Google searches redirect to http://rle822x.cn


30 replies to this topic

#1 LinJo
Posted 12 January 2010 - 03:30 PM

Hi Folks, thanks for all you do. Here's a detailed description of the problem(s):

MAIN ISSUE STARTED: December 29, 2009
MAIN ISSUE: Google IE8 search results will first redirect to hxxp://rle822x.cn and then to random pages such as other search pages or business sites, etc. Also will get popups from rogue sites telling us the computer is infected.

OTHER ISSUES AT THE SAME TIME: The PC was very slow - I use this PC maybe 3 times/month, but other family members complained of its slowdown. Free disk space is about 1/3rd. In Task Manager CLI.exe was running 47% of CPU, DSCA.exe running 40% of CPU. I removed the DellSupport (DSCA) application and unchecked the CLI in startup. The PC speed increased so that I could run some scans faster (before discovering the cli.exe and dsca.exe problem, the Adaware and Avira scans on 12/29/09 took 36 hours).

DETECTION SOFTWARE RUNNING AT TIME OF INFECTION: AdAware, Avira, Windows Defender. The Avira scan (12/29/09) found no issues. The Adaware scan (12/29/09) found 60 cookies. In the Windows Defender history there was one issue (12/28/09) where a registry key was modified: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\vritivfqufhtssb". This action was allowed (I don't know if a family member allowed it, or if Windows Defender did). I have checked in regedit and this key no longer exists. In addition, the Windows Firewall had been disabled somehow (it has since been re-enabled).

WHAT I HAVE TRIED TO RESOLVE THIS ISSUE:
I did a screen capture of a redirect and was able to see it going to hxxp://rle822x.cn

12/31/09 - Installed Malwarebytes. Scan found 5 registry keys, of which 4 were MyWebSearch and the 5th one was TrojanAgent. Further scans on 1/1 and 1/11 found 0 detections.
12/31/09 - Installed SuperAntiSpyware. Scan found 816 cookies, 0 memory, 0 registry. Subsequent scans with SuperAntiSpyware find the usual tracking cookies.
01/03/10 - Installed PCTools ThreatFire. Detection = 0. I have removed this tool since.
01/03/10 - Ran online ESET scan. Detection = 0. I have removed this tool's files.
01/03/10 - Installed and ran TrendMicro RootKitBuster. Detection = 0.
01/03/10 - Installed and ran TrendMicro RUBOtted. Detection = negative. I have removed this tool since.
01/03/10 - Installed IObit Security 360. Detection = 2. Spy.Matles.A and Trojan.Injector. I think these were false positives. This application is still installed on the PC.
01/06/10 - Installed Ccleaner and cleaned files and registry. This tool is still on PC.
01/06/10 - Installed Microsoft Security Essentials. Detection = 0. 1/11 scan also 0 detect.
01/06/10 - Installed HitmanPro. Detection = 2. ALZZIP.bin, ALZALZ.bin in \system32. I think this was a false positive, but I let it remove them anyway. This tool has been removed.
01/06/10 - Installed Panda Cloud. This tool errored on 2 different scans and never got to the point of having any results. Tool has been removed.
01/08/10 - Installed A-Squared. Detection = 5 cookies, 5 files. I think these were all false positives. This tool has been removed.
01/11/10 - Ran Microsoft Malicious Software Removal Tool. Detection = 0.
01/11/10 - My taskbar suddenly disappeared. I was able to get it back (it lacked icons though) after killing explorer and starting a new one. Also my appwiz.cpl would not start at all, so I couldn't remove any software. I used CCleaner to remove some software and this worked. What seemed to cure this taskbar and appwiz.cpl issue was just to log out and back in again to my account; then the add/remove button worked again and the taskbar looked normal. Another suspicious thing I have noticed (and I hate to even mention this) is that the modified date on my windows\system32\drivers\atapi.sys has changed a couple of times since I've been working on this problem.

01/12/10 - RootRepeal would NOT run. When the executable is clicked it just shows the Windows hourglass for about a second and nothing happens. After trying unsuccessfully to start RootRepeal several times, the PC now has some really weird problems: PowerPoint has an error, Windows repair runs to reconfigure Publisher 2002, when I try to run Word I get a message that there isn't enough memory or disk space to run Word and I'm asked to accept the Microsoft Office Agreement, and the IE8 screen morphs and crashes. I don't dare reboot the PC because so many things are going haywire at once.

I really appreciate what you folks do. Thank you for helping me with this issue and I look forward to hearing from you.

Linda

Here's the DDS.txt file:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Mama at 12:12:34.32 on Tue 01/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.167 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CMS Peripherals\ABSpro Backup\ABSLauncher.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Mama\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://www.dellnet.com
uSearch Bar =
uWindow Title = Windows Internet Explorer
mWindow Title = Windows Internet Explorer
uInternet Connection Wizard,ShellNext = iexplore
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\mama\startm~1\programs\startup\abspro~1.lnk - c:\program files\cms peripherals\abspro backup\ABSLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: <NO NAME> =
IE: &Search - ?p=ZC
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxp://connect.comcast.com/dl/Comcast%20Activation%20Controls.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162134132390
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162134563312
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37686.2763078704
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/aio/en/check/qdiagh.cab?323
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5601/mcfscan.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-9 64288]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-7 11608]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-7 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-7 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-6 56816]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-1-3 312592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R2 portD;ABS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2003-7-3 12960]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-6-19 12672]
S3 GPU-Z;GPU-Z;\??\c:\docume~1\mama\locals~1\temp\gpu-z.sys --> c:\docume~1\mama\locals~1\temp\GPU-Z.sys [?]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2003-5-26 11520]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\tmpassthru.sys --> c:\windows\system32\drivers\TMPassthru.sys [?]

=============== Created Last 30 ================

2010-01-12 02:38:30 0 d-----w- c:\program files\Microsoft Security Essentials
2010-01-12 01:51:01 0 d-----w- C:\92da05013ae5fab0bb70f4
2010-01-12 01:09:15 0 d-----w- c:\program files\SpywareGuard
2010-01-08 18:17:58 0 d-----w- c:\program files\a-squared Free
2010-01-08 01:41:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-01-08 01:41:48 0 d-----w- c:\program files\Avira
2010-01-07 22:57:11 13896 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-01-07 22:56:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-01-07 22:56:36 0 d-----w- c:\program files\Hitman Pro 3.5
2010-01-07 14:46:24 0 d-----w- c:\docume~1\mama\applic~1\Panda Security
2010-01-07 14:39:47 0 d-----w- c:\program files\Panda Security
2010-01-06 21:55:36 260 ----a-w- c:\windows\setup.iss
2010-01-06 21:51:58 0 d-----w- c:\docume~1\mama\applic~1\NewSoft
2010-01-06 17:54:33 0 d-----w- c:\program files\CCleaner
2010-01-04 01:49:11 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-01-04 01:49:06 0 d-----w- c:\program files\IObit
2010-01-03 20:55:06 0 d-----w- c:\program files\ThreatFire
2010-01-03 17:55:08 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-02 19:08:54 0 d-----w- c:\program files\Trend Micro
2010-01-02 18:56:31 0 d-----w- c:\docume~1\mama\applic~1\Office Genuine Advantage
2010-01-02 18:36:10 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-01 03:02:09 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-01 03:01:48 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-01 03:01:47 0 d-----w- c:\docume~1\mama\applic~1\SUPERAntiSpyware.com
2010-01-01 03:00:47 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-01 01:32:58 0 d-----w- c:\docume~1\mama\applic~1\Malwarebytes
2010-01-01 01:32:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 01:32:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-01 01:32:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 01:32:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-01-11 19:12:47 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-11 19:12:47 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-08 13:32:54 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-08 18:28:38 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2002-08-29 11:00:00 94784 --sha-w- c:\windows\TWAIN.DLL
2008-04-14 00:11:56 1028096 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:01 343040 --sh--w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12:02 551936 --sha-w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sha-w- c:\windows\system32\regsvr32.exe
2008-06-09 23:24:00 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060920080610\index.dat

============= FINISH: 12:15:07.17 ===============

Edited by Orange Blossom, 12 January 2010 - 07:24 PM.
Deactivate links. ~ OB


#2 etavares
Malware Response Team
Posted 17 January 2010 - 09:08 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  1. Click on the My Controls link at the top of the page to enter your control panel.
  2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#3 LinJo

Posted 18 January 2010 - 09:23 AM

Hi, thanks for all you do. Here is a new (Jan 18, 2010 9:15am) dds.txt log file that you requested. I look forward to hearing from you. //Linda


DDS (Ver_09-12-01.01) - NTFSx86
Run by Mama at 9:13:36.06 on Mon 01/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.207 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CMS Peripherals\ABSpro Backup\ABSLauncher.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Mama\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://www.dellnet.com
uSearch Bar =
uWindow Title = Windows Internet Explorer
mWindow Title = Windows Internet Explorer
uInternet Connection Wizard,ShellNext = iexplore
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\mama\startm~1\programs\startup\abspro~1.lnk - c:\program files\cms peripherals\abspro backup\ABSLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: <NO NAME> =
IE: &Search - ?p=ZC
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxp://connect.comcast.com/dl/Comcast%20Activation%20Controls.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162134132390
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162134563312
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37686.2763078704
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/aio/en/check/qdiagh.cab?323
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5601/mcfscan.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-9 64288]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-7 11608]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-7 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-7 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-6 56816]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-1-3 312592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R2 portD;ABS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2003-7-3 12960]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-6-19 12672]
S3 GPU-Z;GPU-Z;\??\c:\docume~1\mama\locals~1\temp\gpu-z.sys --> c:\docume~1\mama\locals~1\temp\GPU-Z.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2003-5-26 11520]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\tmpassthru.sys --> c:\windows\system32\drivers\TMPassthru.sys [?]

=============== Created Last 30 ================

2010-01-16 22:20:01 0 d--h--w- c:\windows\PIF
2010-01-16 17:00:56 0 d-----w- C:\571f78410baa32495c94e3b5ff076c8a
2010-01-12 02:38:30 0 d-----w- c:\program files\Microsoft Security Essentials
2010-01-12 01:09:15 0 d-----w- c:\program files\SpywareGuard
2010-01-08 18:17:58 0 d-----w- c:\program files\a-squared Free
2010-01-08 01:41:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-01-08 01:41:48 0 d-----w- c:\program files\Avira
2010-01-07 22:57:11 13896 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-01-07 22:56:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-01-07 22:56:36 0 d-----w- c:\program files\Hitman Pro 3.5
2010-01-07 14:46:24 0 d-----w- c:\docume~1\mama\applic~1\Panda Security
2010-01-07 14:39:47 0 d-----w- c:\program files\Panda Security
2010-01-06 21:55:36 260 ----a-w- c:\windows\setup.iss
2010-01-06 21:51:58 0 d-----w- c:\docume~1\mama\applic~1\NewSoft
2010-01-06 17:54:33 0 d-----w- c:\program files\CCleaner
2010-01-04 01:49:11 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-01-04 01:49:06 0 d-----w- c:\program files\IObit
2010-01-03 20:55:06 0 d-----w- c:\program files\ThreatFire
2010-01-03 17:55:08 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-02 19:08:54 0 d-----w- c:\program files\Trend Micro
2010-01-02 18:56:31 0 d-----w- c:\docume~1\mama\applic~1\Office Genuine Advantage
2010-01-02 18:36:10 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-01 03:02:09 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-01 03:01:48 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-01 03:01:47 0 d-----w- c:\docume~1\mama\applic~1\SUPERAntiSpyware.com
2010-01-01 03:00:47 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-01 01:32:58 0 d-----w- c:\docume~1\mama\applic~1\Malwarebytes
2010-01-01 01:32:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 01:32:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-01 01:32:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 01:32:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-01-15 17:20:28 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-15 17:20:28 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-08 13:32:54 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-08 18:28:38 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2002-08-29 11:00:00 94784 --sha-w- c:\windows\TWAIN.DLL
2008-04-14 00:11:56 1028096 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:01 343040 --sh--w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12:02 551936 --sha-w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sha-w- c:\windows\system32\regsvr32.exe
2008-06-09 23:24:00 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060920080610\index.dat

============= FINISH: 9:15:54.03 ===============


#4 sundavis
  • Malware Response Team
  • 2,708 posts

Posted 18 January 2010 - 11:44 AM

Hi LinJo,

Welcome to BleepingComputer HijackThis Logs and Malware Removal.
My name is sundavis, and I will be helping you deal with your malware problems today.

Step1
  1. Go to this thread and Download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  3. Start > Run and copy/paste the following bolded command into run box and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Step2
  1. If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  2. Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow Combofix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse click on Combofix while it is running. That may cause it to stall.

Step3

Please download GMER Rootkit Scanner from Here or Here.
  1. Extract the contents of the zipped file to desktop.
  2. Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  3. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  4. In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  5. Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  6. Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" , and copy and paste the contents in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


In your next reply, please post back:

1. TDSSKiller.txt
2. ComboFix log
3. Gmer log

Thanks.

#5 LinJo
  • Topic Starter
  • Members
  • 15 posts

Posted 18 January 2010 - 06:55 PM

Hi sundavis - it's so nice to have you helping me. I appreciate it so very much!

1. I ran the TDSSKiller and the log file is below. The PC did reboot and it said it cleaned a TDSS rootkit in atapi.sys. The IRP handler was infected.
2. I tried running ComboFix (downloaded it from bleepingcomputer) and got the error "Some installation files are corrupt. Please download a fresh copy and retry the installation." I downloaded a new version from forospyware.com but it wouldn't run because of locked files. I killed the first ComboFix.exe through taskmanager and then was able to run it, however, the new copy of ComboFix from forospyware produced the same exact error message about the installation files being corrupt. It too left a ComboFix.exe out in taskmanager doing absolutely nothing which I had to delete.
3. I did not run GMER yet because I want to hear back from you first regarding the ComboFix problem.

As a side note, this morning I updated my Avira files and the MS Security Essentials files (I update these daily). Today, both of these finally made a detection. Avira real-time detection didn't allow a change to atapi.sys, and it made this detection 461 times. MS Security Essentials real-time detected Alureon.F, suspended it, and waited for me to tell it to disinfect; I didn't let it clean. I wanted to do what you suggested first. Plus I was so afraid it would delete atapi.sys and make my PC unbootable. But in the history it said it made the exact same disinfection on its own earlier in the day. Here are the 3 sets of detections:

(This was logged by Avira 1 time today 2010Jan18 at 14:28):
Virus or unwanted program 'TR/Patched.Gen [trojan]'detected in file
'C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP213\A0045882.sys.
Action performed: Deny access

(This was logged by Avira 461 times today 2010Jan18 from 13:09 to 14:27)
Virus or unwanted program 'TR/Patched.Gen [trojan]'
detected in file 'C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys.
Action performed: Deny access

Windows Security Essentials also updated this morning, and I just got this warning:
Virus:win32/Alureon.F
Item: C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys

I look forward to hearing from you with the next steps to take and what to do about ComboFix and if I should run GMER anyway. Thank you so much. //Linda
Here's a copy of the TDSSKiller.txt:
17:56:13:515 35452 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
17:56:13:515 35452 ================================================================================
17:56:13:515 35452 SystemInfo:

17:56:13:515 35452 OS Version: 5.1.2600 ServicePack: 3.0
17:56:13:515 35452 Product type: Workstation
17:56:13:515 35452 ComputerName: KLYLAR
17:56:13:515 35452 UserName: Mama
17:56:13:515 35452 Windows directory: C:\WINDOWS
17:56:13:515 35452 Processor architecture: Intel x86
17:56:13:515 35452 Number of processors: 2
17:56:13:515 35452 Page size: 0x1000
17:56:13:515 35452 Boot type: Normal boot
17:56:13:515 35452 ================================================================================
17:56:13:515 35452 UnloadDriverW: NtUnloadDriver error 2
17:56:13:515 35452 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:56:13:531 35452 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
17:56:13:578 35452 UtilityInit: KLMD drop and load success
17:56:13:578 35452 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
17:56:13:578 35452 UtilityInit: KLMD open success
17:56:13:578 35452 UtilityInit: Initialize success
17:56:13:578 35452
17:56:13:578 35452 Scanning Services ...
17:56:13:578 35452 CreateRegParser: Registry parser init started
17:56:13:578 35452 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
17:56:13:578 35452 CreateRegParser: DisableWow64Redirection error
17:56:13:578 35452 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:56:13:578 35452 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
17:56:13:578 35452 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:56:13:578 35452 wfopen_ex: Trying to KLMD file open
17:56:13:578 35452 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
17:56:13:578 35452 wfopen_ex: File opened ok (Flags 2)
17:56:13:578 35452 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: BF4DE8
17:56:13:578 35452 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:56:13:578 35452 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
17:56:13:578 35452 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:56:13:578 35452 wfopen_ex: Trying to KLMD file open
17:56:13:578 35452 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
17:56:13:578 35452 wfopen_ex: File opened ok (Flags 2)
17:56:13:578 35452 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: BF4CD8
17:56:13:578 35452 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
17:56:13:578 35452 CreateRegParser: EnableWow64Redirection error
17:56:13:578 35452 CreateRegParser: RegParser init completed
17:56:14:375 35452 GetAdvancedServicesInfo: Raw services enum returned 431 services
17:56:14:375 35452 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:56:14:375 35452 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:56:14:375 35452
17:56:14:375 35452 Scanning Kernel memory ...
17:56:14:375 35452 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
17:56:14:375 35452 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 873D5A08
17:56:14:375 35452 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
17:56:14:375 35452
17:56:14:375 35452 DetectCureTDL3: DEVICE_OBJECT: 8730AC68
17:56:14:375 35452 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8730AC68
17:56:14:375 35452 KLMD_ReadMem: Trying to ReadMemory 0x8730AC68[0x38]
17:56:14:375 35452 DetectCureTDL3: DRIVER_OBJECT: 873D5A08
17:56:14:375 35452 KLMD_ReadMem: Trying to ReadMemory 0x873D5A08[0xA8]
17:56:14:375 35452 KLMD_ReadMem: Trying to ReadMemory 0xE1940838[0x18]
17:56:14:375 35452 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:56:14:375 35452 DetectCureTDL3: IrpHandler (0) addr: F7775BB0
17:56:14:375 35452 DetectCureTDL3: IrpHandler (1) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (2) addr: F7775BB0
17:56:14:375 35452 DetectCureTDL3: IrpHandler (3) addr: F776FD1F
17:56:14:375 35452 DetectCureTDL3: IrpHandler (4) addr: F776FD1F
17:56:14:375 35452 DetectCureTDL3: IrpHandler (5) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (6) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (7) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (8) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (9) addr: F77702E2
17:56:14:375 35452 DetectCureTDL3: IrpHandler (10) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (11) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (12) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (13) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (14) addr: F77703BB
17:56:14:375 35452 DetectCureTDL3: IrpHandler (15) addr: F7773F28
17:56:14:375 35452 DetectCureTDL3: IrpHandler (16) addr: F77702E2
17:56:14:375 35452 DetectCureTDL3: IrpHandler (17) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (18) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (19) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (20) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (21) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (22) addr: F7771C82
17:56:14:375 35452 DetectCureTDL3: IrpHandler (23) addr: F777699E
17:56:14:375 35452 DetectCureTDL3: IrpHandler (24) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (25) addr: 804F9739
17:56:14:375 35452 DetectCureTDL3: IrpHandler (26) addr: 804F9739
17:56:14:375 35452 TDL3_FileDetect: Processing driver: Disk
17:56:14:375 35452 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:56:14:375 35452 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:56:14:390 35452 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:56:14:390 35452
17:56:14:390 35452 DetectCureTDL3: DEVICE_OBJECT: 873CFC68
17:56:14:390 35452 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873CFC68
17:56:14:390 35452 KLMD_ReadMem: Trying to ReadMemory 0x873CFC68[0x38]
17:56:14:390 35452 DetectCureTDL3: DRIVER_OBJECT: 873D5A08
17:56:14:390 35452 KLMD_ReadMem: Trying to ReadMemory 0x873D5A08[0xA8]
17:56:14:390 35452 KLMD_ReadMem: Trying to ReadMemory 0xE1940838[0x18]
17:56:14:390 35452 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:56:14:390 35452 DetectCureTDL3: IrpHandler (0) addr: F7775BB0
17:56:14:390 35452 DetectCureTDL3: IrpHandler (1) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (2) addr: F7775BB0
17:56:14:390 35452 DetectCureTDL3: IrpHandler (3) addr: F776FD1F
17:56:14:390 35452 DetectCureTDL3: IrpHandler (4) addr: F776FD1F
17:56:14:390 35452 DetectCureTDL3: IrpHandler (5) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (6) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (7) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (8) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (9) addr: F77702E2
17:56:14:390 35452 DetectCureTDL3: IrpHandler (10) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (11) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (12) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (13) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (14) addr: F77703BB
17:56:14:390 35452 DetectCureTDL3: IrpHandler (15) addr: F7773F28
17:56:14:390 35452 DetectCureTDL3: IrpHandler (16) addr: F77702E2
17:56:14:390 35452 DetectCureTDL3: IrpHandler (17) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (18) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (19) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (20) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (21) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (22) addr: F7771C82
17:56:14:390 35452 DetectCureTDL3: IrpHandler (23) addr: F777699E
17:56:14:390 35452 DetectCureTDL3: IrpHandler (24) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (25) addr: 804F9739
17:56:14:390 35452 DetectCureTDL3: IrpHandler (26) addr: 804F9739
17:56:14:390 35452 TDL3_FileDetect: Processing driver: Disk
17:56:14:390 35452 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:56:14:390 35452 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:56:14:390 35452 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:56:14:390 35452
17:56:14:390 35452 DetectCureTDL3: DEVICE_OBJECT: 8730CAB8
17:56:14:390 35452 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8730CAB8
17:56:14:390 35452 DetectCureTDL3: DEVICE_OBJECT: 873D6D98
17:56:14:390 35452 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873D6D98
17:56:14:390 35452 KLMD_ReadMem: Trying to ReadMemory 0x873D6D98[0x38]
17:56:14:390 35452 DetectCureTDL3: DRIVER_OBJECT: 873D0A30
17:56:14:390 35452 KLMD_ReadMem: Trying to ReadMemory 0x873D0A30[0xA8]
17:56:14:390 35452 KLMD_ReadMem: Trying to ReadMemory 0x87388030[0x38]
17:56:14:390 35452 KLMD_ReadMem: Trying to ReadMemory 0x8738A568[0xA8]
17:56:14:390 35452 KLMD_ReadMem: Trying to ReadMemory 0xE1036290[0x1A]
17:56:14:390 35452 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
17:56:14:390 35452 DetectCureTDL3: IrpHandler (0) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (1) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (2) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (3) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (4) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (5) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (6) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (7) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (8) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (9) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (10) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (11) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (12) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (13) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (14) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (15) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (16) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (17) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (18) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (19) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (20) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (21) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (22) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (23) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (24) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (25) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: IrpHandler (26) addr: 87315841
17:56:14:390 35452 DetectCureTDL3: All IRP handlers pointed to one addr: 87315841
17:56:14:390 35452 KLMD_ReadMem: Trying to ReadMemory 0x87315841[0x400]
17:56:14:390 35452 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
17:56:14:390 35452 Driver "atapi" Irp handler infected by TDSS rootkit ... 17:56:14:390 35452 KLMD_WriteMem: Trying to WriteMemory 0x873158BA[0xD]
17:56:14:390 35452 cured
17:56:14:390 35452 KLMD_ReadMem: Trying to ReadMemory 0x873156EC[0x400]
17:56:14:390 35452 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
17:56:14:390 35452 Driver "atapi" StartIo handler infected by TDSS rootkit ... 17:56:14:390 35452 TDL3_StartIoHookCure: Number of patches 1
17:56:14:390 35452 KLMD_WriteMem: Trying to WriteMemory 0x873157F5[0x6]
17:56:14:390 35452 cured
17:56:14:390 35452 TDL3_FileDetect: Processing driver: atapi
17:56:14:390 35452 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
17:56:14:390 35452 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
17:56:14:437 35452 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
17:56:14:437 35452 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 17:56:14:437 35452 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
17:56:14:437 35452 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
17:56:14:453 35452 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\I386\sp2.cab
17:56:14:500 35452 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\I386\sp3.cab
17:56:14:531 35452 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
17:56:14:562 35452 CabinetCallback: File extracted successfully: C:\DOCUME~1\Mama\LOCALS~1\Temp\bck30.tmp
17:56:14:562 35452 ValidateDriverFile: Stage 1 passed
17:56:14:562 35452 ValidateDriverFile: Stage 2 passed
17:56:14:640 35452 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
17:56:15:500 35452 DigitalSignVerifyByHandle: Cat DS result: 00000000
17:56:15:515 35452 ValidateDriverFile: Stage 3 passed
17:56:15:515 35452 CabinetCallback: File validated successfully, restore information prepared
17:56:15:515 35452 FindDriverFileBackup: Backup copy found in cab-file
17:56:15:515 35452 TDL3_FileCure: Backup copy found, using it..
17:56:15:515 35452 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk31.tmp
17:56:15:562 35452 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk31.tmp, system32\drivers\atapi.sys)
17:56:15:562 35452 TDL3_FileCure: KLMD jobs schedule success
17:56:15:562 35452 will be cured on next reboot
17:56:15:562 35452 UtilityBootReinit: Reboot required for cure complete..
17:56:15:562 35452 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
17:56:15:578 35452 UtilityBootReinit: KLMD drop success
17:56:15:609 35452 KLMD_ApplyPendList: Pending buffer(E30_2215, 608) dropped successfully
17:56:15:609 35452 UtilityBootReinit: Cure on reboot scheduled successfully
17:56:15:609 35452
17:56:15:609 35452 Completed
17:56:15:609 35452
17:56:15:609 35452 Results:
17:56:15:609 35452 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
17:56:15:609 35452 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:56:15:609 35452 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:56:15:609 35452
17:56:15:609 35452 UnloadDriverW: NtUnloadDriver error 1
17:56:15:609 35452 KLMD_Unload: UnloadDriverW(klmd21) error 1
17:56:15:609 35452 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
17:56:15:609 35452 UtilityDeinit: KLMD(ARK) unloaded successfully
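The TDSSKiller log above records how the tool reached its verdict: it walks the \Driver\Disk device stack down to atapi, dumps each driver's IRP dispatch table, and flags atapi because every one of its 27 entries pointed at the same address (87315841) instead of a handful of distinct routines plus a shared stub, then checks the on-disk atapi.sys and schedules a replacement from the driver cab for the next reboot. The script below is an added example written for this thread, not TDSSKiller's own code or anything LinJo posted: it parses log lines in that 2.2.2 format, applies the same "all handlers point to one address" check per driver, collects the file verdicts and the Results counters, and says whether a reboot-and-rescan is still pending. The sample log embedded in it is constructed (timestamps, PID and addresses are made up; only the line shapes follow the log above).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the TDSSKiller 2.2.2 log format used in this thread.
# Timestamps, the PID column and the kernel addresses are made up. The 'Disk'
# section has the normal shape (a few distinct dispatch routines plus a shared
# stub at 804F9739 for unimplemented IRP_MJ_* slots); the 'atapi' section has
# every slot pointing at one address, the shape TDSSKiller itself flags.
_HDR = "10:00:00:000 1234 "
SAMPLE_LOG = "\n".join(
    [
        _HDR + "TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25",
        _HDR + "Scanning Kernel memory ...",
        _HDR + "DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk",
        _HDR + "DetectCureTDL3: IrpHandler (0) addr: F7775BB0",
        _HDR + "DetectCureTDL3: IrpHandler (1) addr: 804F9739",
        _HDR + "DetectCureTDL3: IrpHandler (2) addr: F7775BB0",
        _HDR + "DetectCureTDL3: IrpHandler (3) addr: F776FD1F",
        _HDR + "TDL3_FileDetect: Processing driver: Disk",
        _HDR + "TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: Clean",
        _HDR + "DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi",
    ]
    + [_HDR + f"DetectCureTDL3: IrpHandler ({i}) addr: 87315841" for i in range(27)]
    + [
        _HDR + "DetectCureTDL3: All IRP handlers pointed to one addr: 87315841",
        _HDR + "TDL3_FileDetect: Processing driver: atapi",
        _HDR + "TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: Infected",
        _HDR + "Results:",
        _HDR + "Memory objects infected / cured / cured on reboot: 2 / 2 / 0",
        _HDR + "Registry objects infected / cured / cured on reboot: 0 / 0 / 0",
        _HDR + "File objects infected / cured / cured on reboot: 1 / 0 / 1",
    ]
)

# Every TDSSKiller line starts with "HH:MM:SS:mmm <pid> ".
_PREFIX = r"^\d{2}:\d{2}:\d{2}:\d{3} \d+ "
DRIVER_RE = re.compile(_PREFIX + r"DetectCureTDL3: DRIVER_OBJECT name: \S+, Driver Name: (\S+)$")
IRP_RE = re.compile(_PREFIX + r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)$")
VERDICT_RE = re.compile(_PREFIX + r"TDL3_FileDetect: (\S+) - Verdict: (\w+)$")
RESULT_RE = re.compile(
    _PREFIX + r"(Memory|Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$"
)


@dataclass
class DriverReport:
    name: str
    handlers: Dict[int, int] = field(default_factory=dict)  # IRP_MJ index -> handler address
    file_path: Optional[str] = None
    verdict: Optional[str] = None

    def all_handlers_same(self) -> bool:
        """True when every logged dispatch slot points to one address.

        A clean driver shows a few distinct routines plus one shared stub for the
        IRP_MJ_* codes it does not implement, so several addresses are normal; a
        single address for the whole table means the table was overwritten."""
        return len(self.handlers) > 1 and len(set(self.handlers.values())) == 1


def parse_tdsskiller_log(text: str) -> Tuple[Dict[str, DriverReport], Dict[str, Tuple[int, int, int]]]:
    """Return (per-driver reports keyed by driver name, Results counters keyed by object kind)."""
    drivers: Dict[str, DriverReport] = {}
    results: Dict[str, Tuple[int, int, int]] = {}
    current: Optional[DriverReport] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = DRIVER_RE.match(line)
        if m:
            # The same driver is logged once per device object; restart its table each time.
            current = drivers.setdefault(m.group(1), DriverReport(m.group(1)))
            current.handlers = {}
            continue
        m = IRP_RE.match(line)
        if m and current is not None:
            current.handlers[int(m.group(1))] = int(m.group(2), 16)
            continue
        m = VERDICT_RE.match(line)
        if m and current is not None:
            current.file_path, current.verdict = m.group(1), m.group(2)
            continue
        m = RESULT_RE.match(line)
        if m:
            results[m.group(1)] = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return drivers, results


def findings(drivers: Dict[str, DriverReport]) -> List[str]:
    """Human-readable findings: hooked dispatch tables and non-clean on-disk images."""
    out: List[str] = []
    for d in drivers.values():
        if d.all_handlers_same():
            addr = next(iter(d.handlers.values()))
            out.append(f"{d.name}: all {len(d.handlers)} IRP handlers point to {addr:08X}")
        if d.verdict and d.verdict != "Clean":
            out.append(f"{d.name}: on-disk image {d.file_path} verdict {d.verdict}")
    return out


def needs_reboot_and_rescan(results: Dict[str, Tuple[int, int, int]]) -> bool:
    """A non-zero 'cured on reboot' count means the fix is only scheduled; rescan after rebooting."""
    return any(cured_on_reboot > 0 for (_, _, cured_on_reboot) in results.values())


if __name__ == "__main__":
    drv, res = parse_tdsskiller_log(SAMPLE_LOG)
    for line in findings(drv):
        print(line)
    print("reboot and rescan:", needs_reboot_and_rescan(res))
```

Run it against a saved TDSSKiller.txt by passing the file's text to parse_tdsskiller_log. The memory-side check is the important one for a reader of this thread: an on-disk Verdict: Clean says nothing on its own, because TDL3 patches the driver image in memory and only the dispatch-table shape reveals it, which is why the tool reports "cured on reboot" separately and why a second run after rebooting (as sundavis asks for) is what confirms the cure.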


#6 sundavis
  • Malware Response Team
  • 2,708 posts

Posted 19 January 2010 - 12:09 AM

Hi LinJo,



I do not recommend that you have more than one antivirus product installed and running on your computer at a time. In your case, you have AntiVir and Windows Security Essentials.
The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms".
It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: when the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and remove one of the two programs in the following.

AntiVir
Windows Security Essentials

After that, please remove unnecessary antimalware programs. Those programs can't effectively defend your system, but they hog too many resources. You may keep MBAM, as it is highly recommended.


QUOTE
'C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP213\A0045882.sys.

Avira flagged that the infected file was in System Volume Cache. Whatever is in there can't harm you unless you choose to perform a manual restore. We will deal with that later.

Please allow the change on what Avira found. Then disable the real time protection of Avira and rerun TDSSKiller as instructed in my previous post. Post the contents in your next reply.

QUOTE
Some installation files are corrupt

Yes, the developer should have been alerted to what the new situation presents. Maybe it has been rectified. You may try it again.

Please delete the current copy of ComboFix from your desktop and download a new one saving it to your desktop. Click Start button > Select Run > then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.


In your next reply, please post back:

1. New TDSSKiller.txt
2. ComboFix log
3. Gmer log

Thanks

Edited by sundavis, 19 January 2010 - 01:18 AM.


#7 LinJo
  • Topic Starter
  • Members
  • 15 posts

Posted 19 January 2010 - 05:43 PM

Hi sundavis, thanks for the response.
1. I removed MS Security Essentials and other anti-malware software as you suggested.
2. I ran TDSSKiller again and the log is below.
3. I downloaded a new copy of ComboFix, which worked. I ran it; however, it could not install the Windows Recovery Console. It did complete the scan, and the log file is below.
4. I ran GMER. It ran for 5 hours actively scanning; however, when I clicked SAVE to save the log file it froze up, and so did my PC. Because of the save problem I do not have a GMER log for you right now. I will run it again and try saving it again.

So, here are the TDSSKiller and ComboFix logs for now. I will provide the GMER log if it saves next time. Thank you for your help; I appreciate it so very much. //LinJo

TDSSKiller log:
10:36:04:921 3684 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
10:36:04:921 3684 ================================================================================
10:36:04:921 3684 SystemInfo:

10:36:04:921 3684 OS Version: 5.1.2600 ServicePack: 3.0
10:36:04:921 3684 Product type: Workstation
10:36:04:921 3684 ComputerName: KLYLAR
10:36:04:921 3684 UserName: Mama
10:36:04:921 3684 Windows directory: C:\WINDOWS
10:36:04:921 3684 Processor architecture: Intel x86
10:36:04:921 3684 Number of processors: 2
10:36:04:921 3684 Page size: 0x1000
10:36:04:921 3684 Boot type: Normal boot
10:36:04:921 3684 ================================================================================
10:36:04:921 3684 UnloadDriverW: NtUnloadDriver error 2
10:36:04:921 3684 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
10:36:04:921 3684 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:36:04:937 3684 UtilityInit: KLMD drop and load success
10:36:04:937 3684 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
10:36:04:937 3684 UtilityInit: KLMD open success
10:36:04:937 3684 UtilityInit: Initialize success
10:36:04:937 3684
10:36:04:937 3684 Scanning Services ...
10:36:04:937 3684 CreateRegParser: Registry parser init started
10:36:04:937 3684 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
10:36:04:937 3684 CreateRegParser: DisableWow64Redirection error
10:36:04:937 3684 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
10:36:04:937 3684 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
10:36:04:937 3684 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:36:04:937 3684 wfopen_ex: Trying to KLMD file open
10:36:04:937 3684 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
10:36:04:937 3684 wfopen_ex: File opened ok (Flags 2)
10:36:04:937 3684 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 394C48
10:36:04:937 3684 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
10:36:04:937 3684 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
10:36:04:937 3684 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:36:04:937 3684 wfopen_ex: Trying to KLMD file open
10:36:04:937 3684 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
10:36:04:937 3684 wfopen_ex: File opened ok (Flags 2)
10:36:04:937 3684 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 394B38
10:36:04:937 3684 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
10:36:04:937 3684 CreateRegParser: EnableWow64Redirection error
10:36:04:937 3684 CreateRegParser: RegParser init completed
10:36:05:546 3684 GetAdvancedServicesInfo: Raw services enum returned 425 services
10:36:05:546 3684 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
10:36:05:546 3684 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
10:36:05:546 3684
10:36:05:546 3684 Scanning Kernel memory ...
10:36:05:546 3684 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
10:36:05:546 3684 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8739BA08
10:36:05:546 3684 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
10:36:05:546 3684
10:36:05:546 3684 DetectCureTDL3: DEVICE_OBJECT: 8736CC68
10:36:05:546 3684 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8736CC68
10:36:05:546 3684 KLMD_ReadMem: Trying to ReadMemory 0x8736CC68[0x38]
10:36:05:546 3684 DetectCureTDL3: DRIVER_OBJECT: 8739BA08
10:36:05:546 3684 KLMD_ReadMem: Trying to ReadMemory 0x8739BA08[0xA8]
10:36:05:546 3684 KLMD_ReadMem: Trying to ReadMemory 0xE198BE80[0x18]
10:36:05:546 3684 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:36:05:546 3684 DetectCureTDL3: IrpHandler (0) addr: F7775BB0
10:36:05:546 3684 DetectCureTDL3: IrpHandler (1) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (2) addr: F7775BB0
10:36:05:546 3684 DetectCureTDL3: IrpHandler (3) addr: F776FD1F
10:36:05:546 3684 DetectCureTDL3: IrpHandler (4) addr: F776FD1F
10:36:05:546 3684 DetectCureTDL3: IrpHandler (5) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (6) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (7) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (8) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (9) addr: F77702E2
10:36:05:546 3684 DetectCureTDL3: IrpHandler (10) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (11) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (12) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (13) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (14) addr: F77703BB
10:36:05:546 3684 DetectCureTDL3: IrpHandler (15) addr: F7773F28
10:36:05:546 3684 DetectCureTDL3: IrpHandler (16) addr: F77702E2
10:36:05:546 3684 DetectCureTDL3: IrpHandler (17) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (18) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (19) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (20) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (21) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (22) addr: F7771C82
10:36:05:546 3684 DetectCureTDL3: IrpHandler (23) addr: F777699E
10:36:05:546 3684 DetectCureTDL3: IrpHandler (24) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (25) addr: 804F9739
10:36:05:546 3684 DetectCureTDL3: IrpHandler (26) addr: 804F9739
10:36:05:546 3684 TDL3_FileDetect: Processing driver: Disk
10:36:05:546 3684 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:36:05:546 3684 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:36:05:578 3684 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:36:05:578 3684
10:36:05:578 3684 DetectCureTDL3: DEVICE_OBJECT: 8736DC68
10:36:05:578 3684 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8736DC68
10:36:05:578 3684 KLMD_ReadMem: Trying to ReadMemory 0x8736DC68[0x38]
10:36:05:578 3684 DetectCureTDL3: DRIVER_OBJECT: 8739BA08
10:36:05:578 3684 KLMD_ReadMem: Trying to ReadMemory 0x8739BA08[0xA8]
10:36:05:578 3684 KLMD_ReadMem: Trying to ReadMemory 0xE198BE80[0x18]
10:36:05:578 3684 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:36:05:578 3684 DetectCureTDL3: IrpHandler (0) addr: F7775BB0
10:36:05:578 3684 DetectCureTDL3: IrpHandler (1) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (2) addr: F7775BB0
10:36:05:578 3684 DetectCureTDL3: IrpHandler (3) addr: F776FD1F
10:36:05:578 3684 DetectCureTDL3: IrpHandler (4) addr: F776FD1F
10:36:05:578 3684 DetectCureTDL3: IrpHandler (5) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (6) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (7) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (8) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (9) addr: F77702E2
10:36:05:578 3684 DetectCureTDL3: IrpHandler (10) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (11) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (12) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (13) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (14) addr: F77703BB
10:36:05:578 3684 DetectCureTDL3: IrpHandler (15) addr: F7773F28
10:36:05:578 3684 DetectCureTDL3: IrpHandler (16) addr: F77702E2
10:36:05:578 3684 DetectCureTDL3: IrpHandler (17) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (18) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (19) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (20) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (21) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (22) addr: F7771C82
10:36:05:578 3684 DetectCureTDL3: IrpHandler (23) addr: F777699E
10:36:05:578 3684 DetectCureTDL3: IrpHandler (24) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (25) addr: 804F9739
10:36:05:578 3684 DetectCureTDL3: IrpHandler (26) addr: 804F9739
10:36:05:578 3684 TDL3_FileDetect: Processing driver: Disk
10:36:05:578 3684 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:36:05:578 3684 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:36:05:593 3684 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:36:05:593 3684
10:36:05:593 3684 DetectCureTDL3: DEVICE_OBJECT: 8735FAB8
10:36:05:593 3684 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8735FAB8
10:36:05:593 3684 DetectCureTDL3: DEVICE_OBJECT: 873C9B00
10:36:05:593 3684 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873C9B00
10:36:05:593 3684 KLMD_ReadMem: Trying to ReadMemory 0x873C9B00[0x38]
10:36:05:593 3684 DetectCureTDL3: DRIVER_OBJECT: 873661B0
10:36:05:593 3684 KLMD_ReadMem: Trying to ReadMemory 0x873661B0[0xA8]
10:36:05:593 3684 KLMD_ReadMem: Trying to ReadMemory 0xE10025C0[0x1A]
10:36:05:593 3684 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
10:36:05:593 3684 DetectCureTDL3: IrpHandler (0) addr: F767C6F2
10:36:05:593 3684 DetectCureTDL3: IrpHandler (1) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (2) addr: F767C6F2
10:36:05:593 3684 DetectCureTDL3: IrpHandler (3) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (4) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (5) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (6) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (7) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (8) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (9) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (10) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (11) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (12) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (13) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (14) addr: F767C712
10:36:05:593 3684 DetectCureTDL3: IrpHandler (15) addr: F7678852
10:36:05:593 3684 DetectCureTDL3: IrpHandler (16) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (17) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (18) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (19) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (20) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (21) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (22) addr: F767C73C
10:36:05:593 3684 DetectCureTDL3: IrpHandler (23) addr: F7683336
10:36:05:593 3684 DetectCureTDL3: IrpHandler (24) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (25) addr: 804F9739
10:36:05:593 3684 DetectCureTDL3: IrpHandler (26) addr: 804F9739
10:36:05:593 3684 KLMD_ReadMem: Trying to ReadMemory 0xF7679864[0x400]
10:36:05:593 3684 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
10:36:05:593 3684 TDL3_FileDetect: Processing driver: atapi
10:36:05:593 3684 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
10:36:05:593 3684 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
10:36:05:625 3684 TDL3_FileDetect: C:\WINDOWS\system32\drivers\atapi.sys - Verdict: Clean
10:36:05:625 3684
10:36:05:640 3684 Completed
10:36:05:640 3684
10:36:05:640 3684 Results:
10:36:05:640 3684 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
10:36:05:640 3684 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:36:05:640 3684 File objects infected / cured / cured on reboot: 0 / 0 / 0
10:36:05:640 3684
10:36:05:640 3684 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:36:05:640 3684 UtilityDeinit: KLMD(ARK) unloaded successfully

ComboFix log:
ComboFix 10-01-18.03 - Mama 01/19/2010 10:55:28.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.579 [GMT -5:00]
Running from: c:\documents and settings\Mama\desktop\combofix.exe
Command switches used :: /killall
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache
c:\windows\system32\Data

.
((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
.

2010-01-16 22:20 . 2010-01-16 22:20 -------- d--h--w- c:\windows\PIF
2010-01-16 17:00 . 2010-01-16 17:08 -------- d-----w- C:\571f78410baa32495c94e3b5ff076c8a
2010-01-12 01:09 . 2010-01-12 13:47 -------- d-----w- c:\program files\SpywareGuard
2010-01-08 18:17 . 2010-01-12 14:56 -------- d-----w- c:\program files\a-squared Free
2010-01-08 01:41 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-08 01:41 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-08 01:41 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-08 01:41 . 2010-01-08 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-08 01:41 . 2010-01-08 01:41 -------- d-----w- c:\program files\Avira
2010-01-07 22:57 . 2010-01-07 22:57 13896 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-01-07 22:56 . 2010-01-07 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-01-07 22:56 . 2010-01-07 22:56 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-01-07 14:46 . 2010-01-07 14:46 -------- d-----w- c:\documents and settings\Mama\Application Data\Panda Security
2010-01-07 14:39 . 2010-01-07 14:39 -------- d-----w- c:\program files\Panda Security
2010-01-06 22:03 . 2010-01-06 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-01-06 21:51 . 2010-01-06 21:54 -------- d-----w- c:\documents and settings\Mama\Application Data\NewSoft
2010-01-06 21:51 . 2010-01-06 21:54 -------- d-----w- c:\documents and settings\Mama\Local Settings\Application Data\NewSoft
2010-01-06 17:54 . 2010-01-06 17:54 -------- d-----w- c:\program files\CCleaner
2010-01-04 01:49 . 2010-01-04 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-01-04 01:49 . 2010-01-04 01:49 -------- d-----w- c:\program files\IObit
2010-01-03 20:55 . 2010-01-08 01:30 -------- d-----w- c:\program files\ThreatFire
2010-01-03 17:55 . 2010-01-03 17:55 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-03 17:26 . 2010-01-03 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-02 19:08 . 2010-01-08 01:35 -------- d-----w- c:\program files\Trend Micro
2010-01-02 18:56 . 2010-01-02 18:56 -------- d-----w- c:\documents and settings\Mama\Application Data\Office Genuine Advantage
2010-01-02 18:36 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-01 03:02 . 2010-01-01 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-01 03:01 . 2010-01-19 15:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-01 03:01 . 2010-01-19 15:19 -------- d-----w- c:\documents and settings\Mama\Application Data\SUPERAntiSpyware.com
2010-01-01 02:30 . 2010-01-01 02:30 -------- d-sh--w- c:\documents and settings\Amy\IECompatCache
2010-01-01 01:32 . 2010-01-01 01:32 -------- d-----w- c:\documents and settings\Mama\Application Data\Malwarebytes
2010-01-01 01:32 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 01:32 . 2010-01-01 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-01 01:32 . 2010-01-11 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-01 01:32 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-18 23:00 . 2002-08-29 07:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-18 14:53 . 2009-07-13 18:02 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2010-01-14 16:12 . 2009-10-03 23:00 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 19:06 . 2009-05-04 21:03 -------- d-----w- c:\documents and settings\Dada\Application Data\U3
2010-01-13 13:58 . 2003-01-15 17:00 247824 ----a-w- c:\documents and settings\Dada\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-12 23:39 . 2009-05-06 17:05 -------- d-----w- c:\documents and settings\Mama\Application Data\U3
2010-01-12 19:47 . 2002-12-17 18:03 247824 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-12 01:58 . 2002-12-17 18:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-12 01:57 . 2009-02-07 22:49 -------- d-----w- c:\program files\ESTsoft
2010-01-12 01:57 . 2009-02-07 22:49 -------- d-----w- c:\documents and settings\Dada\Application Data\ESTsoft
2010-01-11 20:35 . 2010-01-11 20:35 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-06 22:44 . 2009-03-04 20:00 -------- d-----w- c:\program files\DivX
2010-01-06 22:35 . 2007-02-19 00:50 -------- d-----w- c:\program files\Apple Software Update
2010-01-06 22:29 . 2007-10-03 21:41 -------- d-----w- c:\program files\Common Files\Apple
2010-01-06 22:11 . 2006-10-30 14:03 -------- d-----w- c:\program files\Google
2010-01-06 21:42 . 2005-01-23 13:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-01-06 20:55 . 2009-02-20 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\zed3
2010-01-06 20:13 . 2005-05-16 14:32 245872 ----a-w- c:\documents and settings\Amy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-06 20:03 . 2005-05-27 19:09 245872 ----a-w- c:\documents and settings\Susie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-06 19:26 . 2003-01-26 02:00 245872 ----a-w- c:\documents and settings\Danny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-01 00:56 . 2008-02-12 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2010-01-01 00:56 . 2008-02-12 19:57 -------- d-----w- c:\program files\Dell Support Center
2009-12-20 18:30 . 2009-07-13 18:03 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-12-20 18:30 . 2009-07-13 18:03 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2009-12-20 18:30 . 2009-07-13 18:03 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-12-20 18:30 . 2009-10-22 17:28 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\aawapi.dll
2009-12-20 18:30 . 2009-07-13 18:03 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Savapibridge.dll
2009-12-20 18:30 . 2009-07-13 18:03 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2009-12-20 18:30 . 2009-07-13 18:02 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-12-20 18:30 . 2009-07-13 18:02 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-12-20 18:30 . 2009-07-13 18:02 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-12-20 18:30 . 2009-07-13 18:02 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-12-20 18:30 . 2009-07-13 18:02 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-12-20 18:30 . 2009-07-13 18:02 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-12-20 15:44 . 2009-05-04 21:00 -------- d-----w- c:\documents and settings\Danny\Application Data\U3
2009-12-08 13:32 . 2009-05-06 18:02 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-21 15:51 . 2002-08-29 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-19 18:29 . 2009-07-13 18:03 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-11-19 18:29 . 2009-07-13 18:02 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-11-19 18:29 . 2009-07-13 18:02 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-11-19 18:29 . 2009-09-21 17:58 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2009-11-08 18:28 . 2009-11-08 18:28 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-08 18:28 . 2009-11-08 18:28 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\SBREDrv.sys
2009-11-08 18:28 . 2009-11-08 18:28 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\sbap.dll
2009-11-08 18:28 . 2009-06-08 18:10 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-11-08 18:28 . 2009-03-09 20:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-08 18:28 . 2009-11-08 18:28 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Vipre.dll
2009-11-08 18:28 . 2009-11-08 18:28 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\VipreBridge.dll
2009-11-08 18:28 . 2009-11-08 18:28 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\SBTE.dll
2009-11-08 18:28 . 2009-11-08 18:28 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\SBRE.dll
2009-10-29 07:45 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
2002-08-29 11:00 . 2002-08-29 11:00 94784 --sha-w- c:\windows\TWAIN.DLL
2008-04-14 00:11 . 2002-08-29 11:00 1028096 --sh--w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2002-08-29 11:00 57344 --sha-w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2002-08-29 11:00 413696 --sh--w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2002-08-29 11:00 343040 --sh--w- c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 . 2002-08-29 11:00 551936 --sha-w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2002-08-29 11:00 84992 --sh--w- c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 . 2002-08-29 11:00 11776 --sha-w- c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-12-20 788880]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-02 684032]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-15 28672]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Mama\Start Menu\Programs\Startup\
ABSpro Launcher.lnk - c:\program files\CMS Peripherals\ABSpro Backup\ABSLauncher.exe [2003-7-3 135168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2002-12-17 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2003-1-15 663552]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2005-08-12 18:43 45056 ------w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/9/2009 12:58 PM 64288]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/7/2010 8:41 PM 108289]
R2 portD;ABS PortIO Service;c:\windows\SYSTEM32\DRIVERS\portd2k.sys [7/3/2003 3:36 PM 12960]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 cpuz132;cpuz132;c:\windows\SYSTEM32\DRIVERS\cpuz132_x32.sys [6/19/2009 11:48 AM 12672]
S3 GPU-Z;GPU-Z;\??\c:\docume~1\Mama\LOCALS~1\Temp\GPU-Z.sys --> c:\docume~1\Mama\LOCALS~1\Temp\GPU-Z.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1181328]
S3 scsiscan;SCSI Scanner Driver;c:\windows\SYSTEM32\DRIVERS\scsiscan.sys [5/26/2003 12:44 PM 11520]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-18 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:30]

2010-01-19 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:30]

2010-01-19 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:30]

2010-01-19 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:30]

2010-01-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:30]

2010-01-19 c:\windows\Tasks\User_Feed_Synchronization-{44B6A0E4-A375-4FA0-BFAA-609B6D13B426}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

2010-01-19 c:\windows\Tasks\User_Feed_Synchronization-{4E9E7DBD-125D-4C85-BE0A-E1AA63E71474}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mWindow Title = Windows Internet Explorer
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search - ?p=ZC
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 11:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MMTray = c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g8?4?V??g8?4?SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp????X??????????????????>?w0 ?w????3??w???g?%4???4????g?????CY????????g:?4?2???????????<???? @???X???X???????????????????Y?????F?Q?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2551294104-1589364550-1331601642-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2468)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\System32\CTsvcCDA.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-19 11:18:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-19 16:18

Pre-Run: 65,522,196,480 bytes free
Post-Run: 65,631,883,264 bytes free

- - End Of File - - 95F0C6198B5C88C154586DB148CC17A0


#8 sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 19 January 2010 - 10:09 PM

Hi LinJo,


QUOTE
I ran GMER - it ran for 5 hours actively scanning

Since the culprit is gone, we may skip the Gmer part.

QUOTE
I removed MS Security Essentials and other anti-malware software as you suggested.

That sounds good. You need to delete those folders in Program Files as well.

Let's remove some orphaned entries and review your logs one more time. Let me know if you have any remaining issues on your pc.

Step1
  1. Close any open browsers
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  3. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
CODE
DDS::
uSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mPolicies-explorer: =
IE: &Search - ?p=ZC

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step2

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the OTL icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the Run Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



In your next reply, please post back:

1. ComboFix log
2. OTListIt.txt and Extra.txt

Tell me if you have any remaining issues on your pc.
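The log review behind the CFScript in this post, as an added example that is not part of the post or of ComboFix: a Python helper that reads a ComboFix log in the layout posted in this thread, flags the disabled Windows Firewall, the "- No File" browser add-on entries and the services whose file ComboFix could not locate, and lays the first two out in the DDS::/Registry:: shape used above. The sample log lines are constructed from this thread's log, and the CFScript layout is copied from the post rather than from ComboFix documentation.

```python
"""Triage a ComboFix log the way the post above does (added example, not ComboFix code).

Flags: Windows Firewall disabled in the StandardProfile key, browser add-on
entries that point at no file ("- No File"), and services whose backing file
ComboFix could not find ("[?]"), then lays the first two out in the
DDS::/Registry:: shape shown in the post.
"""
import re

# Constructed sample in the layout of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/9/2009 12:58 PM 64288]
S3 GPU-Z;GPU-Z;\??\c:\docume~1\Mama\LOCALS~1\Temp\GPU-Z.sys --> c:\docume~1\Mama\LOCALS~1\Temp\GPU-Z.sys [?]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
IE: &Search - ?p=ZC
"""

# Registry key under which ComboFix reports the firewall state (as in the log above).
FIREWALL_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
# ComboFix service lines: "<start type> <name>;<display name>;<image path> [<date size>]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
ENABLE_FW_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')


def parse_combofix_log(text):
    """Return the findings an analyst would act on, keyed by finding type."""
    findings = {"firewall_disabled": False, "orphan_entries": [], "missing_file_services": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        # Bracketed lines open a registry key section, as in a .reg file.
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        # "EnableFirewall"= 0 under the StandardProfile key means the firewall is off.
        if section is not None and section.lower() == FIREWALL_KEY.lower():
            m = ENABLE_FW_RE.match(line)
            if m and int(m.group("value")) == 0:
                findings["firewall_disabled"] = True
        # Toolbar/explorer-bar entries whose CLSID resolves to no file are orphans.
        if line.endswith("- No File"):
            findings["orphan_entries"].append(line)
        # A service line ending in "[?]" is one whose image ComboFix could not find.
        m = SERVICE_RE.match(line)
        if m and m.group("rest").endswith("[?]"):
            findings["missing_file_services"].append(m.group("name"))
    return findings


def build_cfscript(findings):
    """Lay findings out in the CFScript shape used in the post (DDS:: and Registry:: sections)."""
    lines = []
    if findings["orphan_entries"]:
        lines.append("DDS::")
        lines.extend(findings["orphan_entries"])
        lines.append("")
    if findings["firewall_disabled"]:
        lines.append("Registry::")
        lines.append("[" + FIREWALL_KEY + "]")
        lines.append('"EnableFirewall"=dword:00000001')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_combofix_log(SAMPLE_LOG)
    # Missing-file services are reported for the analyst rather than scripted away.
    for svc in found["missing_file_services"]:
        print("service with no backing file (review before removal):", svc)
    print(build_cfscript(found))
```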

#9 LinJo

  • Topic Starter
  • Members
  • 15 posts

Posted 20 January 2010 - 12:24 PM

Hi sundavis. Thanks for your response - your instructions are so clear and organized and helpful!
1. I deleted all those orphaned folders under Program Files.
2. I ran ComboFix again with the script you provided (it updated to the latest ComboFix version). This time it successfully installed the Windows Recovery Console. The log is below.
3. I ran OTL and the 2 reports are below.

I tried Google, Yahoo and Bing and did searches. No malicious redirections occurred. So far, so good. When starting any MS Office applications they now start up instantaneously - the PC is much more responsive. Memory usage seems to be less. I'm cautiously optimistic, but right now, it's looking good. Thank you and I look forward to hearing from you. //LinJo

ComboFix Log:
ComboFix 10-01-19.08 - Mama 01/20/2010 11:04:57.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.544 [GMT -5:00]
Running from: c:\documents and settings\Mama\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mama\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-16 22:20 . 2010-01-16 22:20 -------- d--h--w- c:\windows\PIF
2010-01-16 17:00 . 2010-01-16 17:08 -------- d-----w- C:\571f78410baa32495c94e3b5ff076c8a
2010-01-08 01:41 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-08 01:41 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-08 01:41 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-08 01:41 . 2010-01-08 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-08 01:41 . 2010-01-08 01:41 -------- d-----w- c:\program files\Avira
2010-01-06 22:03 . 2010-01-06 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-01-06 21:51 . 2010-01-06 21:54 -------- d-----w- c:\documents and settings\Mama\Local Settings\Application Data\NewSoft
2010-01-06 17:54 . 2010-01-06 17:54 -------- d-----w- c:\program files\CCleaner
2010-01-03 17:55 . 2010-01-03 17:55 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-03 17:26 . 2010-01-03 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-02 18:56 . 2010-01-02 18:56 -------- d-----w- c:\documents and settings\Mama\Application Data\Office Genuine Advantage
2010-01-02 18:36 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-01 03:01 . 2010-01-19 15:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-01 02:30 . 2010-01-01 02:30 -------- d-sh--w- c:\documents and settings\Amy\IECompatCache
2010-01-01 01:32 . 2010-01-01 01:32 -------- d-----w- c:\documents and settings\Mama\Application Data\Malwarebytes
2010-01-01 01:32 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 01:32 . 2010-01-01 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-01 01:32 . 2010-01-11 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-01 01:32 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-18 23:00 . 2002-08-29 07:27 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-18 14:53 . 2009-07-13 18:02 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2010-01-14 16:12 . 2009-10-03 23:00 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 19:06 . 2009-05-04 21:03 -------- d-----w- c:\documents and settings\Dada\Application Data\U3
2010-01-13 13:58 . 2003-01-15 17:00 247824 ----a-w- c:\documents and settings\Dada\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-12 23:39 . 2009-05-06 17:05 -------- d-----w- c:\documents and settings\Mama\Application Data\U3
2010-01-12 19:47 . 2002-12-17 18:03 247824 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-12 01:58 . 2002-12-17 18:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-11 20:35 . 2010-01-11 20:35 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-06 22:44 . 2009-03-04 20:00 -------- d-----w- c:\program files\DivX
2010-01-06 22:35 . 2007-02-19 00:50 -------- d-----w- c:\program files\Apple Software Update
2010-01-06 22:29 . 2007-10-03 21:41 -------- d-----w- c:\program files\Common Files\Apple
2010-01-06 20:13 . 2005-05-16 14:32 245872 ----a-w- c:\documents and settings\Amy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-06 20:03 . 2005-05-27 19:09 245872 ----a-w- c:\documents and settings\Susie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-06 19:26 . 2003-01-26 02:00 245872 ----a-w- c:\documents and settings\Danny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-20 18:30 . 2009-07-13 18:03 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-12-20 18:30 . 2009-07-13 18:03 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2009-12-20 18:30 . 2009-07-13 18:03 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-12-20 18:30 . 2009-10-22 17:28 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\aawapi.dll
2009-12-20 18:30 . 2009-07-13 18:03 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Savapibridge.dll
2009-12-20 18:30 . 2009-07-13 18:03 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2009-12-20 18:30 . 2009-07-13 18:02 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-12-20 18:30 . 2009-07-13 18:02 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-12-20 18:30 . 2009-07-13 18:02 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-12-20 18:30 . 2009-07-13 18:02 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-12-20 18:30 . 2009-07-13 18:02 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-12-20 18:30 . 2009-07-13 18:02 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-12-20 15:44 . 2009-05-04 21:00 -------- d-----w- c:\documents and settings\Danny\Application Data\U3
2009-12-08 13:32 . 2009-05-06 18:02 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-21 15:51 . 2002-08-29 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-19 18:29 . 2009-07-13 18:03 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-11-19 18:29 . 2009-07-13 18:02 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-11-19 18:29 . 2009-07-13 18:02 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-11-19 18:29 . 2009-09-21 17:58 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2009-11-08 18:28 . 2009-11-08 18:28 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-08 18:28 . 2009-11-08 18:28 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\SBREDrv.sys
2009-11-08 18:28 . 2009-11-08 18:28 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\sbap.dll
2009-11-08 18:28 . 2009-06-08 18:10 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-11-08 18:28 . 2009-03-09 20:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-08 18:28 . 2009-11-08 18:28 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Vipre.dll
2009-11-08 18:28 . 2009-11-08 18:28 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\VipreBridge.dll
2009-11-08 18:28 . 2009-11-08 18:28 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\SBTE.dll
2009-11-08 18:28 . 2009-11-08 18:28 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\SBRE.dll
2009-10-29 07:45 . 2006-06-23 16:33 916480 ------w- c:\windows\system32\wininet.dll
2002-08-29 11:00 . 2002-08-29 11:00 94784 --sha-w- c:\windows\TWAIN.DLL
2008-04-14 00:11 . 2002-08-29 11:00 1028096 --sh--w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2002-08-29 11:00 57344 --sha-w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2002-08-29 11:00 413696 --sh--w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2002-08-29 11:00 551936 --sha-w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2002-08-29 11:00 84992 --sh--w- c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 . 2002-08-29 11:00 11776 --sha-w- c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-12-20 788880]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-02 684032]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-15 28672]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Mama\Start Menu\Programs\Startup\
ABSpro Launcher.lnk - c:\program files\CMS Peripherals\ABSpro Backup\ABSLauncher.exe [2003-7-3 135168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2002-12-17 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2003-1-15 663552]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2005-08-12 18:43 45056 ------w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/9/2009 12:58 PM 64288]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/7/2010 8:41 PM 108289]
R2 portD;ABS PortIO Service;c:\windows\SYSTEM32\DRIVERS\portd2k.sys [7/3/2003 3:36 PM 12960]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1181328]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 cpuz132;cpuz132;c:\windows\SYSTEM32\DRIVERS\cpuz132_x32.sys [6/19/2009 11:48 AM 12672]
S3 GPU-Z;GPU-Z;\??\c:\docume~1\Mama\LOCALS~1\Temp\GPU-Z.sys --> c:\docume~1\Mama\LOCALS~1\Temp\GPU-Z.sys [?]
S3 scsiscan;SCSI Scanner Driver;c:\windows\SYSTEM32\DRIVERS\scsiscan.sys [5/26/2003 12:44 PM 11520]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-20 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:30]

2010-01-20 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:30]

2010-01-20 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:30]

2010-01-20 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:30]

2010-01-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:30]

2010-01-20 c:\windows\Tasks\User_Feed_Synchronization-{44B6A0E4-A375-4FA0-BFAA-609B6D13B426}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

2010-01-20 c:\windows\Tasks\User_Feed_Synchronization-{4E9E7DBD-125D-4C85-BE0A-E1AA63E71474}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mWindow Title = Windows Internet Explorer
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-20 11:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MMTray = c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g8?4?V??g8?4?SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp????X??????????????????>?w0 ?w????3??w???g?%4???4????g?????CY????????g:?4?2???????????<???? @???X???X???????????????????Y?????F?Q?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2551294104-1589364550-1331601642-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2948)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-01-20 11:16:20
ComboFix-quarantined-files.txt 2010-01-20 16:16

Pre-Run: 65,649,786,880 bytes free
Post-Run: 65,612,333,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 49AE04FA947A9B1DC30E301E6172CA56

OTL Log:
OTL logfile created on: 1/20/2010 11:37:44 AM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Mama\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 571.00 Mb Available Physical Memory | 56.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.22 Gb Total Space | 61.14 Gb Free Space | 32.83% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KLYLAR
Current User Name: Mama
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/20 10:50:20 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mama\Desktop\OTL.exe
PRC - [2010/01/07 20:51:40 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/01/07 20:51:40 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/12/20 13:30:14 | 00,788,880 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/12/20 13:30:13 | 01,181,328 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/09/08 20:09:42 | 00,305,440 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/09/08 20:09:30 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/03/02 13:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/04/13 19:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\wscntfy.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/11 00:45:04 | 00,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
PRC - [2007/03/15 10:09:36 | 00,460,784 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\DSAgnt.exe
PRC - [2005/12/11 18:33:44 | 00,393,216 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\SYSTEM32\ati2evxx.exe
PRC - [2004/03/18 08:33:26 | 00,892,928 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\iTouch\iTouch.exe
PRC - [2003/05/08 10:00:58 | 00,049,152 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
PRC - [2002/10/02 18:41:20 | 00,684,032 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
PRC - [2002/09/12 10:28:14 | 00,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2002/08/29 06:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\WBEM\UNSECAPP.EXE
PRC - [2002/08/14 19:22:52 | 00,028,672 | ---- | M] (Dell - Advanced Desktop Engineering) -- C:\WINDOWS\SYSTEM32\DSentry.exe
PRC - [2002/08/14 18:29:26 | 00,090,112 | ---- | M] (MUSICMATCH, Inc.) -- C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
PRC - [2000/06/26 08:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
PRC - [1999/12/13 02:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE


========== Modules (SafeList) ==========

MOD - [2010/01/20 10:50:20 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mama\Desktop\OTL.exe
MOD - [2006/03/24 09:53:30 | 00,159,744 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\OpHookSE2.dll
MOD - [2004/03/18 09:26:48 | 00,114,688 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\Scrolling\LGMSGHK.DLL
MOD - [2004/03/18 08:26:50 | 00,004,608 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\iTouch\itchhk.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/07 20:51:40 | 00,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/01/07 20:51:40 | 00,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/12/20 13:30:13 | 01,181,328 | ---- | M] (Lavasoft) [On_Demand | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/09/08 20:09:30 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/02/02 15:57:18 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/09/11 00:45:04 | 00,124,832 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)
SRV - [2007/03/07 14:47:46 | 00,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/03/03 21:03:10 | 00,069,632 | ---- | M] (HP) [Unknown | Stopped] -- C:\WINDOWS\SYSTEM32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2005/12/11 20:05:00 | 00,520,192 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\SYSTEM32\ati2sgag.exe -- (ATI Smart)
SRV - [2005/12/11 18:33:44 | 00,393,216 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\SYSTEM32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2002/05/03 12:29:42 | 01,118,208 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\NMSSvc.Exe -- (NMSSvc) Intel®
SRV - [2000/06/26 08:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\SYSTEM32\MsPMSPSv.exe -- (WMDM PMSP Service)
SRV - [1999/12/13 02:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE -- (Creative Service for CDROM Access)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2010/01/07 20:51:40 | 00,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys -- (ssmdrv)
DRV - [2009/12/08 08:32:54 | 00,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avgntflt.sys -- (avgntflt)
DRV - [2009/09/23 07:55:23 | 00,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/03/30 10:33:07 | 00,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys -- (avipbb)
DRV - [2009/03/27 00:16:28 | 00,012,672 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\cpuz132_x32.sys -- (cpuz132)
DRV - [2009/02/13 12:35:05 | 00,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/04/13 13:45:33 | 00,011,520 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\scsiscan.sys -- (scsiscan)
DRV - [2008/04/13 13:45:29 | 00,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\gameenum.sys -- (gameenum)
DRV - [2008/04/13 13:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 13:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/02/02 15:51:27 | 00,009,464 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys -- (Cdralw2k)
DRV - [2008/02/02 15:51:27 | 00,009,336 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2008/02/02 15:51:26 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\secdrv.sys -- (Secdrv)
DRV - [2007/02/25 11:10:48 | 00,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 15:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Running] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSPROCT)
DRV - [2006/04/12 05:04:39 | 00,049,664 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HPZid412.sys -- (HPZid412)
DRV - [2006/04/12 05:04:39 | 00,021,568 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HPZius12.sys -- (HPZius12)
DRV - [2006/04/12 05:04:39 | 00,016,496 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HPZipr12.sys -- (HPZipr12)
DRV - [2005/12/11 18:40:42 | 01,414,656 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2005/03/21 11:00:24 | 00,004,096 | ---- | M] (SuperAdBlocker.com) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\sabprocenum.sys -- (SABProcEnum)
DRV - [2004/10/07 20:16:04 | 00,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\AFS2K.SYS -- (AFS2K)
DRV - [2004/08/04 00:29:54 | 01,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys -- (nv)
DRV - [2004/08/04 00:29:49 | 00,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/04 00:29:47 | 00,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/04 00:29:45 | 00,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/04 00:29:43 | 00,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/04 00:29:42 | 00,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/04 00:29:41 | 00,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/04 00:29:37 | 00,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/04 00:29:37 | 00,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/04 00:29:37 | 00,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/04 00:29:36 | 00,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/03/10 13:42:24 | 00,012,953 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\itchfltr.sys -- (itchfltr)
DRV - [2004/03/03 08:50:00 | 00,037,887 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\Lhidusb.sys -- (LHidUsb)
DRV - [2002/12/17 13:21:50 | 00,028,164 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MxlW2k.sys -- (MxlW2k)
DRV - [2002/10/11 10:29:00 | 00,207,936 | ---- | M] (Dell Computer Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\AtlsVid.sys -- (EMATCORE)
DRV - [2002/10/11 10:29:00 | 00,025,600 | ---- | M] (Dell Computer Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\AtlsAud.sys -- (AtlsAud)
DRV - [2002/10/02 18:47:04 | 00,025,674 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Dvd_2k.sys -- (dvd_2K)
DRV - [2002/10/02 18:46:58 | 00,030,406 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\Mmc_2k.sys -- (mmc_2K)
DRV - [2002/10/02 18:46:52 | 00,134,426 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\pwd_2K.sys -- (pwd_2k)
DRV - [2002/10/02 18:43:20 | 00,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2002/10/02 18:42:00 | 00,240,640 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/09/19 15:59:50 | 00,139,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\e100b325.sys -- (E100B) Intel®
DRV - [2002/09/18 15:57:54 | 00,012,960 | ---- | M] (CMS Peripherals, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\portd2k.sys -- (portD)
DRV - [2002/08/30 17:29:02 | 01,293,440 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\P16X.sys -- (P16X) Creative SB Live! Series (WDM)
DRV - [2002/08/29 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\PTILINK.SYS -- (Ptilink)
DRV - [2002/07/19 11:22:08 | 00,017,153 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002/06/30 20:50:12 | 00,167,155 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2002/06/30 20:49:46 | 01,172,416 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys -- (HSF_DP)
DRV - [2002/06/30 20:45:12 | 00,594,832 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - [2002/05/03 12:30:08 | 00,009,868 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NMSCFG.SYS -- (NMSCFG)
DRV - [2001/11/30 03:42:00 | 00,067,694 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\LMouFlt2.sys -- (LMouFlt2)
DRV - [2001/11/30 03:42:00 | 00,022,206 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\LHidFlt2.sys -- (LHidFlt2)
DRV - [2001/11/30 03:42:00 | 00,005,838 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\LKbdFlt2.sys -- (LKbdFlt2)
DRV - [2001/10/22 15:46:42 | 00,009,855 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mdmxsdk.sys -- (mdmxsdk)
DRV - [2001/08/17 15:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 14:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 14:28:12 | 00,488,383 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_V124.sys -- (V124)
DRV - [2001/08/17 14:28:12 | 00,050,751 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_TONE.sys -- (Tones)
DRV - [2001/08/17 14:28:10 | 00,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_MSFT.sys -- (hsf_msft)
DRV - [2001/08/17 14:28:10 | 00,073,279 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_SPKP.sys -- (SpeakerPhone)
DRV - [2001/08/17 14:28:10 | 00,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_SAMP.sys -- (Rksample)
DRV - [2001/08/17 14:28:08 | 00,391,199 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_K56K.sys -- (K56)
DRV - [2001/08/17 14:28:06 | 00,289,887 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_FALL.sys -- (Fallback)
DRV - [2001/08/17 14:28:06 | 00,199,711 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_FAXX.sys -- (SoftFax)
DRV - [2001/08/17 14:28:06 | 00,115,807 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_FSKS.sys -- (Fsks)
DRV - [2001/08/17 14:28:04 | 00,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_BSC2.sys -- (basic2)
DRV - [2001/08/17 13:11:06 | 00,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)
DRV - [2001/08/09 21:03:00 | 00,070,084 | ---- | M] (MK Systems CO., LTD.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\EPLPDX02.SYS -- (Eplpdx02)
DRV - [1999/12/17 02:00:00 | 00,006,752 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\PFMODNT.SYS -- (PfModNT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2551294104-1589364550-1331601642-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-2551294104-1589364550-1331601642-1005\S-1-5-21-2551294104-1589364550-1331601642-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2551294104-1589364550-1331601642-1005\S-1-5-21-2551294104-1589364550-1331601642-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0



O1 HOSTS File: ([2010/01/19 11:07:53 | 00,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (EWPBrowseObject Class) - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-2551294104-1589364550-1331601642-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [diagent] C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\SYSTEM32\DSentry.exe (Dell - Advanced Desktop Engineering)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe (MUSICMATCH, Inc.)
O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe (Logitech Inc.)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)
O4 - Startup: C:\Documents and Settings\Mama\Start Menu\Programs\Startup\ABSpro Launcher.lnk = C:\Program Files\CMS Peripherals\ABSpro Backup\ABSLauncher.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2551294104-1589364550-1331601642-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2551294104-1589364550-1331601642-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2551294104-1589364550-1331601642-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2551294104-1589364550-1331601642-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-2551294104-1589364550-1331601642-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O15 - HKU\.DEFAULT\..Trusted Domains: 31 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 31 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} http://connect.comcast.com/dl/Comcast%20Ac...%20Controls.cab (SupportSoft External Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1162134132390 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1162134563312 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...7686.2763078704 (Reg Error: Key error.)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadblocker.com/activex/sabspx.cab (SABScanProcesses Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?323 (QDiagHUpdateObj Class)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...601/mcfscan.cab (McFreeScan Class)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 14:36:02 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/20 11:16:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/01/20 11:00:54 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2010/01/20 10:50:16 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mama\Desktop\OTL.exe
[2010/01/19 10:53:40 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/01/19 10:53:40 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/01/19 10:53:40 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/01/19 10:53:40 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/01/19 10:53:30 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/19 10:52:57 | 00,000,000 | ---D | C] -- C:\Qoobox
[2010/01/18 17:50:46 | 00,176,392 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Mama\Desktop\TDSSKiller.exe
[2010/01/16 17:20:01 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/01/16 12:00:56 | 00,000,000 | ---D | C] -- C:\571f78410baa32495c94e3b5ff076c8a
[2010/01/11 23:08:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mama\Desktop\Scanner Log Files
[2010/01/11 19:10:48 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Mama\Recent
[2010/01/08 13:17:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mama\My Documents\a-squared Free
[2010/01/07 20:41:57 | 00,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/01/07 20:41:57 | 00,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/01/07 20:41:57 | 00,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/01/07 20:41:56 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/01/07 20:41:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/01/07 20:41:48 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/01/06 17:03:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2010/01/06 16:51:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mama\My Documents\My PageManager
[2010/01/06 16:51:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mama\Local Settings\Application Data\NewSoft
[2010/01/06 13:47:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mama\My Documents\RegistryFileBackup
[2010/01/06 12:54:33 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/01/03 12:55:08 | 00,161,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/01/03 12:26:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/01/02 13:56:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mama\Application Data\Office Genuine Advantage
[2010/01/02 13:38:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/01/02 13:38:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/01/02 13:38:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/01/02 13:38:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/01/02 13:38:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/01/02 13:38:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/01/02 13:38:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/01/02 13:38:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/01/02 13:38:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/01/02 13:38:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/01/02 13:38:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/01/02 13:38:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/01/02 13:38:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/01/02 13:38:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/01/02 13:38:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/01/02 13:38:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/01/02 13:38:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2010/01/02 13:36:10 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/12/31 22:01:48 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/12/31 20:32:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mama\Application Data\Malwarebytes
[2009/12/31 20:32:50 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/31 20:32:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/31 20:32:46 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/31 20:32:46 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/08/13 10:11:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/05/11 18:00:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2009/05/06 17:13:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/04/28 13:27:22 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/03/09 14:57:18 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/11/14 19:35:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\SupportSoft
[2008/04/04 17:59:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2007/10/17 09:44:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2006/10/29 15:19:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2003/01/28 10:08:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Share-to-Web Upload Folder
[2002/12/17 13:05:58 | 00,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll

========== Files - Modified Within 30 Days ==========

[2010/01/20 11:38:00 | 00,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{4E9E7DBD-125D-4C85-BE0A-E1AA63E71474}.job
[2010/01/20 11:36:00 | 00,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{44B6A0E4-A375-4FA0-BFAA-609B6D13B426}.job
[2010/01/20 11:16:20 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/20 11:10:51 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/20 11:01:04 | 00,000,281 | RHS- | M] () -- C:\BOOT.INI
[2010/01/20 10:58:51 | 03,830,599 | R--- | M] () -- C:\Documents and Settings\Mama\Desktop\ComboFix.exe
[2010/01/20 10:57:05 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/20 10:57:05 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/20 10:57:05 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/20 10:57:05 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/20 10:57:05 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/20 10:50:20 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mama\Desktop\OTL.exe
[2010/01/20 08:42:13 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/01/20 08:39:52 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/01/20 08:39:50 | 10,727,66976 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/19 17:55:18 | 07,864,320 | -H-- | M] () -- C:\Documents and Settings\Mama\NTUSER.DAT
[2010/01/19 17:55:18 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Mama\NTUSER.INI
[2010/01/19 11:07:53 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts
[2010/01/19 10:15:32 | 00,068,096 | ---- | M] () -- C:\Documents and Settings\Mama\Desktop\MSSecurityEssentialsHistoryLog.doc
[2010/01/18 17:54:21 | 00,386,980 | ---- | M] () -- C:\Documents and Settings\Mama\Desktop\Google searches redirect to hxxp--rle822x_cn.mht
[2010/01/18 16:47:04 | 00,284,915 | ---- | M] () -- C:\Documents and Settings\Mama\Desktop\gmer.zip
[2010/01/18 16:39:56 | 00,152,401 | ---- | M] () -- C:\Documents and Settings\Mama\Desktop\tdsskiller.zip
[2010/01/18 14:27:12 | 00,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys
[2010/01/17 19:08:47 | 00,000,000 | ---- | M] () -- C:\DebugCapture.prn
[2010/01/17 19:08:46 | 00,003,223 | ---- | M] () -- C:\WINDOWS\System32\GNPORT
[2010/01/14 11:12:06 | 00,181,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/01/13 08:44:00 | 00,176,392 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Mama\Desktop\TDSSKiller.exe
[2010/01/12 15:56:49 | 00,726,296 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/01/12 14:50:49 | 00,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/01/12 10:44:47 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Mama\Desktop\dds.scr
[2010/01/07 20:51:40 | 00,028,520 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/01/07 20:44:34 | 00,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/01/07 17:53:28 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/06 18:23:41 | 00,001,035 | ---- | M] () -- C:\WINDOWS\WIN.INI
[2010/01/06 18:23:41 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2010/01/06 16:55:49 | 00,000,260 | ---- | M] () -- C:\WINDOWS\setup.iss
[2010/01/06 15:54:03 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\Mama\Application Data\winscp.rnd
[2010/01/06 12:54:37 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Mama\Desktop\CCleaner.lnk
[2010/01/03 12:55:08 | 00,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/01/02 14:01:18 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Mama\Local Settings\Application Data\housecall.guid.cache
[2009/12/31 20:32:53 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/27 11:23:03 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

========== Files Created - No Company Name ==========

[2010/01/20 11:01:04 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2010/01/20 11:00:58 | 00,260,272 | ---- | C] () -- C:\cmldr
[2010/01/19 11:42:25 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\Mama\Desktop\gmer.exe
[2010/01/19 10:53:40 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/01/19 10:53:40 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/01/19 10:53:40 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/01/19 10:53:40 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/01/19 10:53:40 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/01/19 10:51:00 | 03,830,599 | R--- | C] () -- C:\Documents and Settings\Mama\Desktop\ComboFix.exe
[2010/01/19 10:15:32 | 00,068,096 | ---- | C] () -- C:\Documents and Settings\Mama\Desktop\MSSecurityEssentialsHistoryLog.doc
[2010/01/18 17:54:20 | 00,386,980 | ---- | C] () -- C:\Documents and Settings\Mama\Desktop\Google searches redirect to hxxp--rle822x_cn.mht
[2010/01/18 16:46:58 | 00,284,915 | ---- | C] () -- C:\Documents and Settings\Mama\Desktop\gmer.zip
[2010/01/18 16:39:49 | 00,152,401 | ---- | C] () -- C:\Documents and Settings\Mama\Desktop\tdsskiller.zip
[2010/01/16 16:51:16 | 10,727,66976 | -HS- | C] () -- C:\hiberfil.sys
[2010/01/12 10:44:32 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Mama\Desktop\dds.scr
[2010/01/07 20:44:34 | 00,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/01/07 17:53:28 | 00,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2010/01/06 16:55:36 | 00,000,260 | ---- | C] () -- C:\WINDOWS\setup.iss
[2010/01/06 15:54:03 | 00,000,600 | ---- | C] () -- C:\Documents and Settings\Mama\Application Data\winscp.rnd
[2010/01/06 12:54:37 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\Mama\Desktop\CCleaner.lnk
[2010/01/05 08:04:38 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/05 08:04:36 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/05 08:04:34 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/05 08:04:33 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/02 14:01:18 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Mama\Local Settings\Application Data\housecall.guid.cache
[2009/12/31 20:32:53 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/30 07:48:13 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2009/08/03 15:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/03/03 09:26:20 | 00,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2008/02/02 16:48:00 | 00,023,552 | ---- | C] () -- C:\Documents and Settings\Mama\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/01/18 17:12:42 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2008/01/18 17:00:20 | 00,006,813 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/08/29 09:12:53 | 00,000,220 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/04/24 16:59:42 | 00,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7R.DLL
[2007/04/24 16:58:16 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2007/04/24 16:57:46 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2007/04/24 16:55:57 | 00,000,532 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2007/02/17 14:17:00 | 00,000,384 | ---- | C] () -- C:\WINDOWS\pixcache.ini
[2006/11/02 13:39:54 | 00,000,051 | ---- | C] () -- C:\WINDOWS\iTouch.ini
[2006/10/07 09:12:45 | 00,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/10/07 08:50:48 | 00,262,144 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2006/10/07 08:50:47 | 02,255,360 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2006/10/07 08:50:47 | 00,395,776 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2006/10/07 08:50:47 | 00,112,640 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2006/07/15 12:29:10 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/02/17 17:44:50 | 00,000,101 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\REGISTRY.INI
[2005/01/31 18:04:37 | 00,000,127 | ---- | C] () -- C:\Documents and Settings\Mama\Local Settings\Application Data\fusioncache.dat
[2003/04/01 13:40:21 | 00,000,039 | ---- | C] () -- C:\WINDOWS\mscandc.ini
[2003/03/17 09:51:59 | 00,000,023 | ---- | C] () -- C:\WINDOWS\EPS2200.ini
[2003/03/01 11:42:30 | 00,000,781 | ---- | C] () -- C:\WINDOWS\BTI.INI
[2003/01/28 09:57:56 | 00,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI
[2003/01/27 18:47:02 | 00,000,102 | ---- | C] () -- C:\WINDOWS\CTRec.INI
[2003/01/06 16:48:08 | 00,000,004 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DirectCDUserNameD.txt
[2003/01/04 17:32:02 | 00,000,021 | ---- | C] () -- C:\WINDOWS\DVDSentry.ini
[2002/12/17 13:24:11 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2002/12/17 13:06:13 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2002/12/17 13:05:59 | 00,002,092 | ---- | C] () -- C:\WINDOWS\System32\P16X.ini
[2002/12/17 13:05:59 | 00,000,026 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2002/12/17 13:05:58 | 00,039,936 | ---- | C] () -- C:\WINDOWS\System32\P16X.dll
[2002/12/17 13:05:58 | 00,006,175 | ---- | C] () -- C:\WINDOWS\MIXDEF.INI
[2002/12/17 13:05:58 | 00,005,917 | ---- | C] () -- C:\WINDOWS\SBMIXDEF.INI
[2002/12/17 13:05:57 | 00,000,064 | ---- | C] () -- C:\WINDOWS\P16x.ini
[2002/12/17 13:05:28 | 00,000,245 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2002/12/17 13:02:56 | 00,000,443 | ---- | C] () -- C:\WINDOWS\Cmousecc.ini
[2002/12/17 13:01:35 | 00,000,883 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2002/12/17 12:40:24 | 00,000,549 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2002/09/09 19:39:32 | 00,000,802 | ---- | C] () -- C:\WINDOWS\LRUN32.INI
[2002/09/09 19:37:54 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2002/02/06 10:04:14 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\NMSInst.dll
[2002/01/21 16:17:18 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\PROInst.dll
[2001/07/07 03:00:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
< End of report >

Extras Log:
OTL Extras logfile created on: 1/20/2010 11:37:44 AM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Mama\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 571.00 Mb Available Physical Memory | 56.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.22 Gb Total Space | 61.14 Gb Free Space | 32.83% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KLYLAR
Current User Name: Mama
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\SYSTEM32\mmc.exe" = C:\WINDOWS\SYSTEM32\mmc.exe:*:Enabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01A4AEDE-F219-49A2-B855-16A016EAF9A4}" = Intel® PROSet II
"{036AA4D4-6D32-11D4-9875-00105ACE7734}" = Logitech iTouch Software
"{0965D484-1777-4BA5-8C3A-095A6B0D2696}_is1" = Driver Sweeper 1.5.5
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{151C555A-A9E7-4A2E-B6D7-165D04A3C956}" = Dell Picture Studio - Dell Image Expert
"{17A11EB0-43C7-748F-B318-4BFB56C1FDBF}" = Bonus Content - Ceiling Fans
"{1AE8A48E-A580-42B0-B0B5-4F94006292D6}" = Bonus Content - Fireplace Items
"{1FE9FB0F-A112-442C-8772-98A971C14657}" = Bonus Content - Home Theater Items
"{237a4b22-78c2-11d6-a394-00104bd190b1}" = QuickBooks Pro Edition 2003
"{26EE66EC-E2CE-E4EF-34BE-23AB97A030A2}" = Bonus Content - Household Items
"{286B027C-BFE3-3C23-A761-7017045EAD5E}" = Bonus Content - Architectural Accents
"{3215EBED-1D06-42fb-A05C-A752A46FB24C}" = Canon MP530
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F8EB641-6AD2-45DE-A8DD-91D7BDD39CDE}" = Microsoft USB Flash Drive Manager
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Dell Modem-On-Hold
"{4AC00457-03CD-D3EB-C60C-5D64DD621CDC}" = Bonus Content - Outdoor Sports
"{4EAD791E-4A35-4C65-B2E6-33CD9EAA2911}" = Browntech Image Plugin 1.97
"{53A42D05-05DF-F006-4B1D-8C568CB0FA52}" = Bonus Content - Accessibility Items
"{5556F9A5-67AE-4A12-A639-4148A3B82245}" = Bonus Content - Sunroom Items
"{55BC7EFA-D832-4EE3-9DEA-49B0C07539D9}" =
"{5851025C-B1EA-4EBA-B469-E1BF71E1DBEC}" = Bonus Content - Garage Items
"{5E835305-63BB-4E55-BBB7-EEBBE67774DB}" = MyDVD
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{65A1FC3C-E496-41A9-98C7-2CEAFE7053B7}" = Better Homes and Gardens HD Suite 7.0 Training Videos
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76939A89-9F51-1C34-AD05-85DE054DC75F}" = Bonus Content - Textiles
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}" = OmniPage SE 2.0
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{85BB6CF7-5144-4942-87E4-5FC5C47569F8}" = The Print Shop 20
"{870815CA-6B60-47B6-88DD-A67F42D2F03E}" = GPL MPEG-1/2 DirectShow Decoder Filter
"{89B078C4-50B0-453E-BF53-3A7E6A0D85FA}" = Windows Support Tools
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{91190409-6000-11D3-8CFE-0050048383C9}" = Microsoft Publisher 2002
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95632566-071E-4A02-92C1-4BD907065736}" = ABSpro Backup
"{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}" = Sound Blaster Live!
"{98DF85D9-96C0-4F57-A92E-C3539477EF5E}" = DVDSentry
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9ED6519B-324A-4C66-98EE-E3F54281BA78}" = Atlantis
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A557D4C9-03AA-4806-80A7-227D2C8E4439}" = Better Homes and Gardens Home Designer Suite 7.0
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.5
"{AC76BA86-7AD7-1033-7B44-A81300000003}_814" = KB408682
"{ADA11E01-7975-55ED-F769-269FA58B83E4}" = Bonus Content - Window Treatments
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2E066F2-A6B9-4825-8630-1E243C9AD402}" = Bonus Content - Kids Items
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{BB46245B-CECA-406F-8790-3ABA0D01012F}" = Roxio VideoWave Movie Creator
"{BCE67364-74C8-85B1-E5FE-50B9DF56270B}" = Bonus Content - Deck Railings
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C28E3F02-6C10-09CD-D780-03A86F28446D}" = Bonus Content - Home Office Items
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1532C5A-C1A1-11D6-8A44-00D0B71AF8DB}" = ASF Digital ROC 1.1.1 and Digital SHO 1.1.1 Plug-Ins
"{D71C2B3D-9895-4D2A-A392-2FB9F58D1BE6}" = ATI Catalyst Control Center
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DCDC8E79-4600-4C02-9824-CD3BB8971D4E}" =
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E3436EE2-D5CB-4249-840B-3A0140CC34C3}" = Classic PhoneTools
"{E48A46FD-4C82-4ADB-9588-0B2311A77A21}" = Bonus Content - Landscape Beds
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E9E34215-82EF-4909-BE2F-F581F0DC9062}" = DirectX for Managed Code Update (Summer 2004)
"{EA52A1AC-D35D-4D25-8686-9466FE2C5CE5}" = Presto! PageManager 7.15.11
"{EC2A8F27-4FBF-4E41-B27B-FE822511B761}" = iTunes
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F54AC413-D2C6-4A24-B324-370C223C6250}" = Adobe Photoshop Elements 6.0
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop Elements 6" = Adobe Photoshop Elements 6.0
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_14F1&DEV_2016&SUBSYS_021913E0" = Conexant HSF V92 56K RTAD Speakerphone PCI Modem
"CPUID HWMonitor_is1" = CPUID HWMonitor 1.14
"Easy-WebPrint" = Easy-WebPrint
"Finale NotePad 2008" = Finale NotePad 2008
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{9ED6519B-324A-4C66-98EE-E3F54281BA78}" = Dell Movie Studio Diagnostics
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"Microsoft Press Interactive Training" = Microsoft Interactive Training
"Microtek Scanner ICC Profiler" = Microtek Scanner ICC Profiler
"Microtek ScanWizard Pro TX" = Microtek ScanWizard Pro TX
"MP Navigator 2.2" = Canon MP Navigator 2.2
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MUSICMATCH Jukebox" = MUSICMATCH Jukebox
"MyCheck Writer Personal" = MyCheck Writer Personal
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROSet" = Intel® PRO Ethernet Adapter and Software
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/16/2010 4:41:52 AM | Computer Name = KLYLAR | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/16/2010 1:12:52 PM | Computer Name = KLYLAR | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/16/2010 1:32:27 PM | Computer Name = KLYLAR | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/16/2010 1:32:44 PM | Computer Name = KLYLAR | Source = Application Hang | ID = 1002
Description = Hanging application msseces.exe, version 1.0.1611.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/16/2010 1:32:47 PM | Computer Name = KLYLAR | Source = Application Hang | ID = 1002
Description = Hanging application msseces.exe, version 1.0.1611.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/16/2010 1:33:04 PM | Computer Name = KLYLAR | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/16/2010 1:33:38 PM | Computer Name = KLYLAR | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/17/2010 2:34:53 AM | Computer Name = KLYLAR | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/17/2010 6:28:57 PM | Computer Name = KLYLAR | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/20/2010 9:58:58 AM | Computer Name = KLYLAR | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 1/19/2010 11:53:38 AM | Computer Name = KLYLAR | Source = Service Control Manager | ID = 7034
Description = The Creative Service for CDROM Access service terminated unexpectedly.
It has done this 1 time(s).

Error - 1/19/2010 11:53:38 AM | Computer Name = KLYLAR | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 1/19/2010 11:53:38 AM | Computer Name = KLYLAR | Source = Service Control Manager | ID = 7034
Description = The WMDM PMSP Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 1/19/2010 11:53:38 AM | Computer Name = KLYLAR | Source = Service Control Manager | ID = 7034
Description = The Ati HotKey Poller service terminated unexpectedly. It has done
this 1 time(s).

Error - 1/19/2010 11:53:38 AM | Computer Name = KLYLAR | Source = Service Control Manager | ID = 7034
Description = The Adobe Active File Monitor V6 service terminated unexpectedly.
It has done this 1 time(s).

Error - 1/19/2010 11:53:38 AM | Computer Name = KLYLAR | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 1/19/2010 11:53:38 AM | Computer Name = KLYLAR | Source = Service Control Manager | ID = 7034
Description = The Indexing Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 1/19/2010 11:53:38 AM | Computer Name = KLYLAR | Source = Service Control Manager | ID = 7031
Description = The Print Spooler service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 1/19/2010 12:04:28 PM | Computer Name = KLYLAR | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_ROOTREPEAL\0000 disappeared from the system
without first being prepared for removal.

Error - 1/20/2010 11:38:00 AM | Computer Name = KLYLAR | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 0007E9C706CB. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.


< End of report >


#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:12:04 PM

Posted 20 January 2010 - 12:58 PM

Hi LinJo,



Looks good. You need to upgrade your java from Here. The new version is jre-6u18-windows-i586-p.exe. After that, you may clear your java cache as instructed in this thread.

We need to remove some orphaned entries. Please be patient and do the following:

Step1
  1. Please start OTL on your desktop.
  2. Under the Custom Scans/Fixes box at the bottom, copy/paste the following contents of the code box.
    CODE
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-2551294104-1589364550-1331601642-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

    :Commands
    [emptytemp]
    [start explorer]
    [Reboot]
  3. Click Run Fix button on the top.
  4. Click OK and let it run unhindered.
  5. OTL will ask to reboot the machine. Please OK the prompt.
  6. A report will open. Copy and Paste that report in your next reply.

In your next reply, please post back:

1. OTL delete log. Thanks


#11 LinJo

LinJo
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:04 PM

Posted 20 January 2010 - 05:51 PM

Hi sundavis. A few new issues.
1. I can't find the java file jre-6u18-windows-i586-p.exe. I go to the java page, click "Download JRE",
select windows for the platform, see under windows offline, there's a 15.20MB file called jre-6u18-windows-i586.exe, but I don't see one with the -p.exe. Also, is the file supposed to download from cds-esd.sun.com?

2. I haven't run OTL again with the code yet because I haven't installed the java.

3. Today I am NOT able to update my Avira after running ComboFix, etc. this morning. I keep getting these errors over and over again:
[UPD] [INFO] Checking whether newer files are available.
[UPD] [INFO] Select update server 'http://62.146.66.185/update'.
[UPD] [INFO] Downloading of 'http://62.146.66.185/update/idx/master.idx' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\master.idx'.
[UPDLIB] [ERROR] Download manager: An error occurred inside the WinINet library.
[UPD] [INFO] Downloading of 'http://62.146.66.185/update/idx/master.idx' to 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\master.idx'.
[UPDLIB] [ERROR] Download of file 'http://62.146.66.185/update/idx/master.idx'. Service unavailable
[UPDLIB] [ERROR] Download manager: An error occurred inside the WinINet library.


4. I wasn't able to get onto any web sites through IE8 this afternoon. I then noticed that Windows defender made 2 detections and it was waiting for my input and I chose deny access: (BTW I am typing this all in by hand because I can't do a copy from the WindowsDefender History Screen, so bear with any typos.)
System Configuration change occurred. This agent monitors security related configuration changes made to Windows. Detected changes: New:1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
Original: 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
Firewallport (Changed):
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP
After denying access through windows defender and it applied the actions, I was able to use the internet again.
I rebooted the PC and then Windows Defender detected:
Description: This program has potentially unwanted behavior. Resources: firewallport: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP
The 2nd detection was almost the same .........bla, bla, bla.....\List\\2869:TCP

Seeing the "GloballyOpenPorts" sent up a red flag for me - could this be a bad thing? A backdoor? Or is this a normal setting change? I think maybe some changes were made to my networking and that may be why Avira won't update too. Thanks for your help. \\LinJo

#12 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:12:04 PM

Posted 20 January 2010 - 07:58 PM

Hi LinJo,



QUOTE
there's a 15.20MB file called jre-6u18-windows-i586.exe

That file is exactly what you need to upgrade. Sorry for the typo.

QUOTE
I keep getting these errors over and over again

The update error message should be Update Servers under heavy load. You may try the following command: Start > Run > type CMD, hit enter and copy/paste the bolded text into the command prompt and click OK. After that, please reboot your pc.

"C:\Program Files\Avira\AntiVir Desktop\update.exe" /DM="0" /NOMESSAGEBOX /receivetimeout=120

All the trouble might be caused by the heavy load on Avira's update servers. WD detects that the different ports were being engaged by the unknown server. It alerts you automatically.

Please proceed with the previous instruction when you're ready. Let me know if you still need further assistance.

Edited by sundavis, 20 January 2010 - 08:44 PM.
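The exception entries in the OTL report above and the Windows Defender alert LinJo transcribed share one value format, port:protocol:scope:state:name, so both can be checked the same way. The Python below is an added example, not code from this thread, from OTL or from Windows Defender: it parses that format, flags enabled exceptions whose scope is "*" (any address) or whose name is not a stock Windows resource string, and tells a Defender alert whose New and Original values are identical (a no-op rewrite) apart from one that really changed exposure. The sample text is constructed from the values posted in this thread, and the "@xpsp2res.dll," name-prefix heuristic is an assumption.

```python
"""Audit Windows XP firewall 'GloballyOpenPorts' exceptions from an OTL report
and from a Windows Defender 'Firewallport (Changed)' alert. Value format in both:
<port>:<TCP|UDP>:<scope>:<Enabled|Disabled>:<name>  ('*' = any address)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two profile sections with the values posted in this thread.
SAMPLE_REPORT = """\
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile\\GloballyOpenPorts\\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\GloballyOpenPorts\\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"""
# Constructed sample: the Defender alert as LinJo transcribed it (New equals Original).
SAMPLE_ALERT = """Detected changes: New:1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
Original: 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
Firewallport (Changed):"""

SECTION_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*?FirewallPolicy\\(?P<profile>\w+)\\GloballyOpenPorts\\List\]$")
ENTRY_RE = re.compile(r'^"[^"]+"\s*=\s*(?P<value>.+)$')
VALUE_RE = re.compile(r"^(?P<port>\d{1,5}):(?P<proto>TCP|UDP):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$")
STOCK_NAME_PREFIX = "@xpsp2res.dll,"  # assumption: resource string XP uses to label its own exceptions


@dataclass(frozen=True)
class PortException:
    profile: str
    port: int
    proto: str
    scope: str
    enabled: bool
    name: str


def parse_value(profile: str, value: str) -> Optional[PortException]:
    """Parse one 'port:proto:scope:state:name' value; None if it is malformed."""
    m = VALUE_RE.match(value.strip())
    if not m:
        return None
    return PortException(profile, int(m["port"]), m["proto"], m["scope"],
                         m["state"] == "Enabled", m["name"])


def parse_report(text: str) -> List[PortException]:
    """Collect every GloballyOpenPorts entry from OTL's Security Center section."""
    entries: List[PortException] = []
    profile: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            profile = sec["profile"]      # DomainProfile / StandardProfile
            continue
        if line.startswith("["):
            profile = None                # some other registry key follows
            continue
        ent = ENTRY_RE.match(line) if profile else None
        parsed = parse_value(profile, ent["value"]) if ent else None
        if parsed:
            entries.append(parsed)
    return entries


def audit(entries: List[PortException]) -> List[str]:
    """Flag enabled exceptions open to any address, or not labelled as stock Windows ones."""
    findings = []
    for e in entries:
        if not e.enabled:
            continue                      # a disabled exception opens nothing
        if e.scope == "*":
            findings.append(f"{e.profile}: {e.port}/{e.proto} open to ANY address ({e.name})")
        if not e.name.startswith(STOCK_NAME_PREFIX):
            findings.append(f"{e.profile}: {e.port}/{e.proto} is not a stock exception ({e.name})")
    return findings


def defender_alert_is_real_change(alert_text: str) -> Optional[bool]:
    """True if port, protocol, scope or state differ between New: and Original:;
    False for a rewrite of an identical value; None if either value is absent."""
    m_new = re.search(r"New:\s*(?P<v>\S+)", alert_text)
    m_old = re.search(r"Original:\s*(?P<v>\S+)", alert_text)
    if not (m_new and m_old):
        return None
    new, old = parse_value("alert", m_new["v"]), parse_value("alert", m_old["v"])
    if new is None or old is None:
        return True                       # unparseable: do not assume it is harmless
    return (new.port, new.proto, new.scope, new.enabled) != (old.port, old.proto, old.scope, old.enabled)
```

Run against the sample report it reports only the four DomainProfile entries (file and printer sharing open to any address), and reports LinJo's 1900:UDP alert as no real change.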


#13 LinJo

LinJo
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:04 PM

Posted 21 January 2010 - 03:47 PM

Hi sundavis. Thanks for the reply.
1. Thanks for the Avira tip about putting in a timeout limit. The servers are still not responding well today,
so I did a manual update to be on the safer side.
2. I installed the Java RTE and cleared the Java cache.
3. I ran OTL with the code that you provided and the log is below.
Thanks!! \\LinJo

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-2551294104-1589364550-1331601642-1005\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
File Animation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab not found.
Starting removal of ActiveX control DirectAnimation Java Classes
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes

User: All Users

User: Amy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 134 bytes

User: Dada
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 5276161 bytes
->Java cache emptied: 2096 bytes

User: Danny
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Mama
->Temp folder emptied: 2227257 bytes
->Temporary Internet Files folder emptied: 18964981 bytes
->Java cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 3584 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Susie
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 134 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3715 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 632394 bytes
RecycleBin emptied: 3530 bytes

Total Files Cleaned = 26.00 mb


OTL by OldTimer - Version 3.1.25.2 log created on 01212010_150614

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


#14 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:12:04 PM

Posted 21 January 2010 - 10:51 PM

Hi LinJo,


Since the culprit is gone, your system appears clean now. If you have no remaining concerns about your pc, let's do some tidying up and you should be good to go.

Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the X and the /Uninstall, it needs to be there.



This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step2

Start OTL from your desktop.
  1. Double click OTL and let it run
  2. Then Click the Cleanup button.
  3. You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.


Please delete all the tools and logs we have used. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  2. Update all these programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  3. Backup your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here.


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!

#15 LinJo

LinJo
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:04 PM

Posted 23 January 2010 - 04:00 PM

Hi sundavis. Let me start by thanking you for all your help. You folks are wonderful to provide this kind of service.
Here's the final chapter of this virus problem:
1. Uninstalled ComboFix and OTL and the other tools.
2. Installed Acrobat Reader 9 (heard there was a security hole in older versions), installed Web of Trust.
3. Updated Avira, Windows Defender, Malwarebytes, Adaware - then ran scans. Avira and Malwarebytes detected and deleted old infected system restore points.

Everything seems to look good so far. I still need to do a scan with Secunia Software Inspector. After I post this note I will be doing a complete backup to an external hard drive.

I do have one more question about installing ERUNT - I haven't installed it. I've read that it also installs a registry optimizer that is dangerous and has wrecked some systems. What are your thoughts on this?

Thank you!!!!! \\LinJo

***** UPDATE JAN 23 9:00pm **** I had typed in a bunch of stuff with lots of details but somehow it all disappeared before I posted it. So this explanation is going to be brief this second time.

I spoke too soon. BSOD several times today. STOP:0x0000007e (ox0000005, 0xf7c1c900, 0xf7b86770, 0xf7b8646c) with no other error message or hint. I was able to boot into safe mode with networking, used the internet etc. Device manager had no problems. Event viewer had "The following boot-start or system-start driver(s) failed to load: avgio, avipbb, cdudf_xp, Fips, intelppm, ssmdrv". There also was an event from Windows Defender (this detection isn't in its history file though) in the system event log in Event Viewer: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\yljklu;file:C:\WINDOWS\SYSTEM32\DRIVERS\uqnfdcpq.sys Looks very virus-like to me. BTW this file and registry key are gone.
This detection was not made present to me by WD; like I said, it's not even in its own history file. This event occurred about 1 minute after Malwarebytes had found 4 detections in system restore points and Malwarebytes had rebooted the system. On the reboot, WD must have detected this.

After rebooting out of safe mode once or twice into normal mode the PC started. I don't dare shut it down again. I'm going to start an Avira scan and then a Malwarebytes scan.

Any ideas? Another virus attack? Thanks. \\Linda

Edited by LinJo, 23 January 2010 - 09:17 PM.




