
Search engine links redirecting


This topic is locked
20 replies to this topic

#1 Ivan DBA
Posted 14 January 2010 - 02:25 PM

In both IE and Firefox, no matter what search engine I use, sometimes when I click on a search result link, the browser gets redirected to a random site. Originally it was doing this every time, but after running Malwarebytes and deleting about 20 pieces of malware, it now only does it about one time in three.

Thank you very much in advance for any advice you can give!!

DDS Log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Christine Hoang at 8:52:10.50 on Thu 01/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2311 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe


++++++++++++++++++++++++++++

Root Repeal Report:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/01/14 09:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5163000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\mcafee_b0n4hnayq6lstnh
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_ezzudwtewe54xow
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_l1fyrxhgznfk4ek
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_cxr8z9h4lyuabab
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\mcmsc_okgVtBhTpppbmyl
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\mcmsc_okgVtBhTpppbmyl-journal
Status: Invisible to the Windows API!

Path: c:\windows\temp\mcafee_csr9lvntu7yit6q
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_au9emyobnxgfpuk
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_zzhsdyqv732uejj
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_yb5nd5bdcpz9odv
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_estboxmpvcs7tp4
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_2ucdsb216x5lunz
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\christine hoang\local settings\temp\~dfe535.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\christine hoang\local settings\temp\~dff31e.tmp
Status: Allocation size mismatch (API: 393216, Raw: 16384)

Path: c:\documents and settings\christine hoang\local settings\temp\~dff3b7.tmp
Status: Allocation size mismatch (API: 458752, Raw: 16384)

==EOF==
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Christine Hoang\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\4.0.266.0\npchrome_tab.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [<NO NAME>]
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Google Search
IE: &Search
IE: &Translate English Word
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Similar Pages
IE: Translate Page into English
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} - hxxp://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/57.11/uploader2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144111020264
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169980488406
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://company.kbklawyers.com/Remote/msrdp.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} - hxxps://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: cf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\4.0.266.0\npchrome_tab.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\christ~1\applic~1\mozilla\firefox\profiles\f0ds8mdx.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-7 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-2 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-7 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-7 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-17 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-7 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-7 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-7 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-7 40552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-26 135664]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-7 34248]

=============== Created Last 30 ================

2010-01-13 21:38:05 0 d-----w- c:\docume~1\christ~1\applic~1\Malwarebytes
2010-01-13 21:37:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 21:37:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-13 21:37:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-13 21:37:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-13 03:21:56 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2006-11-18 21:51:00 56 --sh--r- c:\windows\system32\B7B13DFC61.sys
2009-03-29 03:28:35 2568 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 8:56:27.09 ===============

Edited by Ivan DBA, 14 January 2010 - 03:51 PM.
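As an added triage example (not code from this thread, nor from the DDS or RootRepeal tools), the script below reads lines in the two log formats posted above and flags the entries a helper would look at first: autostart entries whose file is missing or unnamed, hidden+system files in system32, and RootRepeal paths that are invisible to the Windows API. The severity levels and matching rules are my own assumptions, and the sample lines are copied from the log in this post.

```python
import re

# Constructed sample: a few lines copied from the DDS log in post #1.
DDS_SAMPLE = """\
mRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [<NO NAME>]
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\\progra~1\\mcafee\\sitead~1\\mcieplg.dll
2009-10-21 05:38:36 75776 ----a-w- c:\\windows\\system32\\strmfilt.dll
2006-11-18 21:51:00 56 --sh--r- c:\\windows\\system32\\B7B13DFC61.sys
2009-03-29 03:28:35 2568 --sha-w- c:\\windows\\system32\\KGyGaAvL.sys
"""

# Constructed sample: Path/Status pairs copied from the RootRepeal report in post #1.
ROOTREPEAL_SAMPLE = """\
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\\windows\\temp\\sqlite_ezzudwtewe54xow
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\\WINDOWS\\Temp\\mcmsc_okgVtBhTpppbmyl
Status: Invisible to the Windows API!
"""

# DDS "Pseudo HJT" autostart lines: "<kind>: <name/CLSID> - <path>"
AUTOSTART_RE = re.compile(
    r"^(uRun|mRun|BHO|TB|EB|SSODL|SEH|StartupFolder|Handler|DPF):\s*(.*)$")
# DDS Created/Find3M file lines: "<date> <time> <size> <8-char attributes> <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-dshawr]{8})\s+(.+)$")
# Files Windows itself keeps open; RootRepeal reports these on every run.
EXPECTED_LOCKED = {"c:\\hiberfil.sys", "c:\\pagefile.sys"}


def triage_dds(text):
    """Return (severity, reason, line) tuples for DDS lines worth a second look."""
    findings = []
    for line in text.splitlines():
        m = AUTOSTART_RE.match(line)
        if m:
            kind, rest = m.groups()
            if rest.endswith("No File"):
                findings.append(("low", f"{kind} entry whose file is missing (orphan)", line))
            elif "<NO NAME>" in rest:
                findings.append(("low", f"{kind} entry with an empty name (verify)", line))
            elif "\\temp\\" in rest.lower():
                findings.append(("high", f"{kind} entry loading from a temp directory", line))
            continue
        m = FILE_RE.match(line)
        if m:
            _, _, attrs, path = m.groups()
            # 's' and 'h' in the attribute field mean system+hidden; such files in
            # system32 deserve a check, though DRM/licence stores can look like this.
            if "s" in attrs and "h" in attrs and "system32" in path.lower():
                findings.append(("medium", "hidden+system file in system32 (verify owner)", line))
    return findings


def triage_rootrepeal(text):
    """Pair each 'Path:' with its 'Status:' line and rate the RootRepeal finding."""
    findings = []
    path = None
    for line in text.splitlines():
        if line.startswith("Path: "):
            path = line[len("Path: "):].strip()
        elif line.startswith("Status: ") and path is not None:
            status = line[len("Status: "):].strip()
            if status.startswith("Invisible to the Windows API"):
                sev, why = "high", "hidden from the Windows API (rootkit-style hiding or AV self-protection)"
            elif status.startswith("Allocation size mismatch"):
                sev, why = "low", "size mismatch, common for files still being written (temp/sqlite)"
            elif status.startswith("Locked to the Windows API") and path.lower() in EXPECTED_LOCKED:
                sev, why = "info", "always locked by Windows (hibernation/page file)"
            else:
                sev, why = "medium", "unclassified status; review manually"
            findings.append((sev, why, path, status))
            path = None
    return findings


def summarize(findings):
    """Count findings per severity so the reviewer sees the shape of the log at a glance."""
    counts = {}
    for f in findings:
        counts[f[0]] = counts.get(f[0], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_dds(DDS_SAMPLE) + triage_rootrepeal(ROOTREPEAL_SAMPLE):
        print(" | ".join(f))
    print(summarize(triage_rootrepeal(ROOTREPEAL_SAMPLE)))
```

Every hit is a prompt to verify the file's owner and signature, not a verdict; the "Invisible" entry here sits under a McAfee-style prefix, which is exactly the kind of AV self-protection the rule's caveat refers to.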


#2 myrti
Posted 20 January 2010 - 04:27 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if a topic is not replied to, we assume it has been abandoned and it is closed.

regards, myrti



#3 Ivan DBA
Posted 24 January 2010 - 07:22 PM

Hi Myrti,

Thank you very much for your assistance! I've subscribed to this thread as you suggested, and I'm downloading OTL to run the diagnostic now. I'll post the results per your instructions ASAP.

Thanks!

#4 Ivan DBA


Posted 24 January 2010 - 07:44 PM

I've got a number of issues; the latter two are older and may be unrelated to the first two, which are more urgent.

1. When I do a search using Bing, Google, Yahoo, etc., sometimes I get redirected to random websites when I click on the search result links. This problem just started a couple of weeks ago.

2. At one point last week, probably because of one of those websites I got redirected to, I had an infestation of trojans, including one that popped up a bogus infection warning when you log in, and when opening IE, along with a bogus anti-spyware installation button in the sys-tray. I very carefully did NOT click on any of these things or install anything like that, and I re-ran the Windows Live Scan, McAfee scan, and Malwarebytes scan. Between them these deleted about two dozen trojans and spyware (which had not been there the day before, because I had already run all those scans when the redirects started happening). This problem has not recurred.

3. The first time I open IE after turning on the computer each day, I get a system pop-up saying that IE's default search provider has been corrupted. It then changes the default from Google back to "Live Search," every time. I've had this problem for months.

4. My Sys-tray has always had the same set of 11 updates waiting to install. No matter how many times I tell it to install them, they are always still there, and I get a message saying they could not be installed. I've had this problem for months.

I am ONLY using this computer to try to fix this problem, and I'm turning it off when not doing so. I haven't run any scans or programs since I ran the diagnostics in my original post.

Here are the OTL results:

OTL logfile created on: 1/24/2010 6:24:29 PM - Run 1
OTL by OldTimer - Version 3.1.26.0 Folder = C:\Documents and Settings\Christine Hoang\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 74.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.80 Gb Total Space | 9.52 Gb Free Space | 13.64% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 189.92 Gb Total Space | 96.15 Gb Free Space | 50.63% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: 6P7DQ91
Current User Name: Christine Hoang
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/24 18:23:58 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Christine Hoang\Desktop\OTL.exe
PRC - [2009/12/08 14:25:28 | 00,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 10:23:32 | 00,262,160 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\VirusScan\mcvsshld.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/08/18 19:35:08 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/08/18 19:35:08 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 13:48:48 | 00,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/04/02 15:11:02 | 00,342,312 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/04/02 15:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/03/26 14:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/10/25 10:44:34 | 00,031,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2008/08/13 17:32:40 | 00,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2008/08/13 17:32:40 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/04 15:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/07/07 17:15:07 | 00,600,896 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
PRC - [2006/05/03 04:12:00 | 00,098,304 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe
PRC - [2005/09/08 05:20:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2005/08/04 04:02:58 | 00,380,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2005/03/22 23:20:44 | 00,339,968 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2005/01/12 15:54:58 | 00,241,664 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
PRC - [2005/01/12 15:54:56 | 00,135,168 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe


========== Modules (SafeList) ==========

MOD - [2010/01/24 18:23:58 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Christine Hoang\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/12/08 14:25:28 | 00,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/11/26 08:39:45 | 00,135,664 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/27 08:50:12 | 00,316,312 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\WINDOWS\Temp\0298741264378729mcinst.exe -- (0298741264378729mcinstcleanup) McAfee Application Installer Cleanup (0298741264378729)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/08/18 19:35:08 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 13:48:48 | 00,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc)
SRV - [2009/04/02 15:10:56 | 00,656,168 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/03/26 14:31:20 | 00,132,424 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/11/20 13:18:52 | 00,136,120 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/25 10:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/08/13 17:32:40 | 00,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2007/06/04 22:14:50 | 00,217,088 | ---- | M] (Hewlett-Packard Co.) [On_Demand | Running] -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)
SRV - [2007/06/04 22:14:50 | 00,131,072 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc)
SRV - [2007/03/07 16:47:46 | 00,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2007/01/04 15:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/11/08 17:35:38 | 00,053,248 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2006/11/08 17:35:36 | 00,043,520 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2005/08/04 04:02:58 | 00,380,928 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2004/11/19 11:26:40 | 00,147,456 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - [2009/09/16 09:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 11:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/05/09 00:14:20 | 00,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/03/26 14:23:46 | 00,036,864 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/03/19 15:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/11/20 13:19:06 | 00,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/04/13 12:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 12:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 10:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/03/08 13:20:50 | 00,021,568 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2007/03/08 13:20:49 | 00,016,496 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2007/03/08 13:20:48 | 00,049,920 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2007/02/25 13:10:48 | 00,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 17:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/06/30 02:51:21 | 00,021,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\point32.sys -- (Point32)
DRV - [2005/11/16 21:36:00 | 01,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/09/12 03:30:00 | 00,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/09/08 05:20:00 | 00,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 05:20:00 | 00,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 05:20:00 | 00,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 05:20:00 | 00,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 05:20:00 | 00,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 05:20:00 | 00,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 05:20:00 | 00,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 12:16:52 | 00,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 12:16:16 | 00,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/12 05:20:00 | 00,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/08/04 04:10:18 | 01,273,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/10/14 21:30:46 | 00,155,648 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [2004/08/10 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/03 22:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/11/17 21:59:20 | 00,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 21:58:02 | 00,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 21:56:26 | 01,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/04/09 18:48:08 | 00,011,043 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2001/08/17 14:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 13:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cl...&channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://www.google.com/ig/dell?hl=en&cl...&channel=us


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cl...&channel=us
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en&cl...&channel=us
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cl...&channel=us
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en&cl...&channel=us
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-3335849523-3734604731-3948078156-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cl...&channel=us
IE - HKU\S-1-5-21-3335849523-3734604731-3948078156-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3335849523-3734604731-3948078156-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-3335849523-3734604731-3948078156-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3335849523-3734604731-3948078156-1005\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-3335849523-3734604731-3948078156-1005\S-1-5-21-3335849523-3734604731-3948078156-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3335849523-3734604731-3948078156-1005\S-1-5-21-3335849523-3734604731-3948078156-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/01/14 00:58:58 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/05/06 09:08:21 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/18 19:35:35 | 00,000,000 | ---D | M]

[2008/08/27 09:39:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Christine Hoang\Application Data\Mozilla\Extensions
[2010/01/14 18:36:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Christine Hoang\Application Data\Mozilla\Firefox\Profiles\f0ds8mdx.default\extensions
[2008/03/19 11:40:54 | 00,001,406 | ---- | M] () -- C:\Documents and Settings\Christine Hoang\Application Data\Mozilla\Firefox\Profiles\f0ds8mdx.default\searchplugins\siteadvisor.gif
[2008/03/19 11:40:54 | 00,000,276 | ---- | M] () -- C:\Documents and Settings\Christine Hoang\Application Data\Mozilla\Firefox\Profiles\f0ds8mdx.default\searchplugins\siteadvisor.src
[2008/03/19 11:40:48 | 00,002,386 | ---- | M] () -- C:\Documents and Settings\Christine Hoang\Application Data\Mozilla\Firefox\Profiles\f0ds8mdx.default\searchplugins\siteadvisor.xml
[2010/01/14 18:36:26 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2006/01/18 11:50:00 | 00,319,488 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
[2007/04/16 11:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2004/08/10 05:00:00 | 00,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (HP Print Clips) - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (ChromeFrame BHO) - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files\Google\Chrome Frame\Application\4.0.295.0\npchrome_frame.dll (@COMPANY_FULLNAME@)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKU\S-1-5-21-3335849523-3734604731-3948078156-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\James Hughes\Start Menu\Programs\StartUp\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\James Hughes\Start Menu\Programs\StartUp\OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3335849523-3734604731-3948078156-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-3335849523-3734604731-3948078156-1005\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKU\S-1-5-21-3335849523-3734604731-3948078156-1005\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3335849523-3734604731-3948078156-1005\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} http://download.mcafee.com/molbin/Shared/C...22/ComCtl32.cab (Microsoft ProgressBar Control, version 5.0 (SP2))
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} http://picasaweb.google.com/s/v/57.11/uploader2.cab (UploadListView Class)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www.costcophotocenter.com/CostcoActivia.cab (Snapfish Activia)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab (McAfee.com Operating System Class)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/Facebo...toUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1144111020264 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1169980488406 (MUWebControl Class)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} https://company.kbklawyers.com/Remote/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab (DDRevision Class)
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} https://www4.lsac.org/LSACD_XMLWebServices/...iveX/ofmctl.cab (OmniForm Form Control)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.93.41.127 24.93.41.128
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\cf {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files\Google\Chrome Frame\Application\4.0.295.0\npchrome_frame.dll (@COMPANY_FULLNAME@)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Christine Hoang\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Christine Hoang\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 04:43:04 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/24 18:23:48 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Christine Hoang\Desktop\OTL.exe
[2010/01/24 18:18:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/01/14 08:52:14 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Christine Hoang\Desktop\RootRepeal.exe
[2010/01/13 15:38:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Christine Hoang\Application Data\Malwarebytes
[2010/01/13 15:37:49 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/13 15:37:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/13 15:37:45 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/13 15:37:45 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/12 21:21:56 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/12/11 20:46:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/11/30 20:36:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/11/26 08:39:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/09/29 05:05:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2009/09/25 08:56:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/04/19 20:06:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2008/12/07 00:00:11 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/08/01 17:09:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\SupportSoft
[2008/01/23 15:08:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/10/19 19:38:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2005/08/16 04:30:12 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[12 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/24 18:23:58 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Christine Hoang\Desktop\OTL.exe
[2010/01/24 18:16:24 | 00,035,423 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/01/24 18:12:13 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/24 18:10:06 | 00,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/24 18:09:42 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/24 18:09:37 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/24 18:09:34 | 32,192,79872 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/22 22:47:39 | 04,980,736 | ---- | M] () -- C:\Documents and Settings\Christine Hoang\NTUSER.DAT
[2010/01/22 22:45:54 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Christine Hoang\ntuser.ini
[2010/01/22 22:44:12 | 00,000,904 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/21 11:15:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/16 15:12:41 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\32662.exe
[2010/01/16 14:52:39 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\27644.exe
[2010/01/16 14:32:37 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\25547.exe
[2010/01/16 14:12:35 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\6868.exe
[2010/01/16 13:52:32 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\28253.exe
[2010/01/16 13:32:30 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\7711.exe
[2010/01/16 13:12:28 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\15141.exe
[2010/01/16 12:52:26 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\4664.exe
[2010/01/16 12:32:23 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\17673.exe
[2010/01/16 12:12:21 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\30333.exe
[2010/01/16 11:52:19 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\31322.exe
[2010/01/16 11:32:16 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\23811.exe
[2010/01/16 11:12:14 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\28703.exe
[2010/01/16 10:52:12 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\9894.exe
[2010/01/16 10:32:10 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\17035.exe
[2010/01/16 10:12:07 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\26299.exe
[2010/01/16 09:52:05 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\25667.exe
[2010/01/16 09:32:03 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\19912.exe
[2010/01/16 09:12:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\1869.exe
[2010/01/16 08:52:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\11538.exe
[2010/01/16 08:32:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\14771.exe
[2010/01/16 08:12:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\21726.exe
[2010/01/16 07:52:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\5447.exe
[2010/01/16 07:32:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\19895.exe
[2010/01/16 07:12:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\19718.exe
[2010/01/16 06:52:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\18716.exe
[2010/01/16 06:32:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\17421.exe
[2010/01/16 06:12:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\12382.exe
[2010/01/16 05:52:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\292.exe
[2010/01/16 05:32:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\153.exe
[2010/01/16 05:12:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\3902.exe
[2010/01/16 04:52:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\14604.exe
[2010/01/16 04:31:43 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\32391.exe
[2010/01/16 04:11:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\5436.exe
[2010/01/16 03:51:08 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\4827.exe
[2010/01/16 03:30:51 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\11942.exe
[2010/01/16 03:10:33 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\2995.exe
[2010/01/16 02:50:16 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\491.exe
[2010/01/16 02:29:59 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\9961.exe
[2010/01/16 02:09:42 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\16827.exe
[2010/01/16 01:49:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\23281.exe
[2010/01/16 01:29:07 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\28145.exe
[2010/01/16 01:08:50 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\5705.exe
[2010/01/16 00:48:33 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\24464.exe
[2010/01/16 00:28:15 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\26962.exe
[2010/01/16 00:07:58 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\29358.exe
[2010/01/15 23:47:41 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\11478.exe
[2010/01/15 23:27:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\15724.exe
[2010/01/15 23:07:06 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\19169.exe
[2010/01/15 22:46:49 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\26500.exe
[2010/01/15 22:26:10 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\6334.exe
[2010/01/15 22:06:10 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\18467.exe
[2010/01/15 18:30:00 | 00,000,370 | ---- | M] () -- C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (6P7DQ91-Christine Hoang).job
[2010/01/14 08:59:58 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Christine Hoang\Desktop\settings.dat
[2010/01/14 08:52:22 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Christine Hoang\Desktop\RootRepeal.exe
[2010/01/14 08:50:35 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Christine Hoang\Desktop\dds.scr
[2010/01/14 08:37:53 | 00,781,909 | ---- | M] () -- C:\Documents and Settings\Christine Hoang\Desktop\RSIT.exe
[2010/01/13 21:49:54 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/13 15:37:53 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/13 00:11:47 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[12 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/16 15:12:41 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\32662.exe
[2010/01/16 14:52:39 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\27644.exe
[2010/01/16 14:32:37 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\25547.exe
[2010/01/16 14:12:35 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\6868.exe
[2010/01/16 13:52:32 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\28253.exe
[2010/01/16 13:32:30 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\7711.exe
[2010/01/16 13:12:28 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\15141.exe
[2010/01/16 12:52:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\4664.exe
[2010/01/16 12:32:23 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\17673.exe
[2010/01/16 12:12:21 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\30333.exe
[2010/01/16 11:52:19 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\31322.exe
[2010/01/16 11:32:16 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\23811.exe
[2010/01/16 11:12:14 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\28703.exe
[2010/01/16 10:52:12 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\9894.exe
[2010/01/16 10:32:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\17035.exe
[2010/01/16 10:12:07 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\26299.exe
[2010/01/16 09:52:05 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\25667.exe
[2010/01/16 09:32:03 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\19912.exe
[2010/01/16 09:12:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\1869.exe
[2010/01/16 08:52:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\11538.exe
[2010/01/16 08:32:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\14771.exe
[2010/01/16 08:12:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\21726.exe
[2010/01/16 07:52:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\5447.exe
[2010/01/16 07:32:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\19895.exe
[2010/01/16 07:12:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\19718.exe
[2010/01/16 06:52:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\18716.exe
[2010/01/16 06:32:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\17421.exe
[2010/01/16 06:12:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\12382.exe
[2010/01/16 05:52:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\292.exe
[2010/01/16 05:32:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\153.exe
[2010/01/16 05:12:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\3902.exe
[2010/01/16 04:52:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\14604.exe
[2010/01/16 04:31:43 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\32391.exe
[2010/01/16 04:11:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\5436.exe
[2010/01/16 03:51:08 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\4827.exe
[2010/01/16 03:30:51 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\11942.exe
[2010/01/16 03:10:33 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\2995.exe
[2010/01/16 02:50:16 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\491.exe
[2010/01/16 02:29:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\9961.exe
[2010/01/16 02:09:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\16827.exe
[2010/01/16 01:49:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\23281.exe
[2010/01/16 01:29:07 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\28145.exe
[2010/01/16 01:08:50 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\5705.exe
[2010/01/16 00:48:33 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\24464.exe
[2010/01/16 00:28:15 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\26962.exe
[2010/01/16 00:07:58 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\29358.exe
[2010/01/15 23:47:41 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\11478.exe
[2010/01/15 23:27:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\15724.exe
[2010/01/15 23:07:06 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\19169.exe
[2010/01/15 22:46:49 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\26500.exe
[2010/01/15 22:26:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\6334.exe
[2010/01/15 22:06:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\18467.exe
[2010/01/14 08:59:58 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Christine Hoang\Desktop\settings.dat
[2010/01/14 08:50:27 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Christine Hoang\Desktop\dds.scr
[2010/01/14 08:37:47 | 00,781,909 | ---- | C] () -- C:\Documents and Settings\Christine Hoang\Desktop\RSIT.exe
[2010/01/13 15:37:52 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/08/03 02:01:19 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2008/08/03 02:00:17 | 00,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2008/08/03 02:00:16 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2007/09/13 02:33:25 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/08/20 18:26:52 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/08/20 18:26:52 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2007/08/15 16:30:26 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/06/18 18:36:12 | 00,000,067 | ---- | C] () -- C:\WINDOWS\VideoConvert.INI
[2007/02/22 22:29:56 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/01/29 05:03:12 | 00,003,732 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/01/03 12:24:36 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/01/03 12:22:46 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/01/03 12:22:14 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/09/26 08:51:49 | 00,002,568 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/08/30 21:04:22 | 00,000,654 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/06/25 10:32:22 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\mpglib.dll
[2006/05/11 09:02:57 | 00,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/04/09 17:29:56 | 00,000,056 | RHS- | C] () -- C:\WINDOWS\System32\B7B13DFC61.sys
[2006/04/09 16:49:22 | 00,004,511 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/04/04 08:50:02 | 00,061,678 | ---- | C] () -- C:\Documents and Settings\Christine Hoang\Application Data\PFP120JPR.{PB
[2006/04/04 08:50:02 | 00,012,358 | ---- | C] () -- C:\Documents and Settings\Christine Hoang\Application Data\PFP120JCM.{PB
[2006/04/03 18:22:58 | 00,000,138 | ---- | C] () -- C:\Documents and Settings\Christine Hoang\Local Settings\Application Data\fusioncache.dat
[2006/03/27 09:52:03 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/03/27 09:48:29 | 00,000,124 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/03/27 09:15:04 | 00,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 08:56:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 04:37:24 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 04:18:33 | 01,288,192 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
[2005/08/05 14:01:54 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/01/05 01:30:18 | 00,565,248 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
< End of report >

------

Extras Report:

OTL Extras logfile created on: 1/24/2010 6:24:29 PM - Run 1
OTL by OldTimer - Version 3.1.26.0 Folder = C:\Documents and Settings\Christine Hoang\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 74.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.80 Gb Total Space | 9.52 Gb Free Space | 13.64% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 189.92 Gb Total Space | 96.15 Gb Free Space | 50.63% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: 6P7DQ91
Current User Name: Christine Hoang
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3335849523-3734604731-3948078156-1005\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~4\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found
"C:\Program Files\THQ\Dawn Of War\W40k.exe" = C:\Program Files\THQ\Dawn Of War\W40k.exe:*:Enabled:W40k -- (THQ Canada Inc.)
"C:\Program Files\THQ\Dawn Of War\W40kWA.exe" = C:\Program Files\THQ\Dawn Of War\W40kWA.exe:*:Enabled:W40kWA -- (THQ Canada Inc.)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- File not found
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe" = C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:*:Enabled:Star Wars™: Empire at War™ -- (Lucasfilm Entertainment Company, Ltd.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- File not found
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- File not found
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Vuze\Azureus.exe" = C:\Program Files\Vuze\Azureus.exe:*:Disabled:Azureus -- File not found
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{001E7FB6-BB6B-4ED0-BEDC-B5404ED96D4E}" = DocProc
"{008739FA-4232-45BE-A58B-00B1C6998BFD}" = Costco Photo Organizer
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{0FABD3D7-3036-4e78-B29D-58957ADB0A12}" = HP PSC & OfficeJet 3.5
"{10E1E87C-656C-4D08-86D6-5443D28583BE}" = TrayApp
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{133CD5EF-A4A1-442a-8D50-910B5DEF76BD}" = 4200_Help
"{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{22466889-7642-488d-AA0E-F619704CF7AB}" = DeviceDiscovery
"{24C8FBF7-26C6-48ca-834B-A4E5C09E362F}" = AiO_Scan
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 15
"{29B50D30-EAFC-4cea-9F76-3A0E3729E9B0}" = SkinsHP1
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{300D9EF4-2721-4cb4-A6C3-FB2337CFEA2D}" = AIOMinimal
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{34611BCF-3157-405b-A34E-879C7DC79142}" = 4200
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers
"{38B39865-D988-4945-9A22-6107B8B40953}" = C4200
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{415B8A4E-0EA2-4C69-975C-EEE07B837FD7}" = Unload
"{415CDA53-9100-476F-A7B2-476691E117C7}" = HP Smart Web Printing
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{44A537A5-859C-43A6-8285-C0668142A090}" = iPod for Windows 2005-03-23
"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon
"{48242276-DB89-42e8-9678-BD4280D7B99A}" = Copy
"{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}" = HPSSupply
"{4CCC7F68-A437-4559-A840-F5E010934951}" = HP Driver Diagnostics
"{50CE21D8-0F44-4f3f-A392-7F9AD3194DEF}" = PS_AIO_Software
"{5421155F-B033-49DB-9B33-8F80F233D4D5}" = GdiplusUpgrade
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{56E78A0A-C795-4A62-B0A1-B7DCDE1519A5}" = Quick View Plus (Standalone Full Client)
"{57C7C46A-D35D-492d-A328-4F8C9B5B4B52}" = PrintScreen
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}" = iTunes
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{639858DD-4966-40F3-A706-7C838BCF3A2B}" = MaxBlast 4
"{63F2408D-A675-4d97-A256-70EACB6B9B4A}" = AiOSoftware
"{68A2A8FC-2CA0-4b6c-BE09-CC7ABE2A8DDC}" = 4200Trb
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C117F31-28A8-4477-BE91-64AC0A2204AD}" = Microsoft IntelliPoint 6.01
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}" = EarthLink setup files
"{745A92AF-53B4-41A7-91C3-9B026B1D5897}" = InstantShare
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{75852F49-2CAF-443F-B7C2-53DE5847DE56}" = OpenOffice.org 2.0
"{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}" = overland
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{7E33F78B-E29C-4946-AC6B-047E0AE93932}" = S.M.A.R.T.
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01
"{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01
"{83F12F73-D52E-40C0-93B1-463C311C4E17}" = Warhammer 40,000: Dawn Of War - Gold Edition
"{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel® PROSet for Wired Connections
"{8641C1CB-03B3-41d4-8DEC-79826A4B5C0E}" = HP Photosmart All-In-One Software 8.0
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{88908767-B7AD-4b0d-ACBC-FBCCF2761D31}" = HP Photosmart All-In-One Software 9.0
"{8A9B8148-DDD7-448F-BD6C-358386D32354}" = Corel Photo Album 6
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{99AE7207-8612-4DBA-A8F8-BAE5C633390D}" = Star Wars Empire at War
"{9A0DCD97-9648-45ed-A52C-133C728AB2FF}" = 4200Tour
"{9B03C535-3AEA-4ef2-B326-0A01A2207034}" = CreativeProjects
"{A2500497-FD32-493e-B8E5-28D6728DBEF5}" = Readme
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A683A2C0-821C-486F-858C-FA634DB5E864}" = EducateU
"{AB40272D-92AB-4F30-B36B-22EDE16F8FE5}" = HP Update
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.6
"{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{AF226123-1A6F-4ec1-8DEF-E35E7A0D0127}" = Fax
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{AFA20D47-69C3-4030-8DF8-D37466E70F13}" = Apple Mobile Device Support
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B09BCBF6-87EE-4403-A336-3A9510856535}" = HP Photosmart All-In-One Software 9.0
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B668B2B8-70D4-4754-A890-17C1DDDA9418}" = PS_AIO_Software_min
"{BC339BFD-F550-471a-8D26-4D08126C62F7}" = SkinsHP2
"{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C716522C-3731-4667-8579-40B098294500}" = Toolbox
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CBE3E0AF-73BB-4c21-8B96-B09E003EDE7F}" = QuickProjects
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
"{D186329B-1B4D-408D-ABEC-EA5CE1F182C9}" = Overland
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D8B7A682-20DA-4797-8415-B1FB14D4D32B}" = PS_AIO_Software
"{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}" = Search Assist
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{E28750A2-45F2-4b63-99F7-9F81A94B1E2D}" = PS_AIO_Software_min
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E65CA2A8-1F2A-4400-AE55-FFD43D3B6980}" = c4200_Help
"{E68C446D-D95A-4160-AC39-DE7062422985}" = OLYMPUS Master 2
"{E8BFBD0A-8002-4dc9-869C-E495FA9DCE7A}" = PhotoGallery
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE
"{FD8D8B04-BEAD-4A55-AA1D-62D2373E7DEA}" = Status
"{FE0C305A-37EE-4499-B4CF-0182E37B20C4}" = PS_AIO_ProductContext
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Age of Wonders II" = Age of Wonders II
"AIM_6" = AIM 6
"AIMONE Video Converter_is1" = AIMONE Video Converter 1.61
"ATI Display Driver" = ATI Display Driver
"AVI MPEG RM WMV Joiner_is1" = AVI/MPEG/RM/WMV Joiner 4.82
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"CDisplay_is1" = CDisplay 1.8
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"End Of Atlantis_is1" = End Of Atlantis
"ENTERPRISER" = Microsoft Office Enterprise 2007
"ESPNMotion" = ESPNMotion
"Google Chrome Frame" = Google Chrome Frame
"HP Imaging Device Functions" = HP Imaging Device Functions 9.0
"HP Photo & Imaging" = HP Image Zone 3.5
"HP Photosmart Essential" = HP Photosmart Essential 2.01
"HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
"HPExtendedCapabilities" = HP Customer Participation Program 9.0
"HPOCR" = HP OCR Software 9.0
"ie8" = Windows Internet Explorer 8
"InstallShield_{44A537A5-859C-43A6-8285-C0668142A090}" = iPod for Windows 2005-03-23
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Uninstall Utility" = McAfee Uninstaller
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mother Of All Battles_is1" = Mother Of All Battles 3.2
"Mozilla Firefox (3.0.10)" = Mozilla Firefox (3.0.10)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"Pdf995" = Pdf995
"Picasa 3" = Picasa 3
"PROSet" = Intel® PRO Network Connections Drivers
"RealPlayer 6.0" = RealPlayer
"Slay_is1" = Slay 5.0
"StreetPlugin" = Learn2 Player (Uninstall Only)
"TurboTax Deluxe Deduction Maximizer 2006" = TurboTax Deluxe Deduction Maximizer 2006
"ViewpointMediaPlayer" = Viewpoint Media Player
"Walmart MP3 Music Downloads" = Walmart MP3 Music Downloads
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WebCyberCoach_wtrb" = WebCyberCoach 3.2 Dell
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xfire" = Xfire (remove only)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/24/2010 8:11:03 PM | Computer Name = 6P7DQ91 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/24/2010 8:11:03 PM | Computer Name = 6P7DQ91 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/24/2010 8:11:03 PM | Computer Name = 6P7DQ91 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/24/2010 8:11:03 PM | Computer Name = 6P7DQ91 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/24/2010 8:11:03 PM | Computer Name = 6P7DQ91 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/24/2010 8:12:01 PM | Computer Name = 6P7DQ91 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 1/24/2010 8:16:10 PM | Computer Name = 6P7DQ91 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 1/24/2010 8:16:10 PM | Computer Name = 6P7DQ91 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/24/2010 8:16:10 PM | Computer Name = 6P7DQ91 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/24/2010 8:16:10 PM | Computer Name = 6P7DQ91 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ OSession Events ]
Error - 6/21/2009 2:58:38 AM | Computer Name = 6P7DQ91 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 8
seconds with 0 seconds of active time. This session ended with a crash.

Error - 6/21/2009 2:58:46 AM | Computer Name = 6P7DQ91 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 5
seconds with 0 seconds of active time. This session ended with a crash.

Error - 6/21/2009 2:58:55 AM | Computer Name = 6P7DQ91 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 4
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/1/2009 10:21:46 PM | Computer Name = 6P7DQ91 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 9
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/1/2009 10:21:58 PM | Computer Name = 6P7DQ91 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 5
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/1/2009 10:22:07 PM | Computer Name = 6P7DQ91 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 6
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/1/2009 10:22:17 PM | Computer Name = 6P7DQ91 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/30/2009 2:26:43 AM | Computer Name = 6P7DQ91 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 10
seconds with 0 seconds of active time. This session ended with a crash.

Error - 11/8/2009 12:32:39 PM | Computer Name = 6P7DQ91 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 63229
seconds with 0 seconds of active time. This session ended with a crash.

Error - 1/11/2010 2:05:01 AM | Computer Name = 6P7DQ91 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 57996
seconds with 180 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 1/23/2010 12:48:37 AM | Computer Name = 6P7DQ91 | Source = DCOM | ID = 10001
Description = Unable to start a DCOM Server: {6A972E27-93E2-4F98-8367-4101B2073814}
as /. The error: "%233" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
-Embedding

Error - 1/24/2010 8:10:02 PM | Computer Name = 6P7DQ91 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/24/2010 8:10:02 PM | Computer Name = 6P7DQ91 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/24/2010 8:11:07 PM | Computer Name = 6P7DQ91 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 1/24/2010 8:11:07 PM | Computer Name = 6P7DQ91 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 1/24/2010 8:11:07 PM | Computer Name = 6P7DQ91 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 1/24/2010 8:11:07 PM | Computer Name = 6P7DQ91 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 1/24/2010 8:11:36 PM | Computer Name = 6P7DQ91 | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 1/24/2010 8:14:02 PM | Computer Name = 6P7DQ91 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 1/24/2010 8:14:02 PM | Computer Name = 6P7DQ91 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.


< End of report >


#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home

Posted 24 January 2010 - 08:35 PM

Hi,

please also run a scan with gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#6 Ivan DBA

Ivan DBA
  • Topic Starter

  • Members
  • 11 posts

Posted 25 January 2010 - 08:45 AM

I'm having serious trouble running GMER.

Every time I have it start scanning, it freezes up shortly after starting, while scanning the system 32/driver files. Usually it freezes on an Atapi driver, which perhaps coincidentally is flagged by GMER's quick scan as "suspicious modification." In fact, it freezes up so badly that ctrl-alt-delete doesn't work at all. (It is working at other times.)

This happens regardless of whether or not I have disabled McAfee's real-time protection. I'm not aware of any other real-time protection on my PC.

I attempted to run in safe mode, but I can't get it to boot up successfully in safe mode. Every time, as it is loading the drivers, I get the blue screen of death.

#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home

Posted 25 January 2010 - 09:16 AM

Hi,

if you can not run gmer please run mbr and rootrepeal instead:

  • Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.

As well as rootrepeal:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.

regards myrti



#8 Ivan DBA

Ivan DBA
  • Topic Starter

  • Members
  • 11 posts

Posted 25 January 2010 - 07:56 PM

I'm not sure if I was able to run MBR correctly, I don't know any DOS commands anymore.

When I did the Start > Run command, the Dos Prompt that came up was "C:\Documents and Settings\Christine Hoang>"

I then typed in exactly what was in bold in the instructions: "c:\mbr.exe -t >"C:\mbr.log""
When I did so, it just went back to the same DOS prompt, nothing else seemed to happen.

I tried typing just "C:\mbr.log", and the following txt file was saved in the root directory, and also popped up:
-------------------------

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AEE7841]<<
kernel: MBR read successfully
user & kernel MBR OK

---------------------

I'm not sure if that's the right report or not.

I'm running the Root Repeal scan now, I'll post the result as soon as it's done.

Thank you!!



#9 Ivan DBA

Ivan DBA
  • Topic Starter

  • Members
  • 11 posts

Posted 25 January 2010 - 09:02 PM

Root Repeal:

__________

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/25 18:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: mbr.sys
Image Path: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\mbr.sys
Address: 0xB499E000 Size: 20864 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB88D6000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\modemlog_conexant d850 56k v.9x dfvc modem.txt
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_ihfvkbjduun4m0c
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_xih3mjtldfkvuke
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_5xccu7du7zwamla
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_zfdbq9saszjkwyd
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_rieloybbxqitnxx
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_ugq2qnc9bcq8hgn
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_w6y7aai9v51sczb
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_egw5d5gjftbv5h7
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_envufbxodarrfly
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_3dtypgkdcg6ptle
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_6wohrgwuuqr6hod
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_l77rqinhgjccy4l
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_5urlmxfwdn2tqsn
Status: Allocation size mismatch (API: 4096, Raw: 0)

==EOF==

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home

Posted 25 January 2010 - 09:20 PM

Hi,

the mbr log looks as I expected it. It suggests that you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

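The indicator myrti reads from the mbr.exe output posted in #8 can be checked mechanically. The parser below is an added example, not part of this thread and not code from GMER or mbr.exe: it takes the report text exactly as posted, plus a constructed clean report for comparison (its module chain is an assumption for illustration), and flags unnamed code in the disk driver call chain as well as any MBR read or compare failure.

```python
"""Parse the text report written by GMER's mbr.exe (-t) and pull out the
indicators a forum helper reads from it.  Added example, not part of this
thread and not code from GMER; the clean report below is constructed."""
import re
from dataclasses import dataclass, field

# Report exactly as posted in reply #8 of this thread.
POSTED_REPORT = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AEE7841]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

# Constructed report for a machine with nothing unusual in the disk stack
# (module names are an assumption for illustration, not from the thread).
CLEAN_REPORT = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
kernel: MBR read successfully
user & kernel MBR OK
"""

# mbr.exe prints code it cannot attribute to a loaded driver as >>UNKNOWN [addr]<<
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass
class MbrFindings:
    modules: list = field(default_factory=list)            # named drivers in the call chain
    unknown_addresses: list = field(default_factory=list)  # addresses of unattributed code
    user_mbr_read: bool = False    # MBR read through the Win32 API succeeded
    kernel_mbr_read: bool = False  # MBR read by the tool's driver succeeded
    mbr_match: bool = False        # both views of sector 0 agree


def parse_mbr_report(text):
    """Extract the status lines and the 'called modules' chain from the report."""
    f = MbrFindings()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            chain = line.split(":", 1)[1]
            f.unknown_addresses = UNKNOWN_RE.findall(chain)
            f.modules = UNKNOWN_RE.sub(" ", chain).split()
        elif line.startswith("user: MBR read successfully"):
            f.user_mbr_read = True
        elif line.startswith("kernel: MBR read successfully"):
            f.kernel_mbr_read = True
        elif line.startswith("user & kernel MBR OK"):
            f.mbr_match = True
    return f


def assess(findings):
    """Return the reasons the report should be treated as a rootkit indicator
    (empty list when nothing in it warrants follow-up)."""
    reasons = []
    for addr in findings.unknown_addresses:
        reasons.append(
            f"code at {addr} in the disk I/O chain belongs to no loaded driver")
    if not (findings.user_mbr_read and findings.kernel_mbr_read):
        reasons.append("the MBR could not be read from both user and kernel mode")
    elif not findings.mbr_match:
        reasons.append("user-mode and kernel-mode views of the MBR differ")
    return reasons


if __name__ == "__main__":
    for label, report in (("posted", POSTED_REPORT), ("clean", CLEAN_REPORT)):
        found = parse_mbr_report(report)
        print(label, "chain:", " -> ".join(found.modules))
        for reason in assess(found) or ["no indicator"]:
            print("   ", reason)
```

Note what the posted report does and does not say: the MBR itself reads identically from user and kernel mode, so the boot sector is not the finding. The finding is the `>>UNKNOWN [0x8AEE7841]<<` entry after disk.sys, code in the disk I/O path that belongs to no loaded driver, which is why the helper still treats the machine as rootkit-infected and is consistent with GMER flagging the atapi driver in #6.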


#11 Ivan DBA

Ivan DBA
  • Topic Starter

  • Members
  • 11 posts

Posted 26 January 2010 - 04:53 PM

If it's okay, I'd like to try to clean it, at least until I can migrate the files elsewhere, and not do any financial stuff on it in the meantime!!

Here's the combofix report--One good sign, safe mode works after combofix installed the windows restore console.

ComboFix 10-01-25.06 - Christine Hoang 01/26/2010 15:09:34.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2773 [GMT -6:00]
Running from: c:\documents and settings\Christine Hoang\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\kb913800.exe
c:\windows\system32\11478.exe
c:\windows\system32\11538.exe
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\15141.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\17035.exe
c:\windows\system32\17421.exe
c:\windows\system32\17673.exe
c:\windows\system32\18467.exe
c:\windows\system32\1869.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\19912.exe
c:\windows\system32\21726.exe
c:\windows\system32\23281.exe
c:\windows\system32\23811.exe
c:\windows\system32\24464.exe
c:\windows\system32\25547.exe
c:\windows\system32\25667.exe
c:\windows\system32\26299.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\27644.exe
c:\windows\system32\28145.exe
c:\windows\system32\28253.exe
c:\windows\system32\28703.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\30333.exe
c:\windows\system32\31322.exe
c:\windows\system32\32391.exe
c:\windows\system32\32662.exe
c:\windows\system32\3902.exe
c:\windows\system32\4664.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\6868.exe
c:\windows\system32\7711.exe
c:\windows\system32\9894.exe
c:\windows\system32\9961.exe
c:\windows\system32\AutoRun.inf

.
((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))
.

2010-01-26 00:32 . 2010-01-26 00:32 77312 ----a-w- C:\mbr.exe
2010-01-15 10:27 . 2010-01-15 10:27 -------- d-----w- c:\documents and settings\James Hughes\Application Data\Malwarebytes
2010-01-13 21:38 . 2010-01-13 21:38 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-13 21:38 . 2010-01-13 21:38 -------- d-----w- c:\documents and settings\Christine Hoang\Application Data\Malwarebytes
2010-01-13 21:37 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 21:37 . 2010-01-13 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-13 21:37 . 2010-01-13 21:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-13 21:37 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-13 03:21 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 01:22 . 2009-01-15 04:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-16 03:50 . 2009-03-31 23:22 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-14 14:11 . 2009-12-01 23:35 -------- d-----w- c:\program files\Free Easy Word to Pdf Converter
2009-12-21 19:14 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-11-21 15:51 . 2005-08-16 10:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-21 04:41 . 2009-11-21 04:41 79488 ----a-w- c:\documents and settings\Christine Hoang\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-13 22:57 . 2009-11-13 22:57 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-11-13 22:57 . 2009-11-13 22:57 426496 ------w- c:\windows\system32\imapi2.dll
2006-11-18 21:51 . 2006-04-09 23:29 56 --sh--r- c:\windows\system32\B7B13DFC61.sys
2009-03-29 03:28 . 2006-09-26 14:51 2568 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-19 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

c:\documents and settings\James Hughes\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-7-14 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Christine Hoang^Start Menu^Programs^StartUp^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Christine Hoang\Start Menu\Programs\StartUp\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2006-02-09 22:34 106496 ----a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 18:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2008-08-13 23:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 17:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 03:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2008-11-07 18:50 54576 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/26/2009 8:39 AM 135664]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/2/2008 9:02 PM 93320]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/17/2008 7:29 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-26 14:39]

2010-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-26 14:39]

2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-08 17:22]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-08 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Google Search
IE: &Search
IE: &Translate English Word
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages
IE: Translate Page into English
Trusted Zone: turbotax.com
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/57.11/uploader2.cab
FF - ProfilePath - c:\documents and settings\Christine Hoang\Application Data\Mozilla\Firefox\Profiles\f0ds8mdx.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-01-26 15:31:04
ComboFix-quarantined-files.txt 2010-01-26 21:31

Pre-Run: 12,501,745,664 bytes free
Post-Run: 15,920,254,976 bytes free

- - End Of File - - F9A06C6BB13D2A4276B4EC98C296DB2C


#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home
  • Local time:12:10 AM

Posted 27 January 2010 - 10:05 AM

Hi,

It seems that ComboFix did not see all infections. Please run TDSSKiller next:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!



#13 Ivan DBA

Ivan DBA
  • Topic Starter

  • Members
  • 11 posts
  • Local time:04:10 PM

Posted 28 January 2010 - 04:23 PM

TDSSKiller Log:

15:21:56:156 3664 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
15:21:56:156 3664 ================================================================================
15:21:56:156 3664 SystemInfo:

15:21:56:156 3664 OS Version: 5.1.2600 ServicePack: 3.0
15:21:56:156 3664 Product type: Workstation
15:21:56:156 3664 ComputerName: 6P7DQ91
15:21:56:156 3664 UserName: Christine Hoang
15:21:56:156 3664 Windows directory: C:\WINDOWS
15:21:56:156 3664 Processor architecture: Intel x86
15:21:56:156 3664 Number of processors: 2
15:21:56:156 3664 Page size: 0x1000
15:21:56:156 3664 Boot type: Normal boot
15:21:56:156 3664 ================================================================================
15:21:56:171 3664 UnloadDriverW: NtUnloadDriver error 2
15:21:56:171 3664 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:21:56:171 3664 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
15:21:56:171 3664 UtilityInit: KLMD drop and load success
15:21:56:171 3664 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
15:21:56:171 3664 UtilityInit: KLMD open success
15:21:56:171 3664 UtilityInit: Initialize success
15:21:56:171 3664
15:21:56:171 3664 Scanning Services ...
15:21:56:171 3664 CreateRegParser: Registry parser init started
15:21:56:171 3664 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
15:21:56:171 3664 CreateRegParser: DisableWow64Redirection error
15:21:56:171 3664 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:21:56:171 3664 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
15:21:56:171 3664 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:21:56:171 3664 wfopen_ex: Trying to KLMD file open
15:21:56:171 3664 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
15:21:56:171 3664 wfopen_ex: File opened ok (Flags 2)
15:21:56:171 3664 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384E00
15:21:56:171 3664 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:21:56:171 3664 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
15:21:56:171 3664 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:21:56:171 3664 wfopen_ex: Trying to KLMD file open
15:21:56:171 3664 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
15:21:56:171 3664 wfopen_ex: File opened ok (Flags 2)
15:21:56:171 3664 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384C78
15:21:56:171 3664 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
15:21:56:171 3664 CreateRegParser: EnableWow64Redirection error
15:21:56:171 3664 CreateRegParser: RegParser init completed
15:21:56:734 3664 GetAdvancedServicesInfo: Raw services enum returned 382 services
15:21:56:734 3664 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:21:56:734 3664 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:21:56:734 3664
15:21:56:734 3664 Scanning Kernel memory ...
15:21:56:750 3664 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
15:21:56:750 3664 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AF6CA08
15:21:56:750 3664 DetectCureTDL3: KLMD_GetDeviceObjectList returned 8 DevObjects
15:21:56:750 3664
15:21:56:750 3664 DetectCureTDL3: DEVICE_OBJECT: 8A968AD8
15:21:56:750 3664 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A968AD8
15:21:56:750 3664 KLMD_ReadMem: Trying to ReadMemory 0x8A968AD8[0x38]
15:21:56:750 3664 DetectCureTDL3: DRIVER_OBJECT: 8AF6CA08
15:21:56:750 3664 KLMD_ReadMem: Trying to ReadMemory 0x8AF6CA08[0xA8]
15:21:56:750 3664 KLMD_ReadMem: Trying to ReadMemory 0xE1011E30[0x18]
15:21:56:750 3664 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:21:56:750 3664 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
15:21:56:750 3664 DetectCureTDL3: IrpHandler (1) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
15:21:56:750 3664 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
15:21:56:750 3664 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
15:21:56:750 3664 DetectCureTDL3: IrpHandler (5) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (6) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (7) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (8) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
15:21:56:750 3664 DetectCureTDL3: IrpHandler (10) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (11) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (12) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (13) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB
15:21:56:750 3664 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28
15:21:56:750 3664 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2
15:21:56:750 3664 DetectCureTDL3: IrpHandler (17) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (18) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (19) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (20) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (21) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82
15:21:56:750 3664 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E
15:21:56:750 3664 DetectCureTDL3: IrpHandler (24) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (25) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (26) addr: 804F4562
15:21:56:750 3664 TDL3_FileDetect: Processing driver: Disk
15:21:56:750 3664 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:56:750 3664 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:56:765 3664 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:21:56:765 3664
15:21:56:765 3664 DetectCureTDL3: DEVICE_OBJECT: 8A84DAB8
15:21:56:765 3664 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A84DAB8
15:21:56:765 3664 DetectCureTDL3: DEVICE_OBJECT: 8A99B8E8
15:21:56:765 3664 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A99B8E8
15:21:56:765 3664 DetectCureTDL3: DEVICE_OBJECT: 8A8EAEA0
15:21:56:765 3664 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A8EAEA0
15:21:56:765 3664 KLMD_ReadMem: Trying to ReadMemory 0x8A8EAEA0[0x38]
15:21:56:765 3664 DetectCureTDL3: DRIVER_OBJECT: 8A88C5E0
15:21:56:765 3664 KLMD_ReadMem: Trying to ReadMemory 0x8A88C5E0[0xA8]
15:21:56:765 3664 KLMD_ReadMem: Trying to ReadMemory 0xE18D8480[0x1E]
15:21:56:765 3664 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
15:21:56:765 3664 DetectCureTDL3: IrpHandler (0) addr: BA3A5218
15:21:56:765 3664 DetectCureTDL3: IrpHandler (1) addr: 804F4562
15:21:56:765 3664 DetectCureTDL3: IrpHandler (2) addr: BA3A5218
15:21:56:765 3664 DetectCureTDL3: IrpHandler (3) addr: BA3A523C
15:21:56:765 3664 DetectCureTDL3: IrpHandler (4) addr: BA3A523C
15:21:56:781 3664 DetectCureTDL3: IrpHandler (5) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (6) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (7) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (8) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (9) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (10) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (11) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (12) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (13) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (14) addr: BA3A5180
15:21:56:781 3664 DetectCureTDL3: IrpHandler (15) addr: BA3A09E6
15:21:56:781 3664 DetectCureTDL3: IrpHandler (16) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (17) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (18) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (19) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (20) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (21) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (22) addr: BA3A45F0
15:21:56:781 3664 DetectCureTDL3: IrpHandler (23) addr: BA3A2A6E
15:21:56:781 3664 DetectCureTDL3: IrpHandler (24) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (25) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (26) addr: 804F4562
15:21:56:781 3664 KLMD_ReadMem: Trying to ReadMemory 0xBA3A1F26[0x400]
15:21:56:781 3664 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
15:21:56:781 3664 TDL3_FileDetect: Processing driver: USBSTOR
15:21:56:781 3664 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:21:56:781 3664 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:21:56:781 3664 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
15:21:56:781 3664
15:21:56:781 3664 DetectCureTDL3: DEVICE_OBJECT: 8AF64C68
15:21:56:781 3664 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AF64C68
15:21:56:781 3664 KLMD_ReadMem: Trying to ReadMemory 0x8AF64C68[0x38]
15:21:56:781 3664 DetectCureTDL3: DRIVER_OBJECT: 8AF6CA08
15:21:56:781 3664 KLMD_ReadMem: Trying to ReadMemory 0x8AF6CA08[0xA8]
15:21:56:781 3664 KLMD_ReadMem: Trying to ReadMemory 0xE1011E30[0x18]
15:21:56:781 3664 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:21:56:781 3664 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
15:21:56:781 3664 DetectCureTDL3: IrpHandler (1) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
15:21:56:781 3664 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
15:21:56:781 3664 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
15:21:56:781 3664 DetectCureTDL3: IrpHandler (5) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (6) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (7) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (8) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
15:21:56:781 3664 DetectCureTDL3: IrpHandler (10) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (11) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (12) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (13) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB
15:21:56:781 3664 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28
15:21:56:781 3664 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2
15:21:56:781 3664 DetectCureTDL3: IrpHandler (17) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (18) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (19) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (20) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (21) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82
15:21:56:781 3664 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E
15:21:56:781 3664 DetectCureTDL3: IrpHandler (24) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (25) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (26) addr: 804F4562
15:21:56:781 3664 TDL3_FileDetect: Processing driver: Disk
15:21:56:781 3664 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:56:781 3664 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:56:781 3664 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:21:56:781 3664
15:21:56:781 3664 DetectCureTDL3: DEVICE_OBJECT: 8AF60C68
15:21:56:781 3664 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AF60C68
15:21:56:781 3664 KLMD_ReadMem: Trying to ReadMemory 0x8AF60C68[0x38]
15:21:56:781 3664 DetectCureTDL3: DRIVER_OBJECT: 8AF6CA08
15:21:56:781 3664 KLMD_ReadMem: Trying to ReadMemory 0x8AF6CA08[0xA8]
15:21:56:781 3664 KLMD_ReadMem: Trying to ReadMemory 0xE1011E30[0x18]
15:21:56:781 3664 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:21:56:781 3664 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
15:21:56:781 3664 DetectCureTDL3: IrpHandler (1) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
15:21:56:781 3664 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
15:21:56:781 3664 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
15:21:56:781 3664 DetectCureTDL3: IrpHandler (5) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (6) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (7) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (8) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
15:21:56:781 3664 DetectCureTDL3: IrpHandler (10) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (11) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (12) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (13) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB
15:21:56:781 3664 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28
15:21:56:781 3664 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2
15:21:56:781 3664 DetectCureTDL3: IrpHandler (17) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (18) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (19) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (20) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (21) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82
15:21:56:781 3664 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E
15:21:56:781 3664 DetectCureTDL3: IrpHandler (24) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (25) addr: 804F4562
15:21:56:781 3664 DetectCureTDL3: IrpHandler (26) addr: 804F4562
15:21:56:781 3664 TDL3_FileDetect: Processing driver: Disk
15:21:56:781 3664 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:56:781 3664 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:56:796 3664 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:21:56:796 3664
15:21:56:796 3664 DetectCureTDL3: DEVICE_OBJECT: 8AF61C68
15:21:56:796 3664 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AF61C68
15:21:56:796 3664 KLMD_ReadMem: Trying to ReadMemory 0x8AF61C68[0x38]
15:21:56:796 3664 DetectCureTDL3: DRIVER_OBJECT: 8AF6CA08
15:21:56:796 3664 KLMD_ReadMem: Trying to ReadMemory 0x8AF6CA08[0xA8]
15:21:56:796 3664 KLMD_ReadMem: Trying to ReadMemory 0xE1011E30[0x18]
15:21:56:796 3664 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:21:56:796 3664 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
15:21:56:796 3664 DetectCureTDL3: IrpHandler (1) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
15:21:56:796 3664 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
15:21:56:796 3664 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
15:21:56:796 3664 DetectCureTDL3: IrpHandler (5) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (6) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (7) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (8) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
15:21:56:796 3664 DetectCureTDL3: IrpHandler (10) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (11) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (12) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (13) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB
15:21:56:796 3664 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28
15:21:56:796 3664 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2
15:21:56:796 3664 DetectCureTDL3: IrpHandler (17) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (18) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (19) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (20) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (21) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82
15:21:56:796 3664 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E
15:21:56:796 3664 DetectCureTDL3: IrpHandler (24) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (25) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (26) addr: 804F4562
15:21:56:796 3664 TDL3_FileDetect: Processing driver: Disk
15:21:56:796 3664 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:56:796 3664 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:56:796 3664 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:21:56:796 3664
15:21:56:796 3664 DetectCureTDL3: DEVICE_OBJECT: 8AF62C68
15:21:56:796 3664 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AF62C68
15:21:56:796 3664 KLMD_ReadMem: Trying to ReadMemory 0x8AF62C68[0x38]
15:21:56:796 3664 DetectCureTDL3: DRIVER_OBJECT: 8AF6CA08
15:21:56:796 3664 KLMD_ReadMem: Trying to ReadMemory 0x8AF6CA08[0xA8]
15:21:56:796 3664 KLMD_ReadMem: Trying to ReadMemory 0xE1011E30[0x18]
15:21:56:796 3664 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:21:56:796 3664 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
15:21:56:796 3664 DetectCureTDL3: IrpHandler (1) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
15:21:56:796 3664 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
15:21:56:796 3664 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
15:21:56:796 3664 DetectCureTDL3: IrpHandler (5) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (6) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (7) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (8) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
15:21:56:796 3664 DetectCureTDL3: IrpHandler (10) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (11) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (12) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (13) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB
15:21:56:796 3664 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28
15:21:56:796 3664 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2
15:21:56:796 3664 DetectCureTDL3: IrpHandler (17) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (18) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (19) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (20) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (21) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82
15:21:56:796 3664 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E
15:21:56:796 3664 DetectCureTDL3: IrpHandler (24) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (25) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (26) addr: 804F4562
15:21:56:796 3664 TDL3_FileDetect: Processing driver: Disk
15:21:56:796 3664 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:56:796 3664 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
15:21:56:796 3664 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:21:56:796 3664
15:21:56:796 3664 DetectCureTDL3: DEVICE_OBJECT: 8AF66AB8
15:21:56:796 3664 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AF66AB8
15:21:56:796 3664 DetectCureTDL3: DEVICE_OBJECT: 8AF69D98
15:21:56:796 3664 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AF69D98
15:21:56:796 3664 KLMD_ReadMem: Trying to ReadMemory 0x8AF69D98[0x38]
15:21:56:796 3664 DetectCureTDL3: DRIVER_OBJECT: 8AF80210
15:21:56:796 3664 KLMD_ReadMem: Trying to ReadMemory 0x8AF80210[0xA8]
15:21:56:796 3664 KLMD_ReadMem: Trying to ReadMemory 0xE18B41E0[0x1A]
15:21:56:796 3664 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
15:21:56:796 3664 DetectCureTDL3: IrpHandler (0) addr: B9F156F2
15:21:56:796 3664 DetectCureTDL3: IrpHandler (1) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (2) addr: B9F156F2
15:21:56:796 3664 DetectCureTDL3: IrpHandler (3) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (4) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (5) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (6) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (7) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (8) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (9) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (10) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (11) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (12) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (13) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (14) addr: B9F15712
15:21:56:796 3664 DetectCureTDL3: IrpHandler (15) addr: B9F11852
15:21:56:796 3664 DetectCureTDL3: IrpHandler (16) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (17) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (18) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (19) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (20) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (21) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (22) addr: B9F1573C
15:21:56:796 3664 DetectCureTDL3: IrpHandler (23) addr: B9F1C336
15:21:56:796 3664 DetectCureTDL3: IrpHandler (24) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (25) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (26) addr: 804F4562
15:21:56:796 3664 KLMD_ReadMem: Trying to ReadMemory 0xB9F12864[0x400]
15:21:56:796 3664 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
15:21:56:796 3664 TDL3_FileDetect: Processing driver: atapi
15:21:56:796 3664 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
15:21:56:796 3664 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
15:21:56:859 3664 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
15:21:56:859 3664
15:21:56:859 3664 DetectCureTDL3: DEVICE_OBJECT: 8AF67AB8
15:21:56:859 3664 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AF67AB8
15:21:56:859 3664 DetectCureTDL3: DEVICE_OBJECT: 8AF8BD98
15:21:56:859 3664 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AF8BD98
15:21:56:859 3664 KLMD_ReadMem: Trying to ReadMemory 0x8AF8BD98[0x38]
15:21:56:859 3664 DetectCureTDL3: DRIVER_OBJECT: 8AF80210
15:21:56:859 3664 KLMD_ReadMem: Trying to ReadMemory 0x8AF80210[0xA8]
15:21:56:859 3664 KLMD_ReadMem: Trying to ReadMemory 0xE18B41E0[0x1A]
15:21:56:859 3664 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
15:21:56:859 3664 DetectCureTDL3: IrpHandler (0) addr: B9F156F2
15:21:56:859 3664 DetectCureTDL3: IrpHandler (1) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (2) addr: B9F156F2
15:21:56:859 3664 DetectCureTDL3: IrpHandler (3) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (4) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (5) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (6) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (7) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (8) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (9) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (10) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (11) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (12) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (13) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (14) addr: B9F15712
15:21:56:859 3664 DetectCureTDL3: IrpHandler (15) addr: B9F11852
15:21:56:859 3664 DetectCureTDL3: IrpHandler (16) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (17) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (18) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (19) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (20) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (21) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (22) addr: B9F1573C
15:21:56:859 3664 DetectCureTDL3: IrpHandler (23) addr: B9F1C336
15:21:56:859 3664 DetectCureTDL3: IrpHandler (24) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (25) addr: 804F4562
15:21:56:859 3664 DetectCureTDL3: IrpHandler (26) addr: 804F4562
15:21:56:859 3664 KLMD_ReadMem: Trying to ReadMemory 0xB9F12864[0x400]
15:21:56:859 3664 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
15:21:56:859 3664 TDL3_FileDetect: Processing driver: atapi
15:21:56:859 3664 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
15:21:56:859 3664 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
15:21:56:859 3664 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
15:21:56:859 3664
15:21:56:859 3664 Completed
15:21:56:859 3664
15:21:56:859 3664 Results:
15:21:56:859 3664 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
15:21:56:859 3664 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:21:56:859 3664 File objects infected / cured / cured on reboot: 0 / 0 / 0
15:21:56:859 3664
15:21:56:859 3664 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
15:21:56:859 3664 UtilityDeinit: KLMD(ARK) unloaded successfully

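The TDSSKiller log above is long, and the parts worth reading are the per-driver dispatch table (the `IrpHandler (n)` lines), each driver file's `Verdict:` and the `Results:` counters at the end. As an added example that is not part of this thread and not Kaspersky's code, here is a Python summariser for that log format. The `SAMPLE_LOG` lines are a constructed, abridged excerpt using the addresses shown in the post; `SUSPICIOUS_LOG` is constructed to show the flags firing; and the 1 MiB image-span heuristic (`IMAGE_SPAN_LIMIT`) is an assumption of this example, not a TDSSKiller rule.

```python
"""Summarise a TDSSKiller 2.x text log (the format pasted in this thread).

Added example, not Kaspersky's code. It extracts, per driver object, the IRP
dispatch-table entries and the file verdict, plus the final counters, and
then applies two defender-side checks: any verdict other than "Clean" or a
non-zero "infected" counter, and a heuristic (assumption): a driver's own
dispatch entries should all lie inside one image, so an entry far away from
the others may be a hooked slot worth a closer look.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\\Driver\\\S+), Driver Name: (\S+)")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (\S+) - Verdict: (\w+)")
RESULT_RE = re.compile(
    r"(Memory|Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)")

IMAGE_SPAN_LIMIT = 0x100000  # assumption: one driver image's code fits in 1 MiB


@dataclass
class DriverScan:
    object_name: str
    name: str
    irp: dict = field(default_factory=dict)       # major-function index -> address
    verdicts: dict = field(default_factory=dict)  # driver file -> verdict string


def parse_log(text):
    """Return (drivers, results); results maps 'memory'/'registry'/'file'
    to an (infected, cured, cured_on_reboot) triple."""
    drivers, results, current = [], {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if (d := DRIVER_RE.search(msg)):
            current = DriverScan(d.group(1), d.group(2))
            drivers.append(current)
        elif (i := IRP_RE.search(msg)) and current:
            current.irp[int(i.group(1))] = int(i.group(2), 16)
        elif (v := VERDICT_RE.search(msg)) and current:
            current.verdicts[v.group(1)] = v.group(2)
        elif (r := RESULT_RE.search(msg)):
            results[r.group(1).lower()] = tuple(int(x) for x in r.group(2, 3, 4))
    return drivers, results


def shared_handlers(drivers):
    """Addresses present in more than one driver's table. Distinct driver
    images do not share code, so these are treated as kernel-supplied
    defaults (the 804F4562 slot every driver in the thread shows)."""
    seen_in = defaultdict(set)
    for d in drivers:
        for addr in d.irp.values():
            seen_in[addr].add(d.name)
    return {addr for addr, names in seen_in.items() if len(names) > 1}


def findings(text):
    """Human-readable list of things a reviewer should look at; empty = clean."""
    drivers, results = parse_log(text)
    out = []
    for kind, (infected, cured, reboot) in results.items():
        if infected:
            out.append(f"{kind}: {infected} infected ({cured} cured, {reboot} on reboot)")
    shared = shared_handlers(drivers)
    for d in drivers:
        for path, verdict in d.verdicts.items():
            if verdict != "Clean":
                out.append(f"{d.name}: {path} verdict {verdict}")
        own = sorted(set(d.irp.values()) - shared)
        if own and own[-1] - own[0] > IMAGE_SPAN_LIMIT:
            out.append(f"{d.name}: dispatch entries span {own[-1] - own[0]:#x} bytes "
                       f"({own[0]:08X}..{own[-1]:08X}); check for a hooked slot")
    return out


# Constructed, abridged excerpt in the format TDSSKiller 2.2.2 prints (the
# addresses are the ones shown in the thread).
SAMPLE_LOG = r"""
15:21:56:156 3664 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
15:21:56:750 3664 Scanning Kernel memory ...
15:21:56:750 3664 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:21:56:750 3664 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
15:21:56:750 3664 DetectCureTDL3: IrpHandler (1) addr: 804F4562
15:21:56:750 3664 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
15:21:56:750 3664 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
15:21:56:750 3664 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
15:21:56:750 3664 DetectCureTDL3: IrpHandler (5) addr: 804F4562
15:21:56:765 3664 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:21:56:796 3664 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
15:21:56:796 3664 DetectCureTDL3: IrpHandler (0) addr: B9F156F2
15:21:56:796 3664 DetectCureTDL3: IrpHandler (1) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (2) addr: B9F156F2
15:21:56:796 3664 DetectCureTDL3: IrpHandler (3) addr: 804F4562
15:21:56:796 3664 DetectCureTDL3: IrpHandler (14) addr: B9F15712
15:21:56:796 3664 DetectCureTDL3: IrpHandler (15) addr: B9F11852
15:21:56:859 3664 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
15:21:56:859 3664 Results:
15:21:56:859 3664 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
15:21:56:859 3664 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:21:56:859 3664 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

# Constructed variant: one atapi slot pointing far outside the image, a
# non-Clean verdict and a non-zero file counter (values invented for the demo).
SUSPICIOUS_LOG = (SAMPLE_LOG
                  .replace("IrpHandler (14) addr: B9F15712", "IrpHandler (14) addr: 8A8C1234")
                  .replace("atapi.sys - Verdict: Clean", "atapi.sys - Verdict: Suspicious")
                  .replace("File objects infected / cured / cured on reboot: 0 / 0 / 0",
                           "File objects infected / cured / cured on reboot: 1 / 1 / 0"))

if __name__ == "__main__":
    for label, log in (("sample", SAMPLE_LOG), ("suspicious", SUSPICIOUS_LOG)):
        print(label, findings(log) or "no findings")
```

Run it as a script to see both the clean summary and the constructed suspicious one; for a real log, pass the file contents to `findings()`. The span heuristic is deliberately crude: it only says "look here", and the file verdicts and counters that TDSSKiller itself prints remain the authoritative part of the log.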

#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home
  • Local time:12:10 AM

Posted 29 January 2010 - 01:30 PM

Hi,

How is your PC doing? Please run another scan with MBR:
  • Go to Start > Run and type: cmd.exe
  • Press OK.
  • At the command prompt type: mbr.exe -t >"C:\mbr.log"
  • Press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!



#15 Ivan DBA

Ivan DBA
  • Topic Starter

  • Members
  • 11 posts
  • Local time:04:10 PM

Posted 31 January 2010 - 02:16 AM

I haven't tried doing anything with this PC yet. Here's the MBR log. Should I start trying to use it? Would it be okay if I ran McAfee & Malware Bytes scans again at this point?

It still has the pop-up when I first launch IE saying Windows default search engine has been corrupted, and then bringing up a settings window to change it back to Live Search. I've had that problem for months though, long before I started having the redirect issues, so I think that is unrelated to this rootkit redirect thing, which just started this month.

Here's the latest MBR:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

Thanks for all your help!!



