c:\programs\internet\opera\program\plugins\np_gp.dll
FF - plugin: c:\programs\internet\opera\program\plugins\npdsplay.dll
FF - plugin: c:\programs\internet\opera\program\plugins\npqtplugin.dll
FF - plugin: c:\programs\internet\opera\program\plugins\npqtplugin2.dll
FF - plugin: c:\programs\internet\opera\program\plugins\npqtplugin3.dll
FF - plugin: c:\programs\internet\opera\program\plugins\npqtplugin4.dll
FF - plugin: c:\programs\internet\opera\program\plugins\npqtplugin5.dll
FF - plugin: c:\programs\internet\opera\program\plugins\NPSWF32.dll
FF - plugin: c:\programs\internet\opera\program\plugins\npwmsdrm.dll
FF - plugin: c:\programs\multimedia\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\programs\multimedia\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\programs\internet\mozillafirefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programs\internet\mozillafirefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programs\internet\mozillafirefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programs\internet\mozillafirefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programs\internet\mozillafirefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 ahci8086;ahci8086;c:\windows\system32\drivers\ahci8086.sys [2008-6-6 119808]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-6 214024]
R1 SASDIFSV;SASDIFSV;c:\programs\system\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\programs\system\superantispyware\SASKUTIL.SYS [2009-6-23 74480]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-6-25 55520]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-6-25 42048]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-8-17 353672]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\programs\postgresql\8.3\bin\pg_ctl.exe runservice -w -n "pgsql-8.3" -d "f:\postgresql\8.3\data\" --> c:\programs\postgresql\8.3\bin\pg_ctl.exe runservice -w -N pgsql-8.3 [?]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 SASENUM;SASENUM;c:\programs\system\superantispyware\SASENUM.SYS [2009-6-23 7408]
S1 e89d07af.sys;e89d07af.sys;\??\c:\windows\system32\drivers\e89d07af.sys --> c:\windows\system32\drivers\e89d07af.sys [?]
S2 Ca533av;Polaroid Digital Cam Video;c:\windows\system32\drivers\Ca533av.sys [2008-10-4 515803]
S2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\mcshield.exe --> c:\program files\mcafee\virusscan\McShield.exe [?]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2006-2-28 14336]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-6 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-6 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-6 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-6 40552]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2009-7-28 16456]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2009-7-28 11088]
S3 SDB;SDB;c:\docume~1\admini~1\locals~1\temp\SDB.exe [2009-9-25 543616]
S3 USBCamera;Icatch(IV) Still Camera Device;c:\windows\system32\drivers\Bulk533.sys [2008-10-4 10986]
S3 WPMVQNXK;WPMVQNXK;c:\docume~1\admini~1\locals~1\temp\WPMVQNXK.exe [2009-9-25 527232]
S4 0103881250555447mcinstcleanup;McAfee Application Installer Cleanup (0103881250555447);c:\windows\temp\010388~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\010388~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S4 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-8-17 464264]
S4 BTMFPLBPSA;BTMFPLBPSA;c:\docume~1\admini~1\locals~1\temp\btmfplbpsa.exe --> c:\docume~1\admini~1\locals~1\temp\BTMFPLBPSA.exe [?]
S4 CYV;CYV;c:\docume~1\admini~1\locals~1\temp\CYV.exe [2009-9-24 383872]
S4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe --> c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [?]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
S4 YKUUFGI;YKUUFGI;c:\docume~1\admini~1\locals~1\temp\ykuufgi.exe --> c:\docume~1\admini~1\locals~1\temp\YKUUFGI.exe [?]
UnknownUnknown rootrepeal;rootrepeal; [x]

=============== Created Last 30 ================

2009-09-25 19:42 0 a------- c:\windows\system32\NGSS
2009-09-24 06:45 13,238,257 a------- c:\windows\system32\MQNOP
2009-09-24 04:36 <DIR> --d----- c:\program files\Everything
2009-09-23 19:03 <DIR> --d----- c:\program files\CDisplay
2009-09-14 01:33 <DIR> --d----- c:\program files\ConvertHelper
2009-09-13 02:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2009-09-13 02:08 <DIR> --d----- c:\program files\McAfee Security Scan
2009-09-08 13:39 <DIR> a-dshr-- C:\cmdcons
2009-09-08 13:39 <DIR> --d----- c:\windows\setup.pss
2009-09-08 13:39 <DIR> --d----- c:\windows\setupupd
2009-09-08 12:08 230,912 a------- c:\windows\PEV.exe
2009-09-08 12:08 161,792 a------- c:\windows\SWREG.exe
2009-09-08 12:08 98,816 a------- c:\windows\sed.exe
2009-09-08 06:45 15,782,624 a------- c:\windows\system32\TAV

==================== Find3M ====================

2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-17 11:20 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-08-09 03:25 45,344 a------- c:\windows\system32\drivers\ogtbe99.sys
2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-19 11:05 411,704 a------- c:\windows\system32\pwNative.exe
2009-07-19 11:05 16,456 a------- c:\windows\system32\pwdrvio.sys
2009-07-19 11:05 11,088 a------- c:\windows\system32\pwdspio.sys
2009-07-17 13:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-07 06:53 65,536 a------- c:\windows\IFinst27.exe
2009-07-03 12:09 915,456 -------- c:\windows\system32\wininet.dll
2008-06-28 12:09 14,296 a------- c:\program files\settings.dat
2003-10-06 03:21 0 a---h--- c:\docume~1\alluse~1\applic~1\sdpsenv.dat

============= FINISH: 22:34:42.59 ===============

As I said before, when I scan certain tabs of RootRepeal (Files, Hidden Services, Stealth SSDT) I get a BSOD; the BSOD is number 0xD1 and it blames ahci8086.sys.

I removed an ISP-provided McAfee from my installation; however, fragments of it seem to be left around. I also installed some antiviral program recommended on a local computer-oriented radio talk show. The program installs something called "McAfee HTML UI Container", which I have left alone.

I study Japanese on and off and have turned on the Japanese IME (which should explain some of the logs).

Furthermore, when I try to boot into safe mode, the computer generates a list of files up to MUP.sys. Then it prints "press escape to skip somefile"; when I do, the computer restarts.

I don't check my mail much, but plan to check this site once a day to see if I have been answered, so please be patient if it takes a while to respond.

Thank you
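As an added example, not code from the thread, from DDS or from any of the tools mentioned, here is a small Python triage script that parses DDS "SERVICES / DRIVERS" lines like those in the log above and flags the entries a malware-removal helper would look at first: binaries living under a temp directory, entries whose file DDS could not verify (shown as [?]) or find (shown as [x]), and opaque names (all-capital or eight-hex-digit service names with no descriptive display name). The sample lines are copied in shape from the DDS log above; the flag names and the heuristics are this example's own, not something DDS reports.

```python
import re

# Constructed sample input: DDS "SERVICES / DRIVERS" lines in the same shape as the log above.
SAMPLE_DDS = r"""
R0 ahci8086;ahci8086;c:\windows\system32\drivers\ahci8086.sys [2008-6-6 119808]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-6 214024]
S1 e89d07af.sys;e89d07af.sys;\??\c:\windows\system32\drivers\e89d07af.sys --> c:\windows\system32\drivers\e89d07af.sys [?]
S3 SDB;SDB;c:\docume~1\admini~1\locals~1\temp\SDB.exe [2009-9-25 543616]
S3 WPMVQNXK;WPMVQNXK;c:\docume~1\admini~1\locals~1\temp\WPMVQNXK.exe [2009-9-25 527232]
S4 CYV;CYV;c:\docume~1\admini~1\locals~1\temp\CYV.exe [2009-9-24 383872]
S4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe --> c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [?]
UnknownUnknown rootrepeal;rootrepeal; [x]
"""

# DDS layout: "<start type> <service name>;<display name>;<image path ...> [<date size> | ? | x]"
LINE_RE = re.compile(r"^(?P<start>\S+)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
# First Windows path ending in a binary extension; skips the "\??\" device prefix DDS sometimes prints.
PATH_RE = re.compile(r"([a-z]:\\[^\[\]]*?\.(?:exe|sys|dll))", re.IGNORECASE)
# Trailing bracket: "[YYYY-M-D size]" when DDS could stat the file, "[?]" unverified, "[x]" missing.
TAG_RE = re.compile(r"\[([^\]]*)\]\s*$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Heuristic (this example's own): all-capital names or eight hex digits, e.g. WPMVQNXK or e89d07af.sys.
OPAQUE_RE = re.compile(r"^(?:[A-Z]{3,}|[0-9a-f]{8}(?:\.sys)?)$")


def parse_dds_service(line):
    """Parse one DDS service/driver line into a dict; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    path = PATH_RE.search(rest)
    tag = TAG_RE.search(rest)
    return {
        "start": m.group("start"),
        "name": m.group("name"),
        "display": m.group("display"),
        "path": path.group(1).lower() if path else None,
        "tag": tag.group(1) if tag else "",
    }


def triage_flags(entry):
    """Return the list of review flags raised by one parsed entry (empty list = nothing notable)."""
    flags = []
    if entry["path"] and TEMP_RE.search(entry["path"]):
        flags.append("temp_path")        # services normally do not run out of a temp folder
    if entry["tag"] == "x":
        flags.append("file_missing")     # DDS reported the image file as absent
    elif entry["tag"] == "?":
        flags.append("unverified")       # DDS could not resolve/stat the image file
    if entry["name"] == entry["display"] and OPAQUE_RE.match(entry["name"]):
        flags.append("opaque_name")      # no descriptive display name and a random-looking identifier
    return flags


def triage_dds(text):
    """Return {service name: [flags]} for every service line that raised at least one flag."""
    result = {}
    for line in text.splitlines():
        entry = parse_dds_service(line)
        if entry is None:
            continue
        flags = triage_flags(entry)
        if flags:
            result[entry["name"]] = flags
    return result


if __name__ == "__main__":
    for name, flags in triage_dds(SAMPLE_DDS).items():
        print(f"{name:16} {', '.join(flags)}")
```

A hit is a lead to verify, not a verdict: the OTL log later in this thread attributes SDB.exe and CYV.exe in the temp folder to Sysinternals, and RootkitRevealer, which was running when the DDS log was captured, performs its scan through a randomly named copy of itself registered as a temporary service, so the heuristics deliberately over-report and every flagged entry gets cross-checked against software known to be installed. The same cross-check applies to the spXX.sys SSDT hooks the poster describes: the logs show DAEMON Tools Lite in use and a sptd.sys boot driver, and the SPTD driver that ships with DAEMON Tools is commonly reported by rootkit scanners as SSDT hooks under a sp*.sys name that changes between boots.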

#2 myrti

Posted 14 October 2009 - 05:44 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button (shown as an image in the original post).
  • Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

#3 BubbaT

Posted 16 October 2009 - 12:26 AM

My original problem was (and still is):
Before doing something that required me to enter sensitive data, I ran RootRepeal to make sure that there were no rootkits running.
I found some weird items in Stealth Objects, and I found in SSDT some unexpected entries all attributed to sp**.sys, where the last two digits change on reboot.

Since then I have found two other things:
1) My computer will not reboot into safe mode; it hits MUP.sys then reboots.
2) When I start Firefox, before I would type in the URL (for example) "bleepingcomputer.com" and it would take me to this site. Now it does a Google search but returns a blank page. I cannot speak for IE, but I do not see such behavior from Chrome.


The stealth objects and SSDT results are in the log I originally submitted (and still there).


The two logs you request are:

--------OTL.Txt---------------------------------------------
OTL logfile created on: 10/15/2009 11:20:07 PM - Run 1
OTL by OldTimer - Version 3.0.21.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.25 Gb Available Physical Memory | 66.85% Memory free
3.72 Gb Paging File | 3.19 Gb Available in Paging File | 85.60% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 25.00 Gb Total Space | 4.62 Gb Free Space | 18.47% Space Free | Partition Type: NTFS
Drive D: | 40.00 Gb Total Space | 0.38 Gb Free Space | 0.96% Space Free | Partition Type: NTFS
Drive E: | 39.06 Gb Total Space | 2.07 Gb Free Space | 5.31% Space Free | Partition Type: NTFS
Drive F: | 39.93 Gb Total Space | 1.85 Gb Free Space | 4.63% Space Free | Partition Type: NTFS
Drive G: | 40.29 Gb Total Space | 0.38 Gb Free Space | 0.95% Space Free | Partition Type: NTFS
Drive H: | 39.06 Gb Total Space | 9.10 Gb Free Space | 23.29% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive J: | 19.76 Gb Total Space | 1.03 Gb Free Space | 5.20% Space Free | Partition Type: NTFS

Computer Name: CAMRON
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/10/15 23:09:24 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2009/07/28 17:32:22 | 00,830,960 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/07/27 10:33:28 | 00,341,312 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol_b\winpatrol.exe
PRC - [2009/05/21 11:34:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/02/16 00:10:22 | 02,402,184 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe
PRC - [2009/02/16 00:10:22 | 00,981,384 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2008/09/19 07:30:34 | 03,674,112 | ---- | M] (PostgreSQL Global Development Group) -- C:\Programs\PostgreSQL\8.3\bin\postgres.exe
PRC - [2008/09/19 03:03:58 | 00,065,536 | ---- | M] (PostgreSQL Global Development Group) -- C:\Programs\PostgreSQL\8.3\bin\pg_ctl.exe
PRC - [2008/03/22 22:18:32 | 01,271,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Sidebar\sidebar.exe
PRC - [2008/01/22 12:35:52 | 00,103,808 | ---- | M] () -- C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
PRC - [2007/09/28 21:56:32 | 00,483,328 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2007/09/02 13:58:52 | 00,495,616 | ---- | M] () -- C:\Programs\Utilities\RocketDock\RocketDock.exe
PRC - [2007/08/09 12:07:40 | 00,166,384 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
PRC - [2007/08/09 12:07:36 | 01,010,160 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
PRC - [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007/02/16 18:49:50 | 00,411,168 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2007/01/30 17:54:36 | 16,116,224 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2006/05/24 13:31:39 | 01,372,160 | ---- | M] () -- C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
PRC - [2006/05/24 13:31:06 | 00,372,736 | ---- | M] () -- C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
PRC - [2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe
PRC - [2003/03/19 01:55:56 | 00,335,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (YKUUFGI [Disabled | Stopped])
SRV - File not found -- -- (WPMVQNXK [On_Demand | Stopped])
SRV - File not found -- -- (McSysmon [Disabled | Stopped])
SRV - File not found -- -- (McShield [Unknown | Stopped])
SRV - File not found -- -- (McProxy [Disabled | Stopped])
SRV - File not found -- -- (McODS [Disabled | Stopped])
SRV - File not found -- -- (McNASvc [Disabled | Stopped])
SRV - File not found -- -- (mcmscsvc [Disabled | Stopped])
SRV - File not found -- -- (BTMFPLBPSA [Disabled | Stopped])
SRV - File not found -- -- (0103881250555447mcinstcleanup [Disabled | Stopped])
SRV - [2009/09/25 20:42:47 | 00,543,616 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Administrator\Local Settings\temp\SDB.exe -- (SDB [On_Demand | Stopped])
SRV - [2009/09/24 06:43:42 | 00,383,872 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Administrator\Local Settings\temp\CYV.exe -- (CYV [Disabled | Stopped])
SRV - [2009/09/03 11:53:00 | 00,048,368 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper [On_Demand | Stopped])
SRV - [2009/05/21 11:34:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/02/16 00:10:22 | 02,402,184 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon [Auto | Running])
SRV - [2008/12/07 00:28:44 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [On_Demand | Stopped])
SRV - [2008/10/16 18:22:20 | 00,464,264 | ---- | M] () -- C:\Program Files\AskBarDis\bar\bin\AskService.exe -- (ASKService [Disabled | Stopped])
SRV - [2008/09/19 03:03:58 | 00,065,536 | ---- | M] (PostgreSQL Global Development Group) -- C:\Programs\PostgreSQL\8.3\bin\pg_ctl.exe -- (pgsql-8.3 [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/07/10 19:28:06 | 40,999,448 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS [Disabled | Stopped])
SRV - [2008/07/10 19:28:06 | 00,369,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE -- (SQLAgent$SQLEXPRESS [Disabled | Stopped])
SRV - [2008/07/10 19:28:04 | 00,047,128 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE -- (MSSQLServerADHelper100 [Disabled | Stopped])
SRV - [2008/07/10 02:49:44 | 00,098,840 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter [Disabled | Stopped])
SRV - [2008/07/10 02:49:34 | 00,258,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser [Disabled | Stopped])
SRV - [2008/01/22 12:35:52 | 00,103,808 | ---- | M] () -- C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE -- (IJPLMSVC [Auto | Running])
SRV - [2007/11/06 15:22:26 | 00,092,792 | ---- | M] (CACE Technologies) -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd [On_Demand | Stopped])
SRV - [2007/09/28 21:56:32 | 00,483,328 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2007/09/28 21:05:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\System32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
SRV - [2007/08/09 12:07:40 | 00,309,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9 [On_Demand | Stopped])
SRV - [2007/08/09 12:07:40 | 00,166,384 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9 [Auto | Running])
SRV - [2007/08/09 12:07:36 | 01,010,160 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9 [On_Demand | Running])
SRV - [2007/07/27 10:41:46 | 00,073,728 | R--- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr [On_Demand | Stopped])
SRV - [2007/06/18 06:35:04 | 00,088,824 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9 [On_Demand | Stopped])
SRV - [2007/06/18 06:34:58 | 00,359,160 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -- (Roxio Upnp Server 9 [Auto | Stopped])
SRV - [2007/02/16 18:49:50 | 00,411,168 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc [Auto | Running])
SRV - [2006/05/24 13:31:06 | 00,372,736 | ---- | M] () -- C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe -- (StyleXPService [Auto | Running])
SRV - [2006/02/28 07:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe -- (UMWdf [Auto | Running])
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2003/03/19 01:55:56 | 00,335,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe -- (MDM [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2009/08/09 17:24:06 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Programs\System\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2009/07/19 11:05:40 | 00,016,456 | ---- | M] () -- C:\WINDOWS\System32\pwdrvio.sys -- (pwdrvio [On_Demand | Stopped])
DRV - [2009/07/19 11:05:38 | 00,011,088 | ---- | M] () -- C:\WINDOWS\System32\pwdspio.sys -- (pwdspio [On_Demand | Stopped])
DRV - [2009/06/23 11:01:42 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Programs\System\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/06/23 11:01:40 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Programs\System\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/05/13 23:25:06 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys -- (mfehidk [System | Running])
DRV - [2009/05/13 23:25:06 | 00,079,816 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Stopped])
DRV - [2009/05/13 23:25:06 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Stopped])
DRV - [2009/05/13 23:25:06 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Stopped])
DRV - [2009/05/13 23:24:34 | 00,034,248 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Stopped])
DRV - [2009/02/16 00:10:26 | 00,353,672 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys -- (vsdatant [System | Running])
DRV - [2009/01/15 19:36:05 | 00,717,296 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2008/11/17 02:24:00 | 00,051,688 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan [Boot | Running])
DRV - [2008/07/10 02:49:14 | 00,242,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\RsFx0102.sys -- (RsFx0102 [Disabled | Stopped])
DRV - [2008/06/12 04:42:53 | 00,392,320 | ---- | M] (Acronis) -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter [Boot | Running])
DRV - [2008/06/12 04:42:53 | 00,032,768 | ---- | M] (Acronis) -- C:\WINDOWS\System32\DRIVERS\tifsfilt.sys -- (tifsfilter [Auto | Running])
DRV - [2008/06/12 04:42:42 | 00,114,048 | ---- | M] (Acronis) -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman [Boot | Running])
DRV - [2008/05/31 01:42:54 | 00,042,048 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\DRIVERS\VBoxUSBMon.sys -- (VBoxUSBMon [System | Running])
DRV - [2008/05/31 01:42:46 | 00,055,520 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\VBoxDrv.sys -- (VBoxDrv [System | Running])
DRV - [2008/02/27 13:49:00 | 00,003,840 | ---- | M] () -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt [System | Running])
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2007/11/06 15:22:06 | 00,034,064 | ---- | M] (CACE Technologies) -- C:\WINDOWS\System32\drivers\npf.sys -- (NPF [On_Demand | Stopped])
DRV - [2007/09/28 22:05:59 | 02,456,064 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
DRV - [2007/07/26 03:00:00 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2007/07/23 15:05:20 | 00,009,104 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLADResM.SYS -- (DLADResM [Auto | Running])
DRV - [2007/07/23 15:04:58 | 00,037,360 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLABMFSM.SYS -- (DLABMFSM [Auto | Running])
DRV - [2007/07/23 15:04:56 | 00,098,448 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLAUDF_M.SYS -- (DLAUDF_M [Auto | Running])
DRV - [2007/07/23 15:04:56 | 00,093,552 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLAUDFAM.SYS -- (DLAUDFAM [Auto | Running])
DRV - [2007/07/23 15:04:54 | 00,027,216 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLAOPIOM.SYS -- (DLAOPIOM [Auto | Running])
DRV - [2007/07/23 15:04:52 | 00,032,848 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLABOIOM.SYS -- (DLABOIOM [Auto | Running])
DRV - [2007/07/23 15:04:52 | 00,016,304 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLAPoolM.SYS -- (DLAPoolM [Auto | Running])
DRV - [2007/07/23 15:04:50 | 00,108,752 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLAIFS_M.SYS -- (DLAIFS_M [Auto | Running])
DRV - [2007/07/23 14:55:44 | 00,099,808 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB [Boot | Running])
DRV - [2007/07/23 14:49:44 | 00,030,064 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLARTL_M.SYS -- (DLARTL_M [System | Running])
DRV - [2007/07/23 14:49:44 | 00,014,576 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM [Boot | Running])
DRV - [2007/07/23 14:43:42 | 00,052,000 | ---- | M] (Roxio) -- C:\WINDOWS\System32\Drivers\DRVNDDM.SYS -- (DRVNDDM [Auto | Running])
DRV - [2007/07/13 06:20:24 | 00,113,952 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\Drivers\Mpfp.sys -- (MPFP [System | Running])
DRV - [2007/07/03 17:07:40 | 00,057,328 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DRIVERS\RxFilter.sys -- (RxFilter [Disabled | Stopped])
DRV - [2007/02/06 23:43:26 | 00,090,880 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\Rtenicxp.sys -- (RTLE8023xp [On_Demand | Stopped])
DRV - [2007/01/30 17:57:50 | 04,474,368 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2006/10/20 13:32:06 | 00,119,808 | R--- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\DRIVERS\ahci8086.sys -- (ahci8086 [Boot | Running])
DRV - [2006/05/10 09:27:00 | 00,036,864 | R--- | M] (Advanced Micro Devices) -- C:\WINDOWS\System32\DRIVERS\AmdK8.sys -- (AmdK8 [System | Running])
DRV - [2006/02/28 07:00:00 | 00,040,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\NMnt.sys -- (nm [On_Demand | Stopped])
DRV - [2006/02/28 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2006/02/28 07:00:00 | 00,012,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\fsvga.sys -- (FsVga [System | Running])
DRV - [2005/10/31 16:44:39 | 00,010,880 | ---- | M] (Windows ® 2000 DDK provider) -- C:\Program Files\TGTSoft\StyleXP\StyleXPHelper.exe -- (StyleXPHelper [System | Running])
DRV - [2005/01/07 17:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2004/08/13 09:56:20 | 00,005,810 | R--- | M] () -- C:\WINDOWS\System32\DRIVERS\ASACPI.sys -- (MTsensor [On_Demand | Running])
DRV - [2004/08/03 23:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2004/08/03 22:31:20 | 00,036,224 | ---- | M] (ADMtek Incorporated.) -- C:\WINDOWS\System32\DRIVERS\AN983.sys -- (AN983 [On_Demand | Running])
DRV - [2003/05/14 13:42:50 | 00,010,144 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\System32\drivers\WmBEnum.sys -- (WmBEnum [On_Demand | Running])
DRV - [2003/05/14 13:42:48 | 00,005,728 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\System32\drivers\WmVirHid.sys -- (WmVirHid [On_Demand | Stopped])
DRV - [2003/05/14 13:42:44 | 00,044,288 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\System32\drivers\WmXlCore.sys -- (WmXlCore [On_Demand | Running])
DRV - [2002/10/21 11:37:16 | 00,515,803 | ---- | M] (Digital Camera) -- C:\WINDOWS\System32\Drivers\Ca533av.sys -- (Ca533av [Auto | Stopped])
DRV - [2002/07/25 11:19:48 | 00,010,986 | ---- | M] (USB BULK) -- C:\WINDOWS\System32\Drivers\Bulk533.sys -- (USBCamera [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Ask.com (Virtus Designs)"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/firefox"
FF - prefs.js..extensions.enabledItems: aardvark@rob.brown:2.97
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 44
FF - prefs.js..extensions.enabledItems: askopensearch-VTS@ask.com:1.0.0.0
FF - prefs.js..extensions.enabledItems: autopager@mozilla.org:0.5.3.5
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.6.4
FF - prefs.js..extensions.enabledItems: {4BBDD651-70CF-4821-84F8-2B918CF89CA3}:6.3
FF - prefs.js..extensions.enabledItems: {c50ca3c4-5656-43c2-a061-13e717f73fc8}:2.03
FF - prefs.js..extensions.enabledItems: {E4091D66-127C-11DB-903A-DE80D2EFDFE8}:1.5.7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}:6.0.06
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}:6.0.04
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {6e764c17-863a-450f-bdd0-6772bd5aaa18}:1.0.3
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {0AA9101C-D3C1-4129-A9B7-D778C6A17F82}:1.06
FF - prefs.js..extensions.enabledItems: {1280606b-2510-4fe0-97ef-9b5a22eafe30}:0.6.6.2
FF - prefs.js..extensions.enabledItems: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.7.2
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.5.200812101546
FF - prefs.js..extensions.enabledItems: {5c8bfb7c-9a54-11dc-8314-0800200c9a66}:3.5
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3
FF - prefs.js..extensions.enabledItems: {c1dffba0-628e-11d9-9669-0800200c9a66}:3.5.0


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 23:31:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2008/12/25 18:44:33 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Programs\Internet\MozillaFirefox\components [2009/09/13 01:57:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Programs\Internet\MozillaFirefox\plugins [2009/09/13 02:07:28 | 00,000,000 | ---D | M]

[2009/05/16 15:45:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions
[2008/06/19 19:54:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/16 15:45:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{ee53ece0-255c-4cc6-8a7e-81a8b6e5ba2c}
[2009/10/15 14:51:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions
[2009/06/28 17:01:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{0AA9101C-D3C1-4129-A9B7-D778C6A17F82}
[2009/07/26 03:00:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
[2009/09/07 19:35:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/10/15 14:51:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
[2009/07/26 21:35:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
[2009/08/23 23:31:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/04/06 16:40:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{6e764c17-863a-450f-bdd0-6772bd5aaa18}
[2009/10/15 14:51:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/07/26 03:00:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{c1dffba0-628e-11d9-9669-0800200c9a66}
[2009/07/26 03:00:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{c50ca3c4-5656-43c2-a061-13e717f73fc8}
[2009/09/13 02:07:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2009/06/28 18:34:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{E4091D66-127C-11DB-903A-DE80D2EFDFE8}
[2009/07/26 03:00:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
[2009/08/17 11:20:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2008/11/19 23:24:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\aardvark@rob.brown
[2009/07/26 21:35:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\askopensearch-VTS@ask.com
[2009/09/11 08:06:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\autopager@mozilla.org
[2009/07/26 21:35:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}\chrome\mac\browser\extensions
[2009/07/26 21:35:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}\chrome\mac\mozapps\extensions
[2009/07/26 21:35:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}\chrome\win\browser\extensions
[2009/07/26 21:35:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\c7vt9nkf.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}\chrome\win\mozapps\extensions
[2009/01/15 20:55:19 | 00,000,523 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\FireFox\Profiles\c7vt9nkf.default\searchplugins\daemon-search.xml

O1 HOSTS File: (315 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.pcthreat.com
O1 - Hosts: 127.0.0.1 pcthreat.com
O1 - Hosts: 127.0.0.1 www.yoursearchprofits.com
O1 - Hosts: 127.0.0.1 zeobit.com
O1 - Hosts: 127.0.0.1 applian.com
O1 - Hosts: 127.0.0.1 internetantivirusscanner.com
O1 - Hosts: 127.0.0.1 buddytv.com
O1 - Hosts: 127.0.0.1 personalspywareprotection.com
O1 - Hosts: 127.0.0.1 spyware-scaner.net
O1 - Hosts: 127.0.0.1 pcvirusscan2.com
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - No CLSID value found.
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol_b\winpatrol.exe (BillP Studios)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [RocketDock] C:\Programs\Utilities\RocketDock\RocketDock.exe ()
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - HKCU..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe ()
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\VirtuaWin.lnk = C:\Programs\System\VirtuaWin\VirtuaWin.exe (VirtuaWin)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyDocs = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Save Video As... - C:\Program Files\videodetect\videodetect.dll ()
O8 - Extra context menu item: Download Video - File not found
O9 - Extra Button: Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll ()
O9 - Extra 'Tools' menuitem : Video Detect - {0028E570-E86D-4ceb-A108-76158C18DEF3} - C:\Program Files\videodetect\videodetect.dll ()
O9 - Extra Button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programs\Internet\WinHTTrack\WinHTTrackIEBar.dll ()
O9 - Extra 'Tools' menuitem : Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programs\Internet\WinHTTrack\WinHTTrackIEBar.dll ()
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 192.168.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Programs\System\SUPERAntiSpyware\SASWINLO.DLL - C:\Programs\System\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Programs\System\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/29 01:20:52 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/09/23 19:03:03 | 00,000,000 | ---D | C] -- C:\Program Files\CDisplay
[2009/09/24 04:36:40 | 00,000,000 | ---D | C] -- C:\Program Files\Everything
[2009/10/15 23:09:24 | 00,521,216 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/10/09 03:23:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2009/10/09 03:21:45 | 04,301,928 | ---- | C] (Adobe Systems Inc.) -- C:\Documents and Settings\Administrator\My Documents\Shockwave_Installer_Slim.exe
[2009/10/04 00:03:25 | 00,000,000 | ---D | C] -- C:\GAMES
[2009/10/01 03:29:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Smalltalk

========== Files - Modified Within 30 Days ==========

[2009/10/15 23:09:24 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/10/15 22:55:13 | 00,350,192 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/10/15 22:54:46 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/15 22:54:36 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/12 11:53:18 | 00,016,896 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/09 03:22:10 | 04,301,928 | ---- | M] (Adobe Systems Inc.) -- C:\Documents and Settings\Administrator\My Documents\Shockwave_Installer_Slim.exe
[2009/10/07 04:48:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2009/10/07 00:42:14 | 00,038,716 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/10/05 13:09:45 | 03,358,329 | ---- | M] () -- C:\bK_poss_vir.bgz
[2009/10/02 18:29:43 | 00,001,505 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Vuze.lnk
[2009/10/01 09:19:35 | 00,001,858 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CGoban 3.lnk
[2009/09/27 14:10:08 | 00,104,786 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\America's Test Kitchen - Recipes_ Pepperoni Pan Pizza.pdf
[2009/09/23 19:03:03 | 00,000,630 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CDisplay.lnk
[2009/09/23 19:02:45 | 01,158,444 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\setup.zip

========== Files - No Company Name ==========
[2009/10/05 13:09:37 | 03,358,329 | ---- | C] () -- C:\bK_poss_vir.bgz
[2009/09/27 14:10:06 | 00,104,786 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\America's Test Kitchen - Recipes_ Pepperoni Pan Pizza.pdf
[2009/09/23 19:03:03 | 00,000,630 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CDisplay.lnk
[2009/09/23 19:02:41 | 01,158,444 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\setup.zip
[2009/08/09 03:25:39 | 00,045,344 | ---- | C] () -- C:\WINDOWS\System32\drivers\ogtbe99.sys
[2009/07/28 00:27:12 | 00,016,456 | ---- | C] () -- C:\WINDOWS\System32\pwdrvio.sys
[2009/07/28 00:27:12 | 00,011,088 | ---- | C] () -- C:\WINDOWS\System32\pwdspio.sys
[2009/06/12 15:44:26 | 00,000,088 | ---- | C] () -- C:\WINDOWS\StyleBuilder.INI
[2009/02/23 04:07:31 | 00,000,134 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/15 19:36:05 | 00,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/01/08 00:08:39 | 00,001,134 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Astade.ini
[2009/01/07 17:42:17 | 00,000,075 | ---- | C] () -- C:\WINDOWS\winDecrypt.INI
[2008/10/04 17:42:52 | 00,000,163 | ---- | C] () -- C:\WINDOWS\Setup533.ini
[2008/09/05 20:40:00 | 00,000,054 | ---- | C] () -- C:\WINDOWS\Player.INI
[2008/07/28 03:56:28 | 00,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2008/07/24 07:04:32 | 01,468,624 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\rx_image.Cache
[2008/07/04 08:56:10 | 00,000,013 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameZ.txt
[2008/06/28 12:09:03 | 00,014,296 | ---- | C] () -- C:\Program Files\settings.dat
[2008/06/27 22:13:28 | 00,000,038 | ---- | C] () -- C:\WINDOWS\camcodec100.ini
[2008/06/25 00:18:50 | 00,055,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\VBoxDrv.sys
[2008/06/20 06:59:39 | 00,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008/06/20 06:59:37 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/06/20 06:59:37 | 00,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/06/20 06:59:37 | 00,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/06/20 06:59:36 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/06/20 06:59:36 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/06/17 05:58:33 | 00,044,144 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/06/16 00:48:06 | 00,016,896 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/06/11 22:27:51 | 00,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2008/06/06 13:00:37 | 00,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/06/06 12:06:35 | 03,179,850 | -H-- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2008/06/06 12:04:49 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2008/06/06 12:01:57 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\desktop.ini
[2008/05/28 15:59:09 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2007/11/06 15:19:28 | 00,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2007/03/02 05:44:44 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\zmbv.dll
[2006/02/28 07:00:00 | 00,000,718 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/02/28 07:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/10/06 03:21:31 | 00,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\sdpsenv.dat
[2002/06/06 02:01:58 | 00,029,696 | ---- | C] () -- C:\WINDOWS\System32\asutl8.dll
[2002/05/02 07:58:10 | 00,000,461 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2001/03/13 23:22:21 | 00,000,080 | --S- | C] () -- C:\WINDOWS\System32\argtmp39.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 80 bytes -> C:\Documents and Settings\All Users\Application Data\sdpsenv.dat:naughtypirates
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Administrator\My Documents\tom_setup.rtf:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Administrator\My Documents\label.jwl:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Administrator\Desktop\oro_pwd.png:Roxio EMC Stream
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C265C458

========== Files - Unicode (All) ==========
[2008/06/12 04:42:41 | 00,000,824 | ---- | M] ()(C:\Documents and Settings\All Users\Desktop\Acronis?True?Image?Home 10.0.lnk) -- C:\Documents and Settings\All Users\Desktop\Acronis True Image Home 10.0.lnk
[2008/06/12 04:42:41 | 00,000,824 | ---- | C] ()(C:\Documents and Settings\All Users\Desktop\Acronis?True?Image?Home 10.0.lnk) -- C:\Documents and Settings\All Users\Desktop\Acronis True Image Home 10.0.lnk
< End of report >

and

------------------------------Extras.Txt
OTL Extras logfile created on: 10/15/2009 11:20:07 PM - Run 1
OTL by OldTimer - Version 3.0.21.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.25 Gb Available Physical Memory | 66.85% Memory free
3.72 Gb Paging File | 3.19 Gb Available in Paging File | 85.60% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 25.00 Gb Total Space | 4.62 Gb Free Space | 18.47% Space Free | Partition Type: NTFS
Drive D: | 40.00 Gb Total Space | 0.38 Gb Free Space | 0.96% Space Free | Partition Type: NTFS
Drive E: | 39.06 Gb Total Space | 2.07 Gb Free Space | 5.31% Space Free | Partition Type: NTFS
Drive F: | 39.93 Gb Total Space | 1.85 Gb Free Space | 4.63% Space Free | Partition Type: NTFS
Drive G: | 40.29 Gb Total Space | 0.38 Gb Free Space | 0.95% Space Free | Partition Type: NTFS
Drive H: | 39.06 Gb Total Space | 9.10 Gb Free Space | 23.29% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive J: | 19.76 Gb Total Space | 1.03 Gb Free Space | 5.20% Space Free | Partition Type: NTFS

Computer Name: CAMRON
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = Opera.HTML] -- C:\Programs\Internet\Opera\opera.exe (Opera Software)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Programs\Internet\MozillaFirefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Programs\Internet\MozillaFirefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [open_x2] -- "C:\Programs\Utilities\xplorer2_lite\xplorer2_lite.exe" /1 /M /T "%1" (ZabKat)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0ED6E1BF-3604-45E9-A719-8DD3B5826706}" = Subversion
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ2413" = CanoScan LiDE 100 Scanner Driver
"{196E77C5-F524-4B50-BD1A-2C21EEE9B8F7}" = Microsoft SQL Server 2008 Common Files
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{1ABCD64F-6B57-D191-707A-A64C6E177DDF}" = Catalyst Control Center Graphics Full New
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype?4.0
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 14
"{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.2
"{2930D73B-49E6-02DC-BA42-8EC2B1C6752E}" = CCC Help English
"{2C0CD17D-0B06-4700-83FA-7344B868B0A2}" = Opera 9.63
"{2CD2C0DB-81C3-416B-9FA6-589B9235359B}" = OpenOffice.org 2.4
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30A01D71-86B1-4C24-8B1B-F9CCBDE094CC}" = TreeComp
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java™ 6 Update 6
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{3F3733A5-8322-454D-A638-3B74E1C83752}" = Gadget Installer
"{419CF344-3D94-4DAD-99C8-EA7B00E5EA8B}" = Acronis True Image Home
"{4815BD99-96A4-49FE-A885-DCF06E9E4E78}" = Microsoft SQL Server 2008 Database Engine Shared
"{49EC6CF7-B704-C2FE-49B9-E3CEBA76C671}" = Catalyst Control Center Core Implementation
"{4A6F34E2-09E5-4616-B227-4A26A488A6F9}" = Microsoft SQL Server 2008 Common Files
"{4B95A5F1-EF59-4B08-BED8-C891C46121B3}_is1" = Mercurial snapshot
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate
"{58721EC3-8D4E-4B79-BC51-1054E2DDCD10}" = Microsoft SQL Server 2008 Database Engine Services
"{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
"{61150C85-DC0A-4976-922F-5575F388ADA6}" = Notation Player 2.5.2
"{683100FE-EDF8-403B-A234-B3EBEAF7BC82}" = Roxio Creator 9.1 XE
"{6B5E816C-A761-4F5B-BF48-84B794556CAA}_is1" = Freelang Dictionary (wordlist)
"{6B976ADF-8AE8-434E-B282-A06C7F624D2F}" = Python 2.5.2
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7ED5371F-F4EA-48F9-B8F7-C8777AD9DF69}" = Borland Turbo C++
"{838E187D-8B7A-473D-B93C-C8E970B15D2B}" = psqlODBC
"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A95C2DC-779A-4EA8-9DE3-B118D1411E8B}_is1" = Freelang Dictionary 3.74 beta
"{8BB235BF-8740-48CF-9843-F502F5F07EC1}" = PostgreSQL OLE DB Provider
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{90120000-008A-0409-0000-0000000FF1CE}" = Microsoft Office 2007 Recent Documents Gadget
"{91C4CBA0-2AD5-5AA8-EC98-0BCD4914C5F4}" = Catalyst Control Center Graphics Previews Common
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{97C82B44-D408-4F14-9252-47FC1636D23E}_is1" = IZArc 3.81
"{9D6D76A6-4328-49E8-97A7-531A74841DA5}" = Microsoft SQL Server 2008 Setup Support Files (English)
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AA468551-1794-42FE-B504-C41D75EEBDF2}_is1" = Partition Wizard Home Edition 4.0
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AD4A33A1-58F7-4E24-909C-4B65D49C2746}" = Tea Timer
"{B1E260B6-9456-88F7-9994-7A4CCF39FB0C}" = ccc-utility
"{B5153233-9AEE-4CD4-9D2C-4FAAC870DBE2}" = Microsoft SQL Server 2008 Database Engine Services
"{B7B5A370-3DFF-4F0E-AE11-FD267C4938AA}" = CCS64 V3.7
"{B823632F-3B72-4514-8861-B961CE263224}" = PostgreSQL 8.3
"{B857D868-F8B0-43EE-BC2B-D9E5ED21F237}" = Microsoft SQL Server VSS Writer
"{B8737BE8-0E2B-C420-DB2D-F468748414F0}" = ccc-core-preinstall
"{BB05D173-9681-4812-A7FA-BD4042A3DA00}" = Alky for Applications (Windows XP)
"{C0608AE3-FAFD-4702-A79C-67CC6A2F71B7}" = OroBaduk
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C688457E-03FD-4941-923B-A27F4D42A7DD}" = Microsoft SQL Server 2008 Browser
"{C810930D-3FA2-3E54-1FAC-3907C5AEA7BC}" = Catalyst Control Center Graphics Full Existing
"{C965F01C-76EA-4BD7-973E-46236AE312D7}" = Sql Server Customer Experience Improvement Program
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CAFC9755-5469-DC18-CDD2-6F5C743AC478}" = Catalyst Control Center Graphics Light
"{CB16F6D9-EBC9-4BC6-B917-7AF53E99C067}" = LightScribe System Software 1.17.90.1
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D62975CC-4A38-4AB4-92F1-B3404A7638CF}" = Graphviz
"{D8087907-E255-3A41-A46D-D0F798709C71}" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"{D9D937B0-E842-4130-9588-B948E876904A}" = Microsoft SQL Server 2008 Native Client
"{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb" = Microsoft Windows Application Compatibility Database
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E2EA0C33-43B3-48A4-87CA-2BDA2F8ABF68}" = Sun xVM VirtualBox
"{EB9BD1D5-8DFB-48C4-927B-10BB47CA59B3}" = Microsoft .NET Framework SDK (English) 1.1
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F18B31E4-E2E3-4F4F-A2C9-BA579D6AF400}" = TortoiseOverlays
"{F1DC7648-8623-442F-92B7-E118DF61872E}" = Microsoft SQL Server 2008 RsFx Driver
"{F3494AB6-6900-41C6-AF57-823626827ED8}" = Microsoft SQL Server 2008 Database Engine Shared
"{F54885B7-7789-087D-62EB-373D4DF83B56}" = Skins
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{F8474DF7-9902-7305-BAB3-34DEDFF2ADC5}" = ccc-core-static
"{FBF18108-DDC2-11D5-BEBF-00606733A9BE}" = Polaroid Digital Cam
"8461-7759-5462-8226" = Vuze
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"All ATI Software" = ATI - Software Uninstall Utility
"Arena 2.0.1_is1" = Arena 2.0.1
"Ask Toolbar_is1" = ZoneAlarm Spy Blocker Toolbar
"AsUninst.exe" = Anvil Studio
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"AviSynth2" = AviSynth 2 (remove only)
"Belarc Advisor" = Belarc Advisor 7.2
"Brain Workshop_is1" = Brain Workshop 4.4
"camcodec" = CamStudio Lossless Codec
"CamStudio" = CamStudio
"Canon CanoScan LiDE 100 User Registration" = Canon CanoScan LiDE 100 User Registration
"CANONIJPLM100" = Inkjet Printer/Scanner Extended Survey Program
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CCleaner" = CCleaner (remove only)
"CDisplay_is1" = CDisplay 1.8
"Chandler" = Chandler 1.0.3
"CHM To PDF PRO_is1" = CHM To PDF Converter PRO
"D-Fend Reloaded" = D-Fend Reloaded 0.7.0 (deinstall)
"Drago_is1" = Drago 3.14.03
"Duplicate Cleaner_is1" = Duplicate Cleaner 1.2
"eMule" = eMule
"EnterpriseDB Tuning Wizard 1.1" = EnterpriseDB Tuning Wizard for PostgreSQL
"Everything" = Everything 1.2.1.371
"Foxit Reader" = Foxit Reader
"gGo" = gGo
"GPL Ghostscript 8.63" = GPL Ghostscript 8.63
"GSview 4.9" = GSview 4.9
"HackerEvolutionUntold" = Hacker Evolution: Untold (2.01.033)(remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"ImgBurn" = ImgBurn
"InstallWatch Pro 2.5" = InstallWatch Pro 2.5
"KeyTweak" = KeyTweak - Keyboard Remapper (remove only)
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 3.9.5
"lightning_admin_pgsql_is1" = PG Lightning Admin
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Security Scan" = McAfee Security Scan
"MediaMonkey_is1" = MediaMonkey 3.0
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 10" = Microsoft SQL Server 2008
"Microsoft SQL Server 10 Release" = Microsoft SQL Server 2008
"Microsoft Visual C++ 2008 Express Edition with SP1 - ENU" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"MiKTeX 2.7" = MiKTeX 2.7
"mIRC" = mIRC
"Mozilla Firefox (3.5.3)" = Mozilla Firefox (3.5.3)
"MP Navigator EX 2.0" = Canon MP Navigator EX 2.0
"MSC" = McAfee SecurityCenter
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Ogg Codecs" = Ogg Codecs 0.81.15562
"OpenAL" = OpenAL
"PDF Password Remover v3.0_is1" = PDF Password Remover v3.0
"PE Builder_is1" = PE Builder 3.1.10a
"PlanetPenguin Racer_is1" = PlanetPenguin Racer
"PremiumSoft Navicat 8.0 Lite for PostgreSQL_is1" = PremiumSoft Navicat 8.0 Lite for PostgreSQL
"Python 2.5 PySVN_is1" = Python 2.5 PySVN 1.6.2-1067
"qGo_is1" = qGo 1.5.4-r2
"QuickPar" = QuickPar 0.9
"QuicktimeAlt_is1" = QuickTime Alternative 1.81
"RocketDock_is1" = RocketDock 1.3.5
"Ruby-186-26" = Ruby-186-26
"setuptools-py2.5" = Python 2.5 setuptools-0.6c9
"Sharpshooter's Miniature Golf 4.285_is1" = Sharpshooter's Miniature Golf Version 4.285
"Streambox Vcr Suite_is1" = Streambox Vcr Suite 2
"StyleBuilder" = StyleBuilder (remove only)
"StyleXP" = StyleXP (remove only)
"TeXnicCenter_is1" = TeXnicCenter Version 1 Beta 7.50
"The Rosetta Stone" = The Rosetta Stone
"TinyCars_is1" = TinyCars 1.1
"TortoiseHg_is1" = TortoiseHg-0.5
"Tweak UI 2.10" = Tweak UI
"Universal Document Converter_is1" = Universal Document Converter
"VDMSound" = VDMSound
"videodetect_is1" = videodetect 1.0
"VirtuaWin_is1" = VirtuaWin v4.0.1
"VLC media player" = VideoLAN VLC media player 0.8.6i
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Sidebar" = Windows Sidebar
"WinGimp-2.0_is1" = GIMP 2.4.6
"WinHTTrack Website Copier_is1" = WinHTTrack Website Copier 3.43-2
"WinPatrol" = WinPatrol 2009
"WinPcapInst" = WinPcap 4.0.2
"WinRAR archiver" = WinRAR archiver
"Wireshark" = Wireshark 1.0.0
"wxFormBuilder_is1" = wxFormBuilder 3.0.57
"wxWidgets_is1" = wxWidgets 2.8.9
"xplorer2l" = xplorer² lite
"ZMBV" = Zip Motion Block Video codec (Remove Only)
"ZoneAlarm" = ZoneAlarm

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"CGoban 3" = CGoban 3
"Google Chrome" = Google Chrome
"Move Media Player" = Move Media Player
"Universal 3D Chess" = Universal 3D Chess
"Vuze Launcher" = Vuze Launcher
"WinDirStat" = WinDirStat 1.1.2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/30/2009 4:33:52 PM | Computer Name = CAMRON | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00018af2.

Error - 9/30/2009 8:51:58 PM | Computer Name = CAMRON | Source = Application Hang | ID = 1002
Description = Hanging application chrome.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/8/2009 1:57:02 PM | Computer Name = CAMRON | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00018af2.

Error - 10/9/2009 5:51:27 AM | Computer Name = CAMRON | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
dirapix.dll, version 10.4.1.26, fault address 0x000379f0.

Error - 10/10/2009 12:24:52 AM | Computer Name = CAMRON | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
dirapix.dll, version 10.4.1.26, fault address 0x000379f0.

Error - 10/12/2009 7:29:34 AM | Computer Name = CAMRON | Source = Application Hang | ID = 1002
Description = Hanging application emule.exe, version 0.49.2.37, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/12/2009 7:29:47 AM | Computer Name = CAMRON | Source = Application Hang | ID = 1002
Description = Hanging application emule.exe, version 0.49.2.37, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/14/2009 9:26:59 AM | Computer Name = CAMRON | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
dirapix.dll, version 10.4.1.26, fault address 0x000379f0.

[ System Events ]
Error - 10/15/2009 3:37:24 PM | Computer Name = CAMRON | Source = Service Control Manager | ID = 7000
Description = The TrueVector Internet Monitor service failed to start due to the
following error: %%1053

Error - 10/15/2009 3:37:24 PM | Computer Name = CAMRON | Source = Service Control Manager | ID = 7000
Description = The Polaroid Digital Cam Video service failed to start due to the
following error: %%1058

Error - 10/15/2009 3:37:24 PM | Computer Name = CAMRON | Source = Service Control Manager | ID = 7000
Description = The McAfee Real-time Scanner service failed to start due to the following
error: %%2

Error - 10/15/2009 3:37:24 PM | Computer Name = CAMRON | Source = Service Control Manager | ID = 7023
Description = The Security Center service terminated with the following error: %%126

Error - 10/15/2009 11:50:19 PM | Computer Name = CAMRON | Source = Service Control Manager | ID = 7000
Description = The Polaroid Digital Cam Video service failed to start due to the
following error: %%1058

Error - 10/15/2009 11:50:19 PM | Computer Name = CAMRON | Source = Service Control Manager | ID = 7000
Description = The McAfee Real-time Scanner service failed to start due to the following
error: %%2

Error - 10/15/2009 11:50:19 PM | Computer Name = CAMRON | Source = Service Control Manager | ID = 7023
Description = The Security Center service terminated with the following error: %%126

Error - 10/15/2009 11:56:09 PM | Computer Name = CAMRON | Source = Service Control Manager | ID = 7000
Description = The Polaroid Digital Cam Video service failed to start due to the
following error: %%1058

Error - 10/15/2009 11:56:09 PM | Computer Name = CAMRON | Source = Service Control Manager | ID = 7000
Description = The McAfee Real-time Scanner service failed to start due to the following
error: %%2

Error - 10/15/2009 11:56:09 PM | Computer Name = CAMRON | Source = Service Control Manager | ID = 7023
Description = The Security Center service terminated with the following error: %%126


< End of report >

#4 BubbaT

BubbaT
  • Topic Starter

  • Members
  • 42 posts

Posted 16 October 2009 - 12:28 AM

Let me correct something: when I described sp**.sys I said the last two digits; I meant the last two letters.

Thank you

#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 16 October 2009 - 07:48 AM

Hi,

Sorry, I should have mentioned that earlier: the sptd.sys and its friend sp??.sys are "harmless". They belong to a program called sptd; it is used by Daemon Tools (and similar programs) to create the virtual CD drives.

Please try the following to uninstall McAfee as there are indeed left-overs from it:

You should be able to remove McAfee products via Start > Control Panel > Add or Remove Programs.
If you need instructions on how to do so, please consult: How To Remove An Installed Program From Your Computer

The following removal utility can be used to uninstall the program if the uninstall via Add/remove does not work:
  • Download MCPR.exe to your desktop.
  • Make sure all McAfee windows are closed.
  • Double-click MCPR.exe to run the removal tool.
  • Restart your computer after receiving the message CleanUp Successful.

Original instructions here:
http://service.mcafee.com/FAQDocument.aspx?id=TS100507


Concerning Firefox, I believe this might be a broken setting. Do you also get Google results if you enter www.bleepingcomputer.com instead of bleepingcomputer.com?

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#6 BubbaT

BubbaT
  • Topic Starter

  • Members
  • 42 posts

Posted 17 October 2009 - 05:41 AM

I did have Daemon Tools on and removed it. At the time it looked like a clean uninstall, but I did find the file when I looked for it.
( Why is Daemon Tools hooking registry calls? I can

Deleting it cleared up almost everything, including the safe mode and firefox problems.
MCPR.exe did seem to clean up a lot of McAfee, probably all, but I would like to make sure.
Is there a way to check?

In safe mode I ran both SuperAntiSpyware and Malwarebytes, and both ran cleanly.
( Sorry I realised afterwards I probably should not have done so. If there is more to do I will be more restrained. )

Finally, about two weeks before I noticed this problem, I had had an infection that I had managed to clean up.
Is there anything more that I should do to make sure it is completely eradicated?


Thank you.

#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 18 October 2009 - 10:52 AM

Hi,

I would have asked for a Malwarebytes scan as a next step. :( Two things which are good to know about Malwarebytes are that Malwarebytes does not automatically update, so before scanning make sure that you have the latest signatures by updating the program manually. The second thing is that Malwarebytes is most effective in normal mode.

So please repeat the scan for me and run another updated Malwarebytes scan in normal mode. Please also try to run a gmer scan:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Daemon Tools "must" hide from copyright protection software, which is why their driver has a random name and changes name.

regards _temp_

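As an added example (not code from this thread, from GMER, or from any tool named here), a small Python helper that parses GMER's SSDT result lines in the format shown in the scan output posted in this thread, groups the hooks by driver, and flags what this thread turned on: registry APIs being hooked, drivers with no vendor information, and the sp??.sys naming attributed above to SPTD. The sample log lines are constructed, and spxy.sys is a placeholder standing in for the randomly named driver.

```python
"""Triage helper for GMER "SSDT" result lines.

Added example, not code from the thread or from GMER. Assumed line format,
taken from the GMER 1.0.15 output posted in this thread:

    SSDT <module path> (<description>/<vendor>) <ZwFunction> [0x<address>]

The "(description/vendor)" part is treated as optional, since a driver GMER
cannot identify has no version information to print.
"""
import re
from collections import defaultdict

SSDT_LINE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"              # driver path, e.g. \SystemRoot\System32\vsdatant.sys
    r"(?:\s+\((?P<info>[^)]*)\))?"          # optional "(Description/Vendor)"
    r"\s+(?P<func>Zw\w+)"                   # hooked native API
    r"\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]\s*$"  # hook handler address
)

# sptd.sys and its randomly named two-letter companion sp??.sys, the naming
# the thread attributes to the SPTD driver used by Daemon Tools.
SPTD_NAME = re.compile(r"^sp(?:td|[a-z]{2})\.sys$", re.IGNORECASE)


def parse_ssdt(text):
    """Parse every SSDT line in a GMER log; all other lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_LINE.match(line.strip())
        if not m:
            continue
        desc = vendor = None
        if m.group("info"):
            # "Description/Vendor": split on the last slash (assumes the vendor
            # name itself contains none); with no slash, keep it as description
            desc, sep, vendor = m.group("info").rpartition("/")
            if not sep:
                desc, vendor = vendor, None
        module = m.group("module")
        hooks.append({
            "module": module,
            "basename": module.replace("/", "\\").rsplit("\\", 1)[-1],
            "description": desc,
            "vendor": vendor,
            "function": m.group("func"),
            "address": int(m.group("addr"), 16),
        })
    return hooks


def is_registry_api(func):
    """Registry-related Zw* calls all carry 'Key' in the name (ZwCreateKey, ZwSetValueKey, ...)."""
    return "Key" in func


def summarize(hooks):
    """Group hooks per driver basename and attach plain-language triage notes."""
    per_module = defaultdict(lambda: {"vendor": None, "functions": [], "notes": []})
    for h in hooks:
        entry = per_module[h["basename"]]
        entry["vendor"] = h["vendor"]
        entry["functions"].append(h["function"])
    for name, entry in per_module.items():
        entry["registry_functions"] = [f for f in entry["functions"] if is_registry_api(f)]
        if entry["vendor"] is None:
            entry["notes"].append("no vendor information: identify the file on disk before trusting it")
        if SPTD_NAME.match(name):
            entry["notes"].append("sp??.sys / sptd.sys naming: consistent with the SPTD driver "
                                  "(Daemon Tools and similar); confirm such software is installed")
        if entry["registry_functions"] and entry["vendor"] is None:
            entry["notes"].append("registry APIs hooked by an unidentified driver")
    return dict(per_module)


# Constructed sample: three vsdatant.sys lines in the thread's format plus one
# line for a randomly named driver. "spxy.sys" is a placeholder, not a real name.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB1056170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB1055180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB10564E0]
SSDT \??\C:\WINDOWS\System32\Drivers\spxy.sys ZwEnumerateKey [0xB9F12A40]

---- Kernel code sections - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    for name, entry in summarize(parse_ssdt(SAMPLE_LOG)).items():
        print(f"{name}: {len(entry['functions'])} hook(s), vendor={entry['vendor']!r}, "
              f"registry={entry['registry_functions']}")
        for note in entry["notes"]:
            print("  - " + note)
```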


#8 BubbaT

BubbaT
  • Topic Starter

  • Members
  • 42 posts

Posted 19 October 2009 - 12:15 PM

Hi,

I would have asked for a Malwarebytes scan as a next step. :( Two things which are good to know about Malwarebytes are that Malwarebytes does not automatically update, so before scanning make sure that you have the latest signatures by updating the program manually. The second thing is that Malwarebytes is most effective in normal mode.

I know about the update circumstances. In fact whenever I do usually run a scan, I forget to update. So I wind up aborting it and then updating and starting it again.

So please repeat the scan for me and run another updated Malwarebytes scan in normal mode.


I'm a bit confused here, when you say the scan, do you mean MBAM ( or do you mean OTL )?
When you say "normal mode" you mean a "full scan" ( as opposed to a "quick scan")? ( It doesn't say normal on the scanner page. )

Please also try to run a gmer scan:
-- If you encounter any problems, try running GMER in Safe Mode.


I ran a scan of GMER, but glancing at the scan ( and checking with RootRepeal afterwards ) it seems that vsdatant.sys ( a part of ZoneAlarm if I understand correctly ) still left hooks in the system.
I wasn't sure if that counted as a problem, but I will try to first disable all autostarts ( rather than shutting off things after boot ) and reboot before I run another scan.
Then I will also run a scan in safe-mode. I will post those logs when I finish. ( If they match then just one. )

Thank You

-------------------------------------------GMER Scan--------------------------------------------------------------

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-19 04:02:12
Windows 5.1.2600 Service Pack 2
Running: 1c0x0127.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uxtdqpog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB103EFC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB103BC80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB1056170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB103F580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB1053900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB1053B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB1057B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB103F670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB103C210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB10569F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB10567A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB1053280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB1056F10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB1056F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB103C070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB1055180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB1054F40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB10576F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB1057150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB103EBE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB1057540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB103F190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB103C440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB10564E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB1054200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB1054080]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C44 80503A18 12 Bytes [80, F5, 03, B1, 00, 39, 05, ...]
? srescan.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B1043B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B1043930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B1044260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B1041E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B1041E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B1043B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B1043930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B1044260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B1043B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B1044260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B1043930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B1041E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B1044260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B1043930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B1043B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B1041E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B1043B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B1043930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B1044260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B1043B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B1041E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B1044260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B1043930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume7 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume8 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0x96 0xE7 0x59 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1D 0x09 0x38 0x54 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x32 0x8F 0xEE 0x64 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x46 0xF0 0xB3 0x27 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xBE 0x3A 0x74 0x78 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x39 0x16 0xA0 0xAF ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x6A 0x7C 0xF1 0x97 ...
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClvkcygwsricpieyof.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClvkcygwsricpieyof.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACtssajonauocqfhqkf.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACcptiwgfmjccmchryx.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACdusuohwitcvnfvyxc.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACfljpnehmlutonxmje.db
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACmmnpxjbvmdqrdvdrt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACmpmmdgvokypfjxgkk.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UAChugielkdtdpvvkxyc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0x96 0xE7 0x59 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x47 0x1E 0x8E 0xA2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0x96 0xE7 0x59 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x47 0x1E 0x8E 0xA2 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FriendlyName Indeo® video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@EncoderType 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Local Administration\Acronis\Acronis
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Local Administration\Acronis\Acronis@Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Thought\Tom
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Thought\Tom@Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Tom
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Tom@Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C65C4DB1-1AB2-4FD8-0CF0-25CBDD986F22}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C65C4DB1-1AB2-4FD8-0CF0-25CBDD986F22}@japbikdcgjlffohaanni 0x63 0x61 0x61 0x61 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C65C4DB1-1AB2-4FD8-0CF0-25CBDD986F22}@pahbcjlbfemfkeichjlpdapamjkmhodk 0x63 0x61 0x65 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C65C4DB1-1AB2-4FD8-0CF0-25CBDD986F22}@hapbikdcgjlffoha 0x61 0x61 0x00 0x7C

---- EOF - GMER 1.0.15 ----

#9 BubbaT


Posted 20 October 2009 - 02:09 AM

I ran scans with both by booting with all the autostart stuff off and in safe mode. In both cases all scan results are contained in the scan result above.
The things in the original scan missing from either of the other two scans mostly concern SSDT or vsdatant.sys, so I don't think those scans will be of more help than the above scan. If you want me to post either, let me know.

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:51 AM

Posted 20 October 2009 - 11:02 AM

Hi,

In fact, whenever I do run a scan, I usually forget to update. So I wind up aborting it and then updating and starting it again.

This sounds very much like the way I do things. :( If you like Malwarebytes and want to get automatic updates for it, you may want to consider the paid version. It is a one-time payment of about $30.

I'm a bit confused here: when you say "the scan", do you mean MBAM (or do you mean OTL)?
When you say "normal mode", do you mean a "full scan" (as opposed to a "quick scan")? (It doesn't say normal on the scanner page.)

I meant Malwarebytes.
You stated that you ran Malwarebytes in safe mode:

In safe mode I ran both SuperAntiSpyware and Malwarebytes, and both ran cleanly.

But Malwarebytes is most effective when run in "normal mode" (as opposed to safe mode). What I wanted to ask you to do was a quick scan not in safe mode.

I ran a scan of GMER, but glancing at the scan (and checking with RootRepeal afterwards) it seems that vsdatant.sys (a part of ZoneAlarm, if I understand correctly) still left hooks in the system.

GMER is first of all a diagnostic tool; as long as you can start it and it doesn't crash, it didn't run into problems. :( The logs you provided are fine.

vsdatant.sys is indeed a part of ZoneAlarm, and the hooks need to remain if you want it to protect you in future.

I also see some leftovers of a rootkit. Did you remove this on your own?

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
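A way to read a GMER log like the one posted above more systematically, as an added example for this thread (not GMER's or the forum's code): group every SSDT and IAT hook by the driver that owns it, so that a block of hooks all pointing into one identified security driver such as vsdatant.sys (ZoneAlarm, as discussed above) stands apart from hooks with no owner information; list inline kernel patches and drivers GMER could not resolve; and flag Services entries whose names or image paths match the TDSS/TDL3 "UAC*" pattern that Malwarebytes classifies as Rootkit.TDSS later in the thread. SAMPLE_LOG is a shortened copy of the posted log, the regular expressions are assumptions about GMER 1.0.15's text format, and the UAC/SKYNET prefix list is a heuristic drawn only from the names that appear in this thread.

```python
"""Triage of a GMER 1.0.15 text log (added example for this thread; not GMER
code).  Groups SSDT/IAT hooks by owning driver, lists inline kernel patches and
unresolved drivers, and flags Services entries that look like TDSS/TDL3 "UAC*"
leftovers.  SAMPLE_LOG is a shortened copy of the log posted in the thread; the
regexes and the TDSS_SERVICE_RE prefix list are assumptions made for this example."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB1056170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB10564E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB1054080]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C44 80503A18 12 Bytes [80, F5, 03, B1, 00, 39, 05, ...]
? srescan.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B1043930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClvkcygwsricpieyof.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClvkcygwsricpieyof.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACmpmmdgvokypfjxgkk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@EncoderType 1
"""

# Line shapes as they appear in the posted log (assumed to hold for the whole format).
SSDT_RE = re.compile(r"^SSDT\s+(\S+)(?:\s+\((.*)\))?\s+(Zw\w+)\s+\[0x([0-9A-Fa-f]+)\]\s*$")
IAT_RE = re.compile(r"^IAT\s+([^\[\s]+)\[([^\]]+)\]\s+\[([0-9A-Fa-f]+)\]\s+(\S+)(?:\s+\((.*)\))?\s*$")
UNRESOLVED_RE = re.compile(r"^\?\s+(\S+)\s+(.*?)\s*!?\s*$")
# Heuristic: service names seen for this rootkit family in the thread (UAC*, SKYNET*).
TDSS_SERVICE_RE = re.compile(r"\\Services\\(?:UAC|SKYNET)[A-Za-z]", re.IGNORECASE)
GLOBALROOT = "\\\\?\\globalroot\\"  # the \\?\globalroot\ device-path prefix in the module entries


def triage(log_text):
    """Parse one GMER log and return a dict of triage findings."""
    hooks = defaultdict(lambda: {"vendor": None, "apis": []})
    unidentified, patches, unresolved, tdss = [], [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if (m := SSDT_RE.match(line)):
            owner, vendor, api, _addr = m.groups()
            hooks[owner]["vendor"] = vendor
            hooks[owner]["apis"].append(api)
            if vendor is None:            # GMER printed no version info for the owner
                unidentified.append(line)
        elif (m := IAT_RE.match(line)):
            victim, imported, _addr, owner, vendor = m.groups()
            hooks[owner]["vendor"] = vendor
            hooks[owner]["apis"].append(f"{imported} (in {victim.rsplit(chr(92), 1)[-1]})")
            if vendor is None:
                unidentified.append(line)
        elif line.startswith(".text "):   # inline patch of a kernel image
            patches.append(line)
        elif (m := UNRESOLVED_RE.match(line)):
            unresolved.append(m.group(1))
        elif line.startswith("Reg "):
            parts = line.split(None, 2)   # "Reg", "<key>@<value>", "<data>"
            key, _, value = parts[1].partition("@")
            data = parts[2] if len(parts) > 2 else ""
            if TDSS_SERVICE_RE.search(key) or GLOBALROOT in data.lower():
                tdss.append((key, value, data))
    return {
        "hook_owners": dict(hooks),
        "unidentified_hooks": unidentified,
        "kernel_patches": patches,
        "unresolved_modules": unresolved,
        "tdss_indicators": tdss,
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section, items)
```

Run it over a full report with `triage(open(path).read())`. An owner whose vendor is None, a non-empty tdss_indicators list, or a .text patch in a kernel image are the items to look at first; a large hook set owned by one identified firewall driver is what that product is expected to do, which is the point made above about vsdatant.sys.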


#11 BubbaT


Posted 20 October 2009 - 03:26 PM

I ran MBAM again in normal mode, it ran clean.

About two weeks to a month before I spotted the present incident, I was clearly either very corrupt or very infected. The disk manager would start but not show anything.
I don't remember exactly what happened, but I used some rootkit scanner, probably RootRepeal, and it showed me a couple of files. I don't remember their names, but they were something like YUU*****
and MNPQ****** with either a sys or exe extension, but MBAM was running clean. I booted into a Linux live CD and deleted the two files. Then I rebooted into XP and ran MBAM, which found the infection and cleaned it out.

#12 myrti


Posted 21 October 2009 - 06:44 AM

Hi,

could you please provide the log from Malwarebytes in which you removed the infection?

regards _temp_



#13 BubbaT


Posted 21 October 2009 - 08:28 AM

Hmmm.
Looking at the logs, I see I had something relatively minor pop up the week before. I can't remember it, so I suppose it was routine. I posted logs from those two scans also.
The last scan is the scan I made after deleting the two files.

--------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.40
Database version: 2712
Windows 5.1.2600 Service Pack 2

9/3/2009 10:45:46 AM
mbam-log-2009-09-03 (10-45-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 4758
Time elapsed: 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> Delete on reboot.
-----------------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.40
Database version: 2735
Windows 5.1.2600 Service Pack 2

9/3/2009 11:49:18 AM
mbam-log-2009-09-03 (11-49-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 442925
Time elapsed: 56 minute(s), 33 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
C:\WINDOWS\system32\winupdate.exe (Rogue.AdvancedVirusRemover) -> Unloaded process successfully.
C:\WINDOWS\system32\drivers\smss.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Ertfor) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows system recover! (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\drivers\smss.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\drivers\smss.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\smss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\cpv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ppc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\sp.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR09.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\lsass.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\winlogon.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
-------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.40
Database version: 2756
Windows 5.1.2600 Service Pack 2

9/8/2009 6:30:08 AM
mbam-log-2009-09-08 (06-30-08).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|J:\|)
Objects scanned: 600527
Time elapsed: 1 hour(s), 11 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetceoqulqj (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{55C10545-AF25-4BA6-BC3E-AA6DBC009909}\RP2\A0000036.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{55C10545-AF25-4BA6-BC3E-AA6DBC009909}\RP6\A0000463.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{55C10545-AF25-4BA6-BC3E-AA6DBC009909}\RP6\A0000467.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{55C10545-AF25-4BA6-BC3E-AA6DBC009909}\RP6\A0000490.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UAC1e7f.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACa13c.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETboibivcn.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETdimyvpvj.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACdrpqfueltm.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
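The second and third Malwarebytes logs above show two patterns a practitioner can check for by hand: a Winlogon Userinit value that chains a second executable after userinit.exe, and core Windows process names (smss.exe, lsass.exe, svchost.exe, winlogon.exe) running from the drivers directory or a user's Temp directory. The following is an added example written for this thread, not Malwarebytes code; it implements both checks over the registry value and file paths copied from those logs. The expected Userinit value and the CORE_PROCESSES set are assumptions for Windows XP.

```python
"""Two checks distilled from the Malwarebytes logs in this thread: a Winlogon
Userinit value that chains an extra executable, and core Windows process names
running outside the system32 directory.  Added example, not Malwarebytes code.
The Userinit value and file paths are copied from the logs; the expected
Userinit value and the CORE_PROCESSES set are assumptions for Windows XP."""
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "system32")
# On XP the stock value is "C:\WINDOWS\system32\userinit.exe," (note the trailing comma).
EXPECTED_USERINIT = ntpath.normcase(ntpath.join(SYSTEM32, "userinit.exe"))
# Processes that have no business running from anywhere but system32 on XP.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe",
                  "services.exe", "lsass.exe", "svchost.exe"}

# Copied from the logs in this thread; the first is the hijacked value MBAM repaired.
USERINIT_SEEN = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe"
USERINIT_DEFAULT = r"C:\WINDOWS\system32\userinit.exe,"
PROCESSES_SEEN = [
    r"C:\WINDOWS\system32\drivers\smss.exe",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\lsass.exe",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\winlogon.exe",
    r"C:\WINDOWS\system32\svchost.exe",    # genuine location: must not be flagged
    r"C:\WINDOWS\system32\winupdate.exe",  # not a core name: left to signatures
]


def _norm(path):
    """Case-fold and normalise a Windows path without touching a real filesystem."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def check_userinit(value):
    """Return the Userinit entries that are not system32 userinit.exe.

    Winlogon runs every comma-separated entry at logon, so anything besides
    the real userinit.exe is a persistence mechanism.  Empty entries (the
    trailing comma of the default value) are ignored; relative paths are
    reported because the legitimate entry is always absolute.
    """
    return [entry.strip() for entry in value.split(",")
            if entry.strip() and _norm(entry) != EXPECTED_USERINIT]


def check_process_paths(paths):
    """Return paths that reuse a core process name outside system32."""
    expected_dir = ntpath.normcase(SYSTEM32)
    flagged = []
    for path in paths:
        directory, name = ntpath.split(_norm(path))
        if name in CORE_PROCESSES and directory != expected_dir:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    print("Userinit extras:", check_userinit(USERINIT_SEEN))
    print("Masquerading:", check_process_paths(PROCESSES_SEEN))
```

On a live XP box the Userinit value comes from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and the process paths from a process lister such as Process Explorer; the checks themselves only need the strings, which is why they can be exercised here against the values from the logs.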

#14 myrti


Posted 21 October 2009 - 10:28 AM

Hi,

This looks a little odd,
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\System32\drivers\ogtbe99.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards _temp_



#15 BubbaT


Posted 21 October 2009 - 01:51 PM

Ok. I've run the scans. I don't know a better way to get you the results, so I printed the scans as PDF and attached them. I am now disabling autoruns and rebooting to start fresh to run ComboFix.
Since I don't know how long that will take, I thought I would post this first.


BubbaT
