
Google redirect removal


  • This topic is locked
33 replies to this topic

#1 SaprkE!

SaprkE!

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:33 PM

Posted 11 June 2010 - 10:02 AM

I encountered the Google redirect issue. Clicking on Google search results redirects to another site, not the site listed in the search results. Copying and pasting the URL into a new tab or browser window worked fine.

To fix this problem, I used Trend Micro's Housecall (I think that is the name of Trend Micro's free virus removal tool.) This program found 7 different trojan infections and removed them. Unfortunately, I failed to write them down because I was expecting some log file to be created that told what they were.

I then used Malwarebytes.exe to find any further problems that might exist. I chose the Full Scan option and left it running overnight because it takes so long to run. In the morning, the machine had been shut down and was waiting for my username and password. Since thunderstorms had been in the area, I suspected that I had just lost power. So I logged back on and ran Malwarebytes.exe again. It found 8 different infections, including 3 memory modules, 4 files and one registry key. The memory modules were called blymbi.dll. The files were also named blymbi.dll. The registry entry was called appsecdll.

After running Malwarebytes.exe full scan and removing the infections, my browser (Firefox) seemed to be working fine, but it was not able to re-start the tabs that had been opened when Firefox was last running. (Remember that the machine apparently lost power in the middle of the night or for some other reason shut itself down and powered back up.)

Later in the day, my firewall (Sygate) warned me that Windows Update was attempting to access the network and that it had been changed since the last time it was used. The particular file was wyackt1.exe. Here is that file and similarly named files in the WINDOWS/system32 folder:

wuauclt1.exe 162 KB Applicaiton 8/4/2004 2:56 AM
wuauclt.exe 53 KB Application 8/6/2009 7:24 PM
wuapi.dll 563 KB Application Extension 8/6/2009 7:23 PM

I did not allow that program to access the network.

I started Malwarebytes.exe again and set it to do a full scan. I again left the program running over night. Again, the machine had been shut down in the middle of the night and was waiting for me to log on. When I logged on, "Windows Update" informed me that it had new items to install, one of which was Windows Explorer 8 (is there a version 8?) and Windows Malware removal and security tools (this is not the exact name - this is from memory). I chose not to install either of them. The thing is that I'm WAY behind on Windows Update, still running SP2, and automatic updates had been turned off until today and I had not turned updates on.

Then I ran the real Windows Update (wupdmgr.exe) and of course, it first wanted to install SP3, not the programs that had been suggested by whatever program was masquerading as Windows Update when I booted up. I again did not do any Windows updates.

Then Sygate warned me that C:\WINDOWS\system32\ntoskrnl.exe was attempting to connect to the network and that it had been changed since the last time it was used. The originating IP was 192.168.0.2 (my PC's IP address on the local network) and the destination IP was 192.169.0.255. I have not yet responded to Sygate whether or not to allow that to occur. Here is that file and other possibly related files that were created at approximately the same time, all resident in the system32 folder:


ntoskrnl.exe 2,087 KB Application 2/16/2010 8:17 AM
ntkrnlpa.exe 1,970 KB Application 2/16/2010 7:39 AM
wmp.dll 4,624 KB Application Extension 2/16/2010 7:27 AM

So, I started looking for this site. When I got here and clicked on the link to get an account, that worked, but the browser quit working and would not let me send the account creation request. The browser is not able to connect to the internet now, even if a specific IP is entered.

I then rebooted the modem/router (Hughes HN 7000s satellite modem with integrated router.) This did not help and the PC is still unable to connect to the internet.

So, I connected my employer's laptop to the router, signed up to this forum, read the instructions on what should be included in this post. I am not able to run gmer on this machine because of security settings made by my employer's IT department. I used my employer's laptop to download the other required programs to a USB stick and ran them on the infected machine. As previously noted, gmer could not be run due to security restrictions in place on my employer's laptop that prevent the gmer download site from being contacted. Here are the other results:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Brad Wiseman at 8:51:51.84 on Fri 06/11/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.589 [GMT -5:00]

FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\HUGHES~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Brad Wiseman\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
c:\Program Files\HughesNet Tools\bin\mpbtn.exe
C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPMixDSP.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brad Wiseman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.myhughesnet.com
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [SansaDispatch] c:\documents and settings\brad wiseman\application data\sandisk\sansa updater\SansaDispatch.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [WinFast Schedule] c:\program files\winfast\wftvfm\WFWIZ.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Motive SmartBridge] c:\progra~1\hughes~1\smartb~1\MotiveSB.exe
StartupFolder: c:\docume~1\bradwi~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org1.1.0\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\corece~1.lnk - c:\program files\msi\core center\CoreCenter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hughes~1.lnk - c:\program files\hughesnet tools\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238983705796
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {7431EBAE-0284-44C7-8501-4D41586D7700} = 66.82.4.8
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bradwi~1\applic~1\mozilla\firefox\profiles\ee8tmyo4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.taperssection.com/index.php
FF - plugin: c:\program files\canon\program\NPCIG.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2004-1-1 81356]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2004-1-1 39182]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [2004-1-1 9804]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-3-20 98328]
R3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [2008-3-20 259096]
R3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [2008-3-20 134168]
R3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [2008-3-20 309784]
R3 PCAlertDriver;PCAlertDriver;c:\program files\msi\core center\NTGLM7X.SYS [2003-12-14 22055]
R3 WFIOCTL;WFIOCTL;c:\program files\winfast\wftvfm\WFIOCTL.sys [2004-1-1 6085]
S1 PDIDRV;PDIDRV; [x]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-3-20 98328]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-3-20 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-3-20 171032]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-3-20 528920]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-3-20 528920]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [2008-3-20 163352]
S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [2008-3-20 163352]
S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [2008-3-20 259096]
S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [2008-3-20 134168]
S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [2008-3-20 309784]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-3-20 99352]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-3-20 99352]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-3-20 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-3-20 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-3-20 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-3-20 72728]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-3-20 534040]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-3-20 534040]
S3 Jukebox3_1394;Jukebox3_1394;c:\windows\system32\drivers\ctpd1394.sys [2003-12-24 23536]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-9 38224]
S3 RDID1005;EDIROL UA-5;c:\windows\system32\drivers\Rdwm1005.sys [2004-12-24 146606]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2010-06-11 13:39:57 0 ----a-w- c:\documents and settings\brad wiseman\defogger_reenable
2010-06-11 08:15:12 0 d-----w- c:\program files\MSXML 6.0
2010-06-11 08:12:36 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-06-11 08:12:34 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-06-11 08:11:55 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-06-11 04:26:29 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-06-11 04:25:42 352640 -c----w- c:\windows\system32\dllcache\srv.sys
2010-06-11 04:23:35 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-11 04:23:17 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-11 04:22:21 1089601 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-06-11 04:20:24 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-06-11 04:20:09 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-11 04:16:09 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-06-11 04:11:27 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-06-11 04:07:57 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-06-11 04:07:04 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-06-11 04:06:51 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-06-11 04:05:34 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-06-11 04:05:34 1196000 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2010-06-10 00:41:24 0 d-----w- c:\docume~1\bradwi~1\applic~1\Malwarebytes
2010-06-10 00:41:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-10 00:41:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-10 00:41:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-10 00:41:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-09 05:35:45 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-05-16 15:50:16 0 d-----w- c:\program files\AP Tuner
2010-05-16 15:07:17 54156 ---ha-w- c:\windows\QTFont.qfn
2010-05-16 15:07:17 1409 ----a-w- c:\windows\QTFont.for

==================== Find3M ====================

2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:36:49 662016 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:36:45 81920 ------w- c:\windows\system32\ieencode.dll
2001-11-23 04:08:20 712704 ----a-w- c:\windows\inf\other\AUDIO3D.DLL

============= FINISH: 8:52:45.65 ===============

Attached Files
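The file listing in the post above is the classic look-alike pattern: a file named almost like a genuine Windows Update binary (wuauclt1.exe beside wuauclt.exe) with a size and timestamp that do not match its neighbours. The following is an added triage script, not code from the poster, from BleepingComputer, or from DDS, Malwarebytes or Sygate. It parses directory-listing lines in the format the poster pasted, compares every name against a known-good list by edit distance, and reports near-duplicates together with how far apart in time the look-alike and the genuine file were modified. The KNOWN_GOOD allow-list here is a hypothetical stand-in; a real one would come from a known-clean install or a vendor file catalogue. The sample listing is the poster's three lines, embedded as constructed input.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the three system32 entries quoted in the post above,
# typed exactly as the poster gave them (including the "Applicaiton" typo).
LISTING = """\
wuauclt1.exe 162 KB Applicaiton 8/4/2004 2:56 AM
wuauclt.exe 53 KB Application 8/6/2009 7:24 PM
wuapi.dll 563 KB Application Extension 8/6/2009 7:23 PM
"""

# Hypothetical allow-list of genuine Windows Update file names. In practice this
# would be built from a known-clean machine or a vendor hash catalogue.
KNOWN_GOOD = {"wuauclt.exe", "wuapi.dll", "wuaueng.dll", "wucltui.dll"}

# One Explorer-style listing line: name, size in KB, type text, date, time.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<size>[\d,]+)\s+KB\s+(?P<kind>.+?)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}\s+[AP]M)$"
)


@dataclass
class Entry:
    name: str       # lower-cased file name
    size_kb: int
    kind: str       # "Application", "Application Extension", ...
    mtime: datetime


def parse_listing(text):
    """Parse listing lines; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mtime = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M %p")
        entries.append(Entry(m["name"].lower(),
                             int(m["size"].replace(",", "")),
                             m["kind"], mtime))
    return entries


def edit_distance(a, b):
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,        # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(entries, known_good=KNOWN_GOOD, max_distance=2):
    """Return (name, mimicked_name, distance, note) for names that are a few
    edits away from a known-good file but are not that file themselves."""
    findings = []
    by_name = {e.name: e for e in entries}
    for e in entries:
        if e.name in known_good:
            continue
        for good in sorted(known_good):
            d = edit_distance(e.name, good)
            if 0 < d <= max_distance:
                note = f"{e.name} is {d} edit(s) away from {good}"
                twin = by_name.get(good)
                if twin is not None:
                    gap_days = abs((e.mtime - twin.mtime).days)
                    note += (f"; modified {gap_days} days apart from the genuine "
                             f"file ({e.size_kb} KB vs {twin.size_kb} KB)")
                findings.append((e.name, good, d, note))
    return findings


if __name__ == "__main__":
    for _, _, _, note in find_lookalikes(parse_listing(LISTING)):
        print("SUSPECT:", note)
```

On the poster's listing this reports wuauclt1.exe as one edit away from wuauclt.exe, modified roughly five years apart and three times the size, which is exactly the kind of entry worth submitting to a scanner or comparing against a clean install rather than allowing through the firewall.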





#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:04:33 AM

Posted 15 June 2010 - 03:44 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 SaprkE!

SaprkE!
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:33 PM

Posted 16 June 2010 - 08:27 AM

I have done nothing with the machine since I made my original posting above.

I tried leaving it running, but physically disconnected from the internet connection, but the machine seems to have a scheduled task that runs at 3:00 am. I'm not sure what all that task does, but it does result in the machine trying to reboot. When I found the machine in that condition, I shut it down and it has remained shut down since then.

So, my DDS log is current from the last boot cycle.

As noted in my previous post, GMER was not available to me due to restrictions put in place by my employer's IT department and/or Trend Micro which is the provider of the security software on my employer's installed base of computers. When I tried to go there, I got a Trend Micro warning that says:

The URL that you are attempting to access is a potential security risk. Trend Micro OfficeScan has blocked this URL in keeping with network security policy.
URL: http://www2.gmer.net/gmer.zip
Risk Level: Risk level cannot be displayed because active scripting is disabled. High Medium Low
Details: For more information about this URL or to report it to Trend Micro for reclassification,visit http://reclassify.wrs.trendmicro.com.

Today, I tried both GMER links again and the Main link seems to be working now, so I now have a copy of GMER that I can run on my personal machine and will do so as soon as possible. I will also re-run the DDS scan.

I'm assuming that I should run these in Safe Mode or should I first attempt to run them in normal Windows mode? I'm running Windows XP SP2.



#4 SaprkE!

SaprkE!
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:33 PM

Posted 16 June 2010 - 10:09 PM

OK, here are the logs:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Brad Wiseman at 20:17:03.73 on Wed 06/16/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.672 [GMT -5:00]

FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\HUGHES~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Brad Wiseman\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPMixDSP.exe
c:\Program Files\HughesNet Tools\bin\mpbtn.exe
C:\Documents and Settings\Brad Wiseman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.myhughesnet.com
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [SansaDispatch] c:\documents and settings\brad wiseman\application data\sandisk\sansa updater\SansaDispatch.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [WinFast Schedule] c:\program files\winfast\wftvfm\WFWIZ.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Motive SmartBridge] c:\progra~1\hughes~1\smartb~1\MotiveSB.exe
StartupFolder: c:\docume~1\bradwi~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org1.1.0\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\corece~1.lnk - c:\program files\msi\core center\CoreCenter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hughes~1.lnk - c:\program files\hughesnet tools\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238983705796
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {7431EBAE-0284-44C7-8501-4D41586D7700} = 66.82.4.8
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bradwi~1\applic~1\mozilla\firefox\profiles\ee8tmyo4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.taperssection.com/index.php
FF - plugin: c:\program files\canon\program\NPCIG.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2004-1-1 81356]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2004-1-1 39182]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [2004-1-1 9804]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-3-20 98328]
R3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [2008-3-20 259096]
R3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [2008-3-20 134168]
R3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [2008-3-20 309784]
R3 PCAlertDriver;PCAlertDriver;c:\program files\msi\core center\NTGLM7X.SYS [2003-12-14 22055]
R3 WFIOCTL;WFIOCTL;c:\program files\winfast\wftvfm\WFIOCTL.sys [2004-1-1 6085]
S1 PDIDRV;PDIDRV; [x]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-3-20 98328]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-3-20 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-3-20 171032]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-3-20 528920]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-3-20 528920]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [2008-3-20 163352]
S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [2008-3-20 163352]
S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [2008-3-20 259096]
S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [2008-3-20 134168]
S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [2008-3-20 309784]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-3-20 99352]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-3-20 99352]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-3-20 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-3-20 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-3-20 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-3-20 72728]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-3-20 534040]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-3-20 534040]
S3 Jukebox3_1394;Jukebox3_1394;c:\windows\system32\drivers\ctpd1394.sys [2003-12-24 23536]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-9 38224]
S3 RDID1005;EDIROL UA-5;c:\windows\system32\drivers\Rdwm1005.sys [2004-12-24 146606]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2010-06-11 13:39:57 0 ----a-w- c:\documents and settings\brad wiseman\defogger_reenable
2010-06-11 08:15:12 0 d-----w- c:\program files\MSXML 6.0
2010-06-11 08:12:36 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-06-11 08:12:34 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-06-11 08:11:55 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-06-11 04:26:29 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-06-11 04:25:42 352640 -c----w- c:\windows\system32\dllcache\srv.sys
2010-06-11 04:23:35 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-11 04:23:17 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-11 04:22:21 1089601 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-06-11 04:20:24 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-06-11 04:20:09 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-11 04:16:09 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-06-11 04:11:27 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-06-11 04:07:57 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-06-11 04:07:04 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-06-11 04:06:51 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-06-11 04:05:34 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-06-11 04:05:34 1196000 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2010-06-10 00:41:24 0 d-----w- c:\docume~1\bradwi~1\applic~1\Malwarebytes
2010-06-10 00:41:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-10 00:41:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-10 00:41:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-10 00:41:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-09 05:35:45 0 d-----w- c:\windows\system32\SoftwareDistribution

==================== Find3M ====================

2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:36:49 662016 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:36:45 81920 ------w- c:\windows\system32\ieencode.dll
2001-11-23 04:08:20 712704 ----a-w- c:\windows\inf\other\AUDIO3D.DLL

============= FINISH: 20:17:53.21 ===============


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-16 21:32:52
Windows 5.1.2600 Service Pack 2
Running: 2b65tb8y.exe; Driver: C:\DOCUME~1\BRADWI~1\LOCALS~1\Temp\uwtdypob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xF2067B30]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xF20676F0]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xF2067470]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xF2067C50]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xF2067990]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xF20678D0]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xF2067D60]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF684E340, 0x1215FF, 0xF8000020]
.text tcpip.sys!IPTransmit + 10BC F0A1ACFA 6 Bytes CALL F7396E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 263D F0A1C27B 6 Bytes CALL F7396E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!ARPRcv + 521E F0A214BE 6 Bytes CALL F7396E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys F205A3FD 7 Bytes CALL F7396FA0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012380, 0x2597B1, 0xF8000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\bridge.sys[NDIS.SYS!NdisRegisterProtocol] [F73978E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\bridge.sys[NDIS.SYS!NdisOpenAdapter] [F7397BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\bridge.sys[NDIS.SYS!NdisCloseAdapter] [F7397C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\bridge.sys[NDIS.SYS!NdisDeregisterProtocol] [F7397B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7397C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7397BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F7397B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F73978E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F73978E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7397BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7397C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F7397B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F7397B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F73978E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7397BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7397C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F73978E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7397C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7397BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F7397B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7397C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7397BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F73978E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F7397C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F7397BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F7397B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F73978E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7397B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F73978E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7397BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7397C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F73978E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F7397B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F7397C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F7397BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

---- EOF - GMER 1.0.15 ----

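The entries a malware responder reads first in a DDS "Pseudo HJT Report" (hosts-file overrides, per-interface DNS servers, orphaned BHO/EB entries, and Run keys that start a bare file name) can be picked out mechanically. The script below is an added example, not DDS, GMER or the helper's own tooling; its regexes and heuristics are my own, cover only the line shapes seen in the log above, and run over sample lines copied from that log.

```python
import re
from dataclasses import dataclass
from typing import List

# Added example: triage pass over the "Pseudo HJT Report" section of a DDS log.
# The regexes are hypothetical and match only the line shapes seen in the log above.
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
RUN_RE = re.compile(r"^(?:uRun|mRun):\s+\[([^\]]*)\]\s+(.+)$")
DNS_RE = re.compile(r"^TCP:\s+\{[0-9A-Fa-f-]+\}\s+=\s+(.+)$")
ORPHAN_RE = re.compile(r"^(?:BHO|EB|TB):\s+.*-\s+No File$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class Finding:
    line: str    # the log line that triggered the finding
    reason: str  # why a responder should look at it


def split_cmd(cmd: str) -> List[str]:
    """Split a Run-key command into tokens, honouring double-quoted paths."""
    tokens, cur, quoted = [], "", False
    for ch in cmd.strip():
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def check_run_entry(name: str, cmd: str) -> str:
    """Return a reason if a Run entry starts something without a full path, else ""."""
    tokens = split_cmd(cmd)
    if not tokens:
        return ""
    exe = tokens[0]
    # rundll32 itself is a trusted host; what matters is the module it is told to load.
    if exe.lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        module = tokens[1].split(",", 1)[0]
        if "\\" not in module:
            return f"Run entry [{name}] loads {module} via rundll32 without a path"
        return ""
    if "\\" not in exe:
        # A bare name is resolved through the search path at logon, so it cannot be
        # verified from the log alone and is a classic spot for a planted binary.
        return f"Run entry [{name}] starts {exe} without a path"
    return ""


def triage_hjt(lines: List[str]) -> List[Finding]:
    """Scan Pseudo HJT Report lines and return the entries worth a closer look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            # Loopback in the hosts file silently blocks the site: malware does this
            # to security vendors, ad blockers to ad domains, so it is "review" only.
            what = "blocks" if ip in LOOPBACK else f"redirects to {ip}"
            findings.append(Finding(line, f"hosts file {what} {host}"))
        elif m := DNS_RE.match(line):
            # DNS changers are one way search results get redirected: confirm the ISP.
            findings.append(Finding(line, f"interface uses DNS server {m.group(1)}; verify it is the ISP's"))
        elif ORPHAN_RE.match(line):
            findings.append(Finding(line, "orphaned browser extension entry (No File)"))
        elif m := RUN_RE.match(line):
            reason = check_run_entry(*m.groups())
            if reason:
                findings.append(Finding(line, reason))
    return findings


# Sample input: a subset of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [SetDefaultMIDI] MIDIDef.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [nwiz] nwiz.exe /install
mRun: [CTHelper] CTHELPER.EXE
TCP: {7431EBAE-0284-44C7-8501-4D41586D7700} = 66.82.4.8
Hosts: 127.0.0.1 www.spywareinfo.com
""".splitlines()

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Every hit is a "look here" prompt, not a verdict: the DNS server in this log belongs to the user's satellite ISP, and the bare-name Run entries are old driver utilities, but each is confirmed by checking the file on disk rather than by the log line.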



#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:04:33 AM

Posted 19 June 2010 - 07:17 AM

Hello, SaprkE!
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

  • Double click on the renamed Combofix.exe & follow the prompts. When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#6 SaprkE!

SaprkE!
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:33 PM

Posted 19 June 2010 - 09:32 PM

OK, before we get started, I need to reiterate that I do not have an active internet connection. I gave a lot of background information in my first post which, in order to not clutter up this thread, I will not repeat here. However, it may be helpful if you would read through that posting again. My second post also may contain relevant information. I think that the thing that is keeping me from being able to connect to the internet may be the fact that Sygate (my firewall) has detected changes to C:\WINDOWS\system32\ntoskrnl.exe and it is still asking me if I want to allow this program to connect to the network. I have not yet answered, so I presume that this program is not yet allowed to connect to the network. Also note that this happened after my first attempts at fixing the Google redirect issues by using Trend Micro's Housecall, followed by Malwarebytes.exe. Also, it seems that Windows Update (or some program that claims to be Windows Update), which I have never approved for automatic updates, keeps trying to update my machine at 3:00 in the morning. I do not know if this is the result of running Housecall or Malwarebytes.exe or if this is the result of the Google redirect virus or if this is the result of something else.

From your description of the use of Combofix.exe, it appears that internet access is assumed to be working on the affected machine (which it is not). I am currently posting from another machine. Do I somehow need to restore the internet connection on the affected machine? (Do I need to tell Sygate to allow ntoskrnl.exe to access the network?)

#7 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:04:33 AM

Posted 21 June 2010 - 02:00 PM

It would be better for Combofix if the system were connected, but we can try something else.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.



Download this tool to another system, transfer it to the infected one and let it run.
regards,
schrauber


#8 SaprkE!

SaprkE!
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:33 PM

Posted 21 June 2010 - 03:06 PM

Well, should I try allowing ntoskrnl.exe to access the network? From what I've been reading here on the bleepingcomputer forums, Sygate seems to be prone to blocking that program. Other members of the Malware Response Team have advised that it's unlikely that ntoskrnl would be a problem. I just did not want to allow it to access the network unless it was known that it is OK to do so. I suspect that not allowing ntoskrnl.exe to access the network may be the reason that the machine cannot access the internet.

So, which should I do:

1) Allow ntoskrnl.exe to access the network with the hopes that the internet connection would be restored so that I can follow your previous Combofix instructions

2) Follow your most recent instructions to run TDSSKiller

Edited by SaprkE!, 21 June 2010 - 03:07 PM.


#9 SaprkE!

SaprkE!
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:33 PM

Posted 21 June 2010 - 08:06 PM

I tried downloading TDSSKiller.exe from the link you specified and I am not able to get there because of the security policy in effect on my employer's machine that I'm using to download the tools you have specified. Here is the message that I get:

URL Blocked

The URL that you are attempting to access is a potential security risk. Trend Micro OfficeScan has blocked this URL in keeping with network security policy.
URL: http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Risk Level: High
Details: For more information about this URL or to report it to Trend Micro for reclassification,visit http://reclassify.wrs.trendmicro.com.


The file cannot be found on the http://usa.kaspersky.com/ site where there do not appear to be any blocked URLs.

#10 SaprkE!

SaprkE!
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:33 PM

Posted 21 June 2010 - 10:07 PM

OK, I was able to find a Kaspersky URL through which I was allowed to download TDSSKiller.exe:

http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Here is the result:

21:47:14:968 2992 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
21:47:14:968 2992 ================================================================================
21:47:14:968 2992 SystemInfo:

21:47:14:968 2992 OS Version: 5.1.2600 ServicePack: 2.0
21:47:14:968 2992 Product type: Workstation
21:47:14:968 2992 ComputerName: SPARKE
21:47:14:968 2992 UserName: Brad Wiseman
21:47:14:968 2992 Windows directory: C:\WINDOWS
21:47:14:968 2992 Processor architecture: Intel x86
21:47:14:968 2992 Number of processors: 2
21:47:14:968 2992 Page size: 0x1000
21:47:14:968 2992 Boot type: Normal boot
21:47:14:968 2992 ================================================================================
21:47:15:343 2992 Initialize success
21:47:15:343 2992
21:47:15:343 2992 Scanning Services ...
21:47:15:640 2992 Raw services enum returned 383 services
21:47:15:640 2992
21:47:15:640 2992 Scanning Drivers ...
21:47:23:171 2992
21:47:23:171 2992 Completed
21:47:23:171 2992
21:47:23:171 2992 Results:
21:47:23:171 2992 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
21:47:23:171 2992 File objects infected / cured / cured on reboot: 0 / 0 / 0
21:47:23:171 2992
21:47:23:171 2992 KLMD(ARK) unloaded successfully


#11 schrauber (Mr.Mechanic, Malware Response Team)

Posted 23 June 2010 - 11:10 PM

Ok, no TDL infection to see.

Please run Combofix; we can install the Recovery Console later when we have an internet connection.

regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#12 SaprkE! (Topic Starter)

Posted 24 June 2010 - 09:50 PM

OK, during the previous boot cycle, the Sygate window was in the foreground when I was trying to run TDSSKiller.exe. I was trying to click a button to continue, and used the Enter key. The effect was that I "clicked" the button to allow ntoskrnl.exe to access the network. At the time, I was not connected to the internet and there did not appear to be any resulting hard disk thrashing. I got into Sygate and set it to ask for permission for ntoskrnl.exe to access the network if it tries to access the network again. Since that time (during the current boot cycle), ntoskrnl.exe has not asked to access the network again. I still have not reconnected the network cable to the infected PC and will not do so until you tell me to reconnect the network cable.

Here are the contents of ComboFix.txt:

ComboFix 10-06-19.01 - Brad Wiseman 06/24/2010 21:15:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.671 [GMT -5:00]
Running from: c:\documents and settings\Brad Wiseman\Desktop\schrauber.exe
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brad Wiseman\Application Data\inst.exe
c:\documents and settings\Brad Wiseman\Local Settings\Application Data\Windows Server
c:\documents and settings\Brad Wiseman\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Brad Wiseman\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
C:\feed.txt
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-25 to 2010-06-25 )))))))))))))))))))))))))))))))
.

2010-06-11 08:15 . 2010-06-11 08:15 -------- d-----w- c:\program files\MSXML 6.0
2010-06-11 08:11 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-06-11 04:26 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-06-11 04:25 . 2009-12-31 16:14 352640 -c----w- c:\windows\system32\dllcache\srv.sys
2010-06-11 04:23 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-11 04:23 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-11 04:20 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-06-11 04:20 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-11 04:11 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-06-11 04:07 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-06-11 04:07 . 2008-10-15 16:57 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-06-11 04:06 . 2009-07-31 04:57 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-06-11 04:05 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-06-10 00:41 . 2010-06-10 00:41 -------- d-----w- c:\documents and settings\Brad Wiseman\Application Data\Malwarebytes
2010-06-10 00:41 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-10 00:41 . 2010-06-10 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-10 00:41 . 2010-06-10 11:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-10 00:41 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-25 02:08 . 2004-01-04 21:31 -------- d-----w- c:\documents and settings\Brad Wiseman\Application Data\OpenOffice.org1.1.0
2010-06-11 08:13 . 2003-12-26 21:36 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2010-06-11 08:12 . 2010-06-11 08:12 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-06-11 08:12 . 2010-06-11 08:12 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-06-09 02:48 . 2006-07-27 03:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-06 16:13 . 2010-03-20 17:54 -------- d-----w- c:\documents and settings\Brad Wiseman\Application Data\ZoomBrowser EX
2010-05-27 03:49 . 2006-05-29 03:32 -------- d-----w- c:\documents and settings\Brad Wiseman\Application Data\foobar2000
2010-05-16 15:50 . 2010-05-16 15:50 -------- d-----w- c:\program files\AP Tuner
2010-05-02 05:56 . 2004-02-14 16:28 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 03:30 . 2008-12-21 16:30 -------- d-----w- c:\documents and settings\Brad Wiseman\Application Data\Audacity
2010-04-20 05:51 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:36 . 2004-01-21 22:16 662016 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:36 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-04-08 03:30 . 2006-08-27 22:35 30584 ----a-w- c:\documents and settings\Brad Wiseman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-09-25 49152]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
"SetDefaultMIDI"="MIDIDef.exe" [2008-03-20 31232]
"SansaDispatch"="c:\documents and settings\Brad Wiseman\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-05-02 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2003-08-19 126976]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-09-25 5033984]
"nwiz"="nwiz.exe" [2003-09-25 741376]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2003-09-29 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-23 1398272]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-16 2577632]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-27 282624]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"CTHelper"="CTHELPER.EXE" [2008-03-20 23040]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-03-20 23552]
"Motive SmartBridge"="c:\progra~1\HUGHES~1\SMARTB~1\MotiveSB.exe" [2006-04-21 438359]

c:\documents and settings\Brad Wiseman\Start Menu\Programs\Startup\
OpenOffice.org 1.1.0.lnk - c:\program files\OpenOffice.org1.1.0\program\quickstart.exe [2003-9-1 61440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-3-9 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
CoreCenter.lnk - c:\program files\MSI\Core Center\CoreCenter.exe [2003-12-14 2605056]
HughesNet Tools.lnk - c:\program files\HughesNet Tools\bin\matcli.exe [2009-6-22 217088]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-12-14 102400]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2007-4-28 339968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=rddv1005.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [1/1/2004 4:15 PM 81356]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [1/1/2004 4:15 PM 39182]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [1/1/2004 4:15 PM 9804]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/20/2008 5:23 PM 98328]
R3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [3/20/2008 5:32 PM 259096]
R3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [3/20/2008 5:38 PM 134168]
R3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [3/20/2008 5:37 PM 309784]
R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [1/1/2004 4:18 PM 6085]
S1 PDIDRV;PDIDRV; [x]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/20/2008 5:23 PM 98328]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [3/20/2008 5:36 PM 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [3/20/2008 5:36 PM 171032]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/20/2008 5:23 PM 528920]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/20/2008 5:23 PM 528920]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [3/20/2008 5:26 PM 163352]
S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [3/20/2008 5:26 PM 163352]
S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [3/20/2008 5:32 PM 259096]
S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [3/20/2008 5:38 PM 134168]
S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [3/20/2008 5:37 PM 309784]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/20/2008 5:36 PM 99352]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/20/2008 5:36 PM 99352]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [3/20/2008 5:40 PM 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [3/20/2008 5:40 PM 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [3/20/2008 5:37 PM 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [3/20/2008 5:37 PM 72728]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/20/2008 5:25 PM 534040]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/20/2008 5:25 PM 534040]
S3 Jukebox3_1394;Jukebox3_1394;c:\windows\system32\drivers\ctpd1394.sys [12/24/2003 10:24 AM 23536]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/9/2010 7:41 PM 38224]
S3 RDID1005;EDIROL UA-5;c:\windows\system32\drivers\Rdwm1005.sys [12/24/2004 2:32 PM 146606]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCAlertDriver
*Deregistered* - RushTopDevice
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myhughesnet.com
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: {7431EBAE-0284-44C7-8501-4D41586D7700} = 66.82.4.8
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Brad Wiseman\Application Data\Mozilla\Firefox\Profiles\ee8tmyo4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.taperssection.com/index.php
FF - plugin: c:\program files\Canon\Program\NPCIG.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-24 21:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Brad Wiseman\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?NSA124410466935213%2526version%253d4%26certificate-verification-url%3dhttps%253a%252f%252ffe.gum

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(976)
c:\windows\system32\rddv1005.dll
.
Completion time: 2010-06-24 21:32:56
ComboFix-quarantined-files.txt 2010-06-25 02:32

Pre-Run: 4,215,611,392 bytes free
Post-Run: 6,184,562,688 bytes free

- - End Of File - - DF22CA793EF7A836074DCE65D94A3E29

Edited by SaprkE!, 24 June 2010 - 09:51 PM.


#13 schrauber

schrauber
Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 26 June 2010 - 02:36 PM

Hi,


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.




  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemdrive%\*.sys /90 /md5
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#14 SaprkE!

SaprkE!
  • Topic Starter
  • Members
  • 18 posts

Posted 27 June 2010 - 09:25 AM

Well, your instructions indicate to "Make sure you are connected to the internet", but we had not yet reestablished an internet connection on the affected machine. I had previously installed Malwarebyte's Anti Virus software on the affected machine, so I thought I could run that. Unfortunately, the link you give to the manual updates (http://malwarebytes.gt500.org/mbam-rules.exe) gives a 404 Not Found error. So, I reestablished the internet connection and ran the existing installation of MBAM and asked it to update the definitions. That process failed with a note to notify Malwarebyte's Support. So, I reinstalled MBAM, updated the definitions and ran the quick scan. The log results are below.

Then I ran OTL. It failed, giving the message:

Access Violation at address 0040295B in module OTL.exe. Read of address 001EA000

So, I shut the machine down, removed the network connection, rebooted the machine and ran OTL again. It failed, giving the message:

Access Violation at address 0040295B in module OTL.exe. Read of address 001EB000

Notice that the read address where the violation occurred was different this time. I then ran OTL again and it worked that time. Please note that I did not have an internet connection at the time that this was run. The logged results are below.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4245

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/27/2010 8:26:29 AM
mbam-log-2010-06-27 (08-26-29).txt

Scan type: Quick scan
Objects scanned: 120982
Time elapsed: 24 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



OTL logfile created on: 6/27/2010 8:50:13 AM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Brad Wiseman\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 679.00 Mb Available Physical Memory | 66.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 305.33 Gb Total Space | 5.46 Gb Free Space | 1.79% Space Free | Partition Type: NTFS
Drive D: | 483.65 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
Drive F: | 210.62 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 37.58 Mb Total Space | 22.83 Mb Free Space | 60.75% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SPARKE
Current User Name: Brad Wiseman
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/27 08:31:16 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brad Wiseman\Desktop\OTL.exe
PRC - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2009/09/08 18:25:52 | 000,096,334 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2009/05/02 18:56:51 | 000,079,872 | ---- | M] (SanDisk Corporation) -- C:\Documents and Settings\Brad Wiseman\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
PRC - [2008/04/29 13:25:50 | 000,671,863 | ---- | M] (E-MU Systems) -- C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPMixDSP.exe
PRC - [2008/03/20 15:35:04 | 000,023,040 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CtHelper.exe
PRC - [2007/04/03 20:50:00 | 001,603,152 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2007/01/12 13:40:36 | 000,339,968 | ---- | M] () -- C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
PRC - [2006/04/21 15:41:20 | 000,438,359 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\HughesNet Tools\SmartBridge\MotiveSB.exe
PRC - [2006/03/23 17:06:50 | 001,398,272 | ---- | M] (Nero AG) -- C:\Program Files\Ahead\InCD\InCD.exe
PRC - [2006/03/23 17:06:38 | 000,880,128 | ---- | M] (Nero AG) -- C:\Program Files\Ahead\InCD\incdsrv.exe
PRC - [2005/06/10 04:21:01 | 000,217,088 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\point32.exe
PRC - [2005/06/09 02:42:32 | 000,192,512 | ---- | M] () -- c:\Program Files\HughesNet Tools\bin\mpbtn.exe
PRC - [2004/10/15 19:40:56 | 002,577,632 | ---- | M] (Sygate Technologies, Inc.) -- C:\Program Files\Sygate\SPF\Smc.exe
PRC - [2004/08/04 02:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/11/19 18:48:14 | 000,032,881 | ---- | M] () -- C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
PRC - [2003/09/29 17:39:36 | 000,155,648 | ---- | M] (Leadtek Research Inc.) -- C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
PRC - [2003/09/01 02:10:00 | 000,425,984 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
PRC - [2003/08/19 15:21:54 | 002,605,056 | ---- | M] () -- C:\Program Files\MSI\Core Center\CoreCenter.exe
PRC - [2003/08/19 01:00:00 | 000,126,976 | ---- | M] (Intel) -- C:\Program Files\Intel\Intel Application Accelerator\IAAnotif.exe
PRC - [2003/08/19 01:00:00 | 000,073,838 | ---- | M] (Intel) -- C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
PRC - [2003/05/15 17:45:54 | 000,114,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\type32.exe
PRC - [2003/03/11 17:24:40 | 000,086,016 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
PRC - [2002/09/11 06:33:36 | 000,102,400 | ---- | M] () -- C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe


========== Modules (SafeList) ==========

MOD - [2010/06/27 08:31:16 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brad Wiseman\Desktop\OTL.exe
MOD - [2009/09/01 21:09:10 | 000,470,328 | ---- | M] (SmartSoft Ltd) -- C:\Program Files\SmartFTP Client\sfShellTools.dll
MOD - [2009/09/01 20:40:40 | 000,003,584 | ---- | M] (SmartSoft Ltd) -- C:\Program Files\SmartFTP Client\en-US\sfShellTools.dll.mui
MOD - [2008/03/20 15:35:02 | 000,012,800 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\ctagent.dll
MOD - [2006/04/21 15:40:14 | 000,122,880 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\HughesNet Tools\SmartBridge\SBHook.dll
MOD - [2004/10/15 18:32:10 | 000,083,096 | ---- | M] (Sygate Technologies, Inc.) -- C:\WINDOWS\system32\SSSensor.dll
MOD - [2004/08/04 02:57:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/04 01:01:17 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2009/09/08 18:25:52 | 000,096,334 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2006/03/23 17:06:38 | 000,880,128 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Ahead\InCD\incdsrv.exe -- (InCDsrv)
SRV - [2004/10/15 19:40:56 | 002,577,632 | ---- | M] (Sygate Technologies, Inc.) [Auto | Running] -- C:\Program Files\Sygate\SPF\Smc.exe -- (SmcService)
SRV - [2003/08/19 01:00:00 | 000,073,838 | ---- | M] (Intel) [Auto | Running] -- C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe -- (IAANTMon)
SRV - [2003/03/03 14:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - [2009/05/09 01:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/03/20 17:57:26 | 000,015,896 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pfmodnt.sys -- (PfModNT)
DRV - [2008/03/20 17:55:16 | 000,802,840 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2008/03/20 17:54:42 | 000,095,768 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2008/03/20 17:52:50 | 000,159,256 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2008/03/20 17:52:22 | 000,014,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2008/03/20 17:51:56 | 000,129,560 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2008/03/20 17:49:30 | 000,524,824 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2008/03/20 17:48:56 | 000,511,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2008/03/20 17:40:38 | 001,324,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\CTEXFIFX.SYS -- (CTEXFIFX.SYS)
DRV - [2008/03/20 17:40:38 | 001,324,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTEXFIFX.sys -- (CTEXFIFX)
DRV - [2008/03/20 17:38:06 | 000,134,168 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTEDSPIO.SYS -- (CTEDSPIO.SYS)
DRV - [2008/03/20 17:38:06 | 000,134,168 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTEDSPIO.sys -- (CTEDSPIO)
DRV - [2008/03/20 17:37:36 | 000,309,784 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTEDSPSY.SYS -- (CTEDSPSY.SYS)
DRV - [2008/03/20 17:37:36 | 000,309,784 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTEDSPSY.sys -- (CTEDSPSY)
DRV - [2008/03/20 17:37:10 | 000,072,728 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\CTHWIUT.SYS -- (CTHWIUT.SYS)
DRV - [2008/03/20 17:37:10 | 000,072,728 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTHWIUT.sys -- (CTHWIUT)
DRV - [2008/03/20 17:36:44 | 000,171,032 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\CT20XUT.SYS -- (CT20XUT.SYS)
DRV - [2008/03/20 17:36:44 | 000,171,032 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CT20XUT.sys -- (CT20XUT)
DRV - [2008/03/20 17:36:14 | 000,099,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\CTERFXFX.SYS -- (CTERFXFX.SYS)
DRV - [2008/03/20 17:36:14 | 000,099,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTERFXFX.sys -- (CTERFXFX)
DRV - [2008/03/20 17:32:36 | 000,259,096 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTEDSPFX.SYS -- (CTEDSPFX.SYS)
DRV - [2008/03/20 17:32:36 | 000,259,096 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTEDSPFX.sys -- (CTEDSPFX)
DRV - [2008/03/20 17:26:30 | 000,163,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\CTEAPSFX.SYS -- (CTEAPSFX.SYS)
DRV - [2008/03/20 17:26:30 | 000,163,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTEAPSFX.sys -- (CTEAPSFX)
DRV - [2008/03/20 17:25:44 | 000,534,040 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\CTSBLFX.SYS -- (CTSBLFX.SYS)
DRV - [2008/03/20 17:25:44 | 000,534,040 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTSBLFX.sys -- (CTSBLFX)
DRV - [2008/03/20 17:23:44 | 000,528,920 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\CTAUDFX.SYS -- (CTAUDFX.SYS)
DRV - [2008/03/20 17:23:44 | 000,528,920 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTAUDFX.sys -- (CTAUDFX)
DRV - [2008/03/20 17:23:08 | 000,098,328 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\COMMONFX.SYS -- (COMMONFX.SYS)
DRV - [2008/03/20 17:23:08 | 000,098,328 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COMMONFX.sys -- (COMMONFX)
DRV - [2006/03/23 17:15:58 | 000,102,016 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\incdfs.sys -- (InCDfs)
DRV - [2006/03/23 17:15:56 | 000,033,536 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDrm.sys -- (incdrm)
DRV - [2006/03/23 17:15:56 | 000,029,440 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\incdpass.sys -- (InCDPass)
DRV - [2004/11/22 11:36:40 | 000,018,003 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRENDIS5.sys -- (MRENDIS5)
DRV - [2004/10/15 18:32:44 | 000,014,568 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys -- (wg6n)
DRV - [2004/10/15 18:32:42 | 000,014,568 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys -- (wg5n)
DRV - [2004/10/15 18:32:40 | 000,014,568 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys -- (wg4n)
DRV - [2004/10/15 18:32:38 | 000,014,568 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys -- (wg3n)
DRV - [2004/10/15 18:18:46 | 000,021,075 | ---- | M] (Sygate Technologies, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\wpsdrvnt.sys -- (wpsdrvnt)
DRV - [2004/10/15 18:17:02 | 000,060,496 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\Drivers\Teefer.sys -- (Teefer)
DRV - [2004/08/04 01:10:10 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)
DRV - [2004/08/04 01:10:10 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)
DRV - [2004/08/04 01:09:58 | 000,051,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)
DRV - [2004/08/04 01:07:55 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/03/02 17:03:30 | 000,146,606 | R--- | M] (Roland Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rdwm1005.sys -- (RDID1005)
DRV - [2003/10/23 02:23:00 | 000,023,536 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctpd1394.sys -- (Jukebox3_1394)
DRV - [2003/10/09 20:57:58 | 000,054,272 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AvidXPSerial.sys -- (Serial)
DRV - [2003/09/24 20:32:00 | 001,548,331 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/08/20 15:44:04 | 000,048,864 | ---- | M] (Vireo Software) [Kernel | On_Demand | Running] -- C:\Program Files\MSI\Core Center\RushTop.sys -- (RushTopDevice)
DRV - [2003/08/19 01:00:00 | 000,274,816 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2003/08/05 12:04:56 | 000,022,055 | ---- | M] (MICRO-STAR INT'L CO., LTD.) [Kernel | On_Demand | Running] -- C:\Program Files\MSI\Core Center\NTGLM7X.SYS -- (PCAlertDriver)
DRV - [2003/01/07 11:16:32 | 000,006,085 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\WinFast\WFTVFM\WFIOCTL.sys -- (WFIOCTL)
DRV - [2002/07/25 12:33:58 | 000,004,633 | ---- | M] (Arrowkey) [Kernel | Auto | Running] -- C:\Program Files\321Studios\Shared\CDRPDACC.SYS -- (CDRPDACC)
DRV - [2002/06/24 12:57:58 | 000,039,182 | ---- | M] (Leadtek Research Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\wf2ktunr.sys -- (tv2ktunr)
DRV - [2002/06/24 12:57:58 | 000,009,804 | ---- | M] (Leadtek Research Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\wf2kXbar.sys -- (Tv2kXbar)
DRV - [2002/06/24 12:57:56 | 000,081,356 | ---- | M] (Leadtek Research Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\wf2kvcap.sys -- (BT848)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.myhughesnet.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;<local>

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.taperssection.com/index.php"
FF - prefs.js..network.proxy.http: "192.168.0.1"
FF - prefs.js..network.proxy.http_port: 85
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 15:41:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 15:41:42 | 000,000,000 | ---D | M]

[2008/08/27 22:52:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\Mozilla\Extensions
[2010/02/21 12:28:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\Mozilla\Firefox\Profiles\ee8tmyo4.default\extensions
[2008/06/18 23:13:24 | 000,000,681 | ---- | M] () -- C:\Documents and Settings\Brad Wiseman\Application Data\Mozilla\Firefox\Profiles\ee8tmyo4.default\searchplugins\webster.xml
[2008/06/18 23:13:26 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\Brad Wiseman\Application Data\Mozilla\Firefox\Profiles\ee8tmyo4.default\searchplugins\wikipedia-en.xml
[2008/08/27 22:52:10 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2004/11/12 22:36:20 | 000,005,120 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll

O1 HOSTS File: ([2010/06/24 21:30:26 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CtHelper.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\Ctxfihlp.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\IAAnotif.exe (Intel)
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Motive SmartBridge] C:\Program Files\HughesNet Tools\SmartBridge\MotiveSB.exe (Motive Communications, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe (Intel® Corporation)
O4 - HKLM..\Run: [SmcService] C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
O4 - HKLM..\Run: [type32] C:\Program Files\Microsoft IntelliType Pro\type32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe (Leadtek Research Inc.)
O4 - HKCU..\Run: [NBJ] C:\Program Files\Ahead\Nero BackItUp\NBJ.exe (Ahead Software AG)
O4 - HKCU..\Run: [NvMediaCenter] C:\WINDOWS\System32\NVMCTRAY.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [SansaDispatch] C:\Documents and Settings\Brad Wiseman\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O4 - HKCU..\Run: [SetDefaultMIDI] C:\WINDOWS\System32\MIDIDEF.EXE (Creative Technology Ltd)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HughesNet Tools.lnk = C:\Program Files\HughesNet Tools\bin\matcli.exe (Motive Communications, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe ()
O4 - Startup: C:\Documents and Settings\Brad Wiseman\Start Menu\Programs\Startup\OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab (Yahoo! Audio Conferencing)
O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1238983705796 (WUWebControl Class)
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} http://chat.yahoo.com/cab/yacsui.cab (Yahoo! Audio UI1)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/12/14 17:21:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/11/03 20:06:29 | 000,000,113 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2009/05/04 09:21:23 | 000,000,087 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{9e9db840-15f0-11df-a59f-000c765ac0fd}\Shell - "" = AutoRun
O33 - MountPoints2\{9e9db840-15f0-11df-a59f-000c765ac0fd}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9e9db840-15f0-11df-a59f-000c765ac0fd}\Shell\AutoRun\command - "" = F:\laucher.exe -- [2007/03/27 22:07:02 | 000,180,224 | R--- | M] (Chipsbank)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16620634377289728)

========== Files/Folders - Created Within 90 Days ==========

[2010/06/27 07:56:21 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Brad Wiseman\Desktop\mbam-setup-1.46.exe
[2010/06/27 07:33:39 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Brad Wiseman\Desktop\OTL.exe
[2010/06/27 07:29:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[2010/06/24 21:32:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/06/24 21:10:56 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/06/24 21:10:56 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/06/24 21:10:56 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/06/24 21:10:56 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/06/24 21:10:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/24 21:10:01 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/06/21 21:46:31 | 000,998,736 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Brad Wiseman\Desktop\tdsskiller.exe
[2010/06/11 03:20:50 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/06/11 03:15:12 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2010/06/09 19:41:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brad Wiseman\Application Data\Malwarebytes
[2010/06/09 19:41:14 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/09 19:41:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/06/09 19:41:12 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/09 19:41:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/09 00:35:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
[2010/05/16 10:50:16 | 000,000,000 | ---D | C] -- C:\Program Files\AP Tuner
[2010/04/23 22:53:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brad Wiseman\Application Data\Canon
[2010/04/23 22:52:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PhotoStitch
[2010/04/07 22:38:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\IsolatedStorage
[2010/04/07 22:30:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brad Wiseman\Local Settings\Application Data\IsolatedStorage
[2010/04/07 22:25:08 | 000,000,000 | ---D | C] -- C:\e3d13acb4af7b3881f292439
[2010/04/07 22:24:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2010/04/01 00:19:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
[2010/04/01 00:18:20 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2010/04/01 00:16:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2010/04/01 00:16:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
[2010/04/01 00:15:36 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2008/03/20 15:35:52 | 000,034,816 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\*.tmp files -> C:\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/06/27 08:44:27 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/27 08:44:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/27 08:42:45 | 006,815,744 | -H-- | M] () -- C:\Documents and Settings\Brad Wiseman\NTUSER.DAT
[2010/06/27 08:42:45 | 000,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000003-00000000-00000001-00001102-00000004-40011102}.rfx
[2010/06/27 08:42:45 | 000,001,404 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000003-00000000-00000001-00001102-00000004-40011102}.rfx
[2010/06/27 08:42:45 | 000,001,404 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000003-00000000-00000001-00001102-00000004-40011102}.rfx
[2010/06/27 08:42:45 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000003-00000000-00000001-00001102-00000004-40011102}.rfx
[2010/06/27 08:42:45 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000003-00000000-00000001-00001102-00000004-40011102}.rfx
[2010/06/27 08:42:34 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Brad Wiseman\ntuser.ini
[2010/06/27 08:31:16 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brad Wiseman\Desktop\OTL.exe
[2010/06/27 07:57:07 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\Brad Wiseman\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/06/27 07:52:18 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Brad Wiseman\Desktop\mbam-setup-1.46.exe
[2010/06/27 07:25:19 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/24 21:30:35 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/24 21:30:26 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/21 21:30:00 | 000,998,736 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Brad Wiseman\Desktop\tdsskiller.exe
[2010/06/19 21:12:32 | 003,716,011 | R--- | M] () -- C:\Documents and Settings\Brad Wiseman\Desktop\schrauber.exe
[2010/06/16 08:20:04 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Brad Wiseman\Desktop\2b65tb8y.exe
[2010/06/11 08:44:16 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Brad Wiseman\Desktop\dds.scr
[2010/06/11 08:39:57 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Brad Wiseman\defogger_reenable
[2010/06/11 06:44:13 | 000,521,942 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/11 06:44:13 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/11 06:44:13 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/11 03:40:04 | 000,138,848 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/11 03:23:26 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/11 03:12:36 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/06/11 03:12:34 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2010/06/08 23:31:44 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Brad Wiseman\Local Settings\Application Data\housecall.guid.cache
[2010/05/31 23:26:49 | 000,060,416 | ---- | M] () -- C:\Documents and Settings\Brad Wiseman\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/16 10:07:17 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/05/16 10:07:17 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/13 21:11:24 | 000,002,393 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2009.lnk
[2010/04/07 22:30:10 | 000,030,584 | ---- | M] () -- C:\Documents and Settings\Brad Wiseman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/01 00:19:48 | 000,000,772 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ZoomBrowser EX.lnk
[2010/03/30 22:37:42 | 000,063,558 | ---- | M] () -- C:\Documents and Settings\Brad Wiseman\My Documents\heart.jpg
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\*.tmp files -> C:\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/24 21:10:56 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/06/24 21:10:56 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/06/24 21:10:56 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/06/24 21:10:56 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/24 21:10:56 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/06/24 21:09:31 | 003,716,011 | R--- | C] () -- C:\Documents and Settings\Brad Wiseman\Desktop\schrauber.exe
[2010/06/16 20:16:43 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Brad Wiseman\Desktop\2b65tb8y.exe
[2010/06/11 08:51:34 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Brad Wiseman\Desktop\dds.scr
[2010/06/11 08:39:57 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Brad Wiseman\defogger_reenable
[2010/06/11 03:12:36 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/06/11 03:12:34 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2010/06/09 19:41:16 | 000,000,714 | ---- | C] () -- C:\Documents and Settings\Brad Wiseman\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/06/08 23:31:44 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Brad Wiseman\Local Settings\Application Data\housecall.guid.cache
[2010/05/16 10:07:17 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/05/16 10:07:17 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/04/07 22:34:13 | 000,002,393 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2009.lnk
[2010/04/01 00:19:48 | 000,000,772 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ZoomBrowser EX.lnk
[2010/03/30 22:35:13 | 000,063,558 | ---- | C] () -- C:\Documents and Settings\Brad Wiseman\My Documents\heart.jpg
[2009/04/18 22:18:45 | 000,002,560 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2008/03/20 16:02:24 | 000,097,461 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008/03/20 16:02:24 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/03/20 15:36:48 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2007/06/24 22:05:22 | 000,003,762 | ---- | C] () -- C:\WINDOWS\scad3.INI
[2007/04/28 15:50:11 | 000,000,041 | ---- | C] () -- C:\WINDOWS\System32\MSCANDC.INI
[2007/04/28 15:48:43 | 000,044,491 | ---- | C] () -- C:\WINDOWS\System32\MiiIniFile13.ini
[2007/04/28 15:48:40 | 000,285,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\Onsio.sys
[2007/04/28 15:48:40 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\drivers\Onsreged.sys
[2006/10/02 17:25:18 | 000,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini
[2006/04/15 09:04:20 | 000,000,187 | ---- | C] () -- C:\WINDOWS\sc.INI
[2006/02/23 21:16:25 | 000,002,254 | ---- | C] () -- C:\WINDOWS\TAPETRAK.INI
[2005/08/12 16:57:09 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/06/16 18:17:16 | 000,071,680 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
[2004/12/24 14:32:35 | 000,038,401 | R--- | C] () -- C:\WINDOWS\System32\RdCi1005.dll
[2004/10/15 18:31:56 | 000,218,264 | ---- | C] () -- C:\WINDOWS\System32\SetAid.dll
[2004/08/21 20:52:16 | 000,000,067 | ---- | C] () -- C:\WINDOWS\StationRipper.INI
[2004/04/05 21:24:00 | 000,000,048 | ---- | C] () -- C:\WINDOWS\PerWin.ini
[2004/02/29 18:17:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2004/02/29 18:11:28 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\CNMVS56.DLL
[2004/01/18 13:46:22 | 000,905,290 | ---- | C] () -- C:\WINDOWS\System32\libmmd.dll
[2004/01/18 13:46:22 | 000,054,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\AvidXPSerial.sys
[2004/01/18 13:46:21 | 000,311,296 | ---- | C] () -- C:\WINDOWS\System32\AvidJPEGCodec.dll
[2004/01/18 13:46:21 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2004/01/04 17:43:23 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\cutemon2k.dll
[2003/12/29 23:36:26 | 000,000,230 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2003/12/24 10:24:06 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\PdeSrvps.dll
[2003/12/20 20:26:03 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/12/15 22:19:24 | 000,000,139 | ---- | C] () -- C:\WINDOWS\msicpl.ini
[2003/12/15 22:17:43 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\memtest.dll
[2003/12/15 22:17:43 | 000,036,076 | R--- | C] () -- C:\WINDOWS\System32\drivers\vgauti.sys
[2003/12/15 22:17:43 | 000,036,076 | R--- | C] () -- C:\WINDOWS\System32\drivers\msicpl.sys
[2003/12/14 23:23:17 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\drivers\Stdsys.SYS
[2003/12/14 18:54:47 | 000,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2003/12/14 18:54:47 | 000,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2003/12/14 18:54:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2003/12/14 18:54:42 | 001,900,544 | ---- | C] () -- C:\WINDOWS\System32\cmiwcnfg.dll
[2003/12/14 18:54:42 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2003/12/14 18:54:35 | 000,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
[2003/12/14 18:51:41 | 000,126,976 | R--- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2003/09/09 16:37:16 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\avisynth_c.dll
[2003/03/31 07:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2000/07/22 17:49:46 | 000,431,104 | ---- | C] () -- C:\WINDOWS\System32\VFCodec.dll

========== LOP Check ==========

[2007/12/19 22:42:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/04/23 22:58:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PhotoStitch
[2004/02/03 20:40:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2010/02/18 00:12:01 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{79780278-DECB-496D-B76B-E380D473969F}
[2007/04/22 17:55:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\aicon
[2010/04/30 22:30:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\Audacity
[2008/10/16 22:26:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\CadSoft
[2010/04/23 22:53:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\Canon
[2009/04/18 23:07:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\EmuPatchMixDSP
[2010/03/30 22:54:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\FileZilla
[2010/05/26 22:49:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\foobar2000
[2003/12/14 20:14:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\InterTrust
[2003/12/14 23:25:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\InterVideo
[2007/10/30 00:45:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\Mp3tag
[2004/08/17 21:35:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\Old Thunderbird
[2010/06/27 08:44:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\OpenOffice.org1.1.0
[2004/12/12 18:26:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\Recent Thunderbird
[2003/12/24 15:01:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\Red Chair Software
[2009/01/09 23:25:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\SanDisk
[2004/12/12 19:18:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\Thunderbird
[2004/12/12 18:30:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\Thunderbird Bad
[2004/02/03 20:41:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\Ulead Systems
[2006/05/27 09:59:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\uTorrent
[2009/07/04 15:46:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\Vso
[2007/01/21 14:44:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brad Wiseman\Application Data\XnView

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/04/05 22:08:46 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/04/05 22:08:46 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2004/08/04 01:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2004/08/04 01:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2004/08/04 01:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\agp440.sys
[2004/08/04 01:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\agp440.sys
[2001/08/17 14:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2003/03/31 07:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2009/04/05 22:08:46 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/04/05 22:08:46 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2002/08/29 02:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2003/03/31 07:00:00 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2004/08/04 00:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/04 00:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/04 00:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\atapi.sys
[2004/08/04 00:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/04 02:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 02:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2004/08/04 02:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\eventlog.dll
[2004/08/04 02:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll
[2003/03/31 07:00:00 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2003/08/19 01:00:00 | 000,274,816 | ---- | M] (Intel Corporation) MD5=50B56E7DE809BE4B8F4D24B3F0381520 -- C:\Program Files\Intel\Intel Application Accelerator\Driver\iaStor.sys
[2003/07/02 19:00:00 | 000,274,816 | ---- | M] (Intel Corporation) MD5=50B56E7DE809BE4B8F4D24B3F0381520 -- C:\WINDOWS\OemDir\iaStor.sys
[2003/08/19 01:00:00 | 000,274,816 | ---- | M] (Intel Corporation) MD5=50B56E7DE809BE4B8F4D24B3F0381520 -- C:\WINDOWS\system32\drivers\iaStor.sys
[2003/07/02 19:00:00 | 000,274,816 | ---- | M] (Intel Corporation) MD5=50B56E7DE809BE4B8F4D24B3F0381520 -- C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2003/03/31 07:00:00 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 02:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/04 02:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2004/08/04 02:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\netlogon.dll
[2004/08/04 02:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 02:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/04 02:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2004/08/04 02:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2003/03/31 07:00:00 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2003/12/14 11:08:49 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2003/12/14 11:08:49 | 000,626,688 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2003/12/14 11:08:49 | 000,421,888 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemdrive%\*.sys /90 /md5 >
[2010/06/27 08:44:23 | 1610,612,736 | -HS- | M] () Unable to obtain MD5 -- C:\pagefile.sys
[3 C:\*.tmp files -> C:\*.tmp -> ]
< End of report >



OTL Extras logfile created on: 6/27/2010 8:50:13 AM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Brad Wiseman\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 679.00 Mb Available Physical Memory | 66.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 305.33 Gb Total Space | 5.46 Gb Free Space | 1.79% Space Free | Partition Type: NTFS
Drive D: | 483.65 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
Drive F: | 210.62 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 37.58 Mb Total Space | 22.83 Mb Free Space | 60.75% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SPARKE
Current User Name: Brad Wiseman
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\SmartFTP Client\SmartFTP.exe" = C:\Program Files\SmartFTP Client\SmartFTP.exe:*:Enabled:SmartFTP Client 4.0 -- (SmartSoft Ltd.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0168645A-B729-43FC-B994-DE9C8507D67D}" = FAB 3000 - Free DFM
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP3500_series" = Canon iP3500 series
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{190BF7E6-59C5-45E2-B9CE-E8E7245A5B4D}" = TMPGEnc Plus 2.5
"{216EAAD9-D733-4141-BEAF-2C0B6F6B1D04}" = AmpliTube LE
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2B7B47E1-B482-4D3A-ABFD-2FF8E077ECA6}" = SmartFTP Client
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{345C90FB-FA10-11D5-9C2A-0080C85A0C2D}" = ABBYY FineReader OCR Engine for Microtek
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36495C59-089C-49D1-BD15-9E5BD86DC9A1}" = ItsDeductible Express
"{378E6AB4-C604-4D67-83D5-E973F0DE7EC9}" = ExpressPCB
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{38D097C0-EAA2-012B-ADC2-000000000000}" = TurboTax 2009 wksiper
"{3B585747-0A00-4324-9683-7D406AC4761F}" = Avid Free DV
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{49062DAB-7009-4EBD-903A-830B283407C4}" = TMPGEnc DVD Author 1.5
"{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{81463B08-A929-4125-A5F4-1B053AC35A09}" = Microsoft IntelliType Pro 5.0
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{88F93347-0F9B-4FED-BA71-6C2A4CDFE61D}" = Ulead DVD MovieFactory 2.5 SE
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D2C1E44-7685-4D05-8342-B0DC6422FA47}" = Ulead Disc-Direct SDK
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Application Accelerator RAID Edition
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD 4
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel® PROSet
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{AC76BA86-7AD7-5A76-5A64-7E8A45000001}" = Adobe Reader Japanese Fonts
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B08D262E-D902-11D5-9C28-0080C85A0C2D}" = ScanWizard 5
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BE4AA694-815A-4045-BD49-C94F2BED7458}" = WinFast Entertainment Center(WDM Driver)
"{BE9E4FE7-8259-405D-8D9E-9A31CFEE5784}" = ExpressPCB
"{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}" = Canon PhotoRecord
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}" = QuickTime
"{C882DE6B-1482-42D6-A7C2-A9F946EDBAF6}" = WinFast PVR
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EECDDEA0-DB76-4488-8E52-0EF1DF63700A}" = Microsoft IntelliPoint 5.4
"{F34D9A5F-484A-4E31-A9D3-908CB265B289}" = Sygate Personal Firewall
"{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}" = RAW Image Task
"{FCCC1736-143E-4D35-A535-91840BB8C3BE}" = TurboTax 2008 wksiper
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"7-Zip" = 7-Zip 3.13
"ABC" = ABC (remove only)
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 6.0" = Adobe Photoshop 6.0
"Adobe SVG Viewer" = Adobe SVG Viewer
"AdobeESD" = Adobe Download Manager 2.0 (Remove Only)
"Amazing Slow Downer" = Amazing Slow Downer (remove only)
"AP Tuner 3.08" = AP Tuner 3.08
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.6 (Unicode)
"Audacity_is1" = Audacity 1.2.3
"AviSynth" = AviSynth 2.5
"CAL" = Canon Camera Access Library
"CameraUserGuide-PSSD1200IS_IXUS95IS" = Canon PowerShot SD1200 IS_IXUS 95 IS Camera User Guide
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDC8" = Canon Utilities CameraWindow DC 8
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Canon iP3500 series User Registration" = Canon iP3500 series User Registration
"Canon MOV Decoder" = Canon MOV Decoder
"Canon MOV Encoder" = Canon MOV Encoder
"CANONBJ_Deinstall_CNMCP56.DLL" = Canon i860
"CanonMyPrinter" = Canon My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CD Wave_is1" = CD Wave Editor version 1.94.4
"C-Media Audio" = C-Media 3D Audio
"Core Center" = Core Center
"Creative File Manager" = NOMAD Explorer
"Creative Jukebox Driver" = Creative Jukebox Driver
"CSCLIB" = Canon Camera Support Core Library
"CutePDF Port Monitor" = CutePDF Printer Setup
"discWelder BRONZE" = discWelder BRONZE
"DMI Browser" = DMI Browse
"DVD Shrink_is1" = DVD Shrink 3.2
"DVD X Rescue" = DVD X Rescue
"DVD2SVCD Software Bundle_is1" = DVD2SVCD 1.2.1 Build 3
"DVDFab 6_is1" = DVDFab 6.0.2.2 (June 26, 2009)
"DVDFab Decrypter_is1" = DVDFab Decrypter 3.0.9.6
"DVDXCopyPlatinum" = DVDXCopy Platinum 3.2.1
"EAGLE 5.2.5" = EAGLE 5.2.5
"EAGLE 5.3.0" = EAGLE 5.3.0
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Easy-PhotoPrint Plus" = Canon Utilities Easy-PhotoPrint Plus
"Easy-WebPrint" = Easy-WebPrint
"E-MU Audio Drivers Hotfix" = E-MU Audio Drivers
"EMU PatchMix DSP" = E-muPatchMix DSP
"ExpressPCB" = ExpressPCB
"FAB 3000 - Free DFM" = FAB 3000 - Free DFM
"FileZilla Client" = FileZilla Client 3.3.2.1
"FilterPro" = FilterPro
"FLAC" = FLAC Installer 1.1.0m (remove only)
"foobar2000" = foobar2000 v0.9.4.1
"HTMLKit_is1" = HTML-Kit
"HUFFYUV" = Huffyuv AVI lossless video codec (Remove Only)
"hughes.MCCInstall" = HughesNet Tools
"InCD!UninstallKey" = InCD
"InfoView" = InfoView
"InstallShield_{190BF7E6-59C5-45E2-B9CE-E8E7245A5B4D}" = TMPGEnc Plus 2.5
"InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}" = QuickTime
"InstallShield_{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}" = Canon RAW Image Task for ZoomBrowser EX
"IrfanView" = IrfanView (remove only)
"i-Speeder" = i-Speeder
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Mozilla Thunderbird (0.9)" = Mozilla Thunderbird (0.9)
"Mozilla Thunderbird (1.0)" = Mozilla Thunderbird (1.0)
"Mozilla Thunderbird (1.0.2)" = Mozilla Thunderbird (1.0.2)
"Mp3tag" = Mp3tag v2.39
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"NeroVision!UninstallKey" = Nero Digital
"NMIX!UninstallKey" = NeroMIX
"NMPUninstallKey" = Nero Media Player
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"PasswordKeeper" = PasswordKeeper
"Pegasus Mail" = Pegasus Mail
"Personal Printing Guide" = Canon Personal Printing Guide
"PhotoStitch" = Canon Utilities PhotoStitch
"PROSet" = Intel® PRO Network Adapters and Drivers
"RemoteCaptureDC" = Canon Utilities RemoteCapture DC
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"SmartFTP Client 2.0 Setup Files" = SmartFTP Client 2.0 Setup Files (remove only)
"SmartFTP Client 2.5 Setup Files" = SmartFTP Client 2.5 Setup Files (remove only)
"SmartFTP Client 3.0 Setup Files" = SmartFTP Client 3.0 Setup Files (remove only)
"SmartFTP Client 4.0 Setup Files" = SmartFTP Client 4.0 Setup Files (remove only)
"SoftwareStarterGuide-DCSD40_46" = Canon Digital Camera Solution Disk 40-46 Software Starter Guide
"SoundCapture" = SoundCapture
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"ST5UNST #1" = ABX
"StationRipper" = StationRipper 2.33C
"SwitcherCAD III" = LTspice/SwCADIII
"TurboTax 2008" = TurboTax 2008
"TurboTax 2009" = TurboTax 2009
"TurboTax Deluxe 2003" = TurboTax Deluxe 2003
"TurboTax Deluxe 2004" = TurboTax Deluxe 2004
"TurboTax Deluxe 2005" = TurboTax Deluxe 2005
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"TurboTax Deluxe Deduction Maximizer 2006" = TurboTax Deluxe Deduction Maximizer 2006
"Viewplot" = Viewplot
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinGimp-1.2.3_is1" = The GIMP 1.2.5-20030729-1
"WinGTK-1.3_is1" = GTK+ 1.3.0-20030717-1 runtime environment
"WinMX" = WinMX
"WMIinfo" = WMIinfo
"XnView_is1" = XnView 1.82.4
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"OpenOffice.org 1.1.0" = OpenOffice.org 1.1.0
"Sansa Updater" = Sansa Updater

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/3/2007 8:36:50 AM | Computer Name = SPARKE | Source = Application Hang | ID = 1002
Description = Hanging application DVD Shrink 3.2.exe, version 3.2.0.15, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/8/2007 9:27:06 PM | Computer Name = SPARKE | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.0.3.0, hang module firefox.exe,
version 1.0.3.0, hang address 0x00173adb.

Error - 12/28/2007 7:54:03 PM | Computer Name = SPARKE | Source = Application Hang | ID = 1002
Description = Hanging application AcroRd32.exe, version 7.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/28/2007 7:55:25 PM | Computer Name = SPARKE | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.8.20071.12718, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 6/25/2010 11:39:04 AM | Computer Name = SPARKE | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 6/25/2010 11:39:04 AM | Computer Name = SPARKE | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 6/27/2010 8:26:19 AM | Computer Name = SPARKE | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 6/27/2010 8:26:19 AM | Computer Name = SPARKE | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 6/27/2010 8:40:26 AM | Computer Name = SPARKE | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 6/27/2010 8:40:26 AM | Computer Name = SPARKE | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 6/27/2010 8:40:26 AM | Computer Name = SPARKE | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 6/27/2010 8:40:26 AM | Computer Name = SPARKE | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 6/27/2010 8:40:26 AM | Computer Name = SPARKE | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 6/27/2010 8:40:26 AM | Computer Name = SPARKE | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.


< End of report >

#15 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:04:33 AM

Posted 29 June 2010 - 04:23 PM

Hi,

So now you can use the internet connection? Do you use a router? How is it running now?
Regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
