MBR Rootkit Detected! Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4035a92


26 replies to this topic

#1 bomber1712

Posted 31 October 2009 - 10:12 PM

I was helping my Father in Law with his computer. I was assisted by garmanma, and he helped to clean the computer. Many THANKS!

I decided to run the same diagnostics on my other 3 computers, while I was at it (reassure myself that all was OK!). In that process, I ran ATF cleaner, Dr Web, MBAM and SAS. All showed clean computers. Then I ran Root Repeal and really ran into issues. I am going to ask for assistance to tackle the issues one computer at a time.

Here is the first post in the "Am I infected forum": http://www.bleepingcomputer.com/forums/t/267979/root-repeal-log-help/

This computer is no longer connected to the internet nor the LAN. I will do nothing further with it until I hear from someone here.

I was told to post the Root Repeal log and the DDS log, so here they are. I have also attached the Attach.txt from DDS. Any help you can provide will be greatly appreciated!

DDS log:


DDS (Ver_09-10-26.01) - NTFSx86
Run by Dan Neinas at 21:56:39.75 on Sat 10/31/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.768.493 [GMT -5:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dan Neinas\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.yahoo.com/
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON PictureMate PM 240] c:\windows\system32\spool\drivers\w32x86\3\e_fatibca.exe /fu "c:\windows\temp\E_S1B3.tmp" /EF "HKCU"
mRun: [hplampc] c:\windows\system32\hplampc.exe
mRun: [FileZilla Server Interface] "c:\program files\filezilla server\FileZilla Server Interface.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-18 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-18 25160]

=============== Created Last 30 ================

2009-10-30 00:11:40 0 d-----w- c:\program files\Sophos
2009-10-28 12:59:20 0 d-----w- c:\documents and settings\dan neinas\DoctorWeb
2009-10-16 02:23:28 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-13 01:45:05 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-13 01:42:10 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-13 01:39:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-13 01:39:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-13 01:38:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-09-23 00:50:30 179792 ----a-w- c:\windows\system32\guard32.dll
2009-09-23 00:50:27 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-09-23 00:50:26 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 00:15:54 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 22:44:09 68938 ----a-w- c:\windows\hpoins05.dat
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-16 15:08:36 178176 ----a-w- c:\windows\system32\unrar.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 21:58:20.01 ===============


When I run Root Repeal, I get an error message:

"Root Repeal could not read boot sector. Try adjusting disk access level"

After the error message, it does give me a log file, and that's where I am really concerned. I don't know what all of this means (pretty sure it's not good!), but I know someone out there can let me know if I have a real issue.

Root Repeal Log:


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/10/29 07:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3D69000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D75000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF2F31000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Prefetch\HPRBLOG.EXE-35C0D80C.pf
Status: Could not get file information (Error 0xc0000008)

Path: C:\WINDOWS\system32\drivers\sfi.dat
Status: Locked to the Windows API!

Path: Volume H:\
Status: MBR Rootkit Detected!

Path: Volume H:\, Sector 1
Status: Sector mismatch

Path: Volume H:\, Sector 2
Status: Sector mismatch

Path: Volume H:\, Sector 3
Status: Sector mismatch

Path: Volume H:\, Sector 4
Status: Sector mismatch

Path: Volume H:\, Sector 5
Status: Sector mismatch

Path: Volume H:\, Sector 6
Status: Sector mismatch

Path: Volume H:\, Sector 7
Status: Sector mismatch

Path: Volume H:\, Sector 8
Status: Sector mismatch

Path: Volume H:\, Sector 9
Status: Sector mismatch

Path: Volume H:\, Sector 10
Status: Sector mismatch

Path: Volume H:\, Sector 11
Status: Sector mismatch

Path: Volume H:\, Sector 12
Status: Sector mismatch

Path: Volume H:\, Sector 13
Status: Sector mismatch

Path: Volume H:\, Sector 14
Status: Sector mismatch

Path: Volume H:\, Sector 15
Status: Sector mismatch

Path: Volume H:\, Sector 16
Status: Sector mismatch

Path: Volume H:\, Sector 17
Status: Sector mismatch

Path: Volume H:\, Sector 18
Status: Sector mismatch

Path: Volume H:\, Sector 19
Status: Sector mismatch

Path: Volume H:\, Sector 20
Status: Sector mismatch

Path: Volume H:\, Sector 21
Status: Sector mismatch

Path: Volume H:\, Sector 22
Status: Sector mismatch

Path: Volume H:\, Sector 23
Status: Sector mismatch

Path: Volume H:\, Sector 24
Status: Sector mismatch

Path: Volume H:\, Sector 25
Status: Sector mismatch

Path: Volume H:\, Sector 26
Status: Sector mismatch

Path: Volume H:\, Sector 27
Status: Sector mismatch

Path: Volume H:\, Sector 28
Status: Sector mismatch

Path: Volume H:\, Sector 29
Status: Sector mismatch

Path: Volume H:\, Sector 30
Status: Sector mismatch

Path: Volume H:\, Sector 31
Status: Sector mismatch

Path: Volume H:\, Sector 32
Status: Sector mismatch

Path: Volume H:\, Sector 33
Status: Sector mismatch

Path: Volume H:\, Sector 34
Status: Sector mismatch

Path: Volume H:\, Sector 35
Status: Sector mismatch

Path: Volume H:\, Sector 36
Status: Sector mismatch

Path: Volume H:\, Sector 37
Status: Sector mismatch

Path: Volume H:\, Sector 38
Status: Sector mismatch

Path: Volume H:\, Sector 39
Status: Sector mismatch

Path: Volume H:\, Sector 40
Status: Sector mismatch

Path: Volume H:\, Sector 41
Status: Sector mismatch

Path: Volume H:\, Sector 42
Status: Sector mismatch

Path: Volume H:\, Sector 43
Status: Sector mismatch

Path: Volume H:\, Sector 44
Status: Sector mismatch

Path: Volume H:\, Sector 45
Status: Sector mismatch

Path: Volume H:\, Sector 46
Status: Sector mismatch

Path: Volume H:\, Sector 47
Status: Sector mismatch

Path: Volume H:\, Sector 48
Status: Sector mismatch

Path: Volume H:\, Sector 49
Status: Sector mismatch

Path: Volume H:\, Sector 50
Status: Sector mismatch

Path: Volume H:\, Sector 51
Status: Sector mismatch

Path: Volume H:\, Sector 52
Status: Sector mismatch

Path: Volume H:\, Sector 53
Status: Sector mismatch

Path: Volume H:\, Sector 54
Status: Sector mismatch

Path: Volume H:\, Sector 55
Status: Sector mismatch

Path: Volume H:\, Sector 56
Status: Sector mismatch

Path: Volume H:\, Sector 57
Status: Sector mismatch

Path: Volume H:\, Sector 58
Status: Sector mismatch

Path: Volume H:\, Sector 59
Status: Sector mismatch

Path: Volume H:\, Sector 60
Status: Sector mismatch

Path: Volume H:\, Sector 61
Status: Sector mismatch

Path: Volume H:\, Sector 62
Status: Sector mismatch

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4031d46

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4031250

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40318ea

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40322c2

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4031132

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4033254

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf403352c

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4030cf8

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4031f2c

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40320dc

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4030a5a

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4032ed6

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40314d4

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4031b2e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf403078a

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4031764

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4030902

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4032688

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40329f0

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4032c72

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4033084

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4032488

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf403146e

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4031658

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4030ffc

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4030eca

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4035308

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4035a2c

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf403543c

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40358ec

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf403557c

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40356b0

#: 310 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4035188

#: 319 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40343da

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034e58

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40357ea

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034bc6

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034d08

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40348aa

#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034112

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf403455c

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034708

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034fa8

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034a6c

#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf403509e

#: 529 Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034282

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4035a92

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4035cc6

==EOF==

Edited by bomber1712, 01 November 2009 - 09:02 AM.
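Added example (not part of the original post, and not RootRepeal's own code): a small Python triage script that parses a RootRepeal log of the shape posted above and separates the two kinds of finding it contains. It groups every SSDT and Shadow SSDT hook by the driver RootRepeal attributes it to, checks that one driver's hook addresses cluster in a range no larger than a driver image, and collects the disk-level findings (the "MBR Rootkit Detected!" line, the per-sector mismatches, the file locked to the Windows API). The trusted-module allowlist passed in is an assumption of this example: it contains cmdguard.sys only because the reply below identifies that driver as Comodo's. The sample text is an excerpt of the posted log, trimmed to a few entries; running the script over the complete log gives the same kind of summary.

```python
import re
import sys
from collections import defaultdict

# Excerpt of the RootRepeal log posted above (real lines, trimmed to a few
# entries per section); the full log has the same shape.
SAMPLE_LOG = r"""
ROOTREPEAL AD, 2007-2009
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF2F31000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\sfi.dat
Status: Locked to the Windows API!

Path: Volume H:\
Status: MBR Rootkit Detected!

Path: Volume H:\, Sector 1
Status: Sector mismatch

Path: Volume H:\, Sector 2
Status: Sector mismatch

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4031d46

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf403078a

Shadow SSDT
-------------------
#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4035cc6

==EOF==
"""

SECTIONS = ("Drivers", "Hidden/Locked Files", "SSDT", "Shadow SSDT")
HOOK_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)$")
HOOKED_BY_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)$')
PATH_RE = re.compile(r"^Path:\s*(.+)$")
SECTOR_RE = re.compile(r"^Volume ([A-Z]:\\), Sector (\d+)$")


def parse_rootrepeal(text):
    """Return (hooks, files): hook dicts and (path, status) pairs."""
    hooks, files, section, pending = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        m = HOOK_RE.match(line)
        if m and section in ("SSDT", "Shadow SSDT"):
            pending = ("hook", int(m.group(1)), m.group(2))   # waits for its Status: line
            continue
        m = PATH_RE.match(line)
        if m and section == "Hidden/Locked Files":
            pending = ("file", m.group(1))
            continue
        if line.startswith("Status:") and pending:
            if pending[0] == "hook":
                m = HOOKED_BY_RE.match(line)
                if m:
                    hooks.append({"table": section, "index": pending[1], "function": pending[2],
                                  "module": m.group(1), "address": int(m.group(2), 16)})
            else:
                files.append((pending[1], line[len("Status:"):].strip()))
            pending = None
    return hooks, files


def triage(hooks, files, trusted_modules):
    """Group hooks per driver and collect the disk-level findings.

    trusted_modules: lower-case file names of drivers whose SSDT hooks are
    expected (HIPS/AV products). Any other driver hooking the SSDT is flagged.
    """
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"].rsplit("\\", 1)[-1].lower()].append(h)
    report = {"hook_counts": {}, "hook_span": {}, "unexpected_hook_modules": [],
              "mbr_alerts": [], "mismatched_sectors": defaultdict(list), "locked_files": []}
    for name, entries in by_module.items():
        addrs = [e["address"] for e in entries]
        report["hook_counts"][name] = len(entries)
        # One driver's hooks must all land inside its own image; a span larger
        # than the driver's file size means the name on the hook is not where
        # the hook code really lives.
        report["hook_span"][name] = max(addrs) - min(addrs)
        if name not in trusted_modules:
            report["unexpected_hook_modules"].append(name)
    for path, status in files:
        sector = SECTOR_RE.match(path)
        if status == "MBR Rootkit Detected!":
            report["mbr_alerts"].append(path)
        elif sector and status == "Sector mismatch":
            report["mismatched_sectors"][sector.group(1)].append(int(sector.group(2)))
        elif status.startswith("Locked"):
            report["locked_files"].append(path)
    report["mismatched_sectors"] = dict(report["mismatched_sectors"])
    return report


if __name__ == "__main__":
    # Usage: python rootrepeal_triage.py [rootrepeal_report.txt]
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    hooks, files = parse_rootrepeal(text)
    for key, value in triage(hooks, files, {"cmdguard.sys"}).items():   # allowlist is an assumption
        print(f"{key}: {value}")
```

On the full log the hook spans for cmdguard.sys come out well under the 132296-byte file size DDS reports for that driver, which is consistent with all 48 hooks living in one image; that check only says the hooks belong to the named driver, not that the driver is benign, which is why the allowlist matters. The disk findings are weaker evidence than they look: RootRepeal reported that it could not read the boot sector on this machine, and the mismatches cover sectors 1 through 62 of H:, so the script only groups the evidence. Confirming or ruling out an MBR infection needs an independent read of the first sectors with a second tool, which is what the reply below asks for.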



#2 kahdah (Security Colleague)

Posted 07 November 2009 - 05:43 PM

Hello bomber1712

Welcome to BleepingComputer :(

Hi, that file cmdguard.sys is related to Comodo.

==========================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


#3 bomber1712 (Topic Starter)

Posted 07 November 2009 - 06:35 PM

Thank you sooooo much for your help! I hope I got everything that you need. I had to use 2 replies to get all of the logs posted, so this is one of two.

FYI - When I ran OTL, there were no check boxes next to: "Check the boxes beside LOP Check and Purity Check." They looked like blue hyperlinks, but I could not do anything with them.

Here are the logs you requested:

OTL.txt

OTL logfile created on: 11/7/2009 5:04:21 PM - Run 1
OTL by OldTimer - Version 3.1.4.0 Folder = C:\Documents and Settings\Dan Neinas\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

767.54 Mb Total Physical Memory | 520.16 Mb Available Physical Memory | 67.77% Memory free
1.64 Gb Paging File | 1.44 Gb Available in Paging File | 87.46% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.01 Gb Total Space | 12.40 Gb Free Space | 65.25% Space Free | Partition Type: NTFS
Drive D: | 19.08 Gb Total Space | 18.94 Gb Free Space | 99.26% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 7.46 Gb Total Space | 2.77 Gb Free Space | 37.11% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
Drive H: | 931.51 Gb Total Space | 287.34 Gb Free Space | 30.85% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: SERVER
Current User Name: Dan Neinas
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Dan Neinas\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO)
PRC - C:\Program Files\Macrium\Reflect\ReflectService.exe ()
PRC - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe (TeamViewer GmbH)
PRC - C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe (Apache Software Foundation)
PRC - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe (Apache Software Foundation)
PRC - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe (Apache Software Foundation)
PRC - C:\Program Files\FileZilla Server\FileZilla server.exe (FileZilla Project)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\slserv.exe (Smart Link)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe (Linksys)
PRC - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE (SEIKO EPSON CORPORATION)
PRC - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe (GEMTEKS)
PRC - C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe (Hewlett-Packard Co.)
PRC - C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard Company)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Dan Neinas\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\guard32.dll (COMODO)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\wbem\framedyn.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\serwvdrv.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\umdmxfrm.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (WUSB54GCSVC) -- File not found
SRV - (cmdAgent) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO)
SRV - (ReflectService) -- C:\Program Files\Macrium\Reflect\ReflectService.exe ()
SRV - (TeamViewer4) -- C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe (TeamViewer GmbH)
SRV - (Apache2.2) -- C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe (Apache Software Foundation)
SRV - (FileZilla Server) -- C:\Program Files\FileZilla Server\FileZilla Server.exe (FileZilla Project)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (SLService) -- C:\WINDOWS\System32\slserv.exe (Smart Link)
SRV - (helpsvc) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)
SRV - (WMPNetworkSvc) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
SRV - (EPSON_PM_RPCV4_01) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE (SEIKO EPSON CORPORATION)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (Inspect) -- C:\WINDOWS\System32\DRIVERS\inspect.sys (COMODO)
DRV - (cmdHlp) -- C:\WINDOWS\system32\drivers\cmdhlp.sys (COMODO)
DRV - (cmdGuard) -- C:\WINDOWS\system32\drivers\cmdguard.sys (COMODO)
DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (AegisP) -- C:\WINDOWS\system32\drivers\AegisP.sys (Meetinghouse Data Communications)
DRV - (pssnap) -- C:\WINDOWS\system32\DRIVERS\pssnap.sys (Macrium Software)
DRV - (mf) -- C:\WINDOWS\system32\drivers\mf.sys (Microsoft Corporation)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (HPZipr12) -- C:\WINDOWS\system32\drivers\HPZipr12.sys (HP)
DRV - (HPZid412) -- C:\WINDOWS\system32\drivers\HPZid412.sys (HP)
DRV - (HPZius12) -- C:\WINDOWS\system32\drivers\HPZius12.sys (HP)
DRV - (RT73) -- C:\WINDOWS\system32\drivers\rt73.sys (Ralink Technology, Corp.)
DRV - (BCM42RLY) -- C:\WINDOWS\system32\bcm42rly.sys (Broadcom Corporation)
DRV - (SlNtHal) -- C:\WINDOWS\system32\drivers\slnthal.sys (Smart Link)
DRV - (SlWdmSup) -- C:\WINDOWS\system32\drivers\slwdmsup.sys (Smart Link)
DRV - (Slntamr) -- C:\WINDOWS\system32\drivers\slntamr.sys (Smart Link)
DRV - (NtMtlFax) -- C:\WINDOWS\system32\drivers\ntmtlfax.sys (Smart Link)
DRV - (Mtlmnt5) -- C:\WINDOWS\system32\drivers\mtlmnt5.sys (Smart Link)
DRV - (RecAgent) -- C:\WINDOWS\system32\DRIVERS\RecAgent.sys (Smart Link)
DRV - (Mtlstrm) -- C:\WINDOWS\system32\drivers\mtlstrm.sys (Smart Link)
DRV - (admjoy) -- C:\WINDOWS\system32\drivers\admjoy.sys (Aureal, Inc.)
DRV - (AN983) -- C:\WINDOWS\system32\drivers\an983.sys (ADMtek Incorporated.)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (Aspi32) -- C:\WINDOWS\system32\drivers\ASPI32.SYS (Adaptec)
DRV - (E100B) -- C:\WINDOWS\system32\drivers\e100b325.sys (Intel Corporation)
DRV - (MODEMCSA) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (wdm_au8830) -- C:\WINDOWS\system32\drivers\adm8830.sys (Aureal, Inc.)
DRV - (hp4200c) -- C:\WINDOWS\system32\drivers\hp4200c.sys (Hewlett-Packard)
DRV - (l8042prt) -- C:\WINDOWS\system32\drivers\l8042prt.sys (Logitech)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/03/18 21:33:38 | 00,000,000 | ---D | M]


O1 HOSTS File: (789 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [FileZilla Server Interface] C:\Program Files\FileZilla Server\FileZilla Server Interface.exe (FileZilla Project)
O4 - HKLM..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe (Hewlett-Packard)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [EPSON PictureMate PM 240] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBCA.EXE (SEIKO EPSON CORPORATION)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe (Apache Software Foundation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 46 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 46 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Reg Error: Key error.)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/04 18:15:09 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/07 17:00:48 | 00,528,896 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dan Neinas\Desktop\OTL.exe
[2009/11/07 11:22:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dan Neinas\Local Settings\Application Data\COMODO
[2009/10/29 18:11:40 | 00,000,000 | ---D | C] -- C:\Program Files\Sophos
[2009/10/28 06:59:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dan Neinas\DoctorWeb
[2009/10/27 17:45:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2009/10/27 17:37:35 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Dan Neinas\Desktop\RootRepeal.exe
[2009/10/27 17:37:34 | 19,857,528 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\Dan Neinas\Desktop\launch.exe
[2009/10/15 20:23:28 | 00,153,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\triedit.dll
[2009/10/12 19:45:05 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/10/12 19:42:10 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/10/12 19:39:10 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/10/12 19:39:02 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/10/12 19:38:45 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/07 17:02:45 | 00,031,232 | ---- | M] () -- C:\Documents and Settings\Dan Neinas\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/07 17:01:42 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/07 17:01:02 | 00,291,328 | ---- | M] () -- C:\xcn4jc6z.exe
[2009/11/07 17:00:50 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/07 17:00:42 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dan Neinas\Desktop\OTL.exe
[2009/11/07 17:00:30 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/07 11:56:59 | 05,767,168 | -H-- | M] () -- C:\Documents and Settings\Dan Neinas\NTUSER.DAT
[2009/11/07 11:56:59 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Dan Neinas\ntuser.ini
[2009/11/07 11:56:56 | 03,184,656 | -H-- | M] () -- C:\Documents and Settings\Dan Neinas\Local Settings\Application Data\IconCache.db
[2009/11/07 11:30:31 | 00,000,015 | ---- | M] () -- C:\Documents and Settings\Dan Neinas\Desktop\settings.dat
[2009/11/07 09:50:40 | 00,439,552 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/07 09:50:40 | 00,380,350 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/07 09:50:40 | 00,052,764 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/31 20:53:58 | 00,523,776 | ---- | M] () -- C:\Documents and Settings\Dan Neinas\Desktop\dds.scr
[2009/10/27 18:14:15 | 00,000,789 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/10/27 17:45:23 | 00,000,196 | -HS- | M] () -- C:\boot.ini
[2009/10/27 16:27:42 | 19,857,528 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\Dan Neinas\Desktop\launch.exe
[2009/10/27 16:09:32 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Dan Neinas\Desktop\RootRepeal.exe
[2009/10/26 22:00:00 | 00,000,324 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
[2009/10/25 08:48:30 | 00,000,710 | ---- | M] () -- C:\Documents and Settings\Dan Neinas\Desktop\Scanner and Camera Wizard.lnk
[2009/10/15 20:54:57 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/10/12 19:45:10 | 00,000,824 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/10/12 19:39:14 | 00,000,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/12 19:38:32 | 07,174,176 | ---- | M] () -- C:\Documents and Settings\Dan Neinas\My Documents\SUPERAntiSpyware.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/07 17:01:06 | 00,291,328 | ---- | C] () -- C:\xcn4jc6z.exe
[2009/10/31 20:54:16 | 00,523,776 | ---- | C] () -- C:\Documents and Settings\Dan Neinas\Desktop\dds.scr
[2009/10/27 21:32:13 | 00,000,015 | ---- | C] () -- C:\Documents and Settings\Dan Neinas\Desktop\settings.dat
[2009/10/25 08:48:30 | 00,000,710 | ---- | C] () -- C:\Documents and Settings\Dan Neinas\Desktop\Scanner and Camera Wizard.lnk
[2009/10/15 20:35:05 | 00,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/10/12 19:45:10 | 00,000,824 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/10/12 19:39:14 | 00,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/12 19:38:32 | 07,174,176 | ---- | C] () -- C:\Documents and Settings\Dan Neinas\My Documents\SUPERAntiSpyware.exe
[2009/09/10 21:23:18 | 00,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/08/29 16:44:35 | 00,000,133 | ---- | C] () -- C:\Documents and Settings\Dan Neinas\Local Settings\Application Data\fusioncache.dat
[2009/03/14 10:19:36 | 00,001,361 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2008/09/07 19:40:01 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2008/09/07 17:56:04 | 00,014,753 | ---- | C] () -- C:\WINDOWS\HPSETUP.INI
[2006/08/02 18:50:06 | 00,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2006/08/02 18:46:16 | 00,004,868 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/07/11 19:29:51 | 00,000,349 | ---- | C] () -- C:\WINDOWS\CMOUSECC.INI
[2006/07/11 19:05:32 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2006/07/04 20:04:22 | 03,184,656 | -H-- | C] () -- C:\Documents and Settings\Dan Neinas\Local Settings\Application Data\IconCache.db
[2006/07/04 19:26:46 | 00,098,648 | ---- | C] () -- C:\Documents and Settings\Dan Neinas\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2006/07/04 18:54:01 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/04 18:38:07 | 00,031,232 | ---- | C] () -- C:\Documents and Settings\Dan Neinas\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/07/04 18:29:46 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Dan Neinas\Application Data\desktop.ini
[2006/07/04 13:01:22 | 00,093,696 | ---- | C] () -- C:\WINDOWS\System32\hpgt42.dll
[2006/07/04 12:57:51 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2006/06/07 17:00:02 | 00,000,052 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2006/06/06 09:35:02 | 00,000,040 | ---- | C] () -- C:\WINDOWS\System32\EAL.INI
[2006/02/28 06:00:00 | 00,000,658 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/02/28 06:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/01/16 12:22:44 | 00,338,944 | ---- | C] () -- C:\WINDOWS\System32\Lffpx7.dll
[2003/01/16 12:22:44 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll
[2001/07/07 02:00:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/01/22 12:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 02:00:00 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

========== LOP Check ==========

[2009/08/29 17:30:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2009/09/24 05:29:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Macrium
[2006/08/14 16:38:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dan Neinas\Application Data\Image Zone Express
[2009/08/27 21:27:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dan Neinas\Application Data\TeamViewer
[2006/02/28 06:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/07 17:00:50 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


< End of report >

Extras.txt

OTL Extras logfile created on: 11/7/2009 5:04:21 PM - Run 1
OTL by OldTimer - Version 3.1.4.0 Folder = C:\Documents and Settings\Dan Neinas\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

767.54 Mb Total Physical Memory | 520.16 Mb Available Physical Memory | 67.77% Memory free
1.64 Gb Paging File | 1.44 Gb Available in Paging File | 87.46% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.01 Gb Total Space | 12.40 Gb Free Space | 65.25% Space Free | Partition Type: NTFS
Drive D: | 19.08 Gb Total Space | 18.94 Gb Free Space | 99.26% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 7.46 Gb Total Space | 2.77 Gb Free Space | 37.11% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
Drive H: | 931.51 Gb Total Space | 287.34 Gb Free Space | 30.85% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: SERVER
Current User Name: Dan Neinas
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"21:TCP" = 21:TCP:*:Enabled:FTP Server
"80:TCP" = 80:TCP:*:Enabled:HTTP Server

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- File not found
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\TeamViewer\Version4\TeamViewer.exe" = C:\Program Files\TeamViewer\Version4\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application -- (TeamViewer GmbH)
"C:\Program Files\FileZilla Server\FileZilla server.exe" = C:\Program Files\FileZilla Server\FileZilla server.exe:*:Enabled:FileZilla server.exe -- (FileZilla Project)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{0FF18B53-CA57-40BB-B562-21A27B662005}" = 1600
"{1012451C-BEE2-4BC1-A2EB-0858CB8F3CF7}" = Macrium Reflect - Free Edition
"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy
"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare
"{1B680FBA-E317-4E93-AF43-3B59798A4BE0}" = Copy
"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 12
"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1
"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour
"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext
"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme
"{5E8D588F-307C-4250-B622-26969027319A}" = PanoStandAlone
"{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects
"{646A65DD-23FC-418E-B9F0-E0500FB42CB1}" = PhotoGallery
"{64FC0C98-B035-4530-B15D-3D30610B6DF1}" = HP Software Update
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations
"{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm
"{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}" = cp_dwShrek2Cards1
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics
"{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}" = SkinsHP1
"{85262A06-2D8C-4BC1-B6ED-5A705D09CFFC}" = Apache HTTP Server 2.2.13
"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8BC3B99B-A6BE-4A0B-8535-B1B94BA4B1B1}" = DocProc
"{A5B9D22C-755A-4AC6-9904-875E80838BB6}" = CP_AtenaShokunin1Config
"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB449D5A-7710-47aa-B9F5-352B877C90E6}" = 1600_Help
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE0C8CC5-E396-442B-A50E-D1D374A9E820}" = DocumentViewer
"{F4C6CC40-1142-49be-A28C-7BBD36F0B41A}" = 1600Trb
"{F855C3AE-992D-4B84-A09D-07103CDCDAC2}" = Compact Wireless-G USB Adapter
"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates
"CCleaner" = CCleaner (remove only)
"COMODO Internet Security" = COMODO Internet Security
"EPSON Printer and Utilities" = EPSON Printer Software
"FileZilla Server" = FileZilla Server (remove only)
"HP Photo & Imaging" = HP Image Zone 4.7
"ie8" = Windows Internet Explorer 8
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.1.0 (Standard)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.0
"TeamViewer 4 Host" = TeamViewer 4 Host
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/22/2009 10:47:47 AM | Computer Name = EIBNS | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/19/2009 10:16:16 PM | Computer Name = GARAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/19/2009 10:16:16 PM | Computer Name = GARAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/19/2009 10:16:16 PM | Computer Name = GARAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/19/2009 10:16:16 PM | Computer Name = GARAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/19/2009 11:37:50 PM | Computer Name = GARAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/19/2009 11:37:50 PM | Computer Name = GARAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/19/2009 11:37:50 PM | Computer Name = GARAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/19/2009 11:37:50 PM | Computer Name = GARAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/27/2009 2:18:48 PM | Computer Name = GARAGE | Source = Windows Product Activation | ID = 1012
Description = Due to hardware changes on this computer, you will need to reactivate
your Windows product.

[ System Events ]
Error - 11/7/2009 1:27:40 PM | Computer Name = SERVER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/7/2009 1:28:14 PM | Computer Name = SERVER | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 11/7/2009 1:28:14 PM | Computer Name = SERVER | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 11/7/2009 1:28:14 PM | Computer Name = SERVER | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 11/7/2009 1:28:14 PM | Computer Name = SERVER | Source = Service Control Manager | ID = 7001
Description = The Apache2.2 service depends on the AFD service which failed to start
because of the following error: %%31

Error - 11/7/2009 1:28:14 PM | Computer Name = SERVER | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 11/7/2009 1:28:14 PM | Computer Name = SERVER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD cmdGuard cmdHlp Fips IPSec MRxSmb NetBIOS NetBT P3 RasAcd Rdbss SASDIFSV SASKUTIL Tcpip

Error - 11/7/2009 1:51:23 PM | Computer Name = SERVER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/7/2009 1:56:49 PM | Computer Name = SERVER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/7/2009 1:56:58 PM | Computer Name = SERVER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >

#4 bomber1712

Posted 07 November 2009 - 06:38 PM

POST 2 of 2:

I can't post the GMER Results.log; it says it's too long. I have attached it as a file.

#5 kahdah

Posted 07 November 2009 - 06:39 PM

Hi, please download and run MBR.exe by GMER:

http://www2.gmer.net/mbr/mbr.exe

It will produce a brief log, mbr.txt in the same directory as the program. Please copy/paste that log here.
============

Edited by kahdah, 07 November 2009 - 06:42 PM.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#6 bomber1712

Posted 07 November 2009 - 08:53 PM

I ran the file from my H: drive (this is a portable Iomega 1TB USB drive).

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

I also ran it from the C: root (Like GMER):

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#7 kahdah

Posted 08 November 2009 - 08:43 AM

Hmm, strange: RootRepeal shows MBR activity but nothing else does.
Please run RootRepeal again.

Download RootRepeal from one of the following locations: Unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan should not take very long. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
Please copy and paste the report into your Post.

#8 bomber1712

Posted 08 November 2009 - 10:17 AM

Strange, I agree. The funny thing is that the H: drive that is showing an MBR rootkit is a portable USB drive. Should it even have a boot record? Also, I notice during the scan that it is scanning folders that I cannot see (H:\RECYCLER and others).

During the "File" scan, I get an error message (right after it finds "Path: C:\WINDOWS\system32\drivers\sfi.dat Status: Locked to the Windows API!") that states, "Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog". The only option is to click OK and then the scan continues.

Should I be concerned with all of the "Sector Mismatch" references?

Here is the fresh RootRepeal log (looks the same as last, I think). I ran it twice with the same results:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/08 09:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3839000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7DCB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF3871000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\sfi.dat
Status: Locked to the Windows API!

Path: Volume H:\
Status: MBR Rootkit Detected!

Path: Volume H:\, Sector 1
Status: Sector mismatch

Path: Volume H:\, Sector 2
Status: Sector mismatch

Path: Volume H:\, Sector 3
Status: Sector mismatch

Path: Volume H:\, Sector 4
Status: Sector mismatch

Path: Volume H:\, Sector 5
Status: Sector mismatch

Path: Volume H:\, Sector 6
Status: Sector mismatch

Path: Volume H:\, Sector 7
Status: Sector mismatch

Path: Volume H:\, Sector 8
Status: Sector mismatch

Path: Volume H:\, Sector 9
Status: Sector mismatch

Path: Volume H:\, Sector 10
Status: Sector mismatch

Path: Volume H:\, Sector 11
Status: Sector mismatch

Path: Volume H:\, Sector 12
Status: Sector mismatch

Path: Volume H:\, Sector 13
Status: Sector mismatch

Path: Volume H:\, Sector 14
Status: Sector mismatch

Path: Volume H:\, Sector 15
Status: Sector mismatch

Path: Volume H:\, Sector 16
Status: Sector mismatch

Path: Volume H:\, Sector 17
Status: Sector mismatch

Path: Volume H:\, Sector 18
Status: Sector mismatch

Path: Volume H:\, Sector 19
Status: Sector mismatch

Path: Volume H:\, Sector 20
Status: Sector mismatch

Path: Volume H:\, Sector 21
Status: Sector mismatch

Path: Volume H:\, Sector 22
Status: Sector mismatch

Path: Volume H:\, Sector 23
Status: Sector mismatch

Path: Volume H:\, Sector 24
Status: Sector mismatch

Path: Volume H:\, Sector 25
Status: Sector mismatch

Path: Volume H:\, Sector 26
Status: Sector mismatch

Path: Volume H:\, Sector 27
Status: Sector mismatch

Path: Volume H:\, Sector 28
Status: Sector mismatch

Path: Volume H:\, Sector 29
Status: Sector mismatch

Path: Volume H:\, Sector 30
Status: Sector mismatch

Path: Volume H:\, Sector 31
Status: Sector mismatch

Path: Volume H:\, Sector 32
Status: Sector mismatch

Path: Volume H:\, Sector 33
Status: Sector mismatch

Path: Volume H:\, Sector 34
Status: Sector mismatch

Path: Volume H:\, Sector 35
Status: Sector mismatch

Path: Volume H:\, Sector 36
Status: Sector mismatch

Path: Volume H:\, Sector 37
Status: Sector mismatch

Path: Volume H:\, Sector 38
Status: Sector mismatch

Path: Volume H:\, Sector 39
Status: Sector mismatch

Path: Volume H:\, Sector 40
Status: Sector mismatch

Path: Volume H:\, Sector 41
Status: Sector mismatch

Path: Volume H:\, Sector 42
Status: Sector mismatch

Path: Volume H:\, Sector 43
Status: Sector mismatch

Path: Volume H:\, Sector 44
Status: Sector mismatch

Path: Volume H:\, Sector 45
Status: Sector mismatch

Path: Volume H:\, Sector 46
Status: Sector mismatch

Path: Volume H:\, Sector 47
Status: Sector mismatch

Path: Volume H:\, Sector 48
Status: Sector mismatch

Path: Volume H:\, Sector 49
Status: Sector mismatch

Path: Volume H:\, Sector 50
Status: Sector mismatch

Path: Volume H:\, Sector 51
Status: Sector mismatch

Path: Volume H:\, Sector 52
Status: Sector mismatch

Path: Volume H:\, Sector 53
Status: Sector mismatch

Path: Volume H:\, Sector 54
Status: Sector mismatch

Path: Volume H:\, Sector 55
Status: Sector mismatch

Path: Volume H:\, Sector 56
Status: Sector mismatch

Path: Volume H:\, Sector 57
Status: Sector mismatch

Path: Volume H:\, Sector 58
Status: Sector mismatch

Path: Volume H:\, Sector 59
Status: Sector mismatch

Path: Volume H:\, Sector 60
Status: Sector mismatch

Path: Volume H:\, Sector 61
Status: Sector mismatch

Path: Volume H:\, Sector 62
Status: Sector mismatch

==EOF==
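
The mbr.exe output in post #6 (user and kernel reads of the MBR compared) and the per-sector "Sector mismatch" lines in the RootRepeal log above both rest on one basic check: read the first sectors of the volume through two different paths and compare them. As an added example that is not part of this thread and not the GMER or RootRepeal authors' code, the Python below performs that comparison on constructed byte buffers and also parses the MBR's boot signature and partition table, which is the first thing to inspect when asking whether a data-only USB volume should carry a boot record at all. The buffers, the partition layout and the `assess_volume` helper are assumptions made for the example.

```python
"""
Added example, not from this thread nor from the GMER/RootRepeal authors:
a defender-side checker that (1) parses a 512-byte MBR and (2) compares the
first sectors of a volume as read through two paths, reporting per-sector
mismatches the way the tools above do. All byte buffers are constructed.
"""
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
GAP_SECTORS = 62  # sectors 1..62 sit before a partition starting at LBA 63


def parse_mbr(sector0):
    """Return boot-signature, boot-code and partition-table facts of an MBR."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {"has_signature": sector0[510:512] == MBR_SIGNATURE,
            "boot_code_empty": not any(sector0[:446]),
            "partitions": partitions}


def compare_reads(user_view, kernel_view):
    """Indexes of sectors that differ between the two read paths."""
    if len(user_view) != len(kernel_view):
        raise ValueError("both views must cover the same sectors")
    return [i // SECTOR for i in range(0, len(user_view), SECTOR)
            if user_view[i:i + SECTOR] != kernel_view[i:i + SECTOR]]


def assess_volume(user_view, kernel_view, removable):
    """Hypothetical triage helper: combine both checks into findings."""
    mbr = parse_mbr(user_view[:SECTOR])
    mismatches = compare_reads(user_view, kernel_view)
    findings = []
    if mismatches:
        findings.append(f"{len(mismatches)} sector(s) differ between read paths")
    if 0 in mismatches:
        findings.append("MBR differs between user-mode and kernel-mode read")
    if removable and not mbr["boot_code_empty"]:
        # Not proof of anything by itself: compare against a known-good MBR.
        findings.append("removable data volume carries non-empty boot code")
    return {"mbr": mbr, "mismatched_sectors": mismatches, "findings": findings}


def build_mbr(boot_code, partitions):
    """Constructed MBR from boot code and (bootable, type, lba, count) tuples."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        sector[446 + 16 * i: 446 + 16 * (i + 1)] = struct.pack(
            "<B3xB3xII", 0x80 if bootable else 0x00, ptype, lba, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed: a data-only volume, one NTFS (0x07) partition at LBA 63,
# no boot code, gap sectors all zero. Both read paths agree on it.
CLEAN_MBR = build_mbr(b"", [(False, 0x07, 63, 2_000_000)])
CLEAN_DISK = CLEAN_MBR + bytes(SECTOR * GAP_SECTORS)

# Constructed: what a second read path might return if sector 0 and the gap
# held bytes the first path never sees (placeholder bytes, not real code).
ALTERED_MBR = build_mbr(b"placeholder-boot-code", [(False, 0x07, 63, 2_000_000)])
ALTERED_DISK = ALTERED_MBR + b"\xcc" * (SECTOR * GAP_SECTORS)

if __name__ == "__main__":
    ok = assess_volume(CLEAN_DISK, CLEAN_DISK, removable=True)
    print("clean volume  :", ok["findings"] or ["user & kernel MBR OK"])
    bad = assess_volume(CLEAN_DISK, ALTERED_DISK, removable=True)
    print("altered volume:", bad["findings"], bad["mismatched_sectors"][:3])
```

Against a real volume you would feed `compare_reads` the same sector range captured with two independent readers (for instance a raw disk read and a forensic image) rather than the constructed buffers here.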

#9 kahdah

Posted 08 November 2009 - 10:23 AM

What is on your H:\ drive?
Is it just files and folders etc..?

#10 bomber1712

Posted 08 November 2009 - 10:36 AM

I have several folders on the drive. One is a backup of "My Docs" from an old computer. Another has a bunch of programs that I have downloaded and installed. Another is a folder that I use to make backups of our DVDs. I have some family videos, some school video projects, and Macrium images from all of my hard drives.

I had set this computer up as an HTTP (Apache) and FTP (Filezilla) server. The FTP server share files were on this portable drive. The HTTP files (personal website) were on the C: drive. I think someone hacked into the computer, and that's how I got infected. I have since disconnected the server from the LAN and the internet, in hopes of repairing this problem.

#11 kahdah

Posted 08 November 2009 - 12:02 PM

Ok, plug in your H: drive and then scan it with RootRepeal.
When the initialization scan stops, right click where it says MBR detected and choose Restore and reboot immediately.
Reboot, then run it again to see if it is still present.

#12 bomber1712

Posted 08 November 2009 - 01:54 PM

When it gets to the error message, I cannot do anything until I click OK. After clicking OK, the scan finishes. Once done, I right clicked and chose "Restore and Reboot Immediately". A message pops up asking if I really want to do that. I clicked OK. Reboot. Ran scan, again, and results are the same as before.

#13 kahdah

Posted 08 November 2009 - 02:57 PM

This is also a COMODO file:
C:\WINDOWS\system32\drivers\sfi.dat
Nothing to worry about there.

Can you move the info off of that drive to another temporarily and then just format H:\?
It shouldn't have a boot record at all since it is just a portable device.

The easiest way to get rid of it would be formatting that H:\ drive.

#14 bomber1712

Posted 08 November 2009 - 05:28 PM

I was afraid that we would come to that. No, I don't have anywhere to store the files whilst I reformat. I will have to figure something out.

My C: and D: look good though, huh? That's good news, anyway. Do I need to do anything else or am I good once I reformat the H:?

#15 kahdah

Posted 08 November 2009 - 05:37 PM

Well, I don't know if it is infected or not.
Don't see how it can be with no MBR to begin with.
But to be on the safe side I would format that drive.

But yes, otherwise I see no sign of infection.

But yes, after formatting the drive, come back to this thread after running RootRepeal and let me know how it turns out.

Edited by kahdah, 08 November 2009 - 05:38 PM.




