
ave.exe and google search redirect


  • This topic is locked
47 replies to this topic

#1 FrostyJams

FrostyJams

  • Members
  • 24 posts
  • OFFLINE
  • Local time:07:24 AM

Posted 30 April 2010 - 07:18 PM

About two weeks ago I got infected with the ave.exe virus from surfing an untrusted website looking for slipstream information. I believe that it got in through either java or acrobat. My java was not up to date and there was some type of pdf trying to load when my virus scanner picked it up. I use Avanquest system suite 9 on my system for antivirus and firewall. Well when I saw what had happened I went into task manager and shut down ave.exe and removed it using "trojan_fakerean_exe_fix.reg" that I found on the web. I installed Malwarebytes and scanned everything to clear out about 10 more items and I now have the active protection running as well as my system suite 9. What I still have on my computer is the google search popups. I have watched it closely and something is trying to access the internet through IE7 so my firewall doesn't pick it up and go to web addresses registered in Russia. That's bad! Malwarebytes active protection is blocking those websites so I seem to have it contained, but it is still there and I am concerned that whatever this trojan is, it is trying to allow my personal information out. I could have reformatted in the time I have spent working on this but I want to get to the bottom of this. I currently have my My Documents folder on a separate hard drive and I want to make sure that it is not infected. My OS is XP pro SP3 and it is installed on its own C: drive, my data is stored on two separate drives D: and W: as well as my music on an external drive F:. I have run Hijack This, Adaware, Spybot S&D, Hitman Pro, Super Antispyware, TDSSKiller, TDL3 Razor and TDSS remover. Some have found things, and some have not, but I will now refer to the experts here for advice on how to run Combofix because I am not cool enough to decipher those results. My infected computer is currently disconnected from my network and I am using my laptop to transfer information via a USB stick.

Thanks for the effort you guys put in here for those of us in need of help.



DDS (Ver_10-03-17.01) - NTFSx86
Run by James at 21:39:21.83 on Wed 04/28/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2507 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask2.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\FreeMem Professional\Fmempro.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Smart Protector Pro\SmartProtector-Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\James\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = about:blank
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [FreeMem Pro] "c:\program files\freemem professional\Fmempro.exe" Startup
uRun: [IE New Window Maximizer] c:\program files\ie new window maximizer\iemaximizer.exe
uRun: [SPSTEALT] "c:\program files\smart protector pro\SmartProtector-Pro.exe" /stealt
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adsgon~1.lnk - c:\program files\adsgone\adsgone.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\point32.lnk - c:\program files\microsoft hardware\mouse\point32.exe
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244444994156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {3F8FB53D-440D-4865-9755-692DABB9BF9A} = 192.168.0.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-17 64288]
R0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [2010-4-19 50176]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-6-8 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-6-8 202928]
R2 KillTheHooker;KillTheHooker;c:\unzipped\tdl3 razor\tdl3 razor\TizerBruteForceEx.sys [2010-3-18 22320]
R2 SBAMSvc;SystemSuite;c:\program files\common files\antivirus\SBAMSvc.exe [2008-10-28 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-6-8 69168]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]
R3 KFilter;KFilter;c:\progra~1\avanqu~1\system~1\KFilter.sys [2008-11-20 60272]
R3 TFilter;TFilter;c:\progra~1\avanqu~1\system~1\TFilter.sys [2008-9-22 20225]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S2 SamSsUPS;Security Accounts Manager SamSsUPS; [x]
S2 ThemesWmdmPmSN;Themes ThemesWmdmPmSN; [x]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-6-8 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]
S3 gusvcDcomLaunch;Google Updater Service gusvcDcomLaunch; [x]
S3 klmd21;klmd21;c:\windows\system32\drivers\klmd.sys --> c:\windows\system32\drivers\klmd.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-17 20824]
S3 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-17 303952]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-4-11 14424]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [2010-4-17 176640]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 95024]

=============== Created Last 30 ================

2010-04-21 16:22:22 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-21 16:22:21 101888 ----a-w- c:\windows\system32\drivers\tsk4.tmp
2010-04-20 16:33:10 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-20 16:32:51 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-20 16:32:51 0 d-----w- c:\docume~1\james\applic~1\SUPERAntiSpyware.com
2010-04-20 00:16:04 0 d-----w- c:\program files\TEAMVIEWER
2010-04-20 00:16:04 0 d-----w- c:\docume~1\james\applic~1\TEAMVIEWER
2010-04-19 21:05:57 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-19 08:17:56 50176 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2010-04-19 07:44:10 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-19 07:40:09 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-19 07:39:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-19 07:39:50 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-19 07:09:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-19 07:09:10 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-19 04:42:58 0 d-----w- c:\docume~1\james\applic~1\Wireshark
2010-04-19 04:25:11 0 d-----w- c:\program files\WinPcap
2010-04-19 04:24:22 0 d-----w- c:\program files\Wireshark
2010-04-18 18:19:53 98816 ----a-w- c:\windows\sed.exe
2010-04-18 18:19:53 77312 ----a-w- c:\windows\MBR.exe
2010-04-18 18:19:53 261632 ----a-w- c:\windows\PEV.exe
2010-04-18 18:19:53 161792 ----a-w- c:\windows\SWREG.exe
2010-04-18 07:09:44 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-18 07:09:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-18 04:01:30 49664 ----a-w- c:\windows\unvise32.exe
2010-04-18 04:00:22 0 d-----w- c:\program files\Active Ports
2010-04-18 03:49:42 39424 ----a-w- c:\windows\zipinst.exe
2010-04-18 03:49:42 0 d-----w- c:\program files\WinUpdatesList
2010-04-18 02:59:31 0 d-----w- c:\program files\LIUtilities
2010-04-18 00:32:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-18 00:30:06 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-18 00:29:48 0 d-----w- c:\program files\Lavasoft
2010-04-17 22:26:18 0 d-----w- c:\windows\system32\appmgmt
2010-04-17 22:18:09 0 d-----w- c:\docume~1\james\applic~1\Malwarebytes
2010-04-17 22:17:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-17 22:17:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-17 22:17:19 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 22:17:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-17 21:52:15 0 d-----w- c:\windows\system32\MpEngineStore
2010-04-17 08:39:10 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-04-17 08:39:10 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-04-17 08:38:54 13824 ----a-r- c:\windows\system32\drivers\SaiMini.sys
2010-04-17 08:38:23 35200 ----a-r- c:\windows\system32\drivers\SaiBus.sys
2010-04-17 08:37:59 57344 ----a-w- c:\windows\system32\SAIGON.dll
2010-04-17 08:37:59 45056 ----a-w- c:\windows\system32\SAIKICK.dll
2010-04-17 08:37:30 0 d-----w- c:\program files\Saitek
2010-04-17 08:36:56 2138 ----a-w- c:\windows\system32\SaiC0464-05D3E222-AFEE-4DD3-A3C4-A8749209DA4B.pr0
2010-04-17 07:41:20 2066 ----a-w- c:\windows\system32\SaiC0464-1954454B-C49A-4B77-AA9A-4A83635302AD.pr0
2010-04-17 07:39:56 8704 ----a-r- c:\windows\system32\SaiC0464_0A.dll
2010-04-17 07:39:56 7168 ----a-r- c:\windows\system32\SaiC0464_10.dll
2010-04-17 07:39:56 7168 ----a-r- c:\windows\system32\SaiC0464_0C.dll
2010-04-17 07:39:56 7168 ----a-r- c:\windows\system32\SaiC0464_09.dll
2010-04-17 07:39:56 7168 ----a-r- c:\windows\system32\SaiC0464_07.dll
2010-04-17 07:39:56 688 ----a-r- c:\windows\system32\SaiD0464.pr0
2010-04-17 07:39:56 6144 ----a-r- c:\windows\system32\SaiC0464_0402.dll
2010-04-17 07:39:56 507904 ----a-r- c:\windows\system32\SaiC0464.Dll
2010-04-17 07:39:56 306 ----a-r- c:\windows\system32\SaiC0464.pr0
2010-04-17 07:39:56 2457600 ----a-r- c:\windows\system32\SaiD0464.Dll
2010-04-17 07:39:56 176640 ----a-r- c:\windows\system32\drivers\SaiH0464.sys
2010-04-12 23:55:05 0 d-----w- c:\program files\common files\WexTech Shared
2010-04-12 23:55:05 0 d-----w- c:\program files\common files\LHSPF
2010-04-12 23:54:18 0 d-----w- c:\program files\Intuit
2010-04-12 23:54:16 0 d-----w- c:\program files\common files\Intuit
2010-04-12 23:54:15 25088 ----a-w- c:\windows\system32\msxml3a.dll
2010-04-12 23:54:15 1694992 ----a-w- c:\windows\system32\vba6.dll
2010-04-12 23:54:15 1009136 ----a-w- c:\windows\system32\Mschrt20.ocx
2010-04-12 23:52:52 0 d-----w- c:\windows\Intuit
2010-04-11 21:45:01 0 d-----w- c:\program files\PeerBlock
2010-04-11 21:33:39 0 d-----w- c:\docume~1\james\applic~1\Shareaza
2010-04-11 21:33:33 0 d-----w- c:\program files\Shareaza
2010-04-10 20:37:22 0 ----a-w- c:\windows\system32\acelpdect.sys
2010-04-09 22:17:30 3317635 --sha-w- c:\windows\system32\6to4svce.sys

==================== Find3M ====================

2010-04-29 04:36:37 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-04-21 16:20:11 101888 ----a-w- c:\windows\system32\drivers\adpu160m.sys
2010-04-18 01:26:08 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-06-08 05:47:51 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009060720090608\index.dat

============= FINISH: 21:40:17.97 ===============

Attached Files
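A small triage script for the DDS log format posted above, added here as an example; it is not part of the thread or of any tool the thread mentions. It parses the "Created Last 30"/"Find3M" file entries and the "SERVICES / DRIVERS" entries and flags the lines a helper would look at first: hidden+system executables under the Windows directory, zero-byte drivers, and services whose image path is absent or whose file is reported missing. The flags are review hints, not verdicts; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass

# One "Created Last 30" / "Find3M" entry: date time size attrs path
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# One "SERVICES / DRIVERS" entry: R0/R1/R2/S3 name;display;image [date size]
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")

EXEC_EXT = (".sys", ".exe", ".dll")


@dataclass(frozen=True)
class Finding:
    item: str     # file path or service name
    reason: str   # why a reviewer should look at it


def parse_file_entry(line):
    """Return a dict for a file entry line, or None if the line is not one."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["size"] = int(d["size"])
    # DDS attribute string: 'd' directory, 'c' compressed, 's' system, 'h' hidden, 'a' archive
    d["is_dir"] = d["attrs"][0] == "d"
    d["hidden"] = "h" in d["attrs"]
    d["system"] = "s" in d["attrs"]
    return d


def parse_service_entry(line):
    """Return a dict for a service/driver entry line, or None if the line is not one."""
    m = SVC_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    img = d["image"].strip()
    # DDS prints "[x]" when the service has no image path, and "--> path [?]"
    # when the registered image file could not be found on disk.
    d["image_missing"] = img == "[x]" or "-->" in img
    return d


def triage_file(entry):
    """Reasons a file entry deserves a second look (hints, not verdicts)."""
    reasons = []
    if entry["is_dir"]:
        return reasons
    path = entry["path"].lower()
    is_exec = path.endswith(EXEC_EXT)
    if entry["hidden"] and entry["system"] and is_exec and "\\windows\\" in path:
        reasons.append("hidden+system executable under the Windows directory")
    if entry["size"] == 0 and is_exec:
        reasons.append("zero-byte executable/driver")
    return reasons


def triage_log(text):
    """Run both parsers over every line and collect findings in log order."""
    findings = []
    for line in text.splitlines():
        f = parse_file_entry(line)
        if f:
            for r in triage_file(f):
                findings.append(Finding(f["path"], r))
            continue
        s = parse_service_entry(line)
        if s and s["image_missing"]:
            findings.append(Finding(s["name"], "service registered without a usable image path"))
    return findings


# Sample input: lines copied from the log posted above (one normal driver
# entry and one hidden directory included so the no-flag cases are visible).
SAMPLE_LOG = """\
R2 SBAMSvc;SystemSuite;c:\\program files\\common files\\antivirus\\SBAMSvc.exe [2008-10-28 886056]
S2 SamSsUPS;Security Accounts Manager SamSsUPS; [x]
S3 klmd21;klmd21;c:\\windows\\system32\\drivers\\klmd.sys --> c:\\windows\\system32\\drivers\\klmd.sys [?]
2010-04-17 22:17:19 20824 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2010-04-18 00:30:06 0 dc-h--w- c:\\docume~1\\alluse~1\\applic~1\\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-10 20:37:22 0 ----a-w- c:\\windows\\system32\\acelpdect.sys
2010-04-09 22:17:30 3317635 --sha-w- c:\\windows\\system32\\6to4svce.sys
"""

if __name__ == "__main__":
    for fnd in triage_log(SAMPLE_LOG):
        print(f"{fnd.item}: {fnd.reason}")
```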




#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:24 AM

Posted 30 April 2010 - 08:32 PM

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if your topic has not been replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

Please make absolutely certain that all drives are connected during the entire cleanup process!!!!!!!!!!!

==========

You need to immunize your flash drive or you're going to infect your clean computer if you have not already.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

==========

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  6. Copy and Paste the following code into the textbox. Do not include the word "Code"


    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  7. Push
  8. A report will open. Copy and Paste that report in your next reply.
  9. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


==========

Your Gmer log looks really strange. Please do this then re-run Gmer and post the logs.

RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
  • It shall produce a log located at C:\RKill. Please copy and paste it into your next reply.

Now re-run Gmer.

==========

Reconnect to your network then......

* Go to start > Run copy/paste the contents of the code box excluding "code" in the run box and click OK.

CODE
cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt

A command window opens. Wait until a log.txt file opens.

* Please copy/paste the log file in your reply.

==========

With your next post please provide:

* OTL.txt
* Extra.txt
* RKill log
* Gmer log
* Internet connection log

Kind regards,
~t


Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 FrostyJams

FrostyJams
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:07:24 AM

Posted 30 April 2010 - 09:34 PM

Thanks thcbytes for taking this on,

I am running a new GMER scan now with the IAT/EAT box unchecked. When I reconnect the infected computer to my network to run the connection log you requested, do you want me to leave it connected afterwards? Without my antivirus and active antimalwarebytes running I am wide open to backdoor communication. I will post all the logs you requested when GMER is finished. Do you want them all pasted or just attached?

James

#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:24 AM

Posted 01 May 2010 - 08:28 AM

Let me get a look at all the logs except the internet connection log for now please.

#5 FrostyJams

FrostyJams
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:07:24 AM

Posted 01 May 2010 - 06:51 PM

So I nuked my laptop yesterday with that rkill.scr file. When I downloaded it to my laptop to transfer it to the USB stick I left a copy of it on my laptop. When I rebooted my laptop, an XP boot virus check started and then hung when it got to the "cleaning files" step. I could see the rkill.scr in the file list that it found. I manually powered it down and now it will not boot even in safe mode. I tried to run recovery console with an XP CD and it will not give me an option to repair, it doesn't even seem to see the existing XP installation to do a reinstall. Any ideas on this? I have been able to retrieve my data using Knoppix so I may just reinstall. Here are the logs.

Thanks again for your help

Attached Files



#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:24 AM

Posted 02 May 2010 - 09:45 AM

A few comments first.

I am a little confused. I wanted you to run FlashDisinfector on your flash drive from a clean computer. This would immunize your flash drive so as to not infect your clean computer with data transfer from the infected computer. I never asked you to run RKill on your clean computer. Nevertheless your notebook might have already been infected.

As per my intro....

QUOTE
I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.



I am happy to help you recover your notebook computer but only if you are willing to stop and follow my instructions.

I know it's hard as you would like to get it up and running ASAP but if you hang in there with me I can probably get you through this. Based on what you have done so far your notebook might be beyond help!

So this is what I propose.......

Notebook:

We need to create an OTL Report

After you have successfully burned the OTLPE ISO to disc, you will need to transfer the disc to the CD drive of your sick computer and boot from it.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • Please be patient as "Windows" loads
  • Your system should now display a REATOGO-X-PE desktop.
  • Double click on the icon on your desktop.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
    • Copy and Paste the following code into the textbox. Do not include the word "Code"

      Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.


      CODE
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %ALLUSERSPROFILE%\Application Data\*.
      %ALLUSERSPROFILE%\Application Data\*.exe /s
      %APPDATA%\*.
      %APPDATA%\*.exe /s
      %SYSTEMDRIVE%\*.exe
      /md5start
      userinit.exe
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      /md5stop
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      CREATERESTOREPOINT
    • Push
    • When finished, the file will be saved in drive C:\OTL.txt
    • Please post the contents of the C:\OTL.txt file in your next reply.
    • Copy this file to your USB drive if you do not have an internet connection.

==========

Desktop:

Again please be certain that all hard drives are connected to the computer before you begin!!!!!!!!!!!! Including your flash drive.

Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Will you abide by my requests?
* Please copy and paste all logs unless otherwise instructed
* If we are going to clean both of your computers then it can become very confusing, so please be certain to clearly mark and identify logs and discussions relative to which computer you're discussing
* Notebook: OTL.txt
* Desktop: Combofix.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#7 FrostyJams

FrostyJams
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:24 AM

Posted 03 May 2010 - 12:48 AM

thcbytes,

There seems to be some confusion here, and after re-reading my last post, I can see that I was not very clear about what actually happened. I have not done or run anything on either my laptop or desktop that you have not requested me to. Here is a step by step of what happened. I downloaded the files and copied the text that you requested onto my laptop. I ran FlashDisinfector on my laptop and followed the prompts to insert my USB drive. All went well. I then dragged the files onto the USB drive, but when you do that it copies them, not transfers them, so the originals were still on my laptop. I did not ever run any of the files on my laptop. I pulled the USB drive and plugged it into my desktop and transferred those files to it and ran the scans you requested. I was unsure about the network test and sent you a reply to find out how to proceed. I did not plug the USB drive back into my laptop. When I rebooted my laptop later that day XP started a blue screen boot virus scan on its own before windows started up, and when it finished it got hung on the cleaning step. On the hung screen I saw the filepath for rkill.scr, so that is why I suspected that it was the cause for the boot scan in the first place. I have not seen anything that led me to believe my laptop was infected, and I have run malwarebytes and my avanquest antivirus on it a few times since my desktop got infected and there have been no signs of infection from either of those programs. I am not opposed to reformatting because I have a few other OS problems with it, but I want to make sure that the data I have retrieved from it is not infected. The backup data is currently on a 500 gig USB drive that I cleared before backing up. I have not plugged it into another computer yet. Will FlashDisinfector work on a drive that large, and will it detect what we are looking for on my desktop? We don't even know what that is yet.

I have two other computers that I can work on so I am not in a hurry, and you have been great in replying daily so I feel that we are making good progress. I would like to figure out my desktop first to keep confusion down to a minimum, but I will run the scans on my laptop if you feel that it will help track down the problem. Let me know about the laptop. I tried to download the renamed combofix to my USB drive and transfer it to the desktop and it would not run. I then reconnected the desktop to the internet and downloaded it directly as per your instructions. It ran fine and installed the recovery console; I then disconnected the LAN and let it finish running. Here is the log.

I am clear about the copy and paste thing now, sorry for my misunderstanding.

Thanks again,

James

ComboFix 10-05-02.01 - James 05/02/2010 20:52:59.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2430 [GMT -7:00]
Running from: c:\documents and settings\James\Desktop\thcbytes.exe
.

((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
.

2010-04-21 16:22 . 2010-04-21 16:22 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-20 16:33 . 2010-04-20 16:33 52224 ----a-w- c:\documents and settings\James\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-20 16:33 . 2010-04-20 16:33 117760 ----a-w- c:\documents and settings\James\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-20 16:33 . 2010-04-20 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-20 16:32 . 2010-04-20 16:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-20 16:32 . 2010-04-20 16:32 -------- d-----w- c:\documents and settings\James\Application Data\SUPERAntiSpyware.com
2010-04-20 00:16 . 2010-04-20 00:16 -------- d-----w- c:\program files\TEAMVIEWER
2010-04-20 00:16 . 2010-04-20 00:16 -------- d-----w- c:\documents and settings\James\Application Data\TEAMVIEWER
2010-04-19 21:05 . 2010-04-18 01:26 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-19 08:17 . 2010-04-19 18:44 50176 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2010-04-19 07:44 . 2010-04-19 07:44 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-19 07:40 . 2010-04-19 07:45 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-19 07:39 . 2010-04-19 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-19 07:39 . 2010-04-19 07:39 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-19 07:09 . 2010-04-19 07:09 -------- d-----w- c:\windows\Sun
2010-04-19 07:09 . 2010-04-19 07:09 -------- d-----w- c:\program files\Common Files\Java
2010-04-19 07:09 . 2010-04-19 07:09 503808 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1ae2522c-n\msvcp71.dll
2010-04-19 07:09 . 2010-04-19 07:09 499712 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1ae2522c-n\jmc.dll
2010-04-19 07:09 . 2010-04-19 07:09 348160 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1ae2522c-n\msvcr71.dll
2010-04-19 07:09 . 2010-04-19 07:09 61440 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2e28809a-n\decora-sse.dll
2010-04-19 07:09 . 2010-04-19 07:09 12800 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2e28809a-n\decora-d3d.dll
2010-04-19 07:09 . 2010-04-19 07:08 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-19 07:08 . 2010-04-19 07:08 -------- d-----w- c:\program files\Java
2010-04-19 04:42 . 2010-04-19 04:42 -------- d-----w- c:\documents and settings\James\Application Data\Wireshark
2010-04-19 04:25 . 2010-04-19 04:25 -------- d-----w- c:\program files\WinPcap
2010-04-19 04:24 . 2010-04-19 04:25 -------- d-----w- c:\program files\Wireshark
2010-04-18 07:09 . 2010-04-18 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-18 07:09 . 2010-04-18 07:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-18 04:01 . 1999-12-17 17:13 49664 ----a-w- c:\windows\unvise32.exe
2010-04-18 04:00 . 2010-04-18 04:01 -------- d-----w- c:\program files\Active Ports
2010-04-18 03:49 . 2010-04-18 04:35 -------- d-----w- c:\program files\WinUpdatesList
2010-04-18 03:49 . 2010-04-18 03:49 39424 ----a-w- c:\windows\zipinst.exe
2010-04-18 02:59 . 2010-04-18 02:59 9728 ----a-r- c:\documents and settings\James\Application Data\Microsoft\Installer\{8C92D38B-C1DE-490A-B6D1-AAAA8E17DCE2}\Icon8C92D38B.exe
2010-04-18 02:59 . 2010-04-18 02:59 -------- d-----w- c:\program files\LIUtilities
2010-04-18 01:25 . 2010-04-18 01:25 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-04-18 01:25 . 2010-04-18 01:25 329560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-04-18 01:25 . 2010-04-18 01:25 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-04-18 01:25 . 2010-04-18 01:25 966104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-18 01:25 . 2010-04-18 01:25 849744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-04-18 01:25 . 2010-04-18 01:25 855864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-04-18 01:25 . 2010-04-18 01:25 1597952 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-04-18 01:25 . 2010-04-18 01:25 818256 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-04-18 01:25 . 2010-04-18 01:25 1265264 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-04-18 00:32 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-18 00:30 . 2010-04-19 21:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-18 00:30 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-04-18 00:29 . 2010-04-18 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-18 00:29 . 2010-04-18 00:30 -------- d-----w- c:\program files\Lavasoft
2010-04-17 22:36 . 2010-04-17 22:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-17 22:18 . 2010-04-17 22:18 -------- d-----w- c:\documents and settings\James\Application Data\Malwarebytes
2010-04-17 22:17 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-17 22:17 . 2010-04-17 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-17 22:17 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 22:17 . 2010-04-18 08:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-17 21:52 . 2010-04-18 01:13 -------- d-----w- c:\windows\system32\MpEngineStore
2010-04-17 08:39 . 2008-04-14 14:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-04-17 08:39 . 2008-04-14 14:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-04-17 08:38 . 2005-12-22 10:54 13824 ----a-r- c:\windows\system32\drivers\SaiMini.sys
2010-04-17 08:38 . 2005-12-22 10:54 35200 ----a-r- c:\windows\system32\drivers\SaiBus.sys
2010-04-17 08:37 . 2005-11-03 18:09 57344 ----a-w- c:\windows\system32\SAIGON.dll
2010-04-17 08:37 . 2005-10-18 21:31 45056 ----a-w- c:\windows\system32\SAIKICK.dll
2010-04-17 08:37 . 2010-04-17 22:29 -------- d-----w- c:\program files\Saitek
2010-04-17 07:39 . 2005-12-22 10:54 7168 ----a-r- c:\windows\system32\SaiC0464_10.dll
2010-04-17 07:39 . 2005-12-22 10:54 7168 ----a-r- c:\windows\system32\SaiC0464_0C.dll
2010-04-17 07:39 . 2005-12-22 10:54 2457600 ----a-r- c:\windows\system32\SaiD0464.Dll
2010-04-17 07:39 . 2005-12-22 10:54 176640 ----a-r- c:\windows\system32\drivers\SaiH0464.sys
2010-04-17 07:39 . 2005-12-22 10:54 8704 ----a-r- c:\windows\system32\SaiC0464_0A.dll
2010-04-17 07:39 . 2005-12-22 10:54 7168 ----a-r- c:\windows\system32\SaiC0464_09.dll
2010-04-17 07:39 . 2005-12-22 10:54 7168 ----a-r- c:\windows\system32\SaiC0464_07.dll
2010-04-17 07:39 . 2005-12-22 10:54 6144 ----a-r- c:\windows\system32\SaiC0464_0402.dll
2010-04-17 07:39 . 2005-12-22 10:54 507904 ----a-r- c:\windows\system32\SaiC0464.Dll
2010-04-12 23:54 . 2010-04-12 23:54 -------- d-----w- c:\program files\Intuit
2010-04-12 23:54 . 2010-04-12 23:55 -------- d-----w- c:\program files\Common Files\Intuit
2010-04-12 23:54 . 2000-10-20 08:05 25088 ----a-w- c:\windows\system32\msxml3a.dll
2010-04-12 23:54 . 1999-05-10 07:00 1694992 ----a-w- c:\windows\system32\vba6.dll
2010-04-12 23:52 . 2010-04-12 23:52 -------- d-----w- c:\windows\Intuit
2010-04-11 21:45 . 2010-04-11 23:52 -------- d-----w- c:\program files\PeerBlock
2010-04-11 21:34 . 2010-04-11 21:34 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\Shareaza
2010-04-11 21:33 . 2010-04-11 21:34 -------- d-----w- c:\documents and settings\James\Application Data\Shareaza
2010-04-11 21:33 . 2010-04-18 06:41 -------- d-----w- c:\program files\Shareaza
2010-04-10 20:37 . 2010-04-13 16:46 0 ----a-w- c:\windows\system32\acelpdect.sys
2010-04-09 22:17 . 2010-04-13 18:32 3317635 --sha-w- c:\windows\system32\6to4svce.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 04:08 . 2008-04-14 07:01 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-05-03 03:05 . 2010-01-03 05:35 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-04-21 16:22 . 2010-04-21 16:22 101888 ----a-w- c:\windows\system32\drivers\tsk4.tmp
2010-04-21 16:20 . 2003-03-31 12:00 101888 ----a-w- c:\windows\system32\drivers\adpu160m.sys
2010-04-20 16:32 . 2009-06-08 22:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-18 08:45 . 2009-10-24 23:38 -------- d-----w- c:\program files\AdsGone
2010-04-18 05:28 . 2009-06-08 07:04 20128 ----a-w- c:\documents and settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-17 22:29 . 2009-06-08 06:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-17 22:28 . 2009-11-28 07:23 -------- d-----w- c:\program files\Ray Adams
2010-04-13 03:10 . 2010-04-12 23:55 -------- d-----w- c:\program files\Common Files\WexTech Shared
2010-04-12 23:55 . 2010-04-12 23:55 2232 ----a-w- c:\windows\java\Packages\Data\ATZNTRNZ.DAT
2010-04-12 23:55 . 2010-04-12 23:55 155995 ----a-w- c:\windows\java\Packages\FB9JZJ5R.ZIP
2010-04-12 23:55 . 2010-04-12 23:55 2678 ----a-w- c:\windows\java\Packages\Data\UAN9FXNL.DAT
2010-04-12 23:55 . 2010-04-12 23:55 2678 ----a-w- c:\windows\java\Packages\Data\VTB3TBH7.DAT
2010-04-12 23:55 . 2010-04-12 23:55 2678 ----a-w- c:\windows\java\Packages\Data\QEHVXJT7.DAT
2010-04-12 23:55 . 2010-04-12 23:55 2678 ----a-w- c:\windows\java\Packages\Data\PF5ZNFDZ.DAT
2010-04-12 23:55 . 2010-04-12 23:55 2678 ----a-w- c:\windows\java\Packages\Data\BXNL777J.DAT
2010-04-12 23:55 . 2010-04-12 23:55 -------- d-----w- c:\program files\Common Files\LHSPF
2010-03-27 20:37 . 2010-03-27 20:36 -------- d-----w- c:\documents and settings\James\Application Data\Microsoft Games
2010-03-27 20:34 . 2010-03-27 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Games
2010-03-27 20:30 . 2010-02-11 04:02 -------- d-----w- c:\program files\Microsoft Games
2010-03-17 00:29 . 2010-03-17 00:29 -------- d-----w- c:\documents and settings\James\Application Data\U3
2010-03-11 12:38 . 2009-06-06 00:49 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-06-06 00:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2009-06-06 00:48 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-04-14 12:42 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2008-04-14 07:47 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2008-04-14 07:54 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 07:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-14 12:41 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 07:30 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

------- Sigcheck -------

[-] 2009-06-08 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe


[-] 2009-06-06 . 366476EFD3098809F23752AA30BD7F0C . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-04-18_18.27.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-02 21:19 . 2010-05-02 21:19 16384 c:\windows\temp\Perflib_Perfdata_760.dat
+ 2009-10-20 18:19 . 2009-10-20 18:19 53299 c:\windows\system32\pthreadVC.dll
+ 2009-10-20 18:19 . 2009-10-20 18:19 50704 c:\windows\system32\drivers\npf.sys
- 2008-04-14 07:01 . 2010-04-18 08:49 36352 c:\windows\system32\dllcache\intelppm.sys
+ 2008-04-14 07:01 . 2010-05-03 04:08 36352 c:\windows\system32\dllcache\intelppm.sys
+ 2009-06-08 05:47 . 2010-04-19 05:37 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-08 05:47 . 2010-04-18 01:26 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-08 05:47 . 2010-04-19 05:37 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-08 05:47 . 2010-04-18 01:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-04-19 05:36 . 2010-04-19 05:37 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-06-08 05:47 . 2010-04-18 01:26 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-04-20 16:33 . 2010-04-20 16:33 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2010-04-20 16:33 . 2010-04-20 16:33 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2010-04-20 16:33 . 2010-04-20 16:33 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2009-10-20 18:19 . 2009-10-20 18:19 281104 c:\windows\system32\wpcap.dll
+ 2009-10-20 18:19 . 2009-10-20 18:19 100880 c:\windows\system32\Packet.dll
+ 2010-04-19 07:09 . 2010-04-19 07:08 153376 c:\windows\system32\javaws.exe
+ 2010-04-19 07:09 . 2010-04-19 07:08 145184 c:\windows\system32\javaw.exe
+ 2010-04-19 07:09 . 2010-04-19 07:08 145184 c:\windows\system32\java.exe
+ 2009-09-09 22:40 . 2009-09-09 22:40 632320 c:\windows\Installer\59392.msp
+ 2010-04-19 07:09 . 2010-04-19 07:09 180224 c:\windows\Installer\58833a.msi
+ 2010-04-19 07:08 . 2010-04-19 07:08 576000 c:\windows\Installer\588332.msi
+ 2009-06-08 07:04 . 2009-06-08 07:04 1488688 c:\windows\system32\muBlinder_ValBackup.dll
+ 2009-06-08 07:04 . 2010-04-19 04:56 1488688 c:\windows\system32\LegitCheckControl.DLL
- 2009-06-08 07:04 . 2009-06-08 07:04 1488688 c:\windows\system32\LegitCheckControl.DLL
+ 2010-03-11 19:03 . 2010-03-11 19:03 5524480 c:\windows\Installer\6b20c.msp
+ 2009-12-17 05:58 . 2009-12-17 05:58 5382144 c:\windows\Installer\6b207.msp
+ 2010-01-20 01:29 . 2010-01-20 01:29 5050368 c:\windows\Installer\6b202.msp
+ 2010-03-12 04:16 . 2010-03-12 04:16 4148224 c:\windows\Installer\6b1fd.msp
+ 2010-03-12 04:16 . 2010-03-12 04:16 4148224 c:\windows\Installer\593ab.msp
+ 2010-03-11 19:03 . 2010-03-11 19:03 5524480 c:\windows\Installer\593a6.msp
+ 2010-01-28 00:53 . 2010-01-28 00:53 6820864 c:\windows\Installer\593a1.msp
+ 2010-01-20 01:29 . 2010-01-20 01:29 5050368 c:\windows\Installer\5939c.msp
+ 2009-12-17 05:58 . 2009-12-17 05:58 5382144 c:\windows\Installer\59397.msp
+ 2009-10-07 01:40 . 2009-10-07 01:40 7681024 c:\windows\Installer\5938d.msp
+ 2010-04-20 16:32 . 2010-04-20 16:32 1583616 c:\windows\Installer\178fcf.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeMem Pro"="c:\program files\FreeMem Professional\Fmempro.exe" [2000-03-27 428544]
"IE New Window Maximizer"="c:\program files\IE New Window Maximizer\iemaximizer.exe" [2005-02-09 356352]
"SPSTEALT"="c:\program files\Smart Protector Pro\SmartProtector-Pro.exe" [2005-02-02 1937408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-01-09 65536]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-30 61440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-30 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"_nltide_3"="advpack.dll" [2010-03-11 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2009-10-24 295606]
AdsGone 2006.lnk - c:\program files\AdsGone\adsgone.exe [2005-10-18 1372160]
Point32.lnk - c:\program files\Microsoft Hardware\Mouse\point32.exe [2001-5-9 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/17/2010 5:32 PM 64288]
R0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [4/19/2010 1:17 AM 50176]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [6/8/2009 3:47 PM 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [6/8/2009 3:47 PM 202928]
R2 KillTheHooker;KillTheHooker;c:\unzipped\TDL3 Razor\TDL3 Razor\TizerBruteForceEx.sys [3/18/2010 4:50 PM 22320]
R2 SBAMSvc;SystemSuite;c:\program files\Common Files\AntiVirus\SBAMSvc.exe [10/28/2008 4:28 PM 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [6/8/2009 3:47 PM 69168]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296]
R3 KFilter;KFilter;c:\progra~1\AVANQU~1\SYSTEM~1\KFilter.sys [11/20/2008 1:56 PM 60272]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/17/2010 3:17 PM 20824]
R3 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/17/2010 3:17 PM 303952]
R3 TFilter;TFilter;c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys [9/22/2008 4:21 PM 20225]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S2 SamSsUPS;Security Accounts Manager SamSsUPS; [x]
S2 ThemesWmdmPmSN;Themes ThemesWmdmPmSN; [x]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [6/8/2009 3:38 PM 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296]
S3 gusvcDcomLaunch;Google Updater Service gusvcDcomLaunch; [x]
S3 klmd21;klmd21;c:\windows\system32\drivers\klmd.sys --> c:\windows\system32\drivers\klmd.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1265264]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 11:19 AM 50704]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [4/11/2010 2:45 PM 14424]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [4/17/2010 12:39 AM 176640]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/23/2008 4:09 AM 95024]
.
Contents of the 'Scheduled Tasks' folder

2010-04-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 01:25]

2010-05-03 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2010-04-18 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
TCP: {3F8FB53D-440D-4865-9755-692DABB9BF9A} = 192.168.0.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmd21.sys
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-02 21:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\James\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\James\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(960)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(472)
c:\windows\system32\WININET.dll
c:\progra~1\AVANQU~1\SYSTEM~1\WinHook.dll
c:\program files\Smart Protector Pro\sphook.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-05-02 21:13:06
ComboFix-quarantined-files.txt 2010-05-03 04:12
ComboFix2.txt 2010-04-18 18:32

Pre-Run: 32,681,537,536 bytes free
Post-Run: 32,695,730,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 19B8947951EBD6A10684B0DF7842423A
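The ComboFix log above lists each file by created/modified time, size, attribute flags and path, followed by service entries and Sigcheck lines. As an added triage example (not part of this thread or of ComboFix itself), the Python below parses those three line formats and flags the patterns a helper reads for first: hidden+system files under system32, zero-byte drivers, temporary files in the drivers directory, services with no image on disk, and Sigcheck entries marked [-]. The sample lines are copied from the log above; the flags are review prompts, not verdicts, and any real log should still be read by a helper.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# "Files Created" / "Find3M" entry, e.g.
#   2010-04-09 22:17 . 2010-04-13 18:32 3317635 --sha-w- c:\windows\system32\6to4svce.sys
# Directories show eight dashes in place of a size.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Service/driver entry: "<state> <name>;<display>;<image path> [<date size>]",
# where "[x]" in the bracket means ComboFix found no image file on disk.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*"
    r"\[(?P<info>[^\]]*)\]\s*$"
)

# Sigcheck entry: "[-] <date> . <md5> . <size> . . [<version>] . . <path>"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[-+\w])\] (?P<date>\S+) \. (?P<md5>[0-9A-Fa-f]{32}) \. "
    r"(?P<size>\d+) \. \. \[(?P<ver>[^\]]*)\] \. \. (?P<path>.+)$"
)


@dataclass
class Finding:
    path: str      # file path or service name the heuristic fired on
    reason: str    # which heuristic matched
    line: str      # the original log line, for the reply


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when one log line matches a review heuristic, else None."""
    line = line.strip()

    m = FILE_RE.match(line)
    if m:
        attrs, size, path = m["attrs"], m["size"], m["path"]
        low = path.lower()
        # attribute string positions carry s (system) and h (hidden) letters
        if "s" in attrs and "h" in attrs and "\\system32\\" in low:
            return Finding(path, "hidden+system attributes on a file under system32", line)
        if size == "0" and low.endswith(".sys"):
            return Finding(path, "zero-byte driver file", line)
        if "\\drivers\\" in low and low.endswith(".tmp"):
            return Finding(path, "temporary file inside the drivers directory", line)
        return None

    m = SERVICE_RE.match(line)
    if m and m["info"].strip() == "x":
        return Finding(m["name"], "registered service with no image on disk", line)

    m = SIGCHECK_RE.match(line)
    if m and m["flag"] == "-":
        return Finding(m["path"], "Sigcheck entry marked [-]", line)

    return None


def triage(log_lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over every line and keep only the hits, in log order."""
    return [f for f in (triage_line(l) for l in log_lines) if f is not None]


# Lines copied from the ComboFix log posted above (not a complete log).
SAMPLE_LOG_LINES = [
    r"2010-04-21 16:22 . 2010-04-21 16:22 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys",
    r"2010-04-10 20:37 . 2010-04-13 16:46 0 ----a-w- c:\windows\system32\acelpdect.sys",
    r"2010-04-09 22:17 . 2010-04-13 18:32 3317635 --sha-w- c:\windows\system32\6to4svce.sys",
    r"2010-04-21 16:22 . 2010-04-21 16:22 101888 ----a-w- c:\windows\system32\drivers\tsk4.tmp",
    r"[-] 2009-06-08 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe",
    r"R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/17/2010 5:32 PM 64288]",
    r"S2 SamSsUPS;Security Accounts Manager SamSsUPS; [x]",
    r"S2 ThemesWmdmPmSN;Themes ThemesWmdmPmSN; [x]",
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        print(f"{f.reason}: {f.path}")
```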


#8 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 AM

Posted 03 May 2010 - 07:52 AM

Thanks for the detailed feedback.

Now I understand.

No. I don't think that laptop will aid in the repair of the desktop. So if your desire is to nuke and pave please do so and let me know if you need any help. In regards to the big external drive that contained the data from your laptop. There is no need to run flashdisinfector on it. Simply plug it into your sick desktop so it can be part of the cleaning process.

If you would like to salvage the laptop then I can help you. I bet it is malware related.

So for now I will assume that you're going to format the laptop. Let's get back to the desktop. Make sure all drives are connected!!

==========

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

==========

Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste all of the text in the quotebox below (including the hyperlink if present) into it:

4. Combofix might upload a few suspicious files. Please allow this!!

QUOTE
http://www.bleepingcomputer.com/forums/t/313877/aveexe-and-google-search-redirect/

Collect::
c:\windows\system32\drivers\tsk4.tmp

Suspect::[89]
c:\windows\system32\drivers\klmdb.sys
c:\windows\system32\drivers\rk_remover.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

We Need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  3. Open on your desktop.
  4. Click the tab.
  5. Click the button.
  6. Check all seven boxes:
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

==========

We need to run an OTL Custom Scan
  1. Please reopen on your desktop. Select "None"
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    /md5start
    winlogon.exe
    sfcfiles.dll
    wscntfy.exe
    atapi.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  3. Push
  4. A report will open. Copy and Paste that report in your next reply.

==========

With your next post please provide:

* Combofix.txt
* RootRepeal.txt
* OTL.txt
* What problems currently remain?

Kind regards,
~t


Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
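As an added illustration of what the /md5start block in the OTL script is for (example code, not OTL's or ComboFix's own): on Windows XP a protected system file also has a copy under %SystemRoot%\system32\dllcache, so a live copy whose MD5 differs from the cached one, or a live copy that is missing, is exactly the condition ComboFix's Sigcheck section reports. The sample byte strings are constructed; the on-disk scan function assumes the default C:\WINDOWS layout.

```python
import hashlib
import os

# Files the OTL /md5start block hashes. atapi.sys is on the list because the
# TDL3 family patches that driver in place; the others are common targets too.
WATCHED_FILES = ["winlogon.exe", "sfcfiles.dll", "wscntfy.exe", "atapi.sys"]

# Where the live copy lives relative to %SystemRoot%; dllcache holds all four.
LIVE_SUBDIR = {
    "winlogon.exe": r"system32",
    "sfcfiles.dll": r"system32",
    "wscntfy.exe": r"system32",
    "atapi.sys": r"system32\drivers",
}


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string as lowercase hex, the form OTL and ComboFix print."""
    return hashlib.md5(data).hexdigest()


def compare_copies(system32: dict, dllcache: dict) -> dict:
    """Cross-check each watched file's live copy against its dllcache copy.

    Both arguments map file name -> file bytes, or None when the file is absent.
    Returns name -> 'ok', 'PATCHED' (hashes differ), 'MISSING' (no live copy)
    or 'NO_CACHE_COPY' (nothing to compare against).
    """
    report = {}
    for name in WATCHED_FILES:
        live = system32.get(name)
        cached = dllcache.get(name)
        if live is None:
            report[name] = "MISSING"
        elif cached is None:
            report[name] = "NO_CACHE_COPY"
        elif md5_hex(live) == md5_hex(cached):
            report[name] = "ok"
        else:
            report[name] = "PATCHED"
    return report


def _read_or_none(path: str):
    """Return file bytes, or None if the file does not exist."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def scan_systemroot(systemroot: str = r"C:\WINDOWS") -> dict:
    """Run the cross-check against a real XP installation (hypothetical path)."""
    live = {
        name: _read_or_none(os.path.join(systemroot, LIVE_SUBDIR[name], name))
        for name in WATCHED_FILES
    }
    cache_dir = os.path.join(systemroot, "system32", "dllcache")
    cached = {
        name: _read_or_none(os.path.join(cache_dir, name))
        for name in WATCHED_FILES
    }
    return compare_copies(live, cached)


# Constructed sample mirroring the log in this thread: winlogon.exe and
# sfcfiles.dll no longer match their cached copies, wscntfy.exe is gone,
# and atapi.sys still matches.
SAMPLE_DLLCACHE = {
    "winlogon.exe": b"MZ...clean winlogon...",
    "sfcfiles.dll": b"MZ...clean sfcfiles...",
    "wscntfy.exe": b"MZ...clean wscntfy...",
    "atapi.sys": b"MZ...clean atapi...",
}
SAMPLE_SYSTEM32 = {
    "winlogon.exe": b"MZ...clean winlogon...PATCH",
    "sfcfiles.dll": b"MZ...clean sfcfiles...PATCH",
    "wscntfy.exe": None,
    "atapi.sys": b"MZ...clean atapi...",
}

if __name__ == "__main__":
    for name, status in compare_copies(SAMPLE_SYSTEM32, SAMPLE_DLLCACHE).items():
        print(f"{name:14s} {status}")
```

A rootkit that filters reads of the file it patched can hand back clean bytes to this check, which is why the helper pairs the hash list with a dedicated rootkit scanner rather than relying on hashes alone.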

#9 FrostyJams

FrostyJams
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:07:24 AM

Posted 05 May 2010 - 11:21 PM

thcbytes,

Sorry for the delay in replying, I have been trying to get Root Repeal to run for two days with no luck. I ran Combofix with the script that you gave me and in the process of running it said that there was an update available and it downloaded something and re-ran itself. I don't know if that is normal. There was some process that had a name with a bunch of x's in it asking to get past my firewall two different times during the scan. I suspected that it was the files that you said it would upload so I let them through. Root Repeal will not run on my computer; it allows me to open it and set the settings you specified, but when I press "scan" it makes it through the "drivers" section and then when it gets to the "files" section it says "initializing please wait" and it hangs. My mouse still moves but it does not allow me to press anything including the Start menu; I can't even get the Task Manager up to end the process. I have to hard power the system down to get control again. I tried to run it in safe mode and it did the same thing. I even left it running for around 7 hours to see if it was just busy and that didn't work either. So I ran OTL and that went fine. I am still getting redirects and my computer is trying to access web addresses in various countries. Here are some of the IPs, 85.12.46.158, 208.87.33.151, 94.228.209.202, if that helps.

Thanks again, James


ComboFix 10-05-03.03 - James 05/03/2010 16:13:54.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2542 [GMT -7:00]
Running from: c:\documents and settings\James\Desktop\thcbytes.exe
Command switches used :: c:\documents and settings\James\Desktop\CFScript.txt.txt

file zipped: c:\windows\system32\drivers\tsk4.tmp
file zipped: c:\windows\system32\drivers\klmdb.sys
file zipped: c:\windows\system32\drivers\rk_remover.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\tsk4.tmp
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GUSVCDCOMLAUNCH
-------\Service_gusvcDcomLaunch


((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
.

2010-04-21 16:22 . 2010-04-21 16:22 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-20 16:33 . 2010-04-20 16:33 52224 ----a-w- c:\documents and settings\James\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-20 16:33 . 2010-04-20 16:33 117760 ----a-w- c:\documents and settings\James\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-20 16:33 . 2010-04-20 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-20 16:32 . 2010-04-20 16:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-20 16:32 . 2010-04-20 16:32 -------- d-----w- c:\documents and settings\James\Application Data\SUPERAntiSpyware.com
2010-04-20 00:16 . 2010-04-20 00:16 -------- d-----w- c:\program files\TEAMVIEWER
2010-04-20 00:16 . 2010-04-20 00:16 -------- d-----w- c:\documents and settings\James\Application Data\TEAMVIEWER
2010-04-19 21:05 . 2010-04-18 01:26 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-19 08:17 . 2010-04-19 18:44 50176 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2010-04-19 07:44 . 2010-04-19 07:44 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-19 07:40 . 2010-04-19 07:45 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-19 07:39 . 2010-04-19 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-19 07:39 . 2010-04-19 07:39 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-19 07:09 . 2010-04-19 07:09 -------- d-----w- c:\windows\Sun
2010-04-19 07:09 . 2010-04-19 07:09 -------- d-----w- c:\program files\Common Files\Java
2010-04-19 07:09 . 2010-04-19 07:09 503808 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1ae2522c-n\msvcp71.dll
2010-04-19 07:09 . 2010-04-19 07:09 499712 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1ae2522c-n\jmc.dll
2010-04-19 07:09 . 2010-04-19 07:09 348160 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1ae2522c-n\msvcr71.dll
2010-04-19 07:09 . 2010-04-19 07:09 61440 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2e28809a-n\decora-sse.dll
2010-04-19 07:09 . 2010-04-19 07:09 12800 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2e28809a-n\decora-d3d.dll
2010-04-19 07:09 . 2010-04-19 07:08 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-19 07:08 . 2010-04-19 07:08 -------- d-----w- c:\program files\Java
2010-04-19 04:42 . 2010-04-19 04:42 -------- d-----w- c:\documents and settings\James\Application Data\Wireshark
2010-04-19 04:25 . 2010-04-19 04:25 -------- d-----w- c:\program files\WinPcap
2010-04-19 04:24 . 2010-04-19 04:25 -------- d-----w- c:\program files\Wireshark
2010-04-18 07:09 . 2010-05-03 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-18 07:09 . 2010-04-18 07:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-18 04:01 . 1999-12-17 17:13 49664 ----a-w- c:\windows\unvise32.exe
2010-04-18 04:00 . 2010-04-18 04:01 -------- d-----w- c:\program files\Active Ports
2010-04-18 03:49 . 2010-04-18 04:35 -------- d-----w- c:\program files\WinUpdatesList
2010-04-18 03:49 . 2010-04-18 03:49 39424 ----a-w- c:\windows\zipinst.exe
2010-04-18 02:59 . 2010-04-18 02:59 9728 ----a-r- c:\documents and settings\James\Application Data\Microsoft\Installer\{8C92D38B-C1DE-490A-B6D1-AAAA8E17DCE2}\Icon8C92D38B.exe
2010-04-18 02:59 . 2010-04-18 02:59 -------- d-----w- c:\program files\LIUtilities
2010-04-18 01:25 . 2010-04-18 01:25 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-04-18 01:25 . 2010-04-18 01:25 329560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-04-18 01:25 . 2010-04-18 01:25 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-04-18 01:25 . 2010-04-18 01:25 966104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-18 01:25 . 2010-04-18 01:25 849744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-04-18 01:25 . 2010-04-18 01:25 855864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-04-18 01:25 . 2010-04-18 01:25 1597952 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-04-18 01:25 . 2010-04-18 01:25 818256 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-04-18 01:25 . 2010-04-18 01:25 1265264 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-04-18 00:32 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-18 00:30 . 2010-04-19 21:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-18 00:30 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-04-18 00:29 . 2010-04-18 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-18 00:29 . 2010-04-18 00:30 -------- d-----w- c:\program files\Lavasoft
2010-04-17 22:36 . 2010-04-17 22:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-17 22:18 . 2010-04-17 22:18 -------- d-----w- c:\documents and settings\James\Application Data\Malwarebytes
2010-04-17 22:17 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-17 22:17 . 2010-04-17 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-17 22:17 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 22:17 . 2010-04-18 08:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-17 21:52 . 2010-04-18 01:13 -------- d-----w- c:\windows\system32\MpEngineStore
2010-04-17 08:39 . 2008-04-14 14:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-04-17 08:39 . 2008-04-14 14:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-04-17 08:38 . 2005-12-22 10:54 13824 ----a-r- c:\windows\system32\drivers\SaiMini.sys
2010-04-17 08:38 . 2005-12-22 10:54 35200 ----a-r- c:\windows\system32\drivers\SaiBus.sys
2010-04-17 08:37 . 2005-11-03 18:09 57344 ----a-w- c:\windows\system32\SAIGON.dll
2010-04-17 08:37 . 2005-10-18 21:31 45056 ----a-w- c:\windows\system32\SAIKICK.dll
2010-04-17 08:37 . 2010-04-17 22:29 -------- d-----w- c:\program files\Saitek
2010-04-17 07:39 . 2005-12-22 10:54 7168 ----a-r- c:\windows\system32\SaiC0464_10.dll
2010-04-17 07:39 . 2005-12-22 10:54 7168 ----a-r- c:\windows\system32\SaiC0464_0C.dll
2010-04-17 07:39 . 2005-12-22 10:54 2457600 ----a-r- c:\windows\system32\SaiD0464.Dll
2010-04-17 07:39 . 2005-12-22 10:54 176640 ----a-r- c:\windows\system32\drivers\SaiH0464.sys
2010-04-17 07:39 . 2005-12-22 10:54 8704 ----a-r- c:\windows\system32\SaiC0464_0A.dll
2010-04-17 07:39 . 2005-12-22 10:54 7168 ----a-r- c:\windows\system32\SaiC0464_09.dll
2010-04-17 07:39 . 2005-12-22 10:54 7168 ----a-r- c:\windows\system32\SaiC0464_07.dll
2010-04-17 07:39 . 2005-12-22 10:54 6144 ----a-r- c:\windows\system32\SaiC0464_0402.dll
2010-04-17 07:39 . 2005-12-22 10:54 507904 ----a-r- c:\windows\system32\SaiC0464.Dll
2010-04-12 23:54 . 2010-04-12 23:54 -------- d-----w- c:\program files\Intuit
2010-04-12 23:54 . 2010-04-12 23:55 -------- d-----w- c:\program files\Common Files\Intuit
2010-04-12 23:54 . 2000-10-20 08:05 25088 ----a-w- c:\windows\system32\msxml3a.dll
2010-04-12 23:54 . 1999-05-10 07:00 1694992 ----a-w- c:\windows\system32\vba6.dll
2010-04-12 23:52 . 2010-04-12 23:52 -------- d-----w- c:\windows\Intuit
2010-04-11 21:45 . 2010-04-11 23:52 -------- d-----w- c:\program files\PeerBlock
2010-04-11 21:34 . 2010-04-11 21:34 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\Shareaza
2010-04-11 21:33 . 2010-04-11 21:34 -------- d-----w- c:\documents and settings\James\Application Data\Shareaza
2010-04-11 21:33 . 2010-04-18 06:41 -------- d-----w- c:\program files\Shareaza
2010-04-10 20:37 . 2010-04-13 16:46 0 ----a-w- c:\windows\system32\acelpdect.sys
2010-04-09 22:17 . 2010-04-13 18:32 3317635 --sha-w- c:\windows\system32\6to4svce.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 23:42 . 2008-04-14 07:01 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-05-03 03:05 . 2010-01-03 05:35 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-04-21 16:20 . 2003-03-31 12:00 101888 ----a-w- c:\windows\system32\drivers\adpu160m.sys
2010-04-20 16:32 . 2009-06-08 22:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-18 08:45 . 2009-10-24 23:38 -------- d-----w- c:\program files\AdsGone
2010-04-18 05:28 . 2009-06-08 07:04 20128 ----a-w- c:\documents and settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-17 22:29 . 2009-06-08 06:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-17 22:28 . 2009-11-28 07:23 -------- d-----w- c:\program files\Ray Adams
2010-04-13 03:10 . 2010-04-12 23:55 -------- d-----w- c:\program files\Common Files\WexTech Shared
2010-04-12 23:55 . 2010-04-12 23:55 2232 ----a-w- c:\windows\java\Packages\Data\ATZNTRNZ.DAT
2010-04-12 23:55 . 2010-04-12 23:55 155995 ----a-w- c:\windows\java\Packages\FB9JZJ5R.ZIP
2010-04-12 23:55 . 2010-04-12 23:55 2678 ----a-w- c:\windows\java\Packages\Data\UAN9FXNL.DAT
2010-04-12 23:55 . 2010-04-12 23:55 2678 ----a-w- c:\windows\java\Packages\Data\VTB3TBH7.DAT
2010-04-12 23:55 . 2010-04-12 23:55 2678 ----a-w- c:\windows\java\Packages\Data\QEHVXJT7.DAT
2010-04-12 23:55 . 2010-04-12 23:55 2678 ----a-w- c:\windows\java\Packages\Data\PF5ZNFDZ.DAT
2010-04-12 23:55 . 2010-04-12 23:55 2678 ----a-w- c:\windows\java\Packages\Data\BXNL777J.DAT
2010-04-12 23:55 . 2010-04-12 23:55 -------- d-----w- c:\program files\Common Files\LHSPF
2010-03-27 20:37 . 2010-03-27 20:36 -------- d-----w- c:\documents and settings\James\Application Data\Microsoft Games
2010-03-27 20:34 . 2010-03-27 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Games
2010-03-27 20:30 . 2010-02-11 04:02 -------- d-----w- c:\program files\Microsoft Games
2010-03-17 00:29 . 2010-03-17 00:29 -------- d-----w- c:\documents and settings\James\Application Data\U3
2010-03-11 12:38 . 2009-06-06 00:49 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-06-06 00:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2009-06-06 00:48 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-04-14 12:42 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2008-04-14 07:47 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2008-04-14 07:54 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 07:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-14 12:41 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 07:30 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

------- Sigcheck -------

[-] 2009-06-08 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe


[-] 2009-06-06 . 366476EFD3098809F23752AA30BD7F0C . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-04-18_18.27.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-03 23:38 . 2010-05-03 23:38 16384 c:\windows\temp\Perflib_Perfdata_7ac.dat
+ 2009-10-20 18:19 . 2009-10-20 18:19 53299 c:\windows\system32\pthreadVC.dll
+ 2009-10-20 18:19 . 2009-10-20 18:19 50704 c:\windows\system32\drivers\npf.sys
- 2008-04-14 07:01 . 2010-04-18 08:49 36352 c:\windows\system32\dllcache\intelppm.sys
+ 2008-04-14 07:01 . 2010-05-03 23:41 36352 c:\windows\system32\dllcache\intelppm.sys
- 2009-06-08 05:47 . 2010-04-18 01:26 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-08 05:47 . 2010-04-19 05:37 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-08 05:47 . 2010-04-18 01:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-06-08 05:47 . 2010-04-19 05:37 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-04-20 16:33 . 2010-04-20 16:33 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2010-04-20 16:33 . 2010-04-20 16:33 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2010-04-20 16:33 . 2010-04-20 16:33 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2009-10-20 18:19 . 2009-10-20 18:19 281104 c:\windows\system32\wpcap.dll
+ 2009-10-20 18:19 . 2009-10-20 18:19 100880 c:\windows\system32\Packet.dll
+ 2010-04-19 07:09 . 2010-04-19 07:08 153376 c:\windows\system32\javaws.exe
+ 2010-04-19 07:09 . 2010-04-19 07:08 145184 c:\windows\system32\javaw.exe
+ 2010-04-19 07:09 . 2010-04-19 07:08 145184 c:\windows\system32\java.exe
+ 2009-09-09 22:40 . 2009-09-09 22:40 632320 c:\windows\Installer\59392.msp
+ 2010-04-19 07:09 . 2010-04-19 07:09 180224 c:\windows\Installer\58833a.msi
+ 2010-04-19 07:08 . 2010-04-19 07:08 576000 c:\windows\Installer\588332.msi
+ 2009-06-08 07:04 . 2009-06-08 07:04 1488688 c:\windows\system32\muBlinder_ValBackup.dll
- 2009-06-08 07:04 . 2009-06-08 07:04 1488688 c:\windows\system32\LegitCheckControl.DLL
+ 2009-06-08 07:04 . 2010-04-19 04:56 1488688 c:\windows\system32\LegitCheckControl.DLL
+ 2010-03-11 19:03 . 2010-03-11 19:03 5524480 c:\windows\Installer\6b20c.msp
+ 2009-12-17 05:58 . 2009-12-17 05:58 5382144 c:\windows\Installer\6b207.msp
+ 2010-01-20 01:29 . 2010-01-20 01:29 5050368 c:\windows\Installer\6b202.msp
+ 2010-03-12 04:16 . 2010-03-12 04:16 4148224 c:\windows\Installer\6b1fd.msp
+ 2010-03-12 04:16 . 2010-03-12 04:16 4148224 c:\windows\Installer\593ab.msp
+ 2010-03-11 19:03 . 2010-03-11 19:03 5524480 c:\windows\Installer\593a6.msp
+ 2010-01-28 00:53 . 2010-01-28 00:53 6820864 c:\windows\Installer\593a1.msp
+ 2010-01-20 01:29 . 2010-01-20 01:29 5050368 c:\windows\Installer\5939c.msp
+ 2009-12-17 05:58 . 2009-12-17 05:58 5382144 c:\windows\Installer\59397.msp
+ 2009-10-07 01:40 . 2009-10-07 01:40 7681024 c:\windows\Installer\5938d.msp
+ 2010-04-20 16:32 . 2010-04-20 16:32 1583616 c:\windows\Installer\178fcf.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeMem Pro"="c:\program files\FreeMem Professional\Fmempro.exe" [2000-03-27 428544]
"IE New Window Maximizer"="c:\program files\IE New Window Maximizer\iemaximizer.exe" [2005-02-09 356352]
"SPSTEALT"="c:\program files\Smart Protector Pro\SmartProtector-Pro.exe" [2005-02-02 1937408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-01-09 65536]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-30 61440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-30 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"_nltide_3"="advpack.dll" [2010-03-11 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2009-10-24 295606]
AdsGone 2006.lnk - c:\program files\AdsGone\adsgone.exe [2005-10-18 1372160]
Point32.lnk - c:\program files\Microsoft Hardware\Mouse\point32.exe [2001-5-9 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/17/2010 5:32 PM 64288]
R0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [4/19/2010 1:17 AM 50176]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [6/8/2009 3:47 PM 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [6/8/2009 3:47 PM 202928]
R2 KillTheHooker;KillTheHooker;c:\unzipped\TDL3 Razor\TDL3 Razor\TizerBruteForceEx.sys [3/18/2010 4:50 PM 22320]
R2 SBAMSvc;SystemSuite;c:\program files\Common Files\AntiVirus\SBAMSvc.exe [10/28/2008 4:28 PM 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [6/8/2009 3:47 PM 69168]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296]
R3 KFilter;KFilter;c:\progra~1\AVANQU~1\SYSTEM~1\KFilter.sys [11/20/2008 1:56 PM 60272]
R3 TFilter;TFilter;c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys [9/22/2008 4:21 PM 20225]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S2 SamSsUPS;Security Accounts Manager SamSsUPS; [x]
S2 ThemesWmdmPmSN;Themes ThemesWmdmPmSN; [x]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [6/8/2009 3:38 PM 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296]
S3 klmd21;klmd21;c:\windows\system32\drivers\klmd.sys --> c:\windows\system32\drivers\klmd.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1265264]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/17/2010 3:17 PM 20824]
S3 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/17/2010 3:17 PM 303952]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 11:19 AM 50704]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [4/11/2010 2:45 PM 14424]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [4/17/2010 12:39 AM 176640]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/23/2008 4:09 AM 95024]
.
Contents of the 'Scheduled Tasks' folder

2010-04-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 01:25]

2010-05-03 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2010-04-18 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
TCP: {3F8FB53D-440D-4865-9755-692DABB9BF9A} = 192.168.0.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-03 16:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\James\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\James\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(932)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2748)
c:\windows\system32\WININET.dll
c:\progra~1\AVANQU~1\SYSTEM~1\WinHook.dll
c:\program files\Smart Protector Pro\sphook.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\progra~1\AVANQU~1\SYSTEM~1\MXTask.exe
c:\progra~1\AVANQU~1\SYSTEM~1\mxtask2.exe
c:\windows\SOUNDMAN.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2010-05-03 16:47:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-03 23:47
ComboFix2.txt 2010-05-03 04:13
ComboFix3.txt 2010-04-18 18:32

Pre-Run: 32,675,794,944 bytes free
Post-Run: 32,658,513,920 bytes free

- - End Of File - - A5E62AAC78215AF02E475E57C2363721
OTL log and EXTRA log


OTL logfile created on: 5/5/2010 6:00:19 PM - Run 3
OTL by OldTimer - Version 3.2.3.1 Folder = C:\Documents and Settings\James\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 83.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.36 Gb Total Space | 30.40 Gb Free Space | 44.47% Space Free | Partition Type: NTFS
Drive D: | 186.30 Gb Total Space | 132.45 Gb Free Space | 71.09% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 931.28 Gb Total Space | 232.33 Gb Free Space | 24.95% Space Free | Partition Type: FAT32
Drive G: | 465.65 Gb Total Space | 454.29 Gb Free Space | 97.56% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive W: | 186.31 Gb Total Space | 168.11 Gb Free Space | 90.23% Space Free | Partition Type: NTFS

Computer Name: ASUSSERVER
Current User Name: James
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/30 18:54:58 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\OTL.exe
PRC - [2009/03/27 15:50:58 | 000,050,456 | ---- | M] (Avanquest North America, Inc.) -- C:\Program Files\Avanquest\SystemSuite\MXTask2.exe
PRC - [2009/03/27 15:50:56 | 000,161,048 | ---- | M] (Avanquest North America, Inc.) -- C:\Program Files\Avanquest\SystemSuite\MXTask.exe
PRC - [2009/01/08 09:35:36 | 000,307,200 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PRC - [2008/10/28 16:28:10 | 000,886,056 | ---- | M] (Sunbelt Software) -- C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/10/16 19:32:08 | 001,372,160 | ---- | M] (A1Tech, Inc.) -- C:\Program Files\AdsGone\adsgone.exe
PRC - [2005/02/08 23:06:40 | 000,356,352 | ---- | M] (jiiSoft) -- C:\Program Files\IE New Window Maximizer\iemaximizer.exe
PRC - [2005/02/02 10:04:12 | 001,937,408 | ---- | M] (Smart Soft) -- C:\Program Files\Smart Protector Pro\SmartProtector-Pro.exe
PRC - [2004/01/09 02:54:06 | 000,065,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2001/05/09 19:00:28 | 000,167,936 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Hardware\Mouse\point32.exe
PRC - [2000/03/27 01:08:38 | 000,428,544 | ---- | M] (Meikel.com) -- C:\Program Files\FreeMem Professional\Fmempro.exe


========== Modules (SafeList) ==========

MOD - [2010/04/30 18:54:58 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\OTL.exe
MOD - [2008/09/22 16:15:40 | 000,028,672 | ---- | M] (Avanquest North America, Inc.) -- C:\Program Files\Avanquest\SystemSuite\WinHook.dll
MOD - [2004/08/19 08:41:46 | 000,036,864 | ---- | M] () -- C:\Program Files\Smart Protector Pro\sphook.dll
MOD - [2001/05/09 19:00:28 | 000,045,056 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Hardware\Mouse\Msh_zwf.dll
MOD - [2001/05/09 19:00:28 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Hardware\Mouse\point32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (ThemesWmdmPmSN)
SRV - File not found [Auto | Stopped] -- -- (SamSsUPS)
SRV - [2010/04/17 18:25:42 | 001,265,264 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/03/30 00:46:14 | 000,303,952 | ---- | M] (Malwarebytes Corporation) [On_Demand | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2009/12/18 01:14:29 | 000,867,080 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/10/20 11:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009/06/08 15:38:23 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2009/03/27 15:50:56 | 000,161,048 | ---- | M] (Avanquest North America, Inc.) [Auto | Running] -- C:\Program Files\Avanquest\SystemSuite\MXTask.exe -- (SystemSuite Task Manager)
SRV - [2009/01/08 09:35:36 | 000,307,200 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2008/10/28 16:28:10 | 000,886,056 | ---- | M] (Sunbelt Software) [Auto | Running] -- C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe -- (SBAMSvc)
SRV - [2008/10/08 23:07:56 | 000,107,912 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)


========== Driver Services (SafeList) ==========

DRV - [2010/04/19 11:44:19 | 000,050,176 | ---- | M] (eSage Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\rk_remover.sys -- (rk_remover-boot)
DRV - [2010/04/17 18:26:08 | 000,095,024 | ---- | M] (Sunbelt Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/03/18 16:50:48 | 000,022,320 | ---- | M] () [Kernel | Auto | Running] -- C:\Unzipped\TDL3 Razor\TDL3 Razor\TizerBruteForceEx.sys -- (KillTheHooker)
DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/17 11:15:58 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/02/04 08:53:02 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/11/28 18:04:45 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Haspnt.sys -- (Haspnt)
DRV - [2009/10/20 11:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009/09/29 21:18:22 | 003,565,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/09/28 02:02:44 | 000,014,424 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV - [2009/03/04 14:46:56 | 000,189,464 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\haP17v2k.sys -- (hap17v2k)
DRV - [2009/03/04 14:46:48 | 000,162,840 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k)
DRV - [2009/03/04 14:46:38 | 000,798,744 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2009/03/04 14:46:26 | 000,092,696 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2009/03/04 14:46:00 | 000,157,208 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2009/03/04 14:45:46 | 000,014,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2009/03/04 14:45:34 | 000,127,512 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2009/03/04 14:44:54 | 000,347,080 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2009/03/04 14:44:38 | 000,528,408 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2009/03/04 14:44:26 | 000,511,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2009/03/04 14:42:56 | 000,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\CTERFXFX.SYS -- (CTERFXFX.SYS)
DRV - [2009/03/04 14:42:56 | 000,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTERFXFX.sys -- (CTERFXFX)
DRV - [2009/03/04 14:42:42 | 000,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTSBLFX.SYS -- (CTSBLFX.SYS)
DRV - [2009/03/04 14:42:42 | 000,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTSBLFX.sys -- (CTSBLFX)
DRV - [2009/03/04 14:42:30 | 000,555,032 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTAUDFX.SYS -- (CTAUDFX.SYS)
DRV - [2009/03/04 14:42:30 | 000,555,032 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTAUDFX.sys -- (CTAUDFX)
DRV - [2009/03/04 14:42:16 | 000,099,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\COMMONFX.SYS -- (COMMONFX.SYS)
DRV - [2009/03/04 14:42:16 | 000,099,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COMMONFX.sys -- (COMMONFX)
DRV - [2008/11/20 13:56:12 | 000,060,272 | ---- | M] (Avanquest North America, Inc.) [Kernel | On_Demand | Running] -- C:\Program Files\Avanquest\SystemSuite\KFilter.sys -- (KFilter)
DRV - [2008/10/09 10:21:04 | 000,202,928 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbtis.sys -- (sbtis)
DRV - [2008/09/22 16:21:24 | 000,020,225 | ---- | M] (Avanquest North America, Inc.) [Kernel | On_Demand | Running] -- C:\Program Files\Avanquest\SystemSuite\TFilter.sys -- (TFilter)
DRV - [2008/09/12 11:12:06 | 000,069,168 | ---- | M] (Sunbelt Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\sbapifs.sys -- (sbapifs)
DRV - [2008/09/12 11:12:06 | 000,013,360 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbaphd.sys -- (sbaphd)
DRV - [2008/05/06 16:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/04/14 07:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/14 05:04:20 | 000,063,488 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinxsxx.sys -- (ATIXSAudio) ATI WDM TV Audio (Microsoft Corporation) Crossbar (Microsoft Corporation)
DRV - [2008/04/14 05:04:18 | 000,104,960 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinrvxx.sys -- (atinrvxx) ATI WDM Rage Theater Video (Microsoft Corporation)
DRV - [2008/04/14 05:04:18 | 000,073,216 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atintuxx.sys -- (ATITUNEP) ATI WDM TV Tuner (Microsoft Corporation)
DRV - [2008/04/14 05:04:18 | 000,052,224 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinraxx.sys -- (ativraxx) ATI WDM Rage Theater Audio (Microsoft Corporation)
DRV - [2008/04/14 05:04:18 | 000,014,336 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinpdxx.sys -- (PCDCODEC) ATI WDM Specialized PCD Codec (Microsoft Corporation)
DRV - [2008/04/14 05:04:18 | 000,013,824 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinmdxx.sys -- (MVDCODEC) ATI WDM Specialized MVD Codec (Microsoft Corporation)
DRV - [2007/12/18 09:14:06 | 000,012,400 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2007/12/06 09:51:00 | 000,285,952 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/12/22 03:54:38 | 000,035,200 | R--- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SaiBus.sys -- (SaiNtBus)
DRV - [2005/12/22 03:54:38 | 000,013,824 | R--- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SaiMini.sys -- (SaiMini)
DRV - [2005/12/22 03:54:33 | 000,176,640 | R--- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SaiH0464.sys -- (SaiH0464)
DRV - [2004/07/14 13:54:42 | 000,676,864 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2004/05/05 21:48:40 | 000,004,228 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\PQNTDRV.sys -- (PQNTDrv)
DRV - [2004/01/09 23:17:02 | 000,601,100 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2003/12/11 23:54:14 | 000,391,424 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/08/06 10:43:04 | 000,159,744 | R--- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2001/08/17 12:49:42 | 000,322,432 | ---- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\G400m.sys -- (G400)
DRV - [2001/05/09 19:00:28 | 000,010,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipfilter.sys -- (IPFilter)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/05/03 16:40:04 | 000,169,379 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 actionsplash.com
O1 - Hosts: 127.0.0.1 ads.x10.com
O1 - Hosts: 127.0.0.1 images.x10.com
O1 - Hosts: 127.0.0.1 adserv.internetfuel.com
O1 - Hosts: 127.0.0.1 popme.163.com
O1 - Hosts: 127.0.0.1 servedby.advertising.com
O1 - Hosts: 127.0.0.1 specialoffers.aol.com
O1 - Hosts: 127.0.0.1 whenushop.whenu.com
O1 - Hosts: 127.0.0.1 www.popupnation.com
O1 - Hosts: 127.0.0.1 www.popuptraffic.com
O1 - Hosts: 127.0.0.1 view.popupsponsor.com
O1 - Hosts: 127.0.0.1 popups.infostart.com
O1 - Hosts: 127.0.0.1 ads.ad-flow.com
O1 - Hosts: 127.0.0.1 www.popupmoney.com
O1 - Hosts: 127.0.0.1 ad0.popupad.net
O1 - Hosts: 127.0.0.1 ad00.popupad.net
O1 - Hosts: 127.0.0.1 ad01.popupad.net
O1 - Hosts: 127.0.0.1 ad03.popupad.net
O1 - Hosts: 127.0.0.1 ad04.popupad.net
O1 - Hosts: 127.0.0.1 ad05.popupad.net
O1 - Hosts: 127.0.0.1 ad06.popupad.net
O1 - Hosts: 127.0.0.1 ad07.popupad.net
O1 - Hosts: 127.0.0.1 ad08.popupad.net
O1 - Hosts: 127.0.0.1 ad09.popupad.net
O1 - Hosts: 127.0.0.1 contest.x10.com
O1 - Hosts: 5601 more lines...
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [FreeMem Pro] C:\Program Files\FreeMem Professional\Fmempro.exe (Meikel.com)
O4 - HKCU..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe (jiiSoft)
O4 - HKCU..\Run: [SPSTEALT] C:\Program Files\Smart Protector Pro\SmartProtector-Pro.exe (Smart Soft)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AdsGone 2006.lnk = C:\Program Files\AdsGone\adsgone.exe (A1Tech, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Point32.lnk = C:\Program Files\Microsoft Hardware\Mouse\point32.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1244444994156 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\James\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\James\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/07 22:43:34 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17465059307421696)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/04 15:48:50 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/03 16:02:14 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\James\Desktop\RootRepeal.exe
[2010/05/02 20:51:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/30 19:00:23 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\OTL.exe
[2010/04/21 09:22:22 | 000,036,488 | ---- | C] (Kaspersky Lab, SLA) -- C:\WINDOWS\System32\drivers\klmdb.sys
[2010/04/20 09:33:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/20 09:32:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James\Application Data\SUPERAntiSpyware.com
[2010/04/20 09:32:51 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/19 17:16:04 | 000,000,000 | ---D | C] -- C:\Program Files\TEAMVIEWER
[2010/04/19 17:16:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James\Application Data\TEAMVIEWER
[2010/04/19 01:17:56 | 000,050,176 | ---- | C] (eSage Lab) -- C:\WINDOWS\System32\drivers\rk_remover.sys
[2010/04/19 00:44:10 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2010/04/19 00:39:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/04/19 00:39:50 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/04/19 00:09:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010/04/19 00:09:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/19 00:09:36 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/19 00:09:10 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/19 00:09:10 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/19 00:09:10 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/19 00:09:10 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/19 00:09:10 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/19 00:08:46 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/04/19 00:07:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James\Application Data\Sun
[2010/04/18 21:42:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James\Application Data\Wireshark
[2010/04/18 21:25:11 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2010/04/18 21:24:22 | 000,000,000 | ---D | C] -- C:\Program Files\Wireshark
[2010/04/18 21:00:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/18 20:59:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/18 11:32:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/18 11:19:53 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/18 11:19:53 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/18 11:19:53 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/18 11:19:53 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/18 11:19:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/18 11:19:17 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/18 00:09:44 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/18 00:09:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/04/17 21:01:30 | 000,049,664 | ---- | C] (MindVision Software) -- C:\WINDOWS\unvise32.exe
[2010/04/17 21:00:22 | 000,000,000 | ---D | C] -- C:\Program Files\Active Ports
[2010/04/17 20:49:42 | 000,039,424 | ---- | C] (NirSoft) -- C:\WINDOWS\zipinst.exe
[2010/04/17 20:49:42 | 000,000,000 | ---D | C] -- C:\Program Files\WinUpdatesList
[2010/04/17 19:59:31 | 000,000,000 | ---D | C] -- C:\Program Files\LIUtilities
[2010/04/17 17:32:15 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/04/17 17:30:06 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/04/17 17:29:48 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/04/17 17:29:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/04/17 15:36:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/17 15:26:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/04/17 15:18:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James\Application Data\Malwarebytes
[2010/04/17 15:17:22 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/17 15:17:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/17 15:17:19 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/17 15:17:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/17 14:52:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/04/17 12:48:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/17 12:48:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/17 01:39:10 | 000,014,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdhid.sys
[2010/04/17 01:38:54 | 000,013,824 | R--- | C] (Saitek) -- C:\WINDOWS\System32\drivers\SaiMini.sys
[2010/04/17 01:38:23 | 000,035,200 | R--- | C] (Saitek) -- C:\WINDOWS\System32\drivers\SaiBus.sys
[2010/04/17 01:37:59 | 000,057,344 | ---- | C] (Saitek) -- C:\WINDOWS\System32\SAIGON.dll
[2010/04/17 01:37:59 | 000,045,056 | ---- | C] (Saitek) -- C:\WINDOWS\System32\SAIKICK.dll
[2010/04/17 01:37:30 | 000,000,000 | ---D | C] -- C:\Program Files\Saitek
[2010/04/17 00:39:56 | 002,457,600 | R--- | C] (Saitek) -- C:\WINDOWS\System32\SaiD0464.Dll
[2010/04/17 00:39:56 | 000,507,904 | R--- | C] (Saitek) -- C:\WINDOWS\System32\SaiC0464.Dll
[2010/04/17 00:39:56 | 000,176,640 | R--- | C] (Saitek) -- C:\WINDOWS\System32\drivers\SaiH0464.sys
[2010/04/17 00:39:56 | 000,008,704 | R--- | C] (Saitek) -- C:\WINDOWS\System32\SaiC0464_0A.dll
[2010/04/17 00:39:56 | 000,007,168 | R--- | C] (Saitek) -- C:\WINDOWS\System32\SaiC0464_10.dll
[2010/04/17 00:39:56 | 000,007,168 | R--- | C] (Saitek) -- C:\WINDOWS\System32\SaiC0464_0C.dll
[2010/04/17 00:39:56 | 000,007,168 | R--- | C] (Saitek) -- C:\WINDOWS\System32\SaiC0464_09.dll
[2010/04/17 00:39:56 | 000,007,168 | R--- | C] (Saitek) -- C:\WINDOWS\System32\SaiC0464_07.dll
[2010/04/17 00:39:56 | 000,006,144 | R--- | C] (Saitek) -- C:\WINDOWS\System32\SaiC0464_0402.dll
[2010/04/12 20:58:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/04/12 16:55:36 | 000,313,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dx3j.dll
[2010/04/12 16:55:36 | 000,171,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\jit.dll
[2010/04/12 16:55:36 | 000,139,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\javaee.dll
[2010/04/12 16:55:36 | 000,046,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\setdebug.exe
[2010/04/12 16:55:31 | 000,286,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vmhelper.dll
[2010/04/12 16:55:31 | 000,171,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wjview.exe
[2010/04/12 16:55:31 | 000,021,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msjdbc10.dll
[2010/04/12 16:55:30 | 000,404,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\javart.dll
[2010/04/12 16:55:30 | 000,187,152 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\javacypt.dll
[2010/04/12 16:55:30 | 000,172,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\jview.exe
[2010/04/12 16:55:30 | 000,154,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msawt.dll
[2010/04/12 16:55:30 | 000,063,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\javaprxy.dll
[2010/04/12 16:55:30 | 000,015,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\jdbgmgr.exe
[2010/04/12 16:55:29 | 000,049,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clspack.exe
[2010/04/12 16:55:14 | 001,683,529 | ---- | C] (Intuit Inc.) -- C:\WINDOWS\System32\InetClnt.dll
[2010/04/12 16:55:05 | 000,225,280 | ---- | C] (WexTech Systems, Inc.) -- C:\WINDOWS\System32\AWRTL30.DLL
[2010/04/12 16:55:05 | 000,111,616 | ---- | C] (Lernout & Hauspie) -- C:\WINDOWS\System32\LTIH30TB.DLL
[2010/04/12 16:55:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\WexTech Shared
[2010/04/12 16:55:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\LHSPF
[2010/04/12 16:54:18 | 000,000,000 | ---D | C] -- C:\Program Files\Intuit
[2010/04/12 16:54:16 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Intuit
[2010/04/12 16:54:15 | 001,694,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vba6.dll
[2010/04/12 16:54:15 | 001,009,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Mschrt20.ocx
[2010/04/12 16:54:15 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml3a.dll
[2010/04/12 16:52:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\Intuit
[2010/04/11 14:45:01 | 000,000,000 | ---D | C] -- C:\Program Files\PeerBlock
[2010/04/11 14:34:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James\Local Settings\Application Data\Shareaza
[2010/04/11 14:33:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James\Application Data\Shareaza
[2010/04/11 14:33:33 | 000,000,000 | ---D | C] -- C:\Program Files\Shareaza
[2009/03/04 12:46:18 | 000,010,752 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/05 18:00:50 | 000,036,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\intelppm.sys
[2010/05/05 17:00:01 | 000,000,438 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2010/05/05 16:15:36 | 000,000,087 | ---- | M] () -- C:\WINDOWS\WinNetOptimize98ag.cfg
[2010/05/05 16:15:16 | 000,002,337 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/05/05 16:14:37 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/05 16:14:34 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/05 16:14:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/05 16:14:18 | 3220,492,288 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/04 16:01:33 | 000,036,352 | ---- | M] () -- C:\WINDOWS\System32\drivers\intelppm.sys.new
[2010/05/04 16:01:29 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\James\Desktop\settings.dat
[2010/05/03 16:41:10 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/03 16:40:04 | 000,169,379 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/03 16:32:36 | 000,032,000 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-0000000A-00001102-00000004-20021102}.rfx
[2010/05/03 16:32:36 | 000,032,000 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-0000000A-00001102-00000004-20021102}.rfx
[2010/05/03 16:32:36 | 000,031,368 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-0000000A-00001102-00000004-20021102}.rfx
[2010/05/03 16:32:36 | 000,031,368 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-0000000A-00001102-00000004-20021102}.rfx
[2010/05/03 16:32:36 | 000,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-0000000A-00001102-00000004-20021102}.rfx
[2010/05/03 16:32:31 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\James\ntuser.ini
[2010/05/03 16:32:30 | 006,553,600 | -H-- | M] () -- C:\Documents and Settings\James\NTUSER.DAT
[2010/05/03 16:08:03 | 003,945,276 | R--- | M] () -- C:\Documents and Settings\James\Desktop\thcbytes.exe
[2010/05/03 16:02:15 | 000,472,064 | ---- | M] ( ) -- C:\Documents and Settings\James\Desktop\RootRepeal.exe
[2010/05/02 20:51:29 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/30 18:58:04 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\James\Desktop\rkill.scr
[2010/04/30 18:54:58 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\OTL.exe
[2010/04/28 21:42:08 | 000,003,437 | ---- | M] () -- C:\Documents and Settings\James\Desktop\Attach.zip
[2010/04/28 21:38:42 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\James\Desktop\gmer.zip
[2010/04/28 21:35:19 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\James\Desktop\dds.scr
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/21 09:22:22 | 000,036,488 | ---- | M] (Kaspersky Lab, SLA) -- C:\WINDOWS\System32\drivers\klmdb.sys
[2010/04/21 09:18:51 | 004,395,736 | -H-- | M] () -- C:\Documents and Settings\James\Local Settings\Application Data\IconCache.db
[2010/04/20 17:32:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/20 09:32:55 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Professional.lnk
[2010/04/20 09:12:34 | 000,000,769 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Point32.lnk
[2010/04/19 11:44:19 | 000,050,176 | ---- | M] (eSage Lab) -- C:\WINDOWS\System32\drivers\rk_remover.sys
[2010/04/19 00:45:37 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/19 00:44:49 | 000,001,675 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/04/19 00:44:10 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2010/04/19 00:08:52 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/19 00:08:52 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/19 00:08:52 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/19 00:08:52 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/19 00:08:52 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/17 23:04:45 | 000,000,324 | ---- | M] () -- C:\WINDOWS\tasks\RegCure.job
[2010/04/17 22:28:35 | 000,020,128 | ---- | M] () -- C:\Documents and Settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/17 22:09:39 | 000,126,912 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/17 21:38:11 | 004,933,336 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000004-20021102}.CDF
[2010/04/17 21:38:11 | 004,933,336 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000004-20021102}.BAK
[2010/04/17 20:49:42 | 000,039,424 | ---- | M] (NirSoft) -- C:\WINDOWS\zipinst.exe
[2010/04/17 20:00:22 | 000,015,360 | ---- | M] () -- C:\WINDOWS\System32\BASSMOD.dll
[2010/04/17 19:50:46 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/17 18:26:08 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/04/17 18:26:05 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/04/17 15:12:13 | 000,012,308 | -HS- | M] () -- C:\Documents and Settings\James\Local Settings\Application Data\uk267W7
[2010/04/17 15:12:13 | 000,012,308 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\uk267W7
[2010/04/17 01:41:41 | 000,002,138 | ---- | M] () -- C:\WINDOWS\System32\SaiC0464-05D3E222-AFEE-4DD3-A3C4-A8749209DA4B.pr0
[2010/04/17 00:41:20 | 000,002,066 | ---- | M] () -- C:\WINDOWS\System32\SaiC0464-1954454B-C49A-4B77-AA9A-4A83635302AD.pr0
[2010/04/15 09:37:31 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\James\Desktop\Microsoft Word 2003.lnk
[2010/04/13 11:32:57 | 003,317,635 | -HS- | M] () -- C:\WINDOWS\System32\6to4svce.sys
[2010/04/13 09:46:31 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\acelpdect.sys
[2010/04/12 20:10:47 | 000,001,618 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickBooks Pro.lnk
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/04 16:01:29 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\James\Desktop\settings.dat
[2010/05/04 07:31:53 | 3220,492,288 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/02 20:51:28 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/05/02 20:51:23 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/02 20:45:54 | 003,945,276 | R--- | C] () -- C:\Documents and Settings\James\Desktop\thcbytes.exe
[2010/04/30 19:00:39 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\James\Desktop\rkill.scr
[2010/04/28 21:42:08 | 000,003,437 | ---- | C] () -- C:\Documents and Settings\James\Desktop\Attach.zip
[2010/04/28 21:38:24 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\James\Desktop\gmer.zip
[2010/04/28 21:34:50 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\James\Desktop\dds.scr
[2010/04/20 09:32:55 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Professional.lnk
[2010/04/20 09:12:34 | 000,000,769 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Point32.lnk
[2010/04/19 14:05:57 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/04/19 00:40:09 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/19 00:39:50 | 000,001,675 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/04/18 11:19:53 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/18 11:19:53 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/18 11:19:53 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/18 11:19:53 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/18 11:19:53 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/17 20:00:22 | 000,015,360 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2010/04/17 17:33:47 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/17 14:50:07 | 000,012,308 | -HS- | C] () -- C:\Documents and Settings\James\Local Settings\Application Data\uk267W7
[2010/04/17 14:50:07 | 000,012,308 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\uk267W7
[2010/04/17 01:36:56 | 000,002,138 | ---- | C] () -- C:\WINDOWS\System32\SaiC0464-05D3E222-AFEE-4DD3-A3C4-A8749209DA4B.pr0
[2010/04/17 00:41:20 | 000,002,066 | ---- | C] () -- C:\WINDOWS\System32\SaiC0464-1954454B-C49A-4B77-AA9A-4A83635302AD.pr0
[2010/04/17 00:39:56 | 000,000,688 | R--- | C] () -- C:\WINDOWS\System32\SaiD0464.pr0
[2010/04/17 00:39:56 | 000,000,306 | R--- | C] () -- C:\WINDOWS\System32\SaiC0464.pr0
[2010/04/12 16:55:36 | 000,007,315 | ---- | C] () -- C:\WINDOWS\System32\javasup.vxd
[2010/04/12 16:55:36 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2010/04/12 16:55:31 | 000,000,113 | ---- | C] () -- C:\WINDOWS\System32\zonedon.reg
[2010/04/12 16:55:31 | 000,000,113 | ---- | C] () -- C:\WINDOWS\System32\zonedoff.reg
[2010/04/12 16:55:23 | 000,001,618 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickBooks Pro.lnk
[2010/04/10 13:37:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\acelpdect.sys
[2010/04/09 15:17:30 | 003,317,635 | -HS- | C] () -- C:\WINDOWS\System32\6to4svce.sys
[2010/01/28 13:25:59 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2010/01/28 13:25:59 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2010/01/28 13:25:59 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2010/01/28 13:25:59 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2010/01/28 13:25:59 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2010/01/28 13:25:59 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2009/11/28 18:04:45 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
[2009/11/27 00:15:41 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/10/24 16:55:02 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/10/24 16:03:58 | 000,000,367 | ---- | C] () -- C:\WINDOWS\System32\CNCMFP12.INI
[2009/10/20 11:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2009/06/08 00:30:42 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2009/06/08 00:30:42 | 000,012,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2009/06/07 23:12:31 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2009/03/04 13:15:26 | 000,049,697 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2009/03/04 13:15:24 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2009/03/04 12:47:28 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2008/04/14 00:01:34 | 000,036,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\intelppm.sys.new
[2007/08/13 20:45:02 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
[2006/10/02 17:25:18 | 000,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini
[2005/07/15 11:35:56 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/07/15 11:35:56 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/07/15 11:35:24 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll

========== LOP Check ==========

[2009/06/08 15:47:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avanquest
[2009/06/08 15:43:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2010/01/02 22:23:54 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/01/02 22:42:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEGV
[2010/01/02 22:35:32 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMyPrinter
[2010/05/02 20:05:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
[2010/01/02 22:41:01 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJSolutionMenu
[2009/12/18 01:35:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2010/04/19 00:44:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2009/12/18 01:16:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
[2010/04/19 14:10:31 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2009/10/26 18:39:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/06/08 15:49:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Avanquest
[2009/11/28 12:16:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Canon
[2009/12/13 17:37:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\FreeHDConverter
[2009/12/19 23:13:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\GetRightToGo
[2010/01/28 13:40:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\InterVideo
[2009/12/18 01:22:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\No Company Name
[2010/04/11 14:34:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Shareaza
[2010/04/19 17:16:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\TEAMVIEWER
[2010/04/18 21:42:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Wireshark
[2010/04/20 17:32:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/05/05 17:00:01 | 000,000,438 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure Program Check.job
[2010/04/17 23:04:45 | 000,000,324 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure.job

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: ATAPI.SYS >
[2009/06/05 01:33:41 | 015,186,330 | ---- | M] () .cab file -- C:\Downloads\Slipstream Workspace\I386\sp3.cab:atapi.sys
[2009/06/05 01:33:41 | 015,186,330 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: SFCFILES.DLL >
[2009/06/05 18:06:12 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=366476EFD3098809F23752AA30BD7F0C -- C:\WINDOWS\system32\sfcfiles.dll

< MD5 for: WINLOGON.EXE >
[2009/06/07 23:17:06 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=679A7259741F6A09994F02CE261B5F2E -- C:\WINDOWS\system32\winlogon.exe

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/06/07 15:30:20 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/06/07 15:30:20 | 001,077,248 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/06/07 15:30:20 | 000,856,064 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/09/29 19:20:58 | 000,442,368 | ---- | M] (Advanced Micro Devices, Inc.) Unable to obtain MD5 -- C:\WINDOWS\system32\ATIDEMGX.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
< End of report >







OTL Extras logfile created on: 5/5/2010 6:00:19 PM - Run 3
OTL by OldTimer - Version 3.2.3.1 Folder = C:\Documents and Settings\James\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 83.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.36 Gb Total Space | 30.40 Gb Free Space | 44.47% Space Free | Partition Type: NTFS
Drive D: | 186.30 Gb Total Space | 132.45 Gb Free Space | 71.09% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 931.28 Gb Total Space | 232.33 Gb Free Space | 24.95% Space Free | Partition Type: FAT32
Drive G: | 465.65 Gb Total Space | 454.29 Gb Free Space | 97.56% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive W: | 186.31 Gb Total Space | 168.11 Gb Free Space | 90.23% Space Free | Partition Type: NTFS

Computer Name: ASUSSERVER
Current User Name: James
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Shareaza\Shareaza.exe" = C:\Program Files\Shareaza\Shareaza.exe:*:Enabled:Shareaza -- (Shareaza Development Team)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.0.0 (r181)
"{01B93B3A-283F-411B-A648-69CABCACC986}" = Canon MF Drivers
"{01BDFB08-EE88-4E5E-94A6-AE9EDCFA40C5}" = Microsoft IntelliPoint 4.0
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{06053AB3-B607-B752-3252-4A2EA9E9761E}" = CCC Help Dutch
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0B4A8658-43F1-50CA-AF30-C67E3AE2C9ED}" = CCC Help Greek
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0CC61470-D776-2353-D5CB-C7BC20204863}" = CCC Help Finnish
"{10FC66FB-51C1-47D3-85D7-5AAC12CE5853}" = Splash Lite
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_Pro9000_II_series" = Canon Pro9000 II series Printer Driver
"{12655AB3-9285-A2F0-5BBC-C5C45E4D718C}" = CCC Help Czech
"{132CA5D9-C745-4B0B-A3B2-8C7A6EC3EE7E}" = Canon MF Toolbox 4.7.0.0.mf04
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FF713E1-FE5E-4AD0-9C8C-B2E877846B45}" = Catalyst Control Center - Branding
"{21DBBDD6-93A5-4326-9A04-C9A5C9148502}" = Norton PartitionMagic
"{238DCFCD-70B3-46B2-B90B-2CDCC69A3D03}" = Zoo Tycoon 2 - Zookeeper Collection
"{24700C01-3A72-29D4-001B-6EE6BF71EB5E}" = CCC Help Korean
"{26262388-95BF-58B0-CD46-A8F957BB67BF}" = Catalyst Control Center Graphics Full Existing
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{2B82EF41-0E63-474D-8C5F-A8EFD0FF3497}" = Chief Architect Full Version
"{329376FB-FB6C-C587-F483-07E3418456F5}" = ccc-utility
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{33A38A8B-9E1E-BCBB-EA87-CE797EC75080}" = CCC Help Chinese Traditional
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{369EEB32-64D1-F22A-1B2C-A3E81582E767}" = CCC Help Japanese
"{3D374523-CFDE-461A-827E-2A102E2AB365}" = Star Wars Battlefront II
"{3FCD8F30-057D-C96F-AEF4-B0D77DE9730C}" = CCC Help Portuguese
"{46605BDE-7F82-DB0F-7906-3279A7E639BE}" = Catalyst Control Center Localization All
"{4685A344-6718-4923-AA9D-158A0A2E1CFB}" = SmartSound Quicktracks for Premiere Elements 8.0
"{480A8E00-D808-7D79-977B-CEBBB3BEB409}" = CCC Help French
"{48C7FD10-D6AD-8EE0-2E8E-0480C4EEB1BD}" = Catalyst Control Center HydraVision Full
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate
"{5CA7ABC3-5F89-3A1D-A113-046EA4C7FCEB}" = ccc-core-static
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A615007-721D-4063-B226-EA41EB6604B9}" = SystemSuite 9 Professional
"{6F77AD48-BA04-F868-2D04-FC1BFF5E00BA}" = Catalyst Control Center Graphics Light
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{788907C5-C83B-9785-A1F0-67050017324E}" = CCC Help Spanish
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7F5F1767-88C6-CBFC-5DD3-D853343FD5AE}" = CCC Help German
"{809987B2-F964-11D4-A1A5-00104BD190B1}" = QuickBooks Pro 2002
"{84DE3702-3262-BE38-27E8-5ED423D803C6}" = CCC Help Chinese Standard
"{8C92D38B-C1DE-490A-B6D1-AAAA8E17DCE2}" = WinTasks Trial
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90885A82-9673-49EA-AB39-AF776639C67C}" = InterVideo WinDVD 7
"{95053B5A-42E0-830E-85BD-733FAFC28BA7}" = ccc-core-preinstall
"{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"{9B40D533-4F38-893D-EE5A-17226104BBC2}" = Skins
"{A08CB73B-5DEA-185D-5D98-2230004D75ED}" = CCC Help Danish
"{A0E583D1-23F7-4C35-9620-B169D7715E4B}" = Adobe Premiere Elements 8.0
"{A22D91C3-E7BD-CBEE-7CDC-DE4C42FA27B7}" = CCC Help Hungarian
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"{AD0DD974-ADC2-8C10-DFA6-C1203A6E5106}" = CCC Help Polish
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{B014F739-B305-5319-D996-6612BD60ED74}" = CCC Help Swedish
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C570CAF4-D734-5412-C842-9AB150803074}" = Catalyst Control Center Core Implementation
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Professional
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D01F5B2C-2776-6C46-441C-E819C08DF4FF}" = CCC Help Turkish
"{D2FCA53F-F568-D08A-458F-F7C9769A30ED}" = CCC Help Norwegian
"{D89B70AB-CF91-36A4-8658-FACA3AF6A654}" = Catalyst Control Center Graphics Previews Common
"{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}" = iTunes
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{DF1274DC-02D4-B2D7-6197-5D24E1EF84B1}" = CCC Help Thai
"{E000D42E-5842-20A6-EEB1-6DED8C2746C5}" = CCC Help Italian
"{E7679B31-21F5-4AAE-1620-0DFACF702325}" = Catalyst Control Center Graphics Full New
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F83491F9-7CDF-46A7-9994-9E002CE5CE75}" = CCC Help Russian
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FDE409B1-1FF3-DC39-083E-C0F4ED496D5E}" = CCC Help English
"7-Zip" = 7-Zip 4.42
"Active Ports" = Active Ports
"Ad-Aware" = Ad-Aware
"Adobe Acrobat 8 Professional - English, Français, Deutsch" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AdsGone_is1" = AdsGone Popup Killer Spyware Blocker by A1Tech.com
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AudioCS" = Creative Audio Console
"CANONIJPLM100" = Canon Inkjet Printer/Scanner/Fax Extended Survey Program
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"Easy-PhotoPrint Pro" = Canon Utilities Easy-PhotoPrint Pro
"Free HD Converter_is1" = Free HD Converter V 1.4
"FreeMem Professional" = FreeMem Professional
"GoldWave v5.06" = GoldWave v5.06
"HijackThis" = HijackThis 1.99.1
"HitmanPro35" = Hitman Pro 3.5
"IE New Window Maximizer_is1" = IE New Window Maximizer 2.4
"IE7 Tools_is1" = IE7 Tools
"InstallShield_{21DBBDD6-93A5-4326-9A04-C9A5C9148502}" = Norton PartitionMagic 8.0
"InstallShield_{238DCFCD-70B3-46B2-B90B-2CDCC69A3D03}" = Zoo Tycoon 2 - Zookeeper Collection
"InstallShield_{4685A344-6718-4923-AA9D-158A0A2E1CFB}" = SmartSound Quicktracks for Premiere Elements 8.0
"InstallShield_{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"InterActual Player" = InterActual Player
"Magic ISO Maker v5.1 (build 0184)" = Magic ISO Maker v5.1 (build 0184)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Nero - Burning Rom!UninstallKey" = OEM
"Picasa 3" = Picasa 3
"PremElem80" = Adobe Premiere Elements 8.0
"RegCure" = RegCure 1.5.2.7
"Shareaza_is1" = Shareaza 2.5.2.0
"Smart Protector Pro_is1" = Smart Protector Pro
"ST6UNST #1" = FolderMatch v3.4.8
"TeamViewer 4" = TeamViewer 4
"The Real NFO Viewerv1.1" = The Real NFO Viewer
"Unlocker" = Unlocker 1.8.8
"WinPcapInst" = WinPcap 4.1.1
"WinRAR archiver" = WinRAR archiver
"WinUpdatesList" = WinUpdatesList
"WinZip" = WinZip
"Wireshark" = Wireshark 1.2.7
"Xfire" = Xfire (remove only)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/14/2010 3:53:07 PM | Computer Name = ASUSSERVER | Source = MsiInstaller | ID = 11316
Description = Product: MSXML 4.0 SP2 Parser and SDK -- Error 1316. A network error
occurred while attempting to read from the file: C:\Program Files\Microsoft Games\Halo
Trial\redist\msxml4.msi

Error - 3/4/2010 3:31:29 AM | Computer Name = ASUSSERVER | Source = MsiInstaller | ID = 11327
Description = Product: Microsoft Office Professional Edition 2003 -- Error 1327.
Invalid Drive: S:\

Error - 3/4/2010 3:31:29 AM | Computer Name = ASUSSERVER | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Professional Edition 2003 - Update 'Security
Update for PowerPoint 2003 (KB976881): POWERPNT' could not be installed. Error
code 1603. Windows Installer can create logs to help troubleshoot issues with installing
software packages. Use the following link for instructions on turning on logging
support: http://go.microsoft.com/fwlink/?LinkId=23127

Error - 3/4/2010 3:32:16 AM | Computer Name = ASUSSERVER | Source = MsiInstaller | ID = 11327
Description = Product: Microsoft Office Professional Edition 2003 -- Error 1327.
Invalid Drive: S:\

Error - 3/4/2010 3:32:16 AM | Computer Name = ASUSSERVER | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Professional Edition 2003 - Update 'Security
Update for Word 2003 (KB973443): WINWORD' could not be installed. Error code 1603.
Windows Installer can create logs to help troubleshoot issues with installing software
packages. Use the following link for instructions on turning on logging support:
http://go.microsoft.com/fwlink/?LinkId=23127

Error - 3/4/2010 3:32:50 AM | Computer Name = ASUSSERVER | Source = MsiInstaller | ID = 11327
Description = Product: Microsoft Office Professional Edition 2003 -- Error 1327.
Invalid Drive: S:\

Error - 3/4/2010 3:32:50 AM | Computer Name = ASUSSERVER | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Professional Edition 2003 - Update 'Security
Update for Excel 2003 (KB973475): EXCEL' could not be installed. Error code 1603.
Windows Installer can create logs to help troubleshoot issues with installing software
packages. Use the following link for instructions on turning on logging support:
http://go.microsoft.com/fwlink/?LinkId=23127

Error - 3/4/2010 3:33:03 AM | Computer Name = ASUSSERVER | Source = MsiInstaller | ID = 11327
Description = Product: Microsoft Office Professional Edition 2003 -- Error 1327.
Invalid Drive: S:\

Error - 3/4/2010 3:33:03 AM | Computer Name = ASUSSERVER | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Professional Edition 2003 - Update 'Security
Update for Office 2003 (KB975051): MSCONV' could not be installed. Error code 1603.
Windows Installer can create logs to help troubleshoot issues with installing software
packages. Use the following link for instructions on turning on logging support:
http://go.microsoft.com/fwlink/?LinkId=23127

Error - 3/11/2010 6:49:19 PM | Computer Name = ASUSSERVER | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16981, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 5/4/2010 7:02:34 PM | Computer Name = ASUSSERVER | Source = adpu160m | ID = 262153
Description = The device, \Device\Scsi\adpu160m1, did not respond within the timeout
period.

Error - 5/4/2010 7:02:49 PM | Computer Name = ASUSSERVER | Source = adpu160m | ID = 262153
Description = The device, \Device\Scsi\adpu160m1, did not respond within the timeout
period.

Error - 5/4/2010 7:03:04 PM | Computer Name = ASUSSERVER | Source = adpu160m | ID = 262153
Description = The device, \Device\Scsi\adpu160m1, did not respond within the timeout
period.

Error - 5/4/2010 7:03:13 PM | Computer Name = ASUSSERVER | Source = adpu160m | ID = 262155
Description = The driver detected a controller error on \Device\Scsi\adpu160m1.

Error - 5/4/2010 7:03:27 PM | Computer Name = ASUSSERVER | Source = adpu160m | ID = 262153
Description = The device, \Device\Scsi\adpu160m1, did not respond within the timeout
period.

Error - 5/4/2010 7:03:41 PM | Computer Name = ASUSSERVER | Source = adpu160m | ID = 262153
Description = The device, \Device\Scsi\adpu160m1, did not respond within the timeout
period.

Error - 5/4/2010 7:03:56 PM | Computer Name = ASUSSERVER | Source = adpu160m | ID = 262153
Description = The device, \Device\Scsi\adpu160m1, did not respond within the timeout
period.

Error - 5/4/2010 7:04:11 PM | Computer Name = ASUSSERVER | Source = adpu160m | ID = 262153
Description = The device, \Device\Scsi\adpu160m1, did not respond within the timeout
period.

Error - 5/5/2010 7:15:21 PM | Computer Name = ASUSSERVER | Source = Service Control Manager | ID = 7000
Description = The wscsvc service failed to start due to the following error: %%1083

Error - 5/5/2010 7:52:34 PM | Computer Name = ASUSSERVER | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{3F8FB53D-440D-4865-9755-692DABB9BF9A}. The
backup browser is stopping.


< End of report >




#10 FrostyJams

  • Topic Starter
  • Members
  • 24 posts

Posted 05 May 2010 - 11:29 PM

thcbytes,

I forgot to tell you about the tea timer. When I opened Spybot and went to the check boxes you specified, they were not checked in the first place, so I checked both of them and then unchecked them to make sure that they were set to the "off" state. I don't usually use Spybot, I just installed it to get rid of this creature in my machine, so if you think that it needs to be uninstalled to help our cleaning process I am fine with that. Let me know.

James

#11 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 06 May 2010 - 12:47 PM

Hi James,

You have a few system files that are patched with malware that need to be replaced. You are also missing an important system file that needs to be replaced. Do you have your Windows XP install disc that we can use to replace those files?

==========

Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!!

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste all of the text in the quotebox below (including the hyperlink if present) into it:

4. Combofix might upload a few suspicious files. Please allow this!!

QUOTE
Mia::
c:\windows\system32\winlogon.exe
c:\windows\system32\sfcfiles.dll
c:\windows\System32\wscntfy.exe

SRPeek::
c:\windows\system32\winlogon.exe
c:\windows\system32\sfcfiles.dll
c:\windows\System32\wscntfy.exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

RootRepeal Crash Fix
  1. Open on your desktop
  2. Before doing anything else, try changing the "Disk Access Level" in the Settings->Options dialog. Try moving it to the "Special" or "High" level. Also, click on the Files tab, and uncheck "Use lowest level for MBR check". Please let me know if this fixes the problem.
  3. Click the tab.
  4. Click the button.
  5. Check all seven boxes:
  6. Push Ok
  7. Check the box for your main system drive (Usually C:), and press Ok.
  8. Allow RootRepeal to run a scan of your system. This may take some time.
  9. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

==========

Go ahead and uninstall Spybot.

==========

With your next post please provide:

* Combofix.txt
* RootRepeal log if able
* Answer to question

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#12 FrostyJams

  • Topic Starter
  • Members
  • 24 posts

Posted 06 May 2010 - 07:08 PM

thcbytes,

Root Repeal ran! I do have the XP install disk so let me know what and how to replace the files you need. I am now going to uninstall Spybot.

Here are my logs.

Thanks, James



ComboFix 10-05-05.0D - James 05/06/2010 14:18:10.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2611 [GMT -7:00]
Running from: c:\documents and settings\James\Desktop\thcbytes.exe
Command switches used :: c:\documents and settings\James\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\wscntfy.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-04-21 16:22 . 2010-04-21 16:22 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-20 16:33 . 2010-04-20 16:33 52224 ----a-w- c:\documents and settings\James\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-20 16:33 . 2010-04-20 16:33 117760 ----a-w- c:\documents and settings\James\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-20 16:33 . 2010-04-20 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-20 16:32 . 2010-04-20 16:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-20 16:32 . 2010-04-20 16:32 -------- d-----w- c:\documents and settings\James\Application Data\SUPERAntiSpyware.com
2010-04-20 00:16 . 2010-04-20 00:16 -------- d-----w- c:\program files\TEAMVIEWER
2010-04-20 00:16 . 2010-04-20 00:16 -------- d-----w- c:\documents and settings\James\Application Data\TEAMVIEWER
2010-04-19 21:05 . 2010-04-18 01:26 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-19 08:17 . 2010-04-19 18:44 50176 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2010-04-19 07:44 . 2010-04-19 07:44 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-19 07:40 . 2010-04-19 07:45 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-19 07:39 . 2010-04-19 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-19 07:39 . 2010-04-19 07:39 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-19 07:09 . 2010-04-19 07:09 -------- d-----w- c:\windows\Sun
2010-04-19 07:09 . 2010-04-19 07:09 -------- d-----w- c:\program files\Common Files\Java
2010-04-19 07:09 . 2010-04-19 07:09 503808 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1ae2522c-n\msvcp71.dll
2010-04-19 07:09 . 2010-04-19 07:09 499712 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1ae2522c-n\jmc.dll
2010-04-19 07:09 . 2010-04-19 07:09 348160 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1ae2522c-n\msvcr71.dll
2010-04-19 07:09 . 2010-04-19 07:09 61440 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2e28809a-n\decora-sse.dll
2010-04-19 07:09 . 2010-04-19 07:09 12800 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2e28809a-n\decora-d3d.dll
2010-04-19 07:09 . 2010-04-19 07:08 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-19 07:08 . 2010-04-19 07:08 -------- d-----w- c:\program files\Java
2010-04-19 04:42 . 2010-04-19 04:42 -------- d-----w- c:\documents and settings\James\Application Data\Wireshark
2010-04-19 04:25 . 2010-04-19 04:25 -------- d-----w- c:\program files\WinPcap
2010-04-19 04:24 . 2010-04-19 04:25 -------- d-----w- c:\program files\Wireshark
2010-04-18 07:09 . 2010-05-03 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-18 07:09 . 2010-04-18 07:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-18 04:01 . 1999-12-17 17:13 49664 ----a-w- c:\windows\unvise32.exe
2010-04-18 04:00 . 2010-04-18 04:01 -------- d-----w- c:\program files\Active Ports
2010-04-18 03:49 . 2010-04-18 04:35 -------- d-----w- c:\program files\WinUpdatesList
2010-04-18 03:49 . 2010-04-18 03:49 39424 ----a-w- c:\windows\zipinst.exe
2010-04-18 02:59 . 2010-04-18 02:59 9728 ----a-r- c:\documents and settings\James\Application Data\Microsoft\Installer\{8C92D38B-C1DE-490A-B6D1-AAAA8E17DCE2}\Icon8C92D38B.exe
2010-04-18 02:59 . 2010-04-18 02:59 -------- d-----w- c:\program files\LIUtilities
2010-04-18 01:25 . 2010-04-18 01:25 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-04-18 01:25 . 2010-04-18 01:25 329560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-04-18 01:25 . 2010-04-18 01:25 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-04-18 01:25 . 2010-04-18 01:25 966104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-18 01:25 . 2010-04-18 01:25 849744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-04-18 01:25 . 2010-04-18 01:25 855864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-04-18 01:25 . 2010-04-18 01:25 1597952 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-04-18 01:25 . 2010-04-18 01:25 818256 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-04-18 01:25 . 2010-04-18 01:25 1265264 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-04-18 00:32 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-18 00:30 . 2010-04-19 21:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-18 00:30 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-04-18 00:29 . 2010-04-18 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-18 00:29 . 2010-04-18 00:30 -------- d-----w- c:\program files\Lavasoft
2010-04-17 22:36 . 2010-04-17 22:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-17 22:18 . 2010-04-17 22:18 -------- d-----w- c:\documents and settings\James\Application Data\Malwarebytes
2010-04-17 22:17 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-17 22:17 . 2010-04-17 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-17 22:17 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 22:17 . 2010-04-18 08:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-17 21:52 . 2010-04-18 01:13 -------- d-----w- c:\windows\system32\MpEngineStore
2010-04-17 08:39 . 2008-04-14 14:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-04-17 08:39 . 2008-04-14 14:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-04-17 08:38 . 2005-12-22 10:54 13824 ----a-r- c:\windows\system32\drivers\SaiMini.sys
2010-04-17 08:38 . 2005-12-22 10:54 35200 ----a-r- c:\windows\system32\drivers\SaiBus.sys
2010-04-17 08:37 . 2005-11-03 18:09 57344 ----a-w- c:\windows\system32\SAIGON.dll
2010-04-17 08:37 . 2005-10-18 21:31 45056 ----a-w- c:\windows\system32\SAIKICK.dll
2010-04-17 08:37 . 2010-04-17 22:29 -------- d-----w- c:\program files\Saitek
2010-04-17 07:39 . 2005-12-22 10:54 7168 ----a-r- c:\windows\system32\SaiC0464_10.dll
2010-04-17 07:39 . 2005-12-22 10:54 7168 ----a-r- c:\windows\system32\SaiC0464_0C.dll
2010-04-17 07:39 . 2005-12-22 10:54 2457600 ----a-r- c:\windows\system32\SaiD0464.Dll
2010-04-17 07:39 . 2005-12-22 10:54 176640 ----a-r- c:\windows\system32\drivers\SaiH0464.sys
2010-04-17 07:39 . 2005-12-22 10:54 8704 ----a-r- c:\windows\system32\SaiC0464_0A.dll
2010-04-17 07:39 . 2005-12-22 10:54 7168 ----a-r- c:\windows\system32\SaiC0464_09.dll
2010-04-17 07:39 . 2005-12-22 10:54 7168 ----a-r- c:\windows\system32\SaiC0464_07.dll
2010-04-17 07:39 . 2005-12-22 10:54 6144 ----a-r- c:\windows\system32\SaiC0464_0402.dll
2010-04-17 07:39 . 2005-12-22 10:54 507904 ----a-r- c:\windows\system32\SaiC0464.Dll
2010-04-12 23:54 . 2010-04-12 23:54 -------- d-----w- c:\program files\Intuit
2010-04-12 23:54 . 2010-04-12 23:55 -------- d-----w- c:\program files\Common Files\Intuit
2010-04-12 23:54 . 2000-10-20 08:05 25088 ----a-w- c:\windows\system32\msxml3a.dll
2010-04-12 23:54 . 1999-05-10 07:00 1694992 ----a-w- c:\windows\system32\vba6.dll
2010-04-12 23:52 . 2010-04-12 23:52 -------- d-----w- c:\windows\Intuit
2010-04-11 21:45 . 2010-04-11 23:52 -------- d-----w- c:\program files\PeerBlock
2010-04-11 21:34 . 2010-04-11 21:34 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\Shareaza
2010-04-11 21:33 . 2010-04-11 21:34 -------- d-----w- c:\documents and settings\James\Application Data\Shareaza
2010-04-11 21:33 . 2010-04-18 06:41 -------- d-----w- c:\program files\Shareaza
2010-04-10 20:37 . 2010-04-13 16:46 0 ----a-w- c:\windows\system32\acelpdect.sys
2010-04-09 22:17 . 2010-04-13 18:32 3317635 --sha-w- c:\windows\system32\6to4svce.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 21:39 . 2008-04-14 07:01 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-05-04 23:01 . 2008-04-14 07:01 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys.new
2010-05-03 03:05 . 2010-01-03 05:35 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-04-21 16:20 . 2003-03-31 12:00 101888 ----a-w- c:\windows\system32\drivers\adpu160m.sys
2010-04-20 16:32 . 2009-06-08 22:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-18 08:45 . 2009-10-24 23:38 -------- d-----w- c:\program files\AdsGone
2010-04-18 05:28 . 2009-06-08 07:04 20128 ----a-w- c:\documents and settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-17 22:29 . 2009-06-08 06:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-17 22:28 . 2009-11-28 07:23 -------- d-----w- c:\program files\Ray Adams
2010-04-13 03:10 . 2010-04-12 23:55 -------- d-----w- c:\program files\Common Files\WexTech Shared
2010-04-12 23:55 . 2010-04-12 23:55 2232 ----a-w- c:\windows\java\Packages\Data\ATZNTRNZ.DAT
2010-04-12 23:55 . 2010-04-12 23:55 155995 ----a-w- c:\windows\java\Packages\FB9JZJ5R.ZIP
2010-04-12 23:55 . 2010-04-12 23:55 2678 ----a-w- c:\windows\java\Packages\Data\UAN9FXNL.DAT
2010-04-12 23:55 . 2010-04-12 23:55 2678 ----a-w- c:\windows\java\Packages\Data\VTB3TBH7.DAT
2010-04-12 23:55 . 2010-04-12 23:55 2678 ----a-w- c:\windows\java\Packages\Data\QEHVXJT7.DAT
2010-04-12 23:55 . 2010-04-12 23:55 2678 ----a-w- c:\windows\java\Packages\Data\PF5ZNFDZ.DAT
2010-04-12 23:55 . 2010-04-12 23:55 2678 ----a-w- c:\windows\java\Packages\Data\BXNL777J.DAT
2010-04-12 23:55 . 2010-04-12 23:55 -------- d-----w- c:\program files\Common Files\LHSPF
2010-03-27 20:37 . 2010-03-27 20:36 -------- d-----w- c:\documents and settings\James\Application Data\Microsoft Games
2010-03-27 20:34 . 2010-03-27 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Games
2010-03-27 20:30 . 2010-02-11 04:02 -------- d-----w- c:\program files\Microsoft Games
2010-03-17 00:29 . 2010-03-17 00:29 -------- d-----w- c:\documents and settings\James\Application Data\U3
2010-03-11 12:38 . 2009-06-06 00:49 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-06-06 00:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2009-06-06 00:48 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-04-14 12:42 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2008-04-14 07:47 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2008-04-14 07:54 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 07:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-14 12:41 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 07:30 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[-] 2009-06-08 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe


[-] 2009-06-06 . 366476EFD3098809F23752AA30BD7F0C . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-04-18_18.27.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-06 18:12 . 2010-05-06 18:12 16384 c:\windows\temp\Perflib_Perfdata_758.dat
+ 2009-10-20 18:19 . 2009-10-20 18:19 53299 c:\windows\system32\pthreadVC.dll
+ 2009-10-20 18:19 . 2009-10-20 18:19 50704 c:\windows\system32\drivers\npf.sys
- 2008-04-14 07:01 . 2010-04-18 08:49 36352 c:\windows\system32\dllcache\intelppm.sys
+ 2008-04-14 07:01 . 2010-05-06 21:38 36352 c:\windows\system32\dllcache\intelppm.sys
- 2009-06-08 05:47 . 2010-04-18 01:26 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-08 05:47 . 2010-04-19 05:37 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-08 05:47 . 2010-04-18 01:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-06-08 05:47 . 2010-04-19 05:37 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-04-20 16:33 . 2010-04-20 16:33 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2010-04-20 16:33 . 2010-04-20 16:33 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2010-04-20 16:33 . 2010-04-20 16:33 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2009-10-20 18:19 . 2009-10-20 18:19 281104 c:\windows\system32\wpcap.dll
+ 2009-10-20 18:19 . 2009-10-20 18:19 100880 c:\windows\system32\Packet.dll
+ 2010-04-19 07:09 . 2010-04-19 07:08 153376 c:\windows\system32\javaws.exe
+ 2010-04-19 07:09 . 2010-04-19 07:08 145184 c:\windows\system32\javaw.exe
+ 2010-04-19 07:09 . 2010-04-19 07:08 145184 c:\windows\system32\java.exe
+ 2009-09-09 22:40 . 2009-09-09 22:40 632320 c:\windows\Installer\59392.msp
+ 2010-04-19 07:09 . 2010-04-19 07:09 180224 c:\windows\Installer\58833a.msi
+ 2010-04-19 07:08 . 2010-04-19 07:08 576000 c:\windows\Installer\588332.msi
+ 2009-06-08 07:04 . 2009-06-08 07:04 1488688 c:\windows\system32\muBlinder_ValBackup.dll
- 2009-06-08 07:04 . 2009-06-08 07:04 1488688 c:\windows\system32\LegitCheckControl.DLL
+ 2009-06-08 07:04 . 2010-04-19 04:56 1488688 c:\windows\system32\LegitCheckControl.DLL
+ 2010-03-11 19:03 . 2010-03-11 19:03 5524480 c:\windows\Installer\6b20c.msp
+ 2009-12-17 05:58 . 2009-12-17 05:58 5382144 c:\windows\Installer\6b207.msp
+ 2010-01-20 01:29 . 2010-01-20 01:29 5050368 c:\windows\Installer\6b202.msp
+ 2010-03-12 04:16 . 2010-03-12 04:16 4148224 c:\windows\Installer\6b1fd.msp
+ 2010-03-12 04:16 . 2010-03-12 04:16 4148224 c:\windows\Installer\593ab.msp
+ 2010-03-11 19:03 . 2010-03-11 19:03 5524480 c:\windows\Installer\593a6.msp
+ 2010-01-28 00:53 . 2010-01-28 00:53 6820864 c:\windows\Installer\593a1.msp
+ 2010-01-20 01:29 . 2010-01-20 01:29 5050368 c:\windows\Installer\5939c.msp
+ 2009-12-17 05:58 . 2009-12-17 05:58 5382144 c:\windows\Installer\59397.msp
+ 2009-10-07 01:40 . 2009-10-07 01:40 7681024 c:\windows\Installer\5938d.msp
+ 2010-04-20 16:32 . 2010-04-20 16:32 1583616 c:\windows\Installer\178fcf.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeMem Pro"="c:\program files\FreeMem Professional\Fmempro.exe" [2000-03-27 428544]
"IE New Window Maximizer"="c:\program files\IE New Window Maximizer\iemaximizer.exe" [2005-02-09 356352]
"SPSTEALT"="c:\program files\Smart Protector Pro\SmartProtector-Pro.exe" [2005-02-02 1937408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-01-09 65536]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-30 61440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-30 437584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"_nltide_3"="advpack.dll" [2010-03-11 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2009-10-24 295606]
AdsGone 2006.lnk - c:\program files\AdsGone\adsgone.exe [2005-10-18 1372160]
Point32.lnk - c:\program files\Microsoft Hardware\Mouse\point32.exe [2001-5-9 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/17/2010 5:32 PM 64288]
R0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [4/19/2010 1:17 AM 50176]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [6/8/2009 3:47 PM 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [6/8/2009 3:47 PM 202928]
R2 KillTheHooker;KillTheHooker;c:\unzipped\TDL3 Razor\TDL3 Razor\TizerBruteForceEx.sys [3/18/2010 4:50 PM 22320]
R2 SBAMSvc;SystemSuite;c:\program files\Common Files\AntiVirus\SBAMSvc.exe [10/28/2008 4:28 PM 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [6/8/2009 3:47 PM 69168]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296]
R3 KFilter;KFilter;c:\progra~1\AVANQU~1\SYSTEM~1\KFilter.sys [11/20/2008 1:56 PM 60272]
R3 TFilter;TFilter;c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys [9/22/2008 4:21 PM 20225]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S2 SamSsUPS;Security Accounts Manager SamSsUPS; [x]
S2 ThemesWmdmPmSN;Themes ThemesWmdmPmSN; [x]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [6/8/2009 3:38 PM 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296]
S3 klmd21;klmd21;c:\windows\system32\drivers\klmd.sys --> c:\windows\system32\drivers\klmd.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1265264]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/17/2010 3:17 PM 20824]
S3 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/17/2010 3:17 PM 303952]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 11:19 AM 50704]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [4/11/2010 2:45 PM 14424]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [4/17/2010 12:39 AM 176640]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/23/2008 4:09 AM 95024]
.
Contents of the 'Scheduled Tasks' folder

2010-04-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 01:25]

2010-05-06 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2010-04-18 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
TCP: {3F8FB53D-440D-4865-9755-692DABB9BF9A} = 192.168.0.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\James\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\James\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(960)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1864)
c:\windows\system32\WININET.dll
c:\progra~1\AVANQU~1\SYSTEM~1\WinHook.dll
c:\program files\Smart Protector Pro\sphook.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-05-06 14:42:47
ComboFix-quarantined-files.txt 2010-05-06 21:42
ComboFix2.txt 2010-05-03 23:47
ComboFix3.txt 2010-05-03 04:13
ComboFix4.txt 2010-04-18 18:32

Pre-Run: 32,560,541,696 bytes free
Post-Run: 32,551,837,696 bytes free

- - End Of File - - 7053163430118F5A3CA1242367B2AA72





@@@@@@@@@@@@ROOT REPEAL@@@@@@@@@@@@@




ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/05/06 15:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\James\LOCALS~1\Temp\catchme.sys
Address: 0xA97A6000 Size: 31744 File Visible: No Signed: -
Status: -

Name: dump_adpu160m.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_adpu160m.sys
Address: 0xA97C6000 Size: 102400 File Visible: No Signed: -
Status: -

Name: dump_diskdump.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys
Address: 0xB9E90000 Size: 16384 File Visible: No Signed: -
Status: -

Name: mbr.sys
Image Path: C:\DOCUME~1\James\LOCALS~1\Temp\mbr.sys
Address: 0xA5C7D000 Size: 20864 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7997000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA68B9000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\_restore{E21F9FBA-9390-40FE-AE4B-C9AE1C86034D}\RP3\A0007826.sys
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{E21F9FBA-9390-40FE-AE4B-C9AE1C86034D}\RP3\A0007827.sys
Status: Visible to the Windows API, but not on disk.

Path: c:\program files\avanquest\systemsuite\xacl.cfg
Status: Allocation size mismatch (API: 16384, Raw: 12288)

Path: C:\WINDOWS\system32\dllcache\intelppm.sys
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sbaphd.sys" at address 0xf79954d0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sbaphd.sys" at address 0xf7995520

==EOF==

#13 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 AM

Posted 06 May 2010 - 10:05 PM

Alright.

Let's first make sure your Install Disc has the necessary files.
  • I made the assumption that your CD drive is D:\
  • If that is incorrect then change the batch file drive letter to correspond with your CD drive.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

CODE
@echo off
dir /a/s "D:\i386\winlogon.ex_" "D:\i386\wscntfy.ex_" "D:\i386\sfcfiles.dl_" > log.txt&log.txt

  • Name the file as look.bat, making sure save as type is set to " All Files "
  • Double click on look.bat & allow it to run.
Copy and paste the content in your next reply

#14 FrostyJams

FrostyJams
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:24 AM

Posted 07 May 2010 - 03:38 PM

thcbytes,

I have two XP disks that are slipstreamed but I am not sure which one I used for my original install so I will give you the logs for both. I also have a stock XP SP2 that I know I did not use for this install if neither of these work.

Thanks, James


----------------Log1


Volume in drive D is Win XP Slip
Volume Serial Number is E8CF-3D0C

Directory of D:\i386

08/04/2004 12:56 AM 261,115 WINLOGON.EX_

Directory of D:\i386

08/04/2004 12:56 AM 6,664 wscntfy.ex_

Directory of D:\i386

08/04/2004 12:56 AM 79,843 SFCFILES.DL_
3 File(s) 347,622 bytes

Total Files Listed:
3 File(s) 347,622 bytes
0 Dir(s) 0 bytes free



----------------------Log2


Volume in drive D is XPSP3-4.24.10
Volume Serial Number is AB3C-6A35

Directory of D:\i386

04/14/2008 05:42 AM 265,069 WINLOGON.EX_

Directory of D:\i386

04/14/2008 05:42 AM 6,662 WSCNTFY.EX_

Directory of D:\i386

04/29/2010 11:36 AM 79,945 SFCFILES.DL_
3 File(s) 351,676 bytes

Total Files Listed:
3 File(s) 351,676 bytes
0 Dir(s) 0 bytes free


#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 AM

Posted 07 May 2010 - 10:13 PM

Well done.

Use the second disc....

You might want to print this for reference as your internet browser on this computer will be unavailable while you carry out these steps.
  • Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
  • Type the green bolded one line at a time and press Enter after entering each line.

    Please note: 'D' signifies the drive letter of your CD-ROM drive!! Please adjust accordingly. <--- Important!!

    expand D:\i386\WSCNTFY.EX_ c:\windows\system32\drivers
    ren c:\windows\SYSTEM32\DRIVERS\winlogon.exe winlogon.old
    expand D:\i386\winlogon.ex_ c:\windows\system32\drivers
    ren c:\windows\SYSTEM32\DRIVERS\sfcfiles.dll sfcfiles.old
    expand D:\i386\sfcfiles.dl_ c:\windows\system32\drivers


  • Type "Exit" and restart the computer.

==========

Reboot into normal Windows. Right click and delete Combofix from your desktop.

Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Combofix.txt

Kind regards,
~t
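The last few replies boil down to one check: take the files ComboFix flagged in its Sigcheck section or reported missing, work out their compressed i386 names, and confirm the install disc listing from look.bat actually carries each one. The script below is an added example, not code from this thread or from ComboFix, that automates that cross-check; the Sigcheck, "is missing" and dir line formats are read from the logs posted above, and the sample input is copied from those same logs.

```python
# Added example (not code from the thread or from ComboFix/RootRepeal): read the
# Sigcheck findings out of a ComboFix log and cross-check them against the `dir`
# output produced from a Windows install disc, to confirm every system file that
# failed the check or is missing has a compressed source (i386\*.ex_, *.dl_) on disc.
import re
from typing import Dict, List

# One Sigcheck line: "[flag] date . MD5 . size . . [version] . . path".
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
# ComboFix reports a missing protected file as "<path> . . . is missing!!".
MISSING_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S.*?)\s*(?:\.\s*){3}is missing\s*!*\s*$", re.IGNORECASE
)
# One `dir` entry: "MM/DD/YYYY HH:MM AM size name".
DIR_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}\s+[AP]M)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S+)\s*$"
)


def compressed_name(filename: str) -> str:
    """Map a system file to its name in the disc's i386 folder: the last character
    of the extension becomes '_' (winlogon.exe -> winlogon.ex_, sfcfiles.dll -> sfcfiles.dl_).
    Extensions shorter than three characters just get '_' appended."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        return filename + "._"
    return f"{stem}.{ext[:-1]}_" if len(ext) >= 3 else f"{stem}.{ext}_"


def parse_sigcheck(log: str) -> List[dict]:
    """Collect files ComboFix flagged ([-] = failed its signature check) or reported
    missing. The 'is missing' line appears twice in a log, so entries are de-duplicated."""
    findings: Dict[str, dict] = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = SIGCHECK_RE.match(line)
        if m:
            status = "failed-check" if m["flag"] == "-" else f"flag:{m['flag']}"
            findings.setdefault(m["path"].lower(), {
                "path": m["path"], "status": status, "md5": m["md5"].upper(),
                "size": int(m["size"]), "version": m["version"]})
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.setdefault(m["path"].lower(), {
                "path": m["path"], "status": "missing", "md5": None,
                "size": None, "version": None})
    return list(findings.values())


def parse_disc_listing(text: str) -> Dict[str, dict]:
    """Index a `dir /a/s` listing by lower-cased file name -> {date, time, size}."""
    files: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = DIR_RE.match(raw.strip())
        if m:
            files[m["name"].lower()] = {
                "date": m["date"], "time": m["time"],
                "size": int(m["size"].replace(",", ""))}
    return files


def replacement_plan(findings: List[dict], discs: Dict[str, Dict[str, dict]]) -> List[dict]:
    """For each finding, name the compressed source file and report which discs carry it
    (disc label -> size of the compressed file), so a disc lacking a source stands out."""
    plan = []
    for f in findings:
        basename = f["path"].rsplit("\\", 1)[-1]
        source = compressed_name(basename)
        on_disc = {label: listing[source.lower()]["size"]
                   for label, listing in discs.items() if source.lower() in listing}
        plan.append({"target": f["path"], "status": f["status"],
                     "source": source, "on_disc": on_disc})
    return plan


# Sample input copied from the logs posted in this thread (ComboFix Sigcheck section
# and the two look.bat listings, labelled by volume name); any other log reads the same.
SAMPLE_COMBOFIX = r"""
c:\windows\System32\wscntfy.exe . . . is missing!!
[-] 2009-06-08 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2009-06-06 . 366476EFD3098809F23752AA30BD7F0C . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
c:\windows\System32\wscntfy.exe ... is missing !!
"""
SAMPLE_DISCS = {
    "Win XP Slip": """
08/04/2004 12:56 AM 261,115 WINLOGON.EX_
08/04/2004 12:56 AM 6,664 wscntfy.ex_
08/04/2004 12:56 AM 79,843 SFCFILES.DL_
""",
    "XPSP3-4.24.10": """
04/14/2008 05:42 AM 265,069 WINLOGON.EX_
04/14/2008 05:42 AM 6,662 WSCNTFY.EX_
04/29/2010 11:36 AM 79,945 SFCFILES.DL_
""",
}


def build_plan() -> List[dict]:
    """Run the cross-check over the sample logs and return one entry per flagged file."""
    discs = {label: parse_disc_listing(text) for label, text in SAMPLE_DISCS.items()}
    return replacement_plan(parse_sigcheck(SAMPLE_COMBOFIX), discs)


if __name__ == "__main__":
    for entry in build_plan():
        print(f"{entry['target']} [{entry['status']}] <- {entry['source']}: {entry['on_disc']}")
```

An empty `on_disc` for any entry means that disc cannot supply the file and another source is needed before the Recovery Console step.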



