
Intrusion Help


  • This topic is locked
21 replies to this topic

#1 BDigital


Posted 11 April 2010 - 11:37 PM

Hello there,

I've been having a handful of spyware/malware issues over the past week or so and after trying several anti-malware programs, it seems like things aren't 100% fixed.

It all originally started with "Your Computer Is Infected -- buy our program to fix it" type notifications in my toolbar. This seemed to be identified as caused by a file named "ave.exe". I also noticed right around this time that my firewalls (both Norton and plain old Windows 'Network Connections') seemed to be turned off (not sure how this happened but this likely led to the problems). I've run ComboFix, Malwarebytes, ESET, & Trend Micro -- each a handful of times with them picking up (and claiming to fix) a handful of different infections.

Just when I thought things were OK, I noticed I was getting redirected to weird sites (e.g. findbizdeals.com) when I clicked on Search Engine results (e.g. Google & Yahoo). This too has come and gone a couple times after running various spyware programs (same ones as mentioned above) but seems to still poke its head (though not consistently).

The latest problem is that I get pretty regular notifications from Norton that "a recent attempt to attack your computer has been blocked". When I check more details, I get one of these following two notices:

Intrusion: HTTP Tidserv Request
Intruder: 213.163.89.106 (http(80)
Risk Level: High
Protocol: TCP
Attacked Port: 2156

Intrusion: HTTP Tidserv Request
Intruder: zl091kha644.com (213.163.89.109) (http(80)
Risk Level: High
Protocol: TCP
Attacked Port: 2264

These notifications occur even when I have no programs running and the computer is idle. Additionally, they seem to now occur almost every time I do a Search Engine search on Yahoo or Google (when the results are loading).

I tried running GMER three times and each time I got the blue screen of death about midway through saying the issue was caused by fxtdqpog.sys so I'm not able to post the GMER log. However here is the DDS scan:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Bobby Orr at 17:58:14.21 on Mon 04/12/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_06
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.102 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bobby Orr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: TextAloud: {f053c368-5458-45b2-9b4d-d8914bdddbff} - c:\progra~1\textal~1\TAForIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [TSC] "c:\docume~1\bobbyo~1\locals~1\temp\housecall\tsc.exe" /HD
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dlbcserv.lnk - c:\program files\dell photo printer 720\dlbcserv.exe
IE: E&xport to Microsoft Excel
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~1\tools\iesdpb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - hxxp://entimg.msn.com/client/msnmusax3518.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bobbyo~1\applic~1\mozilla\firefox\profiles\t7i3x33h.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-3-15 53896]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-3-15 239216]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-3-15 161392]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2005-3-15 127088]
R2 WUSB54GSCSVC;WUSB54GSCSVC;c:\program files\compact wireless-g usb network adapter with speedbooster\WLService.exe [2007-9-4 53307]
R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-3-15 185968]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20051007.016\NAVENG.Sys [2005-10-7 77816]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20051007.016\NavEx15.Sys [2005-10-7 665816]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-3-15 324232]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2005-3-11 67184]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-3-15 83568]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-3-15 198368]

=============== Created Last 30 ================

2010-04-10 17:56:05 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-08 12:50:44 98816 ----a-w- c:\windows\sed.exe
2010-04-08 12:50:44 161792 ----a-w- c:\windows\SWREG.exe
2010-04-07 01:58:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 01:58:13 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 01:58:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 23:43:50 0 d-----w- c:\program files\ESET
2010-04-05 15:27:04 0 d-----w- c:\program files\Trend Micro
2010-04-05 15:12:32 0 d-----w- c:\program files\Malwarebytes Anti-Malware

==================== Find3M ====================

2010-03-12 22:02:38 261632 ----a-w- c:\windows\PEV.exe
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-23 05:20:02 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ------w- c:\windows\system32\dllcache\ieakui.dll

============= FINISH: 18:00:03.04 ===============


I'll post my OTL log in my second post -- I wanted to at least relay what I was experiencing first. Let me know if there are any other logs (ComboFix, MalwareBytes, etc.) you'd like me to post next. Thank you very much in advance!

Edited by BDigital, 12 April 2010 - 06:30 PM.


#2 BDigital


Posted 11 April 2010 - 11:49 PM

As promised, here are my two OTL logs:

OTL logfile created on: 4/12/2010 12:38:39 AM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Bobby Orr\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 146.00 Mb Available Physical Memory | 29.00% Memory free
1.00 Gb Paging File | 0.00 Gb Available in Paging File | 26.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.97 Gb Total Space | 2.23 Gb Free Space | 6.56% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BOBBY
Current User Name: Bobby Orr
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/12 00:20:02 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bobby Orr\Desktop\OTL.exe
PRC - [2010/01/15 23:09:37 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/04/21 15:26:38 | 005,358,592 | ---- | M] (Linksys) -- C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
PRC - [2005/07/04 16:46:04 | 000,053,307 | ---- | M] (GEMTEKS) -- C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
PRC - [2005/04/05 11:17:22 | 000,206,552 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
PRC - [2005/03/15 16:34:04 | 000,127,088 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
PRC - [2005/03/15 16:33:52 | 000,992,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2005/03/15 16:33:50 | 000,239,216 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
PRC - [2005/03/15 16:33:44 | 000,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/03/15 16:33:42 | 000,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/03/15 16:33:42 | 000,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2005/03/12 07:25:00 | 000,403,456 | ---- | M] (Musicmatch, Inc.) -- C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
PRC - [2005/03/12 07:25:00 | 000,102,400 | ---- | M] (Musicmatch, Inc.) -- C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
PRC - [2005/01/08 19:42:54 | 000,315,392 | R--- | M] () -- C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
PRC - [2004/11/02 16:59:50 | 000,316,544 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe
PRC - [2004/10/14 20:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2004/07/27 17:50:18 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2004/05/18 03:08:44 | 007,667,779 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe


========== Modules (SafeList) ==========

MOD - [2010/04/12 00:20:02 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bobby Orr\Desktop\OTL.exe
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2005/07/19 20:21:22 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcr71.dll
MOD - [2005/03/15 16:34:08 | 000,198,240 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\AntiSpam\asOEHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Running] -- -- (WUSB54GSCSVC)
SRV - [2005/04/05 11:17:22 | 000,206,552 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2005/03/15 16:34:12 | 000,083,584 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Norton Internet Security\ISSVC.exe -- (ISSVC)
SRV - [2005/03/15 16:34:06 | 000,198,368 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe -- (SAVScan)
SRV - [2005/03/15 16:34:04 | 000,127,088 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe -- (navapsvc)
SRV - [2005/03/15 16:33:52 | 000,992,864 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2005/03/15 16:33:50 | 000,239,216 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccProxy.exe -- (ccProxy)
SRV - [2005/03/15 16:33:44 | 000,161,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/03/15 16:33:44 | 000,083,568 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2005/03/15 16:33:42 | 000,185,968 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/03/11 22:05:40 | 000,067,184 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe -- (SBService)
SRV - [2004/11/02 16:59:50 | 000,316,544 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- (SymWSC)


========== Driver Services (SafeList) ==========

DRV - [2009/11/19 23:02:58 | 000,268,664 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\SymcData\idsdefs\20100402.001\SymIDSCo.sys -- (SYMIDSCO)
DRV - [2006/09/22 16:33:38 | 000,515,200 | ---- | M] (Windows ® 2000/XP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SndTDriverV32.sys -- (SndTDriverV32)
DRV - [2005/09/12 04:00:00 | 000,665,816 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20051007.016\NAVEX15.SYS -- (NAVEX15)
DRV - [2005/09/12 04:00:00 | 000,077,816 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20051007.016\NAVENG.SYS -- (NAVENG)
DRV - [2005/04/05 11:17:02 | 000,267,192 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2005/04/05 11:17:00 | 000,017,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/04/05 11:16:58 | 000,036,984 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMIDS.SYS -- (SYMIDS)
DRV - [2005/04/05 11:16:56 | 000,047,192 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2005/04/05 11:16:54 | 000,173,208 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMFW.SYS -- (SYMFW)
DRV - [2005/04/05 11:16:52 | 000,011,512 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMDNS.SYS -- (SYMDNS)
DRV - [2005/03/15 16:34:06 | 000,324,232 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Norton Internet Security\Norton AntiVirus\savrt.sys -- (SAVRT)
DRV - [2005/03/15 16:34:06 | 000,053,896 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/03/15 16:33:52 | 000,372,832 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/03/15 16:33:52 | 000,123,208 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2004/12/06 02:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/12/06 02:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/12/06 02:05:00 | 000,086,586 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/12/06 02:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/12/06 02:05:00 | 000,025,883 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/12/06 02:05:00 | 000,015,227 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/12/06 02:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/12/06 02:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/12/06 02:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/12/01 04:22:00 | 000,087,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/11/23 03:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/09/17 15:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/08/04 06:00:00 | 000,012,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2004/08/04 00:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 00:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/03 23:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/07/14 12:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 12:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2003/09/25 22:15:32 | 000,015,872 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\GTNDIS5.sys -- (GTNDIS5)
DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht


IE - HKU\S-1-5-21-2799317244-3254765659-1781042131-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-2799317244-3254765659-1781042131-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/16 22:09:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/02 02:05:04 | 000,000,000 | ---D | M]

[2008/06/17 20:51:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Extensions
[2010/04/11 12:10:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\extensions
[2009/06/03 20:56:31 | 000,000,000 | ---D | M] (IE Tab) -- C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2009/06/08 17:29:37 | 000,000,931 | ---- | M] () -- C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\searchplugins\dictionary.xml
[2009/06/08 17:30:13 | 000,001,504 | ---- | M] () -- C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\searchplugins\imdb.xml
[2009/06/08 17:31:50 | 000,004,140 | ---- | M] () -- C:\Documents and Settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\searchplugins\youtube.xml
[2010/04/11 12:10:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/04/05 11:46:00 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (PCTools Site Guard) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program Files\Spyware Doctor\tools\iesdsg.dll (PC Tools)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (CNisExtBho Class) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (Symantec Corporation)
O2 - BHO: (PCTools Browser Monitor) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll (GuideWorks Pty. Ltd.)
O2 - BHO: (CNavExtBho Class) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Norton Internet Security) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (TextAloud) - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\Program Files\TextAloud\TAForIE.dll ()
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Norton Internet Security) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (Symantec Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Norton Internet Security) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (Symantec Corporation)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-2799317244-3254765659-1781042131-1006\..\Toolbar\ShellBrowser: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-2799317244-3254765659-1781042131-1006\..\Toolbar\WebBrowser: (Norton Internet Security) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (Symantec Corporation)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [MimBoot] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [Symantec NetDriver Monitor] C:\Program Files\SymNetDrv\SNDMon.exe (Symantec Corporation)
O4 - HKLM..\RunOnce: [TSC] C:\Documents and Settings\Bobby Orr\Local Settings\temp\HouseCall\TSC.exe (Trend Micro Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2799317244-3254765659-1781042131-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2799317244-3254765659-1781042131-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2799317244-3254765659-1781042131-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-2799317244-3254765659-1781042131-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll (GuideWorks Pty. Ltd.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab (CKAVWebScan Object)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} http://entimg.msn.com/client/msnmusax3518.cab (MsnMusicAx Class)
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab (IWinAmpActiveX Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Dell.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Dell.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = secfile] -- Reg Error: Key error. File not found
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-21-2799317244-3254765659-1781042131-1006\...exe [@ = exefile] -- Reg Error: Key error. File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183584330711040)

========== Files/Folders - Created Within 30 Days ==========

[2010/04/12 00:19:59 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Bobby Orr\Desktop\OTL.exe
[2010/04/11 16:26:12 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/10 20:03:42 | 001,840,232 | ---- | C] (Trend Micro) -- C:\Documents and Settings\Bobby Orr\Desktop\HousecallLauncher.exe
[2010/04/10 16:54:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/10 13:56:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/10 13:56:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\avG
[2010/04/10 13:56:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avG
[2010/04/08 08:50:44 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/08 08:50:44 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/08 08:50:44 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/08 08:50:44 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/08 08:49:40 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/08 05:40:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/08 01:10:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2010/04/06 21:58:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/06 21:58:13 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/06 21:58:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/05 23:47:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/05 19:43:50 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/05 19:25:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/04/05 19:20:34 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/05 11:27:04 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/05 11:12:32 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes Anti-Malware
[2010/04/02 14:02:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bobby Orr\Desktop\Unknown Artist
[2008/06/03 21:43:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/06/03 21:43:06 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/06/03 21:43:06 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/06/01 22:20:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Symantec
[2008/04/14 20:42:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/09/29 18:06:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
[2007/09/29 18:06:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
[2005/07/11 19:23:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/12 00:20:02 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bobby Orr\Desktop\OTL.exe
[2010/04/11 23:12:53 | 000,217,088 | ---- | M] () -- C:\Documents and Settings\Bobby Orr\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/11 22:21:05 | 000,000,372 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2010/04/11 16:38:25 | 077,597,126 | ---- | M] () -- C:\Documents and Settings\Bobby Orr\Desktop\AVA_LOVE.zip
[2010/04/10 20:04:12 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Bobby Orr\Local Settings\Application Data\housecall.guid.cache
[2010/04/10 20:03:43 | 001,840,232 | ---- | M] (Trend Micro) -- C:\Documents and Settings\Bobby Orr\Desktop\HousecallLauncher.exe
[2010/04/10 18:51:10 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/04/10 18:49:11 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/10 18:47:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/10 18:47:26 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/10 18:46:47 | 006,029,312 | -H-- | M] () -- C:\Documents and Settings\Bobby Orr\NTUSER.DAT
[2010/04/10 18:46:47 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Bobby Orr\ntuser.ini
[2010/04/10 18:46:42 | 001,930,896 | -H-- | M] () -- C:\Documents and Settings\Bobby Orr\Local Settings\Application Data\IconCache.db
[2010/04/10 16:46:31 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/10 15:48:50 | 000,018,886 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\4pXA
[2010/04/09 20:25:42 | 000,000,556 | ---- | M] () -- C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Bobby Orr.job
[2010/04/08 08:49:12 | 000,019,136 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\8Hk05HQw
[2010/04/08 08:49:11 | 000,019,136 | -HS- | M] () -- C:\Documents and Settings\Bobby Orr\Local Settings\Application Data\8Hk05HQw
[2010/04/08 08:46:21 | 003,909,898 | R--- | M] () -- C:\Documents and Settings\Bobby Orr\Desktop\ComboFix.exe
[2010/04/08 08:24:09 | 000,019,192 | -HS- | M] () -- C:\Documents and Settings\Bobby Orr\Local Settings\Application Data\277504238
[2010/04/08 08:24:09 | 000,019,192 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2325594301
[2010/04/08 08:23:38 | 000,019,196 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\277504238
[2010/04/08 00:50:05 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/06 23:22:05 | 000,039,504 | ---- | M] () -- C:\Documents and Settings\Bobby Orr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/05 21:41:17 | 000,192,184 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/05 20:42:09 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/05 11:59:09 | 000,001,746 | ---- | M] () -- C:\Documents and Settings\Bobby Orr\Desktop\HijackThis.lnk
[2010/04/05 11:46:00 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/05 11:30:18 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\kigekone
[2010/04/03 12:53:02 | 000,381,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/03 12:53:01 | 000,441,626 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/03 12:53:01 | 000,053,436 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/11 16:36:01 | 077,597,126 | ---- | C] () -- C:\Documents and Settings\Bobby Orr\Desktop\AVA_LOVE.zip
[2010/04/10 20:04:12 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Bobby Orr\Local Settings\Application Data\housecall.guid.cache
[2010/04/10 18:47:26 | 534,827,008 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/10 13:47:58 | 000,018,886 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\4pXA
[2010/04/10 13:47:58 | 000,018,886 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4pXA
[2010/04/08 08:50:44 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/08 08:50:44 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/08 08:50:44 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/08 08:46:19 | 003,909,898 | R--- | C] () -- C:\Documents and Settings\Bobby Orr\Desktop\ComboFix.exe
[2010/04/08 08:38:51 | 000,019,188 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\8Hk05HQw
[2010/04/08 08:24:08 | 000,019,192 | -HS- | C] () -- C:\Documents and Settings\Bobby Orr\Local Settings\Application Data\277504238
[2010/04/08 08:24:08 | 000,019,192 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2325594301
[2010/04/08 08:23:26 | 000,019,196 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\277504238
[2010/04/08 08:23:26 | 000,019,136 | -HS- | C] () -- C:\Documents and Settings\Bobby Orr\Local Settings\Application Data\8Hk05HQw
[2010/04/08 05:40:19 | 000,019,192 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\8Hk05HQw
[2010/04/08 05:40:19 | 000,019,136 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8Hk05HQw
[2010/04/05 11:59:09 | 000,001,746 | ---- | C] () -- C:\Documents and Settings\Bobby Orr\Desktop\HijackThis.lnk
[2010/01/18 03:05:53 | 000,005,445 | ---- | C] () -- C:\Documents and Settings\Bobby Orr\_GEAREXT.WO_IDENT.TXT
[2008/07/23 19:40:25 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/07/23 19:40:25 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007/09/04 23:44:58 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2007/09/04 23:44:42 | 000,000,609 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2007/03/26 22:21:59 | 000,001,778 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/08/13 01:21:24 | 000,000,004 | -HS- | C] () -- C:\Documents and Settings\Bobby Orr\win_rhtdo53x4
[2005/07/16 13:52:39 | 000,000,421 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2005/07/16 13:52:12 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbcvs.dll
[2005/07/16 13:52:10 | 000,000,373 | ---- | C] () -- C:\WINDOWS\System32\dlbccoin.ini
[2005/07/11 23:44:44 | 000,217,088 | ---- | C] () -- C:\Documents and Settings\Bobby Orr\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/07/09 22:12:21 | 000,003,311 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2005/06/30 22:36:27 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/06/29 21:33:59 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Bobby Orr\ntuser.dat.LOG
[2005/06/29 21:33:59 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Bobby Orr\ntuser.ini
[2005/06/29 21:33:58 | 006,029,312 | -H-- | C] () -- C:\Documents and Settings\Bobby Orr\NTUSER.DAT
[2005/06/29 21:33:11 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2005/06/29 21:33:11 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2005/06/20 15:41:00 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/06/20 15:32:38 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/06/20 15:06:34 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2005/06/20 15:06:22 | 000,000,375 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/04/28 00:22:38 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/04/28 00:22:34 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/04/28 00:22:34 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/04/09 18:04:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 14:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 14:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2005/07/11 19:24:18 | 000,135,168 | ---- | M] (Netsurfer, Inc.) -- C:\DHCPD.exe
[2005/07/11 19:24:17 | 000,790,528 | ---- | M] (Netsurfer, Inc.) -- C:\setup32.exe
[2005/07/11 19:24:18 | 000,344,064 | ---- | M] (Netsurfer, Inc.) -- C:\Yampa.exe


< MD5 for: AGP440.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\erdnt\cache\AGP440.SYS
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\erdnt\cache\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\erdnt\cache\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\erdnt\cache\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\erdnt\cache\scecli.dll
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

-------------------------------------------

OTL Extras logfile created on: 4/12/2010 12:38:39 AM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Bobby Orr\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 146.00 Mb Available Physical Memory | 29.00% Memory free
1.00 Gb Paging File | 0.00 Gb Available in Paging File | 26.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.97 Gb Total Space | 2.23 Gb Free Space | 6.56% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BOBBY
Current User Name: Bobby Orr
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe File not found

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe File not found

[HKEY_USERS\S-1-5-21-2799317244-3254765659-1781042131-1006\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
jsefile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
wsffile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{12E2B9E9-05B1-407d-B0FD-B5F350535125}" = Norton Internet Security
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel® PROSet for Wired Connections
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}" = SymNet
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java™ 6 Update 6
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3B29A786-5803-4e9e-9B58-3014A5B4E519}" = Norton AntiSpam
"{4192EAC0-6B36-4723-B216-D0E86E7757AC}" = Jasc Paint Shop Photo Album 5
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{449F3A9E-9903-4a0d-A209-08030D45A935}" = Norton Internet Security
"{48185814-A224-447a-81DA-71BD20580E1B}" = Norton Internet Security
"{503AA035-41E2-4858-B31F-1E49AC66C309}" = Norton Security Center
"{526AD5DC-CFC4-4f2a-8442-C84CC91D6C7F}" = Norton Internet Security
"{5677563D-0CB1-485f-9E18-C5025306BB3F}" = Norton AntiSpam
"{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}" = iTunes
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{65563451-00B6-458C-9F9A-03A7757355A6}" = Compact Wireless-G USB Network Adapter with SpeedBooster
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{77772678-817F-4401-9301-ED1D01A8DA56}" = SPBBC
"{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}" = Jasc Paint Shop Pro Studio, Dell Editon
"{78D944D7-A97B-4004-AB0A-B5AD06839940}" = My Way Search Assistant
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8 Dell Edition
"{85D3CC30-8859-481A-9654-FD9B74310BEF}" = Musicmatch® Jukebox
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{A93C9E60-29B6-49da-BA21-F70AC6AADE20}" = Norton Internet Security
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1
"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{B7C61755-DB48-4003-948F-3D34DB8EAF69}" = MSRedist
"{C6F5B6CF-609C-428E-876F-CA83176C021B}" = Norton AntiVirus 2005
"{C9D599E1-6B68-4a1f-8A4F-A1DB433DB1BF}" = Norton Internet Security
"{CA0A1E54-CE0F-4366-B09C-A87B61DC5633}" = Symantec Network Drivers Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}" = Jasc Paint Shop Photo Album
"{D327AFC9-7BAA-473A-8319-6EB7A0D40138}" = Symantec Script Blocking Installer
"{D8F6834B-D5E7-4451-8681-B051ABD8561D}" = ccCommon
"{DA42FDCA-7C5A-43EF-9A05-CCE148ADF919}" = CC_ccProxyExt
"{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}" = Norton Internet Security
"{E5EE9939-259F-4DE2-8023-5C49E16A4F43}" = Norton Internet Security
"{E85FA9A1-C241-4698-893B-DD99509B8DB0}" = Norton WMI Update
"{F64306A5-4C32-41bb-B153-53986527FAB4}" = Norton WMI Update
"{FC08587A-4F01-4188-819F-F55880022917}" = ccPxyCore
"{FC2C0536-583C-46c0-844A-62CECAE01F22}" = Norton Internet Security
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AOL Instant Messenger" = AOL Instant Messenger
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Dell Photo Printer 720" = Dell Photo Printer 720
"Dell Photo Printer 720 Logger" = Dell Photo Printer 720 Logger
"DellSupport" = Dell Support 5.0.0 (630)
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"ffdshow_is1" = ffdshow [rev 1723] [2007-12-24]
"FLV Player" = FLV Player 2.0, build 24
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Kaspersky Online Scanner" = Kaspersky Online Scanner
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MSN Music Assistant" = MSN Music Assistant
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"MyWaySearchAssistantDE" = My Way Search Assistant
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROSet" = Intel® PRO Network Adapters and Drivers
"RealPlayer 6.0" = RealPlayer
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"Spyware Doctor_is1" = Spyware Doctor 3.2
"SpywareBlaster_is1" = SpywareBlaster 4.2
"SymSetup.{A93C9E60-29B6-49da-BA21-F70AC6AADE20}" = Norton Internet Security 2005 (Symantec Corporation)
"TextAloud MP3_is1" = TextAloud
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2799317244-3254765659-1781042131-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/10/2009 12:11:28 AM | Computer Name = BOBBY | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 8/13/2009 7:17:26 PM | Computer Name = BOBBY | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 10.0.0.3646, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/14/2009 3:34:50 PM | Computer Name = BOBBY | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3071, faulting module
npswf32.dll, version 10.0.32.18, fault address 0x0004f2df.

Error - 9/27/2009 1:12:38 AM | Computer Name = BOBBY | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 10.0.0.3646, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/11/2009 11:08:39 PM | Computer Name = BOBBY | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3071, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/11/2009 11:08:39 PM | Computer Name = BOBBY | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3071, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/15/2009 9:09:06 PM | Computer Name = BOBBY | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3071, faulting module
npswf32.dll, version 10.0.32.18, fault address 0x0004f2df.

Error - 11/10/2009 10:57:18 PM | Computer Name = BOBBY | Source = Application Error | ID = 1000
Description = Faulting application wmplayer.exe, version 10.0.0.3646, faulting module
l3codecx.ax, version 1.5.0.50, fault address 0x0000851d.

Error - 11/10/2009 10:57:38 PM | Computer Name = BOBBY | Source = Application Error | ID = 1000
Description = Faulting application wmplayer.exe, version 10.0.0.3646, faulting module
l3codecx.ax, version 1.5.0.50, fault address 0x0000851d.

Error - 11/22/2009 8:33:50 PM | Computer Name = BOBBY | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 10.0.0.3646, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 4/6/2010 7:10:39 PM | Computer Name = BOBBY | Source = Service Control Manager | ID = 7000
Description = The IMAPI CD-Burning COM Service service failed to start due to the
following error: %%1053

Error - 4/6/2010 10:09:17 PM | Computer Name = BOBBY | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/6/2010 10:09:17 PM | Computer Name = BOBBY | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 4/6/2010 10:10:59 PM | Computer Name = BOBBY | Source = Service Control Manager | ID = 7024
Description = The ISSVC service terminated with service-specific error 4294967295
(0xFFFFFFFF).

Error - 4/6/2010 10:11:00 PM | Computer Name = BOBBY | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde

Error - 4/6/2010 10:12:01 PM | Computer Name = BOBBY | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM
Service service to connect.

Error - 4/6/2010 10:12:01 PM | Computer Name = BOBBY | Source = Service Control Manager | ID = 7000
Description = The IMAPI CD-Burning COM Service service failed to start due to the
following error: %%1053

Error - 4/6/2010 11:42:37 PM | Computer Name = BOBBY | Source = DCOM | ID = 10010
Description = The server {F3A614DC-ABE0-11D2-A441-00C04F795683} did not register
with DCOM within the required timeout.

Error - 4/7/2010 2:19:32 AM | Computer Name = BOBBY | Source = DCOM | ID = 10010
Description = The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.

Error - 4/7/2010 2:20:13 AM | Computer Name = BOBBY | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056


< End of report >


#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:33 AM

Posted 15 April 2010 - 04:46 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run the rootkit scanner, Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#4 BDigital

BDigital
  • Topic Starter

  • Members
  • 11 posts
  • Local time:11:33 PM

Posted 15 April 2010 - 06:27 PM

Hello there,

I have tried running GMER a handful of times and each time I got the blue screen of death about midway through, saying the problem was caused by fxtdqpog.sys, so I'm not able to post a full GMER log. I was able to capture some of the scan while it was still running (which I've attached), but I believe that it is not complete since the scan was still going until I got the blue screen.

Let me know what you suggest I do next. Thanks!

Edited by BDigital, 15 April 2010 - 06:27 PM.


#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:33 AM

Posted 15 April 2010 - 06:37 PM

Run the following programs

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.


Finally, run ComboFix. If you already have the program, delete it and download an updated one from below.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
m0le is a proud member of UNITE

#6 BDigital

BDigital
  • Topic Starter

  • Members
  • 11 posts
  • Local time:11:33 PM

Posted 15 April 2010 - 07:37 PM

Figured I'd give an update on my system since my original post was a few days ago... long story short, not much has changed. I still get the Norton "an attempt to attack your computer was blocked" fairly frequently. Also, it seems every 24-36 hours the ave.exe "Windows XP Security -- you have spyware!" nonsense appears out of the blue (even when I haven't done anything online in hours).

Here are the requested logs:

ExeHelper
exeHelper by Raktor
Build 20100414
Run at 20:04:44 on 04/15/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

RKill
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Bobby Orr on 04/15/2010 at 20:05:40.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Bobby Orr\Desktop\rkill.pif


Rkill completed on 04/15/2010 at 20:05:53.

ComboFix
ComboFix 10-04-14.04 - Bobby Orr 04/15/2010 20:11:28.11.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.211 [GMT -4:00]
Running from: c:\documents and settings\Bobby Orr\Desktop\comfix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-13 20:04 . 2010-04-13 20:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-13 20:04 . 2010-04-13 20:04 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-04-12 06:58 . 2010-04-12 06:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-04-10 17:56 . 2010-04-10 17:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-10 17:56 . 2010-04-10 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-07 01:58 . 2010-03-29 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 01:58 . 2010-03-29 19:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 01:58 . 2010-04-07 01:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 23:43 . 2010-04-05 23:43 -------- d-----w- c:\program files\ESET
2010-04-05 23:20 . 2010-04-05 23:20 -------- d-----w- c:\program files\ERUNT
2010-04-05 15:27 . 2010-04-05 15:27 -------- d-----w- c:\program files\Trend Micro
2010-04-05 15:12 . 2010-04-05 15:32 -------- d-----w- c:\program files\Malwarebytes Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-15 23:48 . 2005-06-20 19:33 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-09 04:35 . 2008-06-13 05:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-09 04:33 . 2008-06-13 05:39 -------- d-----w- c:\program files\SpywareBlaster
2010-04-07 03:22 . 2005-06-30 01:35 39504 ----a-w- c:\documents and settings\Bobby Orr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 12:38 . 2004-08-10 17:51 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-10 17:50 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 03:57 . 2009-03-04 17:02 -------- d-----w- c:\program files\Microsoft Silverlight
.

((((((((((((((((((((((((((((( SnapShot@2010-04-08_13.06.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-02-27 03:18 . 2010-04-03 16:00 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-27 03:18 . 2010-04-10 22:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-06-30 01:25 . 2010-04-10 22:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-06-30 01:25 . 2010-04-03 16:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-03-15 48752]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-07-14 100056]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-03-12 11776]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-7-16 315392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 WUSB54GSCSVC;WUSB54GSCSVC;c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe [9/4/2007 11:44 PM 53307]
.
Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]

2010-04-10 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Bobby Orr.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-03-15 20:34]

2010-04-15 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-06-20 17:24]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel
FF - ProfilePath - c:\documents and settings\Bobby Orr\Application Data\Mozilla\Firefox\Profiles\t7i3x33h.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 20:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8223CAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857cfc3
\Driver\ACPI -> ACPI.sys @ 0xf84efcb8
\Driver\atapi -> atapi.sys @ 0xf84a77b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e1a2
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e1a2
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(884)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3332)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-04-15 20:30:10
ComboFix-quarantined-files.txt 2010-04-16 00:30
ComboFix2.txt 2010-04-13 23:08
ComboFix3.txt 2010-04-10 20:54
ComboFix4.txt 2010-04-08 13:14

Pre-Run: 1,831,624,704 bytes free
Post-Run: 1,817,583,616 bytes free

- - End Of File - - 49F5C2A03AF5975804845803BFE2C643

Thanks!

Edited by BDigital, 15 April 2010 - 07:37 PM.

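Turning those registry sections into a check, as an added example that is not part of the thread, OTL or ComboFix: the script below parses the Security Center Settings block from the OTL log posted earlier and the matching REGEDIT4-style keys in the ComboFix log just above (both excerpts are constructed from the posted lines) and flags the values that silence Security Center and the Windows Firewall.

```python
"""Flag Security Center / Windows Firewall tampering in OTL and ComboFix log excerpts.

Added example for this thread, not code from OTL, ComboFix or the thread. Both tools
dump registry keys INI-style (OTL: "Name" = 1; ComboFix: "Name"=dword:00000001 or
"Name"= 0 (0x0)), so one parser covers both; the rules encode the settings seen
in the posted logs.
"""
import re
from typing import List, Optional, Tuple

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")            # [HKEY_LOCAL_MACHINE\...] / [HKLM\~\...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')  # "Name" = value, spaces optional

# (regex matched against the END of the key path, value name, suspicious value, why)
TAMPER_RULES = [
    (r"security center", "AntiVirusOverride", 1, "Security Center ignores antivirus state"),
    (r"security center", "FirewallOverride", 1, "Security Center ignores firewall state"),
    (r"security center\\monitoring\\[^\\]+", "DisableMonitoring", 1,
     "WMI monitoring of a security product switched off"),
    (r"firewallpolicy\\(standard|domain)profile", "EnableFirewall", 0,
     "Windows Firewall profile disabled"),
    (r"firewallpolicy\\(standard|domain)profile", "DisableNotifications", 1,
     "firewall-disabled notifications suppressed"),
]

def parse_value(raw: str) -> Optional[int]:
    """Turn `1`, `dword:00000001` or `0 (0x0)` into an int; anything else -> None."""
    raw = raw.strip()
    m = re.match(r"^dword:([0-9a-f]{8})$", raw, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(-?\d+)(\s*\(0x[0-9a-f]+\))?$", raw, re.IGNORECASE)
    return int(m.group(1)) if m else None

def parse_registry_dump(text: str) -> List[Tuple[str, str, int]]:
    """(key path, value name, int value) triples in file order; string values are skipped."""
    entries: List[Tuple[str, str, int]] = []
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            value = parse_value(m.group(2))
            if value is not None:   # Run keys, authorized apps etc. hold strings
                entries.append((current, m.group(1), value))
    return entries

def find_tampering(text: str) -> List[Tuple[str, str, int, str]]:
    """Apply TAMPER_RULES to a log excerpt; one (key, name, value, why) per hit."""
    findings = []
    for key, name, value in parse_registry_dump(text):
        for key_pat, val_name, bad, why in TAMPER_RULES:
            if (name.lower() == val_name.lower() and value == bad
                    and re.search(key_pat + r"$", key, re.IGNORECASE)):
                findings.append((key, name, value, why))
    return findings

# Constructed excerpts that mirror the posted OTL and ComboFix sections.
OTL_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"""

COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"""

if __name__ == "__main__":
    for label, sample in (("OTL", OTL_SAMPLE), ("ComboFix", COMBOFIX_SAMPLE)):
        print(f"== {label} ==")
        for key, name, value, why in find_tampering(sample):
            print(f"  {name}={value} under {key}\n    -> {why}")
```

Note that the OTL excerpt shows only the Domain profile disabled while the later ComboFix excerpt shows the Standard profile off as well, which is the kind of change between two logs a helper looks for.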

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:33 AM

Posted 16 April 2010 - 05:16 AM

We have to identify the rootkit before we can remove it.
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to leave the file alone.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here (or attach it).


m0le is a proud member of UNITE

#8 BDigital

  • Topic Starter
  • Members
  • 11 posts

Posted 16 April 2010 - 07:18 AM

Here is the TDSSKiller log:

08:06:24:359 0396 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
08:06:24:359 0396 ================================================================================
08:06:24:359 0396 SystemInfo:

08:06:24:359 0396 OS Version: 5.1.2600 ServicePack: 2.0
08:06:24:359 0396 Product type: Workstation
08:06:24:359 0396 ComputerName: BOBBY
08:06:24:359 0396 UserName: Bobby Orr
08:06:24:359 0396 Windows directory: C:\WINDOWS
08:06:24:359 0396 Processor architecture: Intel x86
08:06:24:359 0396 Number of processors: 2
08:06:24:359 0396 Page size: 0x1000
08:06:24:359 0396 Boot type: Normal boot
08:06:24:359 0396 ================================================================================
08:06:24:406 0396 UnloadDriverW: NtUnloadDriver error 2
08:06:24:406 0396 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
08:06:24:593 0396 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
08:06:24:593 0396 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:06:24:593 0396 wfopen_ex: Trying to KLMD file open
08:06:24:593 0396 wfopen_ex: File opened ok (Flags 2)
08:06:24:593 0396 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
08:06:24:593 0396 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:06:24:593 0396 wfopen_ex: Trying to KLMD file open
08:06:24:593 0396 wfopen_ex: File opened ok (Flags 2)
08:06:24:593 0396 Initialize success
08:06:24:593 0396
08:06:24:593 0396 Scanning Services ...
08:06:25:140 0396 Raw services enum returned 332 services
08:06:25:156 0396
08:06:25:156 0396 Scanning Kernel memory ...
08:06:25:156 0396 Devices to scan: 4
08:06:25:156 0396
08:06:25:156 0396 Driver Name: Disk
08:06:25:156 0396 IRP_MJ_CREATE : F857EC30
08:06:25:156 0396 IRP_MJ_CREATE_NAMED_PIPE : 804F9729
08:06:25:156 0396 IRP_MJ_CLOSE : F857EC30
08:06:25:156 0396 IRP_MJ_READ : F8578D9B
08:06:25:156 0396 IRP_MJ_WRITE : F8578D9B
08:06:25:156 0396 IRP_MJ_QUERY_INFORMATION : 804F9729
08:06:25:156 0396 IRP_MJ_SET_INFORMATION : 804F9729
08:06:25:156 0396 IRP_MJ_QUERY_EA : 804F9729
08:06:25:156 0396 IRP_MJ_SET_EA : 804F9729
08:06:25:156 0396 IRP_MJ_FLUSH_BUFFERS : F8579366
08:06:25:156 0396 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9729
08:06:25:156 0396 IRP_MJ_SET_VOLUME_INFORMATION : 804F9729
08:06:25:156 0396 IRP_MJ_DIRECTORY_CONTROL : 804F9729
08:06:25:156 0396 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9729
08:06:25:156 0396 IRP_MJ_DEVICE_CONTROL : F857944D
08:06:25:156 0396 IRP_MJ_INTERNAL_DEVICE_CONTROL : F857CFC3
08:06:25:156 0396 IRP_MJ_SHUTDOWN : F8579366
08:06:25:156 0396 IRP_MJ_LOCK_CONTROL : 804F9729
08:06:25:156 0396 IRP_MJ_CLEANUP : 804F9729
08:06:25:156 0396 IRP_MJ_CREATE_MAILSLOT : 804F9729
08:06:25:156 0396 IRP_MJ_QUERY_SECURITY : 804F9729
08:06:25:156 0396 IRP_MJ_SET_SECURITY : 804F9729
08:06:25:156 0396 IRP_MJ_POWER : F857AEF3
08:06:25:156 0396 IRP_MJ_SYSTEM_CONTROL : F857FA24
08:06:25:156 0396 IRP_MJ_DEVICE_CHANGE : 804F9729
08:06:25:156 0396 IRP_MJ_QUERY_QUOTA : 804F9729
08:06:25:156 0396 IRP_MJ_SET_QUOTA : 804F9729
08:06:25:203 0396 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:06:25:203 0396
08:06:25:203 0396 Driver Name: Disk
08:06:25:203 0396 IRP_MJ_CREATE : F857EC30
08:06:25:203 0396 IRP_MJ_CREATE_NAMED_PIPE : 804F9729
08:06:25:203 0396 IRP_MJ_CLOSE : F857EC30
08:06:25:203 0396 IRP_MJ_READ : F8578D9B
08:06:25:203 0396 IRP_MJ_WRITE : F8578D9B
08:06:25:203 0396 IRP_MJ_QUERY_INFORMATION : 804F9729
08:06:25:203 0396 IRP_MJ_SET_INFORMATION : 804F9729
08:06:25:203 0396 IRP_MJ_QUERY_EA : 804F9729
08:06:25:203 0396 IRP_MJ_SET_EA : 804F9729
08:06:25:203 0396 IRP_MJ_FLUSH_BUFFERS : F8579366
08:06:25:203 0396 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9729
08:06:25:203 0396 IRP_MJ_SET_VOLUME_INFORMATION : 804F9729
08:06:25:203 0396 IRP_MJ_DIRECTORY_CONTROL : 804F9729
08:06:25:203 0396 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9729
08:06:25:203 0396 IRP_MJ_DEVICE_CONTROL : F857944D
08:06:25:203 0396 IRP_MJ_INTERNAL_DEVICE_CONTROL : F857CFC3
08:06:25:203 0396 IRP_MJ_SHUTDOWN : F8579366
08:06:25:203 0396 IRP_MJ_LOCK_CONTROL : 804F9729
08:06:25:203 0396 IRP_MJ_CLEANUP : 804F9729
08:06:25:203 0396 IRP_MJ_CREATE_MAILSLOT : 804F9729
08:06:25:203 0396 IRP_MJ_QUERY_SECURITY : 804F9729
08:06:25:203 0396 IRP_MJ_SET_SECURITY : 804F9729
08:06:25:203 0396 IRP_MJ_POWER : F857AEF3
08:06:25:203 0396 IRP_MJ_SYSTEM_CONTROL : F857FA24
08:06:25:203 0396 IRP_MJ_DEVICE_CHANGE : 804F9729
08:06:25:203 0396 IRP_MJ_QUERY_QUOTA : 804F9729
08:06:25:203 0396 IRP_MJ_SET_QUOTA : 804F9729
08:06:25:234 0396 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:06:25:234 0396
08:06:25:234 0396 Driver Name: Disk
08:06:25:234 0396 IRP_MJ_CREATE : F857EC30
08:06:25:234 0396 IRP_MJ_CREATE_NAMED_PIPE : 804F9729
08:06:25:234 0396 IRP_MJ_CLOSE : F857EC30
08:06:25:234 0396 IRP_MJ_READ : F8578D9B
08:06:25:234 0396 IRP_MJ_WRITE : F8578D9B
08:06:25:234 0396 IRP_MJ_QUERY_INFORMATION : 804F9729
08:06:25:234 0396 IRP_MJ_SET_INFORMATION : 804F9729
08:06:25:234 0396 IRP_MJ_QUERY_EA : 804F9729
08:06:25:234 0396 IRP_MJ_SET_EA : 804F9729
08:06:25:234 0396 IRP_MJ_FLUSH_BUFFERS : F8579366
08:06:25:234 0396 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9729
08:06:25:234 0396 IRP_MJ_SET_VOLUME_INFORMATION : 804F9729
08:06:25:234 0396 IRP_MJ_DIRECTORY_CONTROL : 804F9729
08:06:25:234 0396 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9729
08:06:25:234 0396 IRP_MJ_DEVICE_CONTROL : F857944D
08:06:25:234 0396 IRP_MJ_INTERNAL_DEVICE_CONTROL : F857CFC3
08:06:25:234 0396 IRP_MJ_SHUTDOWN : F8579366
08:06:25:234 0396 IRP_MJ_LOCK_CONTROL : 804F9729
08:06:25:234 0396 IRP_MJ_CLEANUP : 804F9729
08:06:25:234 0396 IRP_MJ_CREATE_MAILSLOT : 804F9729
08:06:25:234 0396 IRP_MJ_QUERY_SECURITY : 804F9729
08:06:25:234 0396 IRP_MJ_SET_SECURITY : 804F9729
08:06:25:234 0396 IRP_MJ_POWER : F857AEF3
08:06:25:234 0396 IRP_MJ_SYSTEM_CONTROL : F857FA24
08:06:25:234 0396 IRP_MJ_DEVICE_CHANGE : 804F9729
08:06:25:234 0396 IRP_MJ_QUERY_QUOTA : 804F9729
08:06:25:234 0396 IRP_MJ_SET_QUOTA : 804F9729
08:06:25:234 0396 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:06:25:234 0396
08:06:25:234 0396 Driver Name: atapi
08:06:25:234 0396 IRP_MJ_CREATE : 8223CAC8
08:06:25:234 0396 IRP_MJ_CREATE_NAMED_PIPE : 8223CAC8
08:06:25:234 0396 IRP_MJ_CLOSE : 8223CAC8
08:06:25:234 0396 IRP_MJ_READ : 8223CAC8
08:06:25:234 0396 IRP_MJ_WRITE : 8223CAC8
08:06:25:234 0396 IRP_MJ_QUERY_INFORMATION : 8223CAC8
08:06:25:234 0396 IRP_MJ_SET_INFORMATION : 8223CAC8
08:06:25:234 0396 IRP_MJ_QUERY_EA : 8223CAC8
08:06:25:234 0396 IRP_MJ_SET_EA : 8223CAC8
08:06:25:234 0396 IRP_MJ_FLUSH_BUFFERS : 8223CAC8
08:06:25:234 0396 IRP_MJ_QUERY_VOLUME_INFORMATION : 8223CAC8
08:06:25:234 0396 IRP_MJ_SET_VOLUME_INFORMATION : 8223CAC8
08:06:25:234 0396 IRP_MJ_DIRECTORY_CONTROL : 8223CAC8
08:06:25:234 0396 IRP_MJ_FILE_SYSTEM_CONTROL : 8223CAC8
08:06:25:234 0396 IRP_MJ_DEVICE_CONTROL : 8223CAC8
08:06:25:234 0396 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8223CAC8
08:06:25:234 0396 IRP_MJ_SHUTDOWN : 8223CAC8
08:06:25:234 0396 IRP_MJ_LOCK_CONTROL : 8223CAC8
08:06:25:234 0396 IRP_MJ_CLEANUP : 8223CAC8
08:06:25:234 0396 IRP_MJ_CREATE_MAILSLOT : 8223CAC8
08:06:25:234 0396 IRP_MJ_QUERY_SECURITY : 8223CAC8
08:06:25:234 0396 IRP_MJ_SET_SECURITY : 8223CAC8
08:06:25:234 0396 IRP_MJ_POWER : 8223CAC8
08:06:25:234 0396 IRP_MJ_SYSTEM_CONTROL : 8223CAC8
08:06:25:234 0396 IRP_MJ_DEVICE_CHANGE : 8223CAC8
08:06:25:234 0396 IRP_MJ_QUERY_QUOTA : 8223CAC8
08:06:25:234 0396 IRP_MJ_SET_QUOTA : 8223CAC8
08:06:25:234 0396 Driver "atapi" infected by TDSS rootkit!
08:06:25:250 0396 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
08:06:25:250 0396 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
08:06:25:250 0396 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
08:06:25:265 0396 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
08:06:25:593 0396 vfvi6
08:06:25:750 0396 !dsvbh1
08:06:28:828 0396 dsvbh2
08:06:28:828 0396 fdfb2
08:06:28:828 0396 Backup copy found, using it..
08:06:28:921 0396 will be cured on next reboot
08:06:28:921 0396 Reboot required for cure complete..
08:06:28:953 0396 Cure on reboot scheduled successfully
08:06:28:953 0396
08:06:28:953 0396 Completed
08:06:28:953 0396
08:06:28:953 0396 Results:
08:06:28:953 0396 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
08:06:28:953 0396 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
08:06:28:953 0396 File objects infected / cured / cured on reboot: 1 / 0 / 1
08:06:28:953 0396
08:06:28:953 0396 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
08:06:28:953 0396 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
08:06:28:953 0396 UnloadDriverW: NtUnloadDriver error 1
08:06:28:968 0396 KLMD(ARK) unloaded successfully

Thanks!

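The atapi table in the log above is the pattern TDSSKiller reports: every IRP_MJ_* entry points to one address, 8223CAC8, which is also the address ComboFix listed earlier in this thread as >>UNKNOWN [0x8223CAC8]<< in the disk I/O call chain. The Python below is an added example, not TDSSKiller's or ComboFix's code: it parses a constructed excerpt of the posted log, flags any driver whose whole dispatch table collapses to a single address, and cross-checks that address against the ComboFix line (the function names are chosen here).

```python
import re
from collections import defaultdict

# Constructed excerpt of the TDSSKiller log posted above (Disk table abridged).
TDSSKILLER_LOG = """\
08:06:25:156 0396 Driver Name: Disk
08:06:25:156 0396 IRP_MJ_CREATE : F857EC30
08:06:25:156 0396 IRP_MJ_CREATE_NAMED_PIPE : 804F9729
08:06:25:156 0396 IRP_MJ_READ : F8578D9B
08:06:25:156 0396 IRP_MJ_SET_QUOTA : 804F9729
08:06:25:203 0396 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
08:06:25:234 0396 Driver Name: atapi
08:06:25:234 0396 IRP_MJ_CREATE : 8223CAC8
08:06:25:234 0396 IRP_MJ_CREATE_NAMED_PIPE : 8223CAC8
08:06:25:234 0396 IRP_MJ_READ : 8223CAC8
08:06:25:234 0396 IRP_MJ_SET_QUOTA : 8223CAC8
"""
# The matching line from the ComboFix log earlier in the thread.
COMBOFIX_LINE = ("called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS "
                 "disk.sys >>UNKNOWN [0x8223CAC8]<<")

DRIVER_RE = re.compile(r"Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")


def parse_dispatch_tables(log: str) -> dict:
    """Map driver name -> {IRP_MJ_*: handler address} from TDSSKiller output."""
    tables, current = defaultdict(dict), None
    for line in log.splitlines():
        if m := DRIVER_RE.search(line):
            current = m.group(1)
        elif current and (m := IRP_RE.search(line)):
            tables[current][m.group(1)] = m.group(2).upper()
    return dict(tables)


def uniform_dispatch_drivers(tables: dict) -> dict:
    """Drivers whose every major-function pointer is the same address.

    A normal table mixes the driver's own routines with the kernel's default
    handler for majors it does not implement (Disk uses three addresses here).
    One address for everything, IRP_MJ_SET_QUOTA included, means the table
    was overwritten to route all I/O through a single hook.
    """
    return {name: next(iter(t.values()))
            for name, t in tables.items() if len(set(t.values())) == 1}


def correlate_with_combofix(hooked: dict, combofix_line: str) -> dict:
    """True when a hook address is one ComboFix could not attribute to a module."""
    unknown = {a.upper().zfill(8) for a in UNKNOWN_RE.findall(combofix_line)}
    return {name: addr in unknown for name, addr in hooked.items()}


if __name__ == "__main__":
    hooked = uniform_dispatch_drivers(parse_dispatch_tables(TDSSKILLER_LOG))
    print(hooked)                                          # {'atapi': '8223CAC8'}
    print(correlate_with_combofix(hooked, COMBOFIX_LINE))  # {'atapi': True}
```

A tiny driver that legitimately registers one routine for every major function would also trip the uniform-table test, so treat it as a triage signal; the corroborating fact here is that the shared address resolves to no loaded module, which is what ComboFix's UNKNOWN tag records.
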
#9 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 April 2010 - 12:00 PM

Can you now run Gmer?

Also, have the HTTP Tidserv Requests now stopped?
m0le is a proud member of UNITE

#10 BDigital

  • Topic Starter
  • Members
  • 11 posts

Posted 16 April 2010 - 01:34 PM

Hi there,

I'm currently at work so I won't be able to try GMER until later this evening (on the U.S. East Coast) and I wasn't able to spend much time on my computer after I ran TDSSKiller but I'll let you know what I am experiencing (though it might be a day or two before I know for sure since my original issues were somewhat sporadic).

In the meantime, I just wanted to clarify one thing with GMER -- I've seen in other threads that some moderators specified specific boxes to be checked/unchecked in GMER. I didn't see any mentioned in your original reply so figured I'd ask if there is anything specific I should do or if I should just run it as is when it opens?

Thanks again for all your help thus far.

#11 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 April 2010 - 01:43 PM

Run it as it is. The reason they are specifying checkboxes is that some rootkits are blocking Gmer from running. Checking fewer boxes gives it more chance to work. If you have problems running it then please check only SECTIONS.
m0le is a proud member of UNITE

#12 BDigital

  • Topic Starter
  • Members
  • 11 posts

Posted 16 April 2010 - 08:50 PM

Hi there,

I was able to run GMER without any issues...the log is pasted below.

To answer your other question, I am still getting the HTTP Tidserv Requests from Norton.

GMER
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-16 21:34:32
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\BOBBYO~1\LOCALS~1\Temp\fxtdqpog.sys


---- System - GMER 1.0.15 ----

SSDT 821C35F8 ZwConnectPort
SSDT 82187B28 ZwDuplicateObject
SSDT 82114368 ZwOpenProcess
SSDT 82183228 ZwOpenThread

---- Kernel code sections - GMER 1.0.15 ----

? klmdb.sys The system cannot find the file specified. !
? tsk252.tmp The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\DRIVERS\cdrom.sys entry point in ".rsrc" section [0xF86A3194]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF80B0F80]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0097000A
.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0098000A
.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0096000C
.text C:\WINDOWS\System32\svchost.exe[1284] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 01AC000A
.text C:\WINDOWS\System32\svchost.exe[1284] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 01AB000A
.text C:\WINDOWS\Explorer.EXE[2028] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B5000A
.text C:\WINDOWS\Explorer.EXE[2028] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[2028] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B4000C
.text C:\WINDOWS\system32\wuauclt.exe[3016] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\wuauclt.exe[3016] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\wuauclt.exe[3016] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BE000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi \Device\Ide\IdePort0 tsk252.tmp
Device \Driver\atapi \Device\Ide\IdePort1 tsk252.tmp
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e tsk252.tmp

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fastfat \Fat BA7E4C8A

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8223EAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\cdrom.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

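GMER's "entry point in ".rsrc" section" line for cdrom.sys above records a check that needs nothing beyond the PE headers: AddressOfEntryPoint should resolve into an executable section, never into the resource section. The Python below is an added example, not GMER's code; it builds a constructed, header-only PE32 fixture (no real driver bytes) and applies that check, with build_pe, entry_point_section and suspicious_entry_point being names chosen here.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def entry_point_section(data: bytes):
    """Return (section name, is executable) for the section holding the entry point."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24                    # optional header follows the COFF header
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint
    sec_off = opt_off + opt_size               # section table follows the optional header
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, *_, flags = struct.unpack_from(
            SECTION_FMT, data, sec_off + 40 * i)
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            return name.rstrip(b"\0").decode(), bool(flags & IMAGE_SCN_MEM_EXECUTE)
    return None, False


def suspicious_entry_point(data: bytes) -> bool:
    """True when the entry point lies outside every executable section."""
    name, executable = entry_point_section(data)
    return name is None or not executable


def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed header-only PE32 fixture; sections = [(name, vaddr, vsize, flags)]."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    hdrs = b"".join(
        struct.pack(SECTION_FMT, n.encode().ljust(8, b"\0"), vs, va, vs, 0, 0, 0, 0, 0, f)
        for n, va, vs, f in sections)
    return dos + coff + opt + hdrs


# Constructed layout: a code section and a resource section (data, not executable).
LAYOUT = [(".text", 0x1000, 0x1000, 0x60000020), (".rsrc", 0x3000, 0x0800, 0x40000040)]
CLEAN_PE = build_pe(LAYOUT, 0x1100)     # entry point inside .text
HIJACKED_PE = build_pe(LAYOUT, 0x3194)  # entry point inside .rsrc, as GMER flagged for cdrom.sys

if __name__ == "__main__":
    print(entry_point_section(CLEAN_PE), suspicious_entry_point(CLEAN_PE))        # ('.text', True) False
    print(entry_point_section(HIJACKED_PE), suspicious_entry_point(HIJACKED_PE))  # ('.rsrc', False) True
```
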

#13 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 April 2010 - 04:25 AM

The rootkit has revealed itself now.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    cdrom.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
m0le is a proud member of UNITE

#14 BDigital

  • Topic Starter
  • Members
  • 11 posts

Posted 17 April 2010 - 10:09 AM

Here is my SystemLook log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:05 on 17/04/2010 by Bobby Orr (Administrator - Elevation successful)

========== filefind ==========

Searching for "cdrom.sys"
C:\i386\cdrom.sys --a--- 49536 bytes [00:00 12/07/2005] [10:00 04/08/2004] AF9C19B3100FE010496B1A27181FBF72
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\cdrom.sys --a--- 62976 bytes [22:18 16/08/2008] [18:40 13/04/2008] 1F4260CC5B42272D71F79E570A27A4FE
C:\WINDOWS\system32\drivers\cdrom.sys --a--- 49536 bytes [03:59 04/08/2004] [10:00 04/08/2004] AF9C19B3100FE010496B1A27181FBF72

-=End Of File=-

#15 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 April 2010 - 03:35 AM

Let's replace the infected file

We need to replace the infected file in the Recovery Environment


First we need to copy a clean file to replace the infected one.

Please do this:
  • Click on the Start button, then click on Run...

  • In the empty "Open:" box provided, type cmd and press Enter. This will launch a Command Prompt window (looks like DOS).

  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\i386\cdrom.sys C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.

  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
  • Exit the Command Prompt window.
Now we need to boot into the Recovery Environment:

Reboot your computer. Combofix should have installed the recovery console so this should already be available.

Follow the instructions here to start it

Next

Type cd system32\drivers and press Enter.
Type ren cdrom.sys cdrom.vir and press Enter.
Then type copy C:\cdrom.sys cdrom.sys and press Enter.
Now type exit and press Enter to reboot your computer into normal mode.


Please run Gmer and post the log.

Thanks
m0le is a proud member of UNITE



